VÆN

Privacy Policy

Last updated: May 5, 2026

Our Commitment

Your data exists to serve you, not us. VÆN is built on honesty, and that includes how we handle your information. This policy explains what we collect, why, and what we do with it. No legal jargon designed to confuse. Straight answers.

Data Controller

VÆN ("we", "our", "us") is the data controller responsible for your personal data. For any privacy questions, contact us at privacy@vaen.cc.

What We Collect

Account Data

Email address, name (optional), and account preferences. Collected when you sign up. Legal basis: contract performance.

Health & Wellness Data (Special Category)

Journal entries, mood data, fitness metrics, sleep data, nutrition logs, biometric data from connected apps. Only collected with your explicit consent. You choose what to share. Legal basis: explicit consent (GDPR Art. 9(2)(a)).

Usage Data

Anonymous analytics: pages visited, features used, session duration. No tracking across sites. No advertising profiles. Legal basis: legitimate interest.

Integration Data

Data from connected apps. At launch: Apple Health (HealthKit) and Google Fit (Health Connect). Additional integrations (Oura, Strava, Whoop, Garmin) roll out in the months after launch. Only what you explicitly authorize. We access data, not accounts. Legal basis: explicit consent.

How We Use Your Data

- Personalize your VÆN OS dashboard and AI insights

- Enable cross-extension intelligence between your modules

- Improve our product based on aggregate, anonymized patterns

- Send you communications you've opted into (newsletter, updates)

- Process payments and manage your account

Legal Basis for Processing

Contract Performance (GDPR Art. 6(1)(b))

Account creation, providing VÆN OS features and extensions, processing payments, managing your subscription.

Explicit Consent (GDPR Art. 6(1)(a) and Art. 9(2)(a))

Health and wellness data processing (mood, energy, journal entries, fitness metrics). You grant this consent during onboarding and can withdraw it at any time.

Legitimate Interest (GDPR Art. 6(1)(f))

Error monitoring and service stability (Sentry), fraud prevention, security measures, and anonymous usage analytics (Plausible).

Legal Obligation (GDPR Art. 6(1)(c))

Financial record keeping (7 years as required by Belgian law), responding to legal requests from authorities.

What We Never Do

- Sell your data to anyone

- Share your data with advertisers

- Use your personal data to train AI models

- Create advertising profiles from your health data

- Retain data after you request deletion

AI Personalization

VÆN uses AI to provide personalized insights based on your data. This AI processing happens within your account context only. Your data is not used to train or improve AI models. AI-generated insights are observations and suggestions, not medical advice, diagnoses, or professional recommendations.

Data Storage & Security

- All data encrypted at rest (AES-256) and in transit (TLS 1.3)

- Health data receives additional encryption layers

- Servers located in the EU (GDPR jurisdiction)

- Regular security audits and penetration testing

- Minimal data access: only essential personnel, logged access

Data Retention

- Account data: retained while your account is active

- Health data: retained while your account is active + 30 days after deletion request

- Usage analytics: anonymized and aggregated after 90 days

- Email communications: until you unsubscribe

- Payment data: as required by law (typically 7 years for financial records)

Your Rights (GDPR)

- Access: Request a copy of all your data

- Rectification: Correct inaccurate data

- Erasure: Request full deletion of your data

- Portability: Export your data in a standard format

- Restriction: Limit how we process your data

- Objection: Object to data processing based on legitimate interest

- Withdraw consent: Revoke any consent at any time

To exercise any right, email privacy@vaen.cc. We respond within 30 days.

Cookies

Essential cookies: Session management, authentication, security, and preferences. Required for the site to function. Legal basis: contract performance.

Analytics: We use Plausible for website analytics. Plausible is cookieless and does not track individuals across sites. No analytics cookies are set.

Error monitoring: Sentry may store a local session identifier to group error reports. This is classified as an essential cookie for service stability.

We do not use advertising, marketing, or third-party tracking cookies.

