Your privacy matters to us. This policy explains what personal data VYVE Health CIC collects, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018. We process health-related data and take our obligations seriously. If you have any questions, contact us at team@vyvehealth.co.uk.
1. Who we are
VYVE Health CIC (“VYVE”, “we”, “us”, “our”) is a UK-based workforce wellbeing platform registered as a Community Interest Company in England and Wales. We are the data controller for personal data collected through our website (www.vyvehealth.co.uk), member portal (online.vyvehealth.co.uk), and related services.
We are registered with the Information Commissioner’s Office (ICO) under registration number 00013608608.
ICO Registration Number: 00013608608
Contact us at: team@vyvehealth.co.uk
A Data Processing Agreement (DPA) is available for enterprise clients and employer partners upon request. Please contact us at team@vyvehealth.co.uk with the subject line “DPA Request”.
2. Data we collect
When you create an account or are onboarded as a member
- Full name and email address
- Employer name (for corporate members)
- Age and gender (optional, used for personalisation)
- Date of account creation and onboarding responses
- Authentication credentials (managed securely via Supabase Auth)
When you use the VYVE member portal
- Activity logs — workouts (including exercise names, sets, reps, and weight), cardio sessions, daily habits, and weekly check-ins completed
- Nutrition data — TDEE estimates, macro targets, hydration logs, and food diary entries (where used)
- Session engagement data — live sessions and replay content viewed, duration watched
- Wellbeing check-in responses — mood and wellbeing scores across multiple dimensions
- Habit tracking data — daily habit selections, streaks, and completion records
- Workout programme data — assigned plans, progress through programmes, and custom workouts built
- Q&A and education content completions
- Page visits and navigation behaviour within the portal
- Device type and browser information
When you contact us
- Name, email address, and the content of your enquiry
- Company details (for employer enquiries)
Automatically collected data
- IP address and approximate location
- Browser and device information
- Pages visited and time spent on our websites
- Referral source
3. How we use your data
We use your personal data to:
- Create and manage your VYVE membership account
- Deliver the VYVE platform — including live sessions, replay content, habit tracking, workout programmes, nutrition tools, and wellbeing check-ins
- Generate personalised AI-powered content including workout recommendations and wellbeing coaching, using your profile and activity data
- Track your activity and progress within the platform
- Display your personalised wellbeing dashboard
- Send service emails — including account confirmations, milestone certificates, and re-engagement notifications
- Generate aggregated, anonymised engagement reports for your employer (where applicable) — individual data is never shared with employers
- Improve the VYVE service through analysis of platform usage
- Respond to enquiries and support requests
- Comply with legal and regulatory obligations
4. Legal basis for processing
We process your personal data on the following legal bases under UK GDPR:
- Contract performance — processing necessary to deliver the VYVE membership service you have signed up for
- Legitimate interests — improving the platform, preventing fraud, and maintaining platform security, where these do not override your rights
- Legal obligation — where we are required to process data to comply with applicable law
- Consent — for any optional processing, including marketing communications and AI-powered features, where we will always ask for your explicit consent first
For health and wellbeing data (which is special category data under UK GDPR), we rely on your explicit consent provided during onboarding.
5. Health and wellbeing data
VYVE collects data that may constitute health data under UK GDPR, including wellbeing scores, mood check-ins, physical activity logs, workout and nutrition data, and engagement with mental health content. This is classified as special category data and is subject to additional protections.
We process this data only:
- With your explicit consent, given during the onboarding process
- To deliver the personalised wellbeing service you have signed up for
- To generate AI-powered coaching recommendations tailored to your goals and profile
- In aggregated, anonymised form for employer reporting — no individual health data is ever shared with your employer
You may withdraw consent for health data processing at any time by contacting us at team@vyvehealth.co.uk. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal but may mean we are unable to continue providing the full VYVE service.
6. Who we share data with
We do not sell your personal data. We share data only where necessary to deliver our service, with the following categories of third parties:
- Supabase — our primary data store and authentication provider. All member data is stored in Supabase infrastructure located in the EU West (Ireland) region. Supabase is SOC 2 Type II certified and GDPR compliant.
- Brevo — transactional email delivery (account confirmations, certificates, re-engagement notifications). EU-based. A Data Processing Agreement is in place.
- Anthropic — AI-powered coaching recommendations and wellbeing content are generated via the Anthropic API. Prompts include pseudonymised profile data. A Data Processing Addendum is in place with Anthropic.
- PostHog — behavioural analytics within the member portal, linked to your authenticated identity. Used to understand platform usage and improve the service.
- Stripe — payment processing for individual memberships. Stripe is PCI DSS compliant. VYVE does not store card details.
- GitHub (Microsoft) — our member portal and marketing site are hosted via GitHub Pages. No personal member data is stored in GitHub repositories.
- YouTube (Google) — live session and replay content is hosted on unlisted YouTube channels embedded in the portal. YouTube’s privacy policy applies to embedded video content.
- Your employer — where you are a corporate member, your employer receives aggregated, anonymised engagement data only. Your name, individual activity data, and health information are never shared with your employer.
All third-party processors are required to handle your data securely and only for the purposes we specify. We do not transfer personal data outside the UK/EEA without appropriate safeguards in place (Standard Contractual Clauses or UK International Data Transfer Agreements where applicable).
7. How long we keep your data
- Member account data — retained for the duration of your membership and for 12 months after cancellation, after which it is deleted or anonymised
- Activity and engagement logs — retained for 24 months to support progress tracking and reporting, then anonymised
- Wellbeing check-in responses — retained for 12 months, then anonymised
- Nutrition and food diary data — retained for 12 months after last use, then deleted
- Enquiry and contact data — retained for 12 months after last contact
- Financial records — retained for 7 years as required by UK law
You may request early deletion of your data at any time (see Your Rights below). Our full Data Retention Policy is available upon request.
8. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data (“right to be forgotten”), subject to certain exceptions
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format (CSV)
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent for any consent-based processing at any time
To exercise any of these rights, contact us at team@vyvehealth.co.uk with the subject line “Data Privacy Request”. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk · 0303 123 1113.
9. Cookies and analytics
Our websites use cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication and basic site functionality (Supabase Auth session management)
- Local storage — the member portal uses browser local storage to cache your profile and activity data for performance, reducing load times on repeat visits
- Analytics cookies — PostHog is used to track member behaviour within the portal to help us improve the service. Analytics data is linked to your authenticated identity within the platform.
- YouTube embedded content — session replay content is delivered via embedded YouTube players, which may set their own cookies. YouTube’s privacy policy applies to this content.
You can control cookies through your browser settings. Disabling essential cookies may affect your ability to log in and use the platform.
10. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures including:
- Authentication managed via Supabase Auth with invite-only access controls and secure session management
- All member data stored in Supabase (EU West, Ireland) with encryption at rest, row-level security, and immutable audit logging
- HTTPS encryption enforced across all VYVE web properties and API endpoints
- All API credentials and keys stored server-side only in Supabase Edge Functions — never in client-facing code
- Automated point-in-time database backups provided by Supabase Pro infrastructure
- Employer-facing reporting returns aggregated data only — no individual PII is ever exposed via reporting endpoints
- Access controls limiting who within VYVE can access personal data on a need-to-know basis
- Regular review of our data processing activities and third-party processors
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify members by email and update the “Last updated” date at the top of this page. Your continued use of the VYVE platform after changes are published constitutes acceptance of the updated policy.