VESTED

Vested Privacy Policy

Effective date: June 25, 2026
Last updated: June 25, 2026


Summary (the short version)

This summary is for convenience only and does not replace the full policy below.


Contents

  1. Who we are
  2. Definitions
  3. Information we collect
  4. Categories of personal information (at a glance)
  5. Health data and consumer health data
  6. Payments
  7. How we use your information
  8. Legal bases for processing (GDPR)
  9. How we share information
  10. Data retention
  11. Account deletion
  12. Your privacy rights
  13. Your choices and controls
  14. Cookies and tracking
  15. International data transfers
  16. Security
  17. Children's privacy
  18. Automated decision-making
  19. Third-party links and services
  20. Changes to this Policy
  21. Contact us

1. Who we are

Vested is a monthly fitness membership delivered through the Vested mobile app, which is white-labeled on the EverFit platform. The app is published on the Apple App Store and Google Play as Vested Fitness, under the Google Play Developer name Vested Fitness. The app and the Vested service are operated by Team Gabriel Fitness LLC ("Vested," "we," "us," or "our"), a limited liability company organized in the State of Florida, United States.

This Privacy Policy explains what information we collect, how we use and share it, and the rights and choices you have. It applies to the Vested app, our website at vested.fitness, and related services (together, the "Service").

Contact for privacy matters:
- Email: support@vested.fitness
- Mail: Team Gabriel Fitness LLC, 21200 NE 38th Ave, Aventura, FL 33180, United States


2. Definitions


3. Information we collect

Information you provide:
- Account and profile information: your name, email address, date of birth, gender (optional), password, and the training track you select (for example, Full Gym or Home Gym).
- Health and fitness information you enter or generate in the app: workout activity and completion, exercise logs, sets, reps, and weights, body metrics such as body weight and measurements, progress photos you choose to upload, nutrition logs and meal selections, heart rate (where available), and similar fitness metrics.
- Communications: messages you send to support, your responses to intake and check-in forms, and posts or comments you make in the Vested community.

Information collected automatically:
- Usage and device information: app interactions, features used, device type, operating system, app version, language, and similar technical data.
- Cookies and similar technologies on our website (see Section 14).

Information from third parties:
- Payment confirmation from our payment processor (we do not receive or store your full card number, see Section 6).
- If you choose to connect the app to a health platform such as Apple Health, the data you authorize us to read or write (see Section 5).

We do not collect Social Security numbers or government identifiers, and we do not use location information for advertising or track your precise location for marketing purposes.


4. Categories of personal information (at a glance)

This table summarizes the categories we collect and is provided to support transparency requirements under California and other US state laws. Details are in Sections 3, 7, and 9.

| Category | Examples | Source | Purpose | Disclosed to |
| Identifiers | Name, email, date of birth | You | Create and manage your account | EverFit (processor) |
| Account and commercial information | Subscription status, billing country, last four digits of card | You, Stripe | Provide and bill the membership | Stripe (processor) |
| Health and fitness data (sensitive) | Workouts, exercise logs, body metrics, heart rate, nutrition logs | You, connected health apps | Deliver core features, tracking, sync | EverFit (processor) only; never sold or shared |
| Visual information (sensitive) | Progress photos you upload | You | Progress tracking | EverFit (processor) only; never sold or shared |
| Internet and device activity | App interactions, device type, OS, app version | Automatic | Operate, secure, and improve the Service | EverFit, analytics provider (processors) |
| Communications and user content | Support messages, form responses, community posts | You | Support and community features | EverFit (processor) |

We do not sell or share any of these categories, and we use sensitive categories only to provide the Service you requested.


5. Health data and consumer health data

Our app collects and processes health-related information such as workout activity, exercise logs, heart rate, and other fitness metrics. This data is collected only with your explicit consent and is used exclusively to deliver core app features, including fitness tracking, progress insights, and cross-device synchronization. We do not share your health data with any third parties, and we do not use this data for advertising or marketing purposes. All health information is stored securely and access is limited to authorized personnel only. We adhere to industry best practices to ensure data protection. If you choose to delete your account, all associated personal and health-related data will be permanently deleted from our systems.

