Privacy Policy

1. What data we collect

We collect the following categories of personal data:

• Account data: Your name and email address when you create a Vastali account. Business operators additionally provide their business name and configuration details.
• Booking data: When customers make bookings, we store the service booked, the date and time, any notes provided, and the booking status.
• Payment data: Payments are processed by Stripe, Inc. Vastali does not store card numbers or banking details. We receive and store a record of the transaction amount, status, and Stripe's payment intent ID for reconciliation purposes.
• Apple Health data (iOS app only): If you use the Vastali iOS app and choose to connect Apple Health, we may read the following data types with your explicit permission granted through iOS system dialogs: resting heart rate, heart rate variability, step count, and workout sessions. This data is used solely to generate personalised recovery suggestions within the app. We do not share Apple Health data with third parties or use it for advertising.
• Usage data: We collect standard server logs including pages visited, timestamps, and browser/device type to monitor platform performance and diagnose issues.

2. How we use your data

• To provide, operate, and improve the Vastali platform and its features.
• To send booking confirmation and reminder emails via Resend (our transactional email provider).
• To process payments via Stripe and manage your Stripe Connect account (for business operators).
• To generate Apple Health-based recovery suggestions within the iOS app (when Health permissions are granted).
• To diagnose technical issues and monitor platform availability.
• To comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

3. Data storage and security

Your data is stored securely in our database hosted on Supabase (EU region). Data in transit is encrypted via TLS. Payment data is handled by Stripe, which is PCI-DSS Level 1 certified. We apply row-level security policies to ensure that users and businesses can only access their own data.

4. Third-party services

We use the following third-party services that may process your data:

• Supabase — database and authentication (EU region)
• Stripe — payment processing (subject to Stripe's Privacy Policy)
• Resend — transactional email delivery
• Vercel — web application hosting
• Apple HealthKit — health data integration (iOS app only, with explicit permission)

5. Data retention

We retain your account data for as long as your account remains active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. payment records, which may be retained for up to 7 years).

6. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data ("right to be forgotten")
• Restrict or object to processing
• Data portability

To exercise any of these rights, contact us at hello@vastali.com.

7. Cookies

We use essential session cookies to keep you logged in. We do not use third-party tracking or advertising cookies. No cookie consent banner is shown because we only use strictly necessary cookies.

8. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to account holders by email. Continued use of the platform after changes constitutes acceptance of the updated policy.

9. Contact

If you have questions or concerns about how we handle your data, please contact us at hello@vastali.com.