Privacy policy
Last updated: 29 April 2026
Effective date: 22 April 2026
Who we are
This Privacy Policy ("Policy") describes how DAILYHEALTH SL, a Spanish limited liability company ("Sociedad Limitada") with tax identification number B72489370 and registered office at Calle San Andrés 139, 10º D, 15003 A Coruña, Spain, operating the brand VION ("VION", "we", "us", "our"), collects, uses, shares and protects your personal information when you visit our website, place an order, use the VION smart device, the VION mobile application, the at-home blood test, or otherwise interact with our products or services (collectively, the "Services").
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and equivalent laws in your jurisdiction, DAILYHEALTH SL is the data controller of your personal information.
Contact for any privacy matter:
• Email: admin@vionnutrition.com
• Postal address: DAILYHEALTH SL — Privacy, Calle San Andrés 139, 10º D, 15003 A Coruña, Spain
If you have a complaint, you may also contact your local data protection supervisory authority (in Spain: Agencia Española de Protección de Datos, [www.aepd.es](https://www.aepd.es)).
1. Scope of this Policy
This Policy applies to all personal information we collect when you:
• Visit, browse or purchase from our online store at vion.health (hosted on Shopify);
• Create a VION account or use the VION mobile application;
• Use the VION smart device and its connected services;
• Take the at-home blood test offered as part of the VION VIP plan;
• Connect Apple HealthKit, Apple Watch, or any other wearable to your VION account;
• Communicate with our customer support, by email or any other channel;
• Subscribe to our marketing communications, social media or events.
Our Terms of Service and our Return and Refund Policy apply alongside this Policy. In case of conflict regarding the processing of personal information, this Policy prevails.
2. Personal information we collect
Depending on how you interact with the Services, we may collect or process the following categories of personal information. Inferences derived from any of these categories are also treated as personal information.
2.1. Identity and contact details
Name, postal address, billing address, shipping address, email address, telephone number, country of residence, date of birth, government-issued identifier (only where strictly required by tax or shipping law).
2.2. Account and authentication data
Username, password (stored hashed), security questions, account preferences, language and unit settings, marketing consents.
2.3. Order and transaction data
Items viewed, added to cart, wishlisted, purchased, returned, exchanged or cancelled; order history; promotional codes used; gift card balances; refund and chargeback events.
2.4. Payment data
Card brand, last four digits of the card, expiry, payment method (Apple Pay, Google Pay, Shop Pay, PayPal, etc.), billing country, transaction confirmation tokens. Full card numbers and CVV are processed exclusively by our PCI-DSS-compliant payment processors and are never stored on VION servers.
2.5. Health and biometric data — special category data
Because VION is a personalised supplementation service, we process special categories of personal data within the meaning of Article 9 GDPR, specifically:
• Self-reported health information you enter in our onboarding questionnaire and follow-up assessments (sleep quality, stress, energy, digestion, mood, lifestyle, dietary preferences, medical conditions, medications you disclose).
• Wearable and Apple HealthKit data you choose to connect (heart rate, heart-rate variability (HRV), blood oxygen (SpO2), sleep stages and duration, activity, steps, workouts, mindfulness sessions).
• At-home blood test results for VIP plan customers (biomarker values such as vitamin D, B12, ferritin, hsCRP, lipid panel and any other markers analysed under our blood test partner's panel).
• Personalised supplement formulations generated for you, including dose adjustments and incompatibility flags.
We process this category of data only with your explicit consent under Article 9(2)(a) GDPR, given separately from your acceptance of this Policy and revocable at any time. See Section 5 for legal bases and Section 7 for automated decision-making.
2.6. Device and connectivity data
For the VION smart device: device serial number, firmware version, dispenser usage logs (timestamps of doses prepared, capsule IDs inserted, error codes), Wi-Fi connection status (no SSID or password collected), pairing tokens with the VION app.
2.7. Online identifiers and usage data
IP address, device type, browser, operating system, app version, mobile advertising ID (only where you have consented), cookies and similar identifiers, pages viewed, products clicked, time on page, referral source, in-app screens visited, feature usage and interaction events.
2.8. Communications
Content of emails, chat messages, support tickets, voice messages, postal letters, surveys and reviews you submit to us.
2.9. Inferences
Inferences we derive from any of the above to personalise your experience (e.g. "high stress profile", "low sleep quality cluster"). These inferences are treated with the same level of protection as the underlying data.
3. Sources of personal information
We collect personal information from the following sources:
• Directly from you when you create an account, complete the questionnaire, place an order, contact support, leave a review, or otherwise interact with us.
• Automatically, through cookies and similar technologies on vion.health, through telemetry from the VION smart device, and through the VION mobile application (with the permissions you grant on your phone).
• From Apple HealthKit and other wearables when you authorise the integration. Apple HealthKit data is requested only with your in-app consent and only for the metrics relevant to personalisation.
