Privacy policy.

Last updated: 27 October 2025

Plain‑English summary: We only collect what we need to run the site, answer your messages, improve our service, and - if you opt in - send you updates. We don’t sell your personal data. Ever. Read on for the full legal detail.

1) Who we are (the controller)

  • Legal name: vitaOS.

  • Trading name: vitaOS.

  • Registered address: TBA.

  • Contact email for privacy matters: LIFE@vitaOS.co.uk.

This policy covers personal data processed when you use www.vitaos.co.uk (the “Site”). If you are looking for the L!FE app privacy details, that’s a separate policy: [link to app privacy policy when ready].

We operate under the UK GDPR and the Data Protection Act 2018.

2) What we collect

We collect the minimum needed. That includes:

a) Information you provide directly

  • Contact forms: name, email, message content, and anything else you choose to include.

  • Newsletter sign‑ups: email address and preferences.

  • Support/feedback: details you submit when you ask for help or give feedback.

b) Information collected automatically

  • Basic analytics and diagnostics: IP address, device/browser type, pages viewed, referring URL, time spent, and similar usage data.

  • Cookies and similar technologies: see Cookies below.

c) Information from third parties

  • If you follow links from social media or embedded content (e.g. Instagram), those platforms may share limited information with us according to their settings and your permissions.

We do not knowingly collect special category data via the Site (health, biometric, political opinions, etc.). Don’t include sensitive information in free‑text fields.

3) Why we use your data and our lawful bases

We rely on one or more lawful bases under the UK GDPR for each purpose. Here’s the short, honest list:

Purpose | Examples | Lawful basis
Run and secure the Site | hosting, uptime, performance, fraud prevention | Legitimate interests (keeping the Site working and secure)
Respond to your enquiries | contact form replies, support emails | Legitimate interests or Contract (if your enquiry relates to a service you want us to provide)
Send you marketing you asked for | newsletters, product updates | Consent (you can withdraw any time)
Improve the Site | analytics, feature decisions | Consent (analytics cookies) and Legitimate interests where appropriate
Comply with law | regulatory/tax/legal obligations | Legal obligation

We don’t do automated decision‑making that produces legal or similarly significant effects via the Site.

4) Cookies & analytics

We use cookies and similar technologies for basic site operation and—if you agree—analytics and marketing.

  • Essential cookies (always on): needed to load pages, keep security features running, and remember minimal settings.

  • Analytics cookies (optional): help us understand what’s working so we can improve. Disabled unless you opt in.

  • Marketing/embedded media (optional): used when we embed content from third parties (e.g. Instagram). These services may set their own cookies.

You’ll see a cookie banner the first time you visit. Use it to accept, reject, or fine‑tune categories. You can change your choice any time via [Add “Cookie settings” link or instructions for Squarespace].

Typical providers (examples):

  • Hosting/CMS: Squarespace [confirm] — essential cookies for load balancing and security.

  • Analytics: Google Analytics/Tag Manager [confirm or remove] — usage stats; IP anonymisation recommended.

  • Email marketing: Mailchimp/ConvertKit [confirm or remove] — only if you sign up.

If you don’t want cookies at all, you can also block them in your browser. The Site may not function perfectly without essentials.

5) Who we share data with (processors & recipients)

We use trusted service providers who process personal data on our instructions:

  • Website host/CMS: Squarespace, Inc. [confirm] (site hosting, security, performance)

  • Analytics: Google LLC [confirm]

  • Email service / CRM: Mailchimp (Intuit), ConvertKit, or similar [confirm which]

  • Professional advisers: accountants, legal counsel (where necessary)

  • Authorities: if required by law or to protect rights/security

We sign data processing terms where appropriate. We don’t sell personal data. Full stop.

6) International transfers

Some providers are outside the UK (often the USA). Where that happens, we rely on UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU SCCs, or other lawful safeguards approved by the ICO. Provider‑specific details are available in their privacy documentation.

7) How long we keep your data (retention)

We keep data only as long as needed, then delete or anonymise it. Typical periods:

  • Enquiry emails and contact form submissions: up to 24 months.

  • Newsletter subscriber records: until you unsubscribe or we prune inactive lists.

  • Web server logs and security events: up to 12 months.

  • Analytics data: up to 26 months (or your configured GA retention).

  • Legal/contractual records: 6 years where required.

Actual periods may vary depending on legal obligations and operational needs.

8) Your rights (UK GDPR)

You have rights over your personal data, subject to limits in the law:

  • Access – a copy of your data.

  • Rectification – fix inaccurate or incomplete data.

  • Erasure – ask us to delete it.

  • Restriction – pause processing in certain cases.

  • Portability – receive your data in a structured, machine‑readable format.

  • Object – to processing based on legitimate interests or to direct marketing.

  • Withdraw consent – where processing relies on your consent.

To exercise these rights, contact us at [privacy@vitaos.co.uk]. We may need to verify your identity. If you’re unhappy, you can complain to the Information Commissioner’s Office (ICO): ico.org.uk or 0303 123 1113. We’d prefer to resolve it with you first.

9) Security

We use appropriate technical and organisational measures to protect personal data (TLS encryption in transit, access controls, least‑privilege accounts, and routine platform updates). No system is perfect; we can’t guarantee absolute security.

10) Third‑party links and embedded content

The Site may link to other websites or embed content (e.g. social posts). Those services operate their own privacy policies and cookies. We’re not responsible for their practices—check their notices.

11) Children

This Site isn’t intended for children under 13. We don’t knowingly collect personal data from children via the Site. If you think a child provided data, contact us and we’ll delete it.

12) Changes to this policy

When we make material changes, we’ll update the date at the top and, where appropriate, show a notice on the Site. Keep an eye on this page.

13) Contact us

If you run the L!FE app, remember: the app’s privacy policy is separate and will explain HealthKit and other app‑specific data.