Version 1.4 — As of: March 2026
Privacy policy pursuant to GDPR Articles 13, 14 for the service "VitalStack".
Tilo von Drathen
Otto-Hahn-Straße 11
22880 Wedel, Germany
Email: tilo@vital-stack.com
We process personal data exclusively for the purpose of providing our service. Below we inform you about the type, scope, and purpose of data processing.
| Data Category | Examples | Legal Basis | Retention Period |
|---|---|---|---|
| Contact Data | Email address | GDPR Art. 6(1)(b) (Contract) | Until account deletion |
| Profile Data | Age, gender, weight, activity level | GDPR Art. 6(1)(b) (Contract) | Until account deletion |
| Health Data (GDPR Art. 9) | Supplement intake, health goals, sleep quality, stress level, training data | GDPR Art. 9(2)(a) (Explicit consent) | Until account deletion or consent withdrawal |
| Usage Data | Consents, timestamps, IP address at registration | GDPR Art. 6(1)(f) (Legitimate interest: proof) | 3 years after account deletion (proof obligation) |
| Authentication Data | OAuth sessions, tokens | GDPR Art. 6(1)(b) (Contract) | Until session end / token expiry |
(1) Supplement intake data, health goals, and daily context data (sleep quality, stress level, training data) constitute health data within the meaning of GDPR Article 9. Your supplement list may reveal nutritional deficiencies, prevention interests, or possible health conditions.
(2) Processing is carried out exclusively on the basis of your explicit consent pursuant to GDPR Art. 9(2)(a). This consent is obtained separately and granularly during registration. Consent must be voluntary, informed, specific, and unambiguous. VitalStack documents the date of consent.
(3) Consent may be withdrawn at any time with effect for the future (GDPR Art. 7(3)). Withdrawal can be done via your AI assistant, by email, or via the REST API. The lawfulness of processing carried out prior to withdrawal remains unaffected. Withdrawal has no disadvantages for your use of VitalStack.
VitalStack operates an MCP interface (Model Context Protocol). When you connect your AI assistant (e.g., Claude, ChatGPT) to VitalStack, your assistant can retrieve your supplement data via this interface to provide personalized responses.
Important: VitalStack does not proactively send your data to AI providers. Data flows only when your AI assistant queries VitalStack at your request. You control this connection entirely.
VitalStack is the data controller for data stored with us. Your AI provider (e.g., Anthropic, OpenAI) is an independent controller for the data it retrieves and is subject to its own privacy policies. VitalStack has no data processing agreement with these providers.
Via the MCP interface, your AI assistant can access the following depending on your query:
Not accessible via MCP: Password, payment data, email address.
VitalStack returns only the data relevant to the specific query (data minimization pursuant to GDPR Art. 5(1)(c)).
Providing data via the MCP interface is based on:
You provide consent when activating the MCP connection.
You can disconnect the MCP connection in your AI assistant at any time. VitalStack will then no longer provide any data. Data already retrieved by your AI provider can only be deleted directly with that provider.
Your data is stored with Supabase Inc. in the EU region Frankfurt (AWS eu-central-1). A Data Processing Agreement (DPA) pursuant to GDPR Art. 28 is in place.
The server application is operated via Vercel Inc. (USA) as a serverless runtime (region Frankfurt, fra1). Vercel serves solely as an execution environment for the application logic. No personal data is persistently stored at Vercel; all data is stored exclusively in the Supabase database. Vercel processes request data (IP address, request headers) only transiently in memory. The Vercel Privacy Policy and the guarantees of the EU-US Data Privacy Framework apply.
Magic link emails are sent via Supabase's built-in email service.
(a) Own processors: Vercel Inc. is based in the United States and processes request data transiently in the Frankfurt region. The transfer is based on the EU-US Data Privacy Framework and a Data Processing Agreement. Supabase stores your data exclusively in the EU (Frankfurt).
(b) AI providers: VitalStack has no data processing agreement and no Standard Contractual Clauses (SCC) with AI providers such as Anthropic or OpenAI. Data retrieval is performed exclusively by your AI assistant at your direction. Anthropic and OpenAI are based in the United States and act as independent controllers for the data they retrieve. Their own privacy policies apply.
Risk notice: US authorities may, under certain circumstances, access data held by US providers (e.g., under FISA). If you do not wish to accept this risk, disconnect the MCP connection in your AI assistant.
(1) The service uses no tracking cookies and no analytics tools.
(2) During registration, browser session storage (sessionStorage) is used temporarily to transfer consents between the login page and the callback page. This data is automatically deleted after registration and does not survive a browser restart.
You have the following rights regarding your personal data:
Exercising these rights has no negative consequences for your use of VitalStack.
To exercise your rights, contact: privacy@vital-stack.com. We respond within 30 days.
You have the right to lodge a complaint with a data protection supervisory authority (GDPR Art. 77). The competent supervisory authority for the provider is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Website: www.datenschutzzentrum.de
We reserve the right to update this privacy policy as needed to reflect changes in law or the service. The current version is available at /legal/privacy.