• From our blood test laboratory partner (for VIP customers) when your sample is processed and biomarker results are returned.
• From service providers and partners (payment processors, fraud-detection providers, shipping carriers, marketing analytics) who provide us with limited data needed to deliver the Services.
4. How we use your personal information
We use your personal information for the purposes listed below. Section 5 sets out the legal basis for each purpose.
4.1. Provide and personalise the Services
• Set up and maintain your account.
• Process orders, payments, shipping, returns, refunds and warranty claims.
• Pair, configure and operate your VION smart device.
• Generate personalised supplement formulations based on your questionnaire, wearable data and (for VIP) blood biomarkers.
• Adjust formulations dynamically as your data evolves.
• Send transactional notifications: order updates, shipping milestones, refill reminders, dose alerts, blood test result availability.
• Provide customer support and respond to your inquiries.
4.2. Improve and develop the Services
• Conduct analytics on aggregated and pseudonymised data to understand product usage.
• Train and validate our personalisation algorithms (only on data lawfully collected, with appropriate safeguards — see Section 7).
• Carry out A/B tests and product research.
• Monitor performance, debug and fix issues.
4.3. Marketing and advertising
• Send promotional emails and SMS where you have consented or where permitted by applicable law.
• Show online advertising on third-party platforms (e.g. Meta, Google, TikTok) based on your activity on vion.health — strictly subject to your cookie and tracking preferences.
• Manage referrals, loyalty programmes and waitlists.
We never use special category data (Section 2.5) for marketing or advertising purposes.
4.4. Security, fraud prevention and integrity
• Authenticate access to your account and device.
• Detect and prevent fraudulent transactions, account takeover, abuse, harmful content and other illegal activity.
• Maintain the security of our systems, conduct audits and respond to incidents.
4.5. Legal and regulatory compliance
• Comply with applicable laws (consumer protection, tax, food supplement and health regulations, anti-money-laundering).
• Respond to legal requests from public authorities, courts and regulators where lawfully required.
• Defend or exercise legal claims and enforce our terms.
5. Legal bases for processing (EU / UK)
If you reside in the EU, EEA or UK, we rely on the following legal bases under GDPR / UK GDPR:
| Purpose | Legal basis |
| --- | --- |
| Process orders, payments, shipping, account, support | Performance of a contract with you (Art. 6(1)(b)) |
| Process special category data for personalisation (questionnaire, wearable, biomarkers) | Your explicit consent (Art. 9(2)(a)), revocable at any time |
| Send transactional communications | Contract performance (Art. 6(1)(b)) |
| Marketing emails / SMS / push | Your consent (Art. 6(1)(a)); for existing customers, soft opt-in where permitted |
| Personalised online advertising / cookies for advertising | Your consent (Art. 6(1)(a)) via the cookie banner |
| Improve and develop the Services on aggregated/pseudonymised data | Our legitimate interest (Art. 6(1)(f)) — fundamental rights balancing test passed |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Compliance with tax, accounting, consumer protection law | Legal obligation (Art. 6(1)(c)) |
| Defend legal claims | Legitimate interest (Art. 6(1)(f)) |
You may withdraw consent at any time by emailing admin@vionnutrition.com or through the in-app preference centre. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
6. Special category (health) data — additional safeguards
We treat your health and biometric data with heightened protection:
• We collect it only with your explicit, separate consent in the VION app or web flow.
• We use it only to (i) generate and adjust your personalised formulations, (ii) flag potential incompatibilities, (iii) provide your blood test report, (iv) deliver clinical-grade insights to you.
• We never sell your health data and never share it with advertising platforms.
• Access inside DAILYHEALTH SL is restricted on a need-to-know basis to clinical, product and engineering personnel under confidentiality obligations.
• Health data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
• You can revoke consent at any time and request deletion of your health data, subject to limited legal retention obligations (see Section 12).
7. Automated decision-making and profiling
VION uses algorithms — including AI-based personalisation — to recommend supplement formulations, dosages and adjustments based on your profile. Under Article 22 GDPR you have specific rights when a decision producing legal or similarly significant effects is taken without meaningful human review.
• Our position: the personalised recommendations generated by VION are decision-support outputs, not autonomous medical decisions. You always retain the choice to follow them or not, and our clinical team reviews edge cases (e.g. flagged incompatibilities, abnormal biomarker values).
• We perform this profiling only with your explicit consent, which is necessary for performance of the personalisation service you requested.
• You have the right to request human review of any recommendation, express your point of view, and contest the recommendation by writing to admin@vionnutrition.com.
• We provide meaningful information about the logic involved and the categories of data used, available on request.
VION recommendations are not a substitute for professional medical advice. Always consult a qualified health professional for diagnosis or treatment.
