Privacy Policy
Last updated: May 2026 · Version 1.3
Vastali ("we", "our", "us") operates the Vastali platform — a booking and membership management system for wellness businesses. This Privacy Policy explains how we collect, use, and protect your personal data when you use our platform, whether as a business operator or as an end customer.
1. What data we collect
We collect the following categories of personal data:
- Account data: Your name and email address when you create a Vastali account. Business operators additionally provide their business name and configuration details.
- Booking data: When customers make bookings, we store the service booked, the date and time, any notes provided, and the booking status.
- Payment data: Payments are processed by Stripe, Inc. Vastali does not store card numbers or banking details. We receive and store a record of the transaction amount, status, and Stripe's payment intent ID for reconciliation purposes.
- Health and wearable data (optional, explicit consent required): If you choose to connect a health data source, we may read the data types listed below. Connection is entirely optional and requires your active authorisation through OAuth for each provider. You may disconnect at any time.
  - Apple Health (iOS only): resting heart rate, heart rate variability (HRV), step count, workout sessions. Permission is granted through the iOS system health dialog.
  - Whoop: recovery score, strain score, HRV, sleep performance, recent workout activity type, VO2 max, and basic profile data (name, date of birth, height, weight, timezone). Accessed via Whoop OAuth 2.0. By connecting your Whoop, you are also subject to Whoop's Privacy Policy.
  - Garmin: training load, stress score, sleep data, VO2 max estimates. Accessed via the Garmin Health API under Garmin's partner programme. By connecting your Garmin device, you are also subject to Garmin's Privacy Policy.
All health and wearable data is used solely to display personalised recovery information to you within the Vastali app and platform. It is never used to make automated decisions about you, and it is never used for advertising, insurance assessment, employment screening, or any purpose other than delivering the recovery feature you have opted into.
- Usage data: We collect standard server logs including pages visited, timestamps, and browser/device type to monitor platform performance and diagnose issues.
2. How we use your data
- To provide, operate, and improve the Vastali platform and its features.
- To send booking confirmation and reminder emails.
- To process payments and manage payment accounts (for business operators).
- To display personalised recovery suggestions based on wearable or Apple Health data, only where you have explicitly granted access.
- To diagnose technical issues and monitor platform availability.
- To comply with legal obligations.
We do not sell your personal data to third parties. We use anonymised analytics and advertising measurement tools (Google Analytics, Meta Pixel, Microsoft Clarity) to understand how visitors use our marketing website and to measure the effectiveness of our advertising campaigns. These tools may use cookies or device identifiers — see section 9 for details.
3. Wearable and health data — specific commitments
Because health data is sensitive, we make the following explicit commitments regarding any data received from wearable devices or Apple Health:
- Purpose limitation: Health and fitness data is used only to display your personal recovery metrics within Vastali. It is not used for any other purpose.
- No sale: We do not sell health or fitness data to any third party under any circumstances.
- No advertising: Health data is never used to target you with advertisements, either within Vastali or through any external ad network.
- No profiling for third parties: We do not share health data with insurers, employers, financial institutions, or any organisation that could use it to make decisions about you.
- Minimum data: We request only the specific data types needed to calculate a recovery or readiness score. We do not request broader access than is necessary.
- Token security: OAuth access tokens and refresh tokens for wearable providers (Whoop, Garmin) are stored encrypted server-side and are never exposed to the client or to other users.
- Revocation: You can disconnect any wearable provider at any time from Settings in the Vastali app or portal. On disconnection, your OAuth tokens are immediately invalidated and deleted. Historical daily snapshots can be deleted on request.
- Retention: Daily health snapshots are retained for 12 months to power weekly and monthly trend views. You may request deletion of all health data at any time by contacting hello@vastali.com.
4. Data storage and security
Your data is stored securely on servers located in the EU. Data in transit is encrypted via TLS. Payment data is handled by our payment processor, which is PCI-DSS Level 1 certified. We apply strict access controls to ensure that users and businesses can only access their own data.
5. Third-party services
We work with trusted third-party service providers to operate the platform. These providers may process your data on our behalf:
- Supabase: Secure database, authentication, and file storage (EU region)
- Stripe: Payment processing (PCI-DSS Level 1)
- Resend: Transactional email delivery
- Vercel: Web application hosting
- Apple Health (iOS only): On-device health data, accessed with explicit iOS permission
- Whoop, Garmin: Wearable health APIs, accessed only if you choose to connect a device and grant OAuth authorisation
- Xero / QuickBooks (business operators only): Accounting integration, if a business operator chooses to connect their accounting software
- Google Analytics (GA4): Website analytics to understand how visitors use our marketing website. Data is anonymised and aggregated. Google's privacy policy applies: policies.google.com/privacy
- Meta Pixel: Advertising measurement tool that helps us understand the effectiveness of our Facebook and Instagram campaigns and build anonymised lookalike audiences. Meta's data policy applies: facebook.com/privacy/policy
- Microsoft Clarity: Session recording and heatmap analytics that help us understand how visitors interact with our marketing website. Data is anonymised. Microsoft's privacy statement applies: privacy.microsoft.com
All providers are contractually bound to handle your data in accordance with applicable data protection laws.
7. Data retention
We retain your account data for as long as your account remains active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. payment records, which may be retained for up to 7 years).
8. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data ("right to be forgotten")
- Restrict or object to processing
- Data portability
To exercise any of these rights, contact us at hello@vastali.com.
9. Cookies
We use the following categories of cookies:
- Essential cookies: Session cookies required to keep you logged in to the Vastali platform. These are strictly necessary and cannot be disabled.
- Analytics cookies: Google Analytics (GA4) and Microsoft Clarity use cookies and similar technologies to collect anonymised data about how visitors use our marketing website (vastali.com). This data helps us improve our product and marketing. No personally identifiable information is collected through these tools.
- Advertising cookies: Meta Pixel uses cookies to measure the effectiveness of our advertising campaigns on Facebook and Instagram, and to help us reach people with similar interests through lookalike audiences. You can opt out of Meta's use of your data for advertising via your Facebook ad preferences.
Analytics and advertising cookies are only placed on our public marketing website (vastali.com), not within the logged-in platform used by business operators and their customers.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to account holders by email. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact
If you have questions or concerns about how we handle your data, please contact us at hello@vastali.com.