Third-Party Services

Data Infrastructure

- Supabase: Database, authentication, and file storage. EU-hosted servers. Processes account data, health data (with consent), and usage records.

- Vercel: Application hosting and edge network. May process IP addresses and request metadata for performance optimization.

- Upstash: Rate limiting and request throttling. Processes anonymized request data only. No personal data stored.

Payments

- Stripe: Payment processing and subscription management. Processes billing details, payment method information, and transaction history. VÆN does not store your payment card details directly.

Communications

- Resend: Transactional and marketing emails (welcome messages, receipts, newsletter). Processes your email address and name.

Analytics and Monitoring

- Plausible: Privacy-first website analytics. Plausible does not use cookies, does not collect personal data, and is hosted in the EU. We see aggregate page views, referral sources, and device types only.

- Sentry: Error monitoring and performance tracking. When an error occurs, Sentry captures technical context including page URL, browser type, and device information. Sentry may also record a session replay (a reconstruction of your screen activity) when errors happen, to help us identify and fix issues. No health or wellness data is intentionally included in error reports. Session replays are retained for 90 days.

Media

- Cloudinary: Image and media hosting. Processes uploaded media files only.

Integrations

- At launch: Apple Health (HealthKit) and Google Fit (Health Connect). Additional integrations (Oura, Strava, Whoop, Garmin) roll out in the months after launch. Only data you explicitly authorize. We access data, not accounts.

All third-party services operate under Data Processing Agreements (DPAs) compliant with GDPR requirements. For services based outside the EU, Standard Contractual Clauses are in place.

International Data Transfers

Some of our service providers (Vercel, Stripe, Resend, Sentry, Cloudinary) are based in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) as approved by the European Commission. Supabase and Plausible host data within the EU. These transfers comply with GDPR Chapter V requirements.

Medical Disclaimer

VÆN is not a medical device. The platform provides lifestyle and performance insights only. It does not diagnose, treat, cure, or prevent any disease or medical condition. Health data insights are observations, not medical advice. For any health concerns, consult a qualified medical professional.

Children's Privacy

VÆN is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete that data immediately. If you are a parent or guardian and believe your child has provided data to VÆN, please contact us at privacy@vaen.cc.

Social Media & Third-Party Platforms

VÆN operates official accounts on X (Twitter), Instagram, TikTok, and YouTube. When you interact with VÆN through these platforms:

- The platform's own privacy policy applies to your use of their service.

- We do not collect personal data from your social media profiles unless you explicitly share it with us.

- We use automated scheduling tools to publish brand content. No personal user data is used in this process.

- Comments, likes, or follows on our social channels do not create a data processing relationship under GDPR.

- We may use aggregate, anonymized engagement metrics (likes, views, reach) for internal analytics. No individual user data is processed.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach poses a high risk to you personally, we will also notify you directly via email without undue delay, including the nature of the breach, likely consequences, and measures taken.

Automated Decision-Making

VÆN uses AI to generate personalized insights and recommendations based on your data. These AI outputs are informational only and do not constitute automated decision-making with legal or similarly significant effects as defined by GDPR Article 22. You are never subject to decisions based solely on automated processing that produce legal effects or significantly affect you. All AI-generated insights are suggestions; you always retain full control over your actions and decisions.

Data Protection

For all data protection inquiries, including exercising your GDPR rights, data access requests, and breach notifications, contact us at privacy@vaen.cc. We will respond within 30 days as required by GDPR. For complex requests, we may extend this by 60 days with prior notification.

Changes to This Policy

We'll notify you of significant changes via email. Minor updates will be reflected in the "last updated" date. We recommend reviewing this policy periodically.

Contact

For privacy questions or to exercise your rights: privacy@vaen.cc

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority: Gegevensbeschermingsautoriteit (GBA), Drukpersstraat 35, 1000 Brussel, contact@apd-gba.be. If you reside outside Belgium, you may also contact your local data protection authority.