8. How we share your personal information
We do not sell your personal information. We share it only with the categories of recipients set out below, and only to the extent necessary for the relevant purpose.
8.1. Service providers (sub-processors)
We engage carefully selected service providers under written data processing agreements (DPAs) compliant with Article 28 GDPR. The current categories include:
| Function | Provider category | Notes |
| --- | --- | --- |
| E-commerce hosting, checkout | Shopify Inc. (Canada) | Standard Shopify DPA + Standard Contractual Clauses |
| Payment processing | Shopify Payments / Stripe / PayPal / Apple Pay / Google Pay | PCI-DSS Level 1; only tokenised payment data |
| Cloud hosting (app & device backend) | AWS or Google Cloud (EU regions where possible) | Encryption at rest and in transit |
| Transactional and marketing email | E-mail service provider (e.g. Klaviyo, SendGrid) | Marketing only with your consent |
| Customer support tooling | Helpdesk provider (e.g. Gorgias, Zendesk) | Access to communication content only |
| At-home blood test analysis | Accredited clinical laboratory (EU-based) | Processes biomarker data under medical confidentiality |
| Shipping carriers | DHL, GLS, UPS, local carriers | Only name and address |
| Analytics | Privacy-friendly analytics + GA4 (with consent) | Pseudonymised |
| Advertising platforms | Meta, Google, TikTok, etc. | Only with your consent; never on health data |
| AI / personalisation infrastructure | Approved inference provider(s) under DPA | No health data sent to third-party LLM APIs without contractual safeguards |
A current detailed list of sub-processors is available on request at admin@vionnutrition.com.
8.2. Business and legal transfers
We may share information when reasonably necessary to:
• Comply with applicable law, valid legal process or lawful regulator requests.
• Investigate, prevent or address fraud, security incidents, abuse or violations of our terms.
• Defend the rights, property or safety of VION, our customers or the public.
• In connection with a merger, acquisition, reorganisation, financing or sale of assets, in which case the recipient will be bound by privacy commitments at least as protective as this Policy.
8.3. With your direction or consent
We may share your information with third parties when you direct us to do so (e.g. social media login, sharing your blood test report with your physician).
9. Apple HealthKit data — specific terms
If you connect Apple HealthKit to the VION app, the following Apple-mandated rules apply in addition to the rest of this Policy:
• HealthKit data is requested only with your explicit in-app consent for each metric.
• We use HealthKit data exclusively to provide and improve the personalisation features of the VION Services.
• We do not use HealthKit data for advertising or marketing.
• We do not sell, license or otherwise disclose HealthKit data to third parties for advertising purposes or data brokerage.
• We do not disclose HealthKit data to any third party except (i) sub-processors strictly necessary to provide the Service (Section 8.1), (ii) with your explicit consent, (iii) where required by law.
• You can revoke HealthKit access at any time from the iOS Settings → Privacy → Health menu, and request deletion of synced data via admin@vionnutrition.com.
10. Cookies and similar technologies
We use cookies, SDKs and similar technologies on vion.health and within the VION app for: (i) strictly necessary functionality, (ii) preferences, (iii) analytics, (iv) advertising and personalisation.
• Strictly necessary cookies are set by default and cannot be disabled.
• All other categories require your prior consent via our cookie banner (or in-app prompt).
• You can change or withdraw your preferences at any time via the "Cookie preferences" link in the website footer.
If your browser sends a Global Privacy Control ("GPC") signal, we treat it as a valid opt-out from sale or sharing of personal information for targeted advertising purposes for the device and browser sending the signal, and — where we can match it to your account — for that account. We do not honour other "Do Not Track" signals at this time.
11. International data transfers
VION operates internationally. Your personal information may be transferred to, stored or processed in countries outside your country of residence, including outside the European Economic Area or the United Kingdom (notably the United States and Canada, where some of our service providers are located).
When we transfer personal information outside the EEA or the UK to a country that has not been recognised as providing an adequate level of protection by the European Commission or the UK government, we rely on:
• The European Commission's Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum, and
• Where applicable, supplementary technical and organisational measures (encryption, pseudonymisation, access restrictions).
Copies of these transfer mechanisms can be requested at admin@vionnutrition.com.
12. Data retention
We keep your personal information only for as long as necessary for the purposes described in this Policy, in accordance with the following criteria:
| Category | Typical retention |
| --- | --- |
| Account data | While your account is active, plus 24 months of inactivity |
| Order and payment records | 6 years (Spanish accounting and tax law) |
| Customer support communications | Up to 5 years |
| Marketing consent and preferences | Until withdrawal + reasonable record of the withdrawal |
| Health data (questionnaire, wearable, biomarkers) | While you keep an active VIP/Core/Starter relationship + the period strictly necessary to comply with health regulations; deletable on request, subject to limited legal exceptions |
| Cookies and online identifiers | Per the cookie banner duration table |
| Backups | Up to 90 days after the production deletion |
| Legal claims | Until any applicable statute of limitations expires |
After expiry, we either delete or anonymise the data so that you cannot be re-identified.
