
Privacy Policy

Last updated: April 13, 2026

Vitality, Inc., a Delaware C-Corporation (“Vitality,” “we,” “us,” or “our”), is committed to protecting your privacy, including the privacy of your genetic information. This Privacy Policy describes how we collect, use, store, share, and protect your personal data — including genetic data — when you use our website, services, and products.

By using our services, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use our services.

1. Information We Collect

1.1 Personal Information

When you create an account or purchase a membership, we collect: name, email address, shipping address, phone number, date of birth, and payment information. Payment data is processed directly by our third-party payment processor (Stripe, Inc.) and is not stored on Vitality servers.

1.2 Genetic Data

When you submit a DNA sample through our at-home collection kit, your sample is processed by our CLIA-certified, CAP-accredited, HIPAA-compliant diagnostic partner (Dynamic DNA Labs, Springfield, MO; CLIA #26D2106631). The laboratory genotypes approximately 710,000 single nucleotide polymorphisms (SNPs) from your sample. We receive the resulting digital genotype data to generate your personalized supplement formula.

Your genetic data is collected and processed only with your explicit, informed consent. Before your sample is processed, you will be asked to provide affirmative consent to the collection, analysis, and storage of your genetic information for the specific purposes described in this policy.

1.3 Usage and Device Information

We automatically collect standard usage data when you visit our website, including: IP address, browser type and version, operating system, device identifiers, pages visited, time spent on pages, referring URLs, and interaction data. This data is collected through cookies and similar tracking technologies (see Section 9).

2. How We Use Your Information

2.1 Genetic Data — Limited Use

Your genetic data is used solely and exclusively for:

  • Filtering your genotype data to our curated panel of 200+ supplement-related SNP markers
  • Evaluating those markers through our proprietary rules engine to determine your custom formula
  • Generating a supplement specification sent to our manufacturing partner for production
  • Presenting personalized genetic insights to you through your member dashboard

We do not use your genetic data for marketing, advertising, research, insurance underwriting, employment decisions, or any purpose other than supplement personalization and delivering your genetic insights.

2.2 Personal Information

We use your personal information to:

  • Process your membership, orders, and payments
  • Ship your DNA kit and supplement products
  • Communicate with you about your account, orders, and formula
  • Send marketing communications (with your consent; you may opt out at any time)
  • Comply with legal obligations

3. Genetic Data — Storage, Retention, and Deletion

3.1 Physical Samples

Your physical DNA sample (cheek swab) is processed at our CLIA-certified partner laboratory. After genotyping is complete, your physical sample is destroyed in accordance with the laboratory's standard protocols. We do not retain physical biological samples.

3.2 Digital Genotype Data

Your digital genotype data is stored on encrypted servers with access controls limited to authorized personnel. Data is encrypted both at rest (AES-256 or equivalent) and in transit (TLS 1.2+). We retain your genetic data for as long as your membership is active plus 90 days, after which it is deleted unless you request earlier deletion or request that we retain it for future formula reorders.

3.3 Your Right to Deletion

You may request complete deletion of your genetic data at any time by emailing hello@vitalityformulas.co. Upon receiving your verified request, we will delete your genetic data from our systems within 30 days and confirm deletion in writing. Once deleted, we will no longer be able to remanufacture your formula without a new DNA test.

4. Third-Party Data Sharing

We share your information only in the following limited circumstances:

  • Diagnostic laboratory partner (Dynamic DNA Labs): Your DNA sample and associated identifiers are shared with our partner laboratory solely for genotyping purposes. Dynamic DNA Labs is CLIA-certified, CAP-accredited, and HIPAA-compliant. They do not retain your data after results are delivered to us, except as required by CLIA regulations.
  • Manufacturing partner (Personalized Nutrients): Your formula specification — ingredients and dosages only, not raw genetic data — is shared with our manufacturing partner to produce your supplement.
  • Payment processor (Stripe, Inc.): Payment information is processed by Stripe in accordance with their privacy policy and PCI DSS standards.
  • Analytics providers: We may use third-party analytics services (e.g., Google Analytics, Mixpanel) that collect anonymized usage data. These services do not receive genetic data or personally identifiable health information.
  • Legal requirements: We may disclose information if required to do so by law, regulation, subpoena, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

We never sell your genetic data. We never share your genetic data with insurance companies, employers, data brokers, or third parties for marketing, research, or any purpose other than those described above.

5. GINA — Genetic Information Nondiscrimination Act

The Genetic Information Nondiscrimination Act (GINA) is a federal law that prohibits discrimination based on genetic information in health insurance and employment. Under GINA, health insurers may not use genetic information to make coverage or premium decisions, and employers may not use genetic information in hiring, firing, or promotion decisions.

Vitality acknowledges and supports GINA protections. We do not provide genetic information to health insurers, employers, or any entity that could use it for discriminatory purposes. However, please be aware that GINA does not apply to life insurance, disability insurance, or long-term care insurance.

6. State Genetic Privacy Laws

6.1 California — CalGIPA

Under the California Genetic Information Privacy Act (Cal. Civ. Code §56.18 et seq.), we are required to obtain your express consent before collecting, analyzing, or sharing your genetic information. We collect genetic information only after you provide informed, written (electronic) consent. You have the right to revoke consent and request destruction of your genetic data at any time.

