Privacy Policy

Last updated: March 2026 · Version 1.2

Vastali ("we", "our", "us") operates the Vastali platform — a booking and membership management system for wellness businesses. This Privacy Policy explains how we collect, use, and protect your personal data when you use our platform, whether as a business operator or as an end customer.

1. What data we collect

We collect the following categories of personal data:

  • Account data: Your name and email address when you create a Vastali account. Business operators additionally provide their business name and configuration details.
  • Booking data: When customers make bookings, we store the service booked, the date and time, any notes provided, and the booking status.
  • Payment data: Payments are processed by Stripe, Inc. Vastali does not store card numbers or banking details. We receive and store a record of the transaction amount, status, and Stripe's payment intent ID for reconciliation purposes.
  • Health and wearable data (optional, explicit consent required): If you choose to connect a health data source, we may read the data types listed below. Connection is entirely optional and requires your active authorisation: through each provider's OAuth 2.0 flow for Whoop and Garmin, or through the iOS Health permissions dialog for Apple Health. You may disconnect at any time.
    • Apple Health (iOS only): resting heart rate, heart rate variability (HRV), step count, workout sessions. Permission is granted through the iOS system health dialog.
    • Whoop: recovery score, strain score, HRV, sleep performance, recent workout activity type, VO2 max, and basic profile data (name, date of birth, height, weight, timezone). Accessed via Whoop OAuth 2.0. By connecting your Whoop, you are also subject to Whoop's Privacy Policy.
    • Garmin: training load, stress score, sleep data, VO2 max estimates. Accessed via the Garmin Health API under Garmin's partner programme. By connecting your Garmin device, you are also subject to Garmin's Privacy Policy.

    All health and wearable data is used solely to display personalised recovery information to you within the Vastali app and platform. It is never used to make automated decisions about you, and it is never used for advertising, insurance assessment, employment screening, or any purpose other than delivering the recovery feature you have opted into.

  • Usage data: We collect standard server logs including pages visited, timestamps, and browser/device type to monitor platform performance and diagnose issues.

2. How we use your data

  • To provide, operate, and improve the Vastali platform and its features.
  • To send booking confirmation and reminder emails.
  • To process payments and manage payment accounts (for business operators).
  • To display personalised recovery suggestions based on wearable or Apple Health data, only where you have explicitly granted access.
  • To diagnose technical issues and monitor platform availability.
  • To comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

3. Wearable and health data — specific commitments

Because health data is sensitive, we make the following explicit commitments regarding any data received from wearable devices or Apple Health:

  • Purpose limitation: Health and fitness data is used only to display your personal recovery metrics within Vastali. It is not used for any other purpose.
  • No sale: We do not sell health or fitness data to any third party under any circumstances.
  • No advertising: Health data is never used to target you with advertisements, either within Vastali or through any external ad network.
  • No profiling for third parties: We do not share health data with insurers, employers, financial institutions, or any organisation that could use it to make decisions about you.
  • Minimum data: We request only the specific data types needed to calculate a recovery or readiness score. We do not request broader access than is necessary.
  • Token security: OAuth access tokens and refresh tokens for wearable providers (Whoop, Garmin) are stored encrypted server-side and are never exposed to the client or to other users.
  • Revocation: You can disconnect any wearable provider at any time from Settings in the Vastali app or portal. On disconnection, your OAuth tokens are immediately invalidated and deleted. Historical daily snapshots can be deleted on request.
  • Retention: Daily health snapshots are retained for 12 months to power weekly and monthly trend views. You may request deletion of all health data at any time by contacting hello@vastali.com.

4. Data storage and security

Your data is stored on our database and storage provider's infrastructure in the EU region (see section 5). Data in transit is encrypted via TLS. Card numbers and banking details never reach our systems; they are handled by our payment processor, which is PCI-DSS Level 1 certified. We apply access controls so that each user and each business can access only their own records.

5. Third-party services

We work with trusted third-party service providers to operate the platform. These providers may process your data on our behalf:

  • Supabase: Secure database, authentication, and file storage (EU region)
  • Stripe: Payment processing (PCI-DSS Level 1)
  • Resend: Transactional email delivery
  • Vercel: Web application hosting
  • Apple Health (iOS only): On-device health data, accessed with explicit iOS permission
  • Whoop, Garmin: Wearable health APIs, accessed only if you choose to connect a device and grant OAuth authorisation
  • Xero / QuickBooks (business operators only): Accounting integration, if a business operator chooses to connect their accounting software

All providers are contractually bound to handle your data in accordance with applicable data protection laws. We do not use any provider for advertising or data brokerage purposes.

6. Data retention

We retain your account data for as long as your account remains active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. payment records, which may be retained for up to 7 years).

7. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability

To exercise any of these rights, contact us at hello@vastali.com.

8. Cookies

We use essential session cookies to keep you logged in. We do not use third-party tracking or advertising cookies. No cookie consent banner is shown because we only use strictly necessary cookies.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to account holders by email. Continued use of the platform after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions or concerns about how we handle your data, please contact us at hello@vastali.com.