13. Security
We apply appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, loss or destruction. These measures include encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), role-based access control, multi-factor authentication for staff, security logging and monitoring, periodic penetration testing, vendor security review, secure software development practices and an incident response plan.
No system is impenetrable. If we become aware of a personal data breach affecting your information, we will notify you and the competent supervisory authority where and as required by law.
14. Your rights
Subject to your jurisdiction and applicable exceptions, you may have the following rights regarding your personal information:
• Access — receive confirmation of whether we process your data and a copy of it.
• Rectification — correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — request deletion in certain circumstances.
• Restriction — limit our processing in certain circumstances.
• Objection — object to processing based on our legitimate interest.
• Portability — receive a structured, commonly used and machine-readable copy of certain data and ask us to transmit it to another controller.
• Withdraw consent — at any time, where processing is based on your consent (without affecting prior lawful processing).
• Not be subject to automated decisions producing legal or similarly significant effects — see Section 7.
• Lodge a complaint with your local data protection supervisory authority.
14.1. United States — additional state privacy rights
If you reside in California, Colorado, Connecticut, Texas, Virginia, Utah or another U.S. state granting consumer privacy rights, you may have the right to: (i) know what personal information we have collected, used, disclosed and "sold" or "shared", (ii) request deletion or correction, (iii) opt out of "sale" or "sharing" for targeted advertising, (iv) opt out of certain profiling, (v) limit the use of "sensitive personal information" (which includes health data — VION already restricts such use to providing the Service). California residents may also designate an authorised agent.
We do not "sell" personal information for monetary value. Where applicable law treats certain data sharing for advertising as a "sale" or "share", you can opt out via our cookie banner or by emailing admin@vionnutrition.com.
14.2. How to exercise your rights
You may exercise your rights by:
• Emailing admin@vionnutrition.com (recommended).
• Writing to DAILYHEALTH SL — Privacy, Calle San Andrés 139, 10º D, 15003 A Coruña, Spain.
• Using the in-app privacy preference centre, where available.
We will respond within the deadlines required by applicable law (typically 30 days under GDPR, extendable by 60 days for complex requests; 45 days under CCPA/CPRA).
We may need to verify your identity before fulfilling a request. You may also designate an authorised agent to act on your behalf, in which case we will require written proof of authorisation.
We will not discriminate against you for exercising any of these rights.
15. Children
The Services are not directed to and not intended for use by children. We do not knowingly collect personal information from individuals under the age of 18. Food supplements and clinical analyses sold by VION are not appropriate for minors and we require all customers to confirm they are at least 18 years old (or the applicable age of majority in their jurisdiction, whichever is higher) at checkout.
If you are a parent or legal guardian and become aware that your child has provided us with personal information, please contact admin@vionnutrition.com and we will promptly delete it.
As of the effective date of this Policy, we do not have actual knowledge that we "share" or "sell" the personal information of individuals under 16 years of age within the meaning of applicable law.
16. Third-party links and platforms
Our Services may contain links to third-party websites, applications or platforms (e.g. social media, partner stores, blog references). We are not responsible for the privacy practices or content of those third parties. When you follow a link or use an integration, the recipient's own privacy policy applies — please review it before sharing personal information.
17. Relationship with Shopify
Our online store is hosted by Shopify Inc., which collects and processes personal information about your access to and use of the store in order to host, operate, secure and improve the Shopify platform. Shopify acts as our processor for storefront operations (under our DPA) and, for some enhanced cross-merchant features, as an independent or joint controller under its own Consumer Privacy Policy. To learn more, see Shopify's privacy notices at [https://www.shopify.com/legal/privacy](https://www.shopify.com/legal/privacy) and the Shopify Privacy Portal at [https://privacy.shopify.com](https://privacy.shopify.com).
18. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, services or legal requirements. We will revise the "Last updated" date and, where the change is material, notify you by email or through a prominent notice on the Services before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy, except where additional consent is required by law.
19. Contact
For any question about this Policy, your personal information or your rights:
• Data controller: DAILYHEALTH SL (NIF B72489370)
• Brand: VION
• Email: info@vionnutrition.com
• Postal address: Calle San Andrés 139, 10º D, 15003 A Coruña, Spain
• Supervisory authority (Spain): Agencia Española de Protección de Datos — [www.aepd.es](https://www.aepd.es)
• EU ODR platform: [https://ec.europa.eu/consumers/odr](https://ec.europa.eu/consumers/odr)
We aim to acknowledge any privacy request within 5 business days and resolve it within the legally applicable deadline.
End of Policy.