6.2 Florida

Under Florida law (Fla. Stat. §760.40), DNA analysis results are the exclusive property of the person tested. We recognize your ownership of your genetic data. We do not perform DNA analysis without your informed consent, and we do not disclose results to any third party without your authorization except as described in Section 4.

6.3 Texas

Under the Texas Genetic Privacy Act (Tex. Bus. & Com. Code §503.001 et seq.), genetic information may not be collected, retained, or disclosed without the individual's informed, written consent. We comply with Texas requirements by obtaining express consent before processing your sample and by providing deletion rights as described in Section 3.3.

7. HIPAA Non-Applicability

Vitality, Inc. is not a “covered entity” or “business associate” as defined under the Health Insurance Portability and Accountability Act (HIPAA). We are a direct-to-consumer dietary supplement company, not a healthcare provider, health plan, or healthcare clearinghouse.

While we are not subject to HIPAA, we voluntarily adopt security and privacy practices that meet or exceed HIPAA standards for the protection of your genetic data, including encryption, access controls, audit logging, and breach notification procedures.

Our diagnostic laboratory partner (Dynamic DNA Labs) is HIPAA-compliant in their capacity as a clinical laboratory and handles your physical sample under their own HIPAA obligations.

8. California Consumer Privacy Act (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”):

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the third parties with whom we share it.
  • Right to delete: You may request deletion of personal information we have collected from you, subject to certain legal exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
  • Right to limit use of sensitive personal information: Genetic data is classified as sensitive personal information under CCPA. We use it only for the purposes disclosed in this policy and will not use it for purposes beyond what is necessary to provide our services.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, email hello@vitalityformulas.co with the subject line “CCPA Request.” We will verify your identity before processing any request and respond within 45 days.

9. Cookies and Tracking Technologies

We use the following types of cookies and tracking technologies:

  • Strictly necessary cookies: Required for site functionality (authentication, security, cart). Cannot be disabled.
  • Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics). Anonymized and aggregated.
  • Marketing cookies: Used to deliver relevant advertising and measure campaign effectiveness. Only set with your consent.

You can control cookie preferences through your browser settings or through our cookie consent banner. Disabling certain cookies may limit site functionality.

We do not use cookies or tracking technologies to collect, transmit, or correlate genetic data with browsing behavior.

10. European Economic Area (GDPR)

If you access our services from the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Lawful basis: We process your data based on your explicit consent (for genetic data) and contractual necessity (for service delivery).
  • Right of access: You may request a copy of all personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate data.
  • Right to erasure: You may request deletion of your data (“right to be forgotten”).
  • Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
  • Right to restrict processing: You may request that we limit how we use your data.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to withdraw consent: You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

To exercise GDPR rights, email hello@vitalityformulas.co with the subject line “GDPR Request.” You also have the right to lodge a complaint with your local data protection authority.

International transfers: Your data is processed in the United States. By using our services, you consent to the transfer of your data to the U.S. We implement appropriate safeguards for international transfers, including standard contractual clauses where applicable.

11. Children's Privacy (COPPA)

Vitality services are intended exclusively for adults aged 18 and older. We do not knowingly collect personal information, genetic data, or any other data from children under the age of 18 (or under the age of 16 for residents of the EEA).

If we become aware that we have inadvertently collected data from a person under the applicable age, we will promptly delete that data and any associated genetic information. If you believe we have collected data from a minor, please contact us immediately at hello@vitalityformulas.co.

12. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal or genetic data, Vitality commits to:

  • Notifying affected individuals by email within 72 hours of confirming the breach
  • Notifying applicable state attorneys general and regulatory authorities as required by law
  • Providing a clear description of the nature of the breach, the data involved, and the steps we are taking to mitigate harm
  • Offering appropriate remediation measures, which may include credit monitoring services

We maintain an incident response plan that is reviewed and tested regularly. Our breach notification procedures comply with the notification requirements of all U.S. states in which we operate, including California (Cal. Civ. Code §1798.82), Texas (Tex. Bus. & Com. Code §521.053), Florida (Fla. Stat. §501.171), and the GDPR (Article 33/34) where applicable.

13. Data Retention

We retain your personal information for as long as your account is active plus a reasonable period to fulfill legal and business obligations. Specific retention periods:

  • Genetic data: Active membership + 90 days, or until you request deletion (whichever is sooner)
  • Account information: Active membership + 2 years
  • Billing records: 7 years (as required by tax law)
  • Usage/analytics data: 26 months
  • Marketing consent records: Duration of consent + 3 years

14. Security

We implement administrative, technical, and physical safeguards to protect your data:

  • Encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2+)
  • Role-based access controls with multi-factor authentication
  • Regular security audits and penetration testing
  • Employee security training and background checks for personnel with data access
  • Genetic data stored separately from personally identifiable information where feasible (pseudonymization)

No system is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least 30 days' advance notice of material changes by: (a) updating the “Last updated” date; (b) sending email notification to the address on your account; and (c) displaying a prominent notice on our website. Your continued use of our services after the effective date constitutes acceptance of the revised policy.

For changes that materially affect how we use or share genetic data, we will seek your renewed consent before the changes take effect.

16. Contact

If you have questions about this Privacy Policy, your data, or wish to exercise any of your rights, please contact:

Vitality, Inc.
Attn: Privacy
Austin, TX
Email: hello@vitalityformulas.co