Last updated: May 14, 2026
1. Data Controller
The Data Controller is:
VYDA SPA
Via Monte Napoleone 8, 20121 Milan (MI), Italy
PEC: vydaspa@pec.it
REA: MI - 2780222
P.IVA: 14396170962
2. Types of Data Collected
Among the Personal Data collected by this Application, either independently or through third parties, there are:
- Usage data: Automatically collected information (e.g., IP addresses, access times, pages visited).
- Contact details: name, surname, email address.
- Biometric data: Heart rate, HRV, SpO₂, body temperature, sleep data (via VYDA app only).
- Location data: GPS location (only with explicit consent).
3. Purpose of the Processing
User Data is collected to allow the Owner to provide its Services, as well as for the following purposes:
- Waitlist registration and promotional communications.
- Provision of fitness and wellness monitoring service via VYDA Bracelet device.
- User experience analysis and personalization through AI Coach.
- Improving our products and services.
- Fulfillment of legal and tax obligations.
- Handling customer support requests.
4. Legal Basis of the Processing
The Data Controller processes the Personal Data relating to the User if one of the following conditions applies:
- The User has given consent for one or more specific purposes.
- Processing is necessary for the performance of a contract with the User.
- Processing is necessary to comply with a legal obligation.
- Processing is necessary for the pursuit of the legitimate interest of the Data Controller.
5. Processing Methods
The Data Controller takes appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of Personal Data.
Processing is carried out using IT and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated.
Technical Security Measures
- End-to-end encryption for biometric data transmission between device and server.
- Data encryption at rest on cloud servers.
- HTTPS/TLS protocols for all communications.
- Automatic daily backups with secure storage.
- Two-factor authentication for administrative access.
- Access logs and monitoring of anomalous activities.
- Intrusion detection and prevention systems.
External Data Processors
In addition to the Data Controller, in some cases, other parties involved in the organization (administrative, commercial, marketing, legal, system administrators) or external parties designated as Data Processors pursuant to Art. 28 GDPR may have access to the Data, including:
- Cloud Provider and Hosting: for the provision of server and database infrastructure.
- OpenAI: for processing requests to the AI Coach (biometric data is anonymized before sending).
- Email Services: for sending transactional and service communications.
- Analysis Services: for aggregated and anonymized statistics on app usage.
All External Processors are contractually bound to comply with the GDPR and data protection regulations.
6. Data Retention
The Data is processed and stored for the time required for the purposes for which it was collected. The specific retention periods for each type of data are as follows:
- Account data (name, email, credentials): retained for the entire duration of the contractual relationship and up to 30 days after the account is deleted.
- Biometric data (heart rate, HRV, SpO₂, body temperature, sleep data): retained for up to 5 years from the user's last activity, or until the account is deleted.
- GPS location data (sports activity paths): retained for a maximum of 5 years from the user's last activity, or until the account is deleted.
- ECG recordings: retained for a maximum of 5 years from the user's last activity, or until the account is deleted.
- AI Coach Conversation History: retained for a maximum of 12 months from the last interaction, or until manually deleted by the user.
- Nutritional and hydration data: retained for a maximum of 5 years from the user's last activity, or until the account is deleted.
- Usage data (logs, IP, pages visited): stored for a maximum of 24 months.
- Data for marketing purposes: until the user revokes consent.
At the end of the retention period or following a request for deletion, the data will be permanently and irreversibly deleted within 30 days of the request, with the exception of data that the Data Controller is required to retain for legal obligations (e.g. tax and accounting data retained for 10 years pursuant to art. 2220 c.c. ).
7. Deletion of Data and Account
The User has the right to request deletion of their account and all personal data associated with it. Deletion can be requested in the following ways:
- From the VYDA app: by going to Settings → Accounts → Delete Account.
- By email: by sending a request to vydaspa@pec.it specifying your email address associated with the account.
Following the cancellation request:
- All personal data (biometric data, ECG recordings, GPS routes, AI history, nutritional data) will be permanently deleted within 30 days of your request.
- Anonymized and aggregated data, which cannot be traced back to the user, may be stored for statistical purposes.
- Any data that the Data Controller is required to retain for legal obligations (security, fraud prevention, tax compliance) will be retained for the period required by law and subsequently deleted.
The deletion is irreversible. Once completed, it will not be possible to recover the deleted data.
8. User Rights
Users may exercise certain rights regarding the Data processed by the Data Controller. In particular, the User has the right to:
- Access: obtain confirmation that Personal Data is being processed and receive a copy of it.
- Correction: obtain the correction of inaccurate or incomplete Data.
- Cancellation: obtain the deletion of your Data (see section 7).
- Limitation: obtain restriction of processing.
- Portability: receive the Data in a structured, commonly used and machine-readable format.
- Opposition: object to the processing of your data.
- Withdrawal of consent: withdraw consent at any time without prejudice to the lawfulness of processing based on consent before its withdrawal.
To exercise your rights, the User can:
- Send a request via certified email to: vydaspa@pec.it
- Use the data management features available in the VYDA app (Settings → Account).
The Data Controller undertakes to respond within 30 days of receiving the request. The User also has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
9. Data Transfer
The User's Personal Data may be transferred to a country other than the one in which the User is located. In the event of transfer to third countries, the Data Controller ensures that the transfer is carried out in compliance with the provisions of the GDPR.
Guarantees for Transfers Outside the EU
- Exclusive use of certified suppliers compliant with European Commission adequacy standards.
- Adoption of the Standard Contractual Clauses (SCC) approved by the European Commission.
- Data Privacy Framework (DPF) compliance for transfers to the United States.
- Periodic risk assessments for international transfers.
10. Changes to the Privacy Policy
The Data Controller reserves the right to make changes to this privacy policy at any time. Users will be informed on this page and, if technically and legally possible, through notification to Users.
11. Contacts
For any questions regarding this Privacy Policy, you can contact us:
PEC Email: vydaspa@pec.it
Address: Via Monte Napoleone 8, 20121 Milan (MI), Italy
