Open Vitals

Privacy Policy

Last updated: May 25, 2026 · Operated by Exapta Labs (sole proprietor — Robson Tedim)

Overview

Open Vitals ("the App") syncs Apple HealthKit data from your iPhone to a destination of your choice — your own server, an AI agent, or a cloud relay. Your health data belongs to you.

Data We Collect

Health Data (via Apple HealthKit)

  • Activity metrics (steps, distance, calories, exercise)
  • Heart metrics (heart rate, HRV, SpO2, respiratory rate)
  • Sleep data (duration, stages, efficiency)
  • Body measurements (weight, height, BMI, body fat)
  • Workout data (type, duration, calories, heart rate)
  • Other HealthKit categories you explicitly enable

We do NOT store your health data on our servers. Data is either:

  • Sent directly to your own server (Local Sync mode), or
  • Encrypted end-to-end and relayed through our cloud service (API Sync mode), where it is held for a maximum of 15 minutes before automatic deletion.

Relay Data (API Sync mode only)

  • A unique device identifier (generated at pairing)
  • Authentication tokens (stored as cryptographic hashes)
  • Encrypted health payloads (held max 15 minutes, then auto-deleted)

What We Do NOT Collect

  • Your name, email, or contact information
  • Your Apple ID
  • Location data
  • Advertising identifiers
  • Usage analytics or tracking data

End-to-End Encryption

When using API Sync mode, your health data is encrypted on your device using X25519 key exchange and ChaCha20-Poly1305 before leaving your iPhone. The relay server cannot read your health data — it only passes encrypted blobs.

Data Retention

Data                        Retention
Health payloads (relay)     Max 15 minutes, then auto-deleted
Authentication tokens       Until you disconnect
Pairing data                Until you disconnect
Health data (local sync)    Stored on your own server — your responsibility

Third-Party Services

  • Apple HealthKit — Used to read health data with your explicit permission. We comply with Apple's HealthKit guidelines.
  • Cloudflare Workers — Powers the cloud relay. Subject to Cloudflare's Privacy Policy.

We do NOT use analytics services, advertising networks, or social media SDKs.

Your Rights

  • Disconnect anytime: Remove the pairing from Settings → Cloud Relay → Disconnect. All relay data is deleted immediately.
  • Revoke HealthKit access: Go to iPhone Settings → Health → Data Access → Open Vitals → Turn Off All.
  • Delete your data: Since we don't store health data, there's nothing to delete on our side. Local data is on your own server.

Children's Privacy

Open Vitals is not directed at children under 13. We do not knowingly collect data from children.

Changes to This Policy

We may update this policy. Changes will be posted here with an updated date.

Contact

For privacy questions: privacy@exaptalabs.com
For general support: support@exaptalabs.com

Operator address: available on request at the email above.