Consumer health data (US state laws). The fitness and body-metric information you provide is "consumer health data" under laws such as Washington's My Health My Data Act, Nevada's SB 370, and Connecticut's health-data provisions. We collect it only to provide the Service, we obtain your consent before collecting it, we do not sell it, we do not share it for cross-context or targeted advertising, and we limit access to authorized personnel. You can withdraw consent and request deletion at any time (see Sections 11 and 12).

Apple Health (where available): If you choose to connect Vested to the Apple Health app, we access only the data you authorize, use it solely to display and update your metrics inside the app, and never use Apple Health data for advertising or share it with third parties for their own purposes. You can disconnect this access at any time in your device settings.

Explicit consent and special category data (GDPR): Health and fitness data is treated as a special category of personal data under Article 9 of the GDPR. When you first enable fitness tracking or enter health information, the app asks you to provide explicit consent for this processing. Where the GDPR applies to you, we process this data on the basis of that explicit consent, and you may withdraw it at any time by adjusting your in-app settings or contacting us, without affecting the lawfulness of processing before withdrawal.

This is not a medical service. Vested is a fitness and wellness product, not a healthcare provider. We are not a "covered entity" or "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the health information you provide here is not "protected health information" under HIPAA. The Service does not provide medical advice, diagnosis, or treatment. Always consult a qualified professional before beginning any exercise or nutrition program.


6. Payments

Membership payments are processed through our third-party payment processor, Stripe, using a secure web checkout. We do not collect or store your full payment card number, security code, or bank details on our own systems. Stripe handles that information under its own privacy policy (https://stripe.com/privacy) and applicable payment-card security standards. We receive limited confirmation data such as your subscription status, the last four digits of your card, and billing country, which we use to manage your membership.


7. How we use your information

We use your information to:
- Provide, personalize, and operate the Service, including assigning your program, delivering daily messages, tracking progress, and powering the community.
- Sync your data across your devices.
- Respond to support requests and communicate with you about your membership.
- Send service and transactional messages (for example, billing notices and program updates).
- With your consent where required, send marketing communications, which you can opt out of at any time.
- Maintain the safety, security, and integrity of the Service and prevent abuse.
- Comply with legal obligations and enforce our agreements.

We do not use your health and fitness data for advertising, and we do not sell your personal information.


8. Legal bases for processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:
- Performance of a contract: to deliver the membership Service you signed up for.
- Explicit consent: for health and fitness (special category) data, and for marketing communications where consent is required. You may withdraw consent at any time.
- Legitimate interests: to secure the Service, prevent fraud, and improve features, balanced against your rights and freedoms.
- Legal obligation: where we must process data to comply with applicable law.


9. How we share information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only as described here:

We do not share your health and fitness data with third parties for their own marketing or advertising.


10. Data retention

We keep your personal information for as long as your account is active and as needed to provide the Service. To decide how long to keep information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it and whether we can achieve those purposes by other means, and applicable legal requirements.

After you delete your account (see Section 11), we permanently delete your personal and health-related data from our active systems within 30 days, and it is purged from routine backups within 90 days. We retain limited records, such as billing and transaction records, for up to seven years where necessary to comply with U.S. tax, accounting, and legal obligations, and we retain information longer only where required to resolve disputes or enforce our agreements.


11. Account deletion

To request the deletion of your personal information from our database, you can submit a request through our in-app settings or contact form available on our platform. For such requests, please write "delete my account" in the subject line, and include your first and last name and e-mail address in the body of the message. We will use commercially reasonable efforts to honor your request. We may retain an archived copy of your records as required by law or for administrative purposes. Please note that we will store communications you may send through the Service, as well as any comments you may post, and they may not be subject to modification or deletion. You may also control the information that we collect through the settings in your browser or mobile device. You may configure your browser to reject cookies from our app and may adjust the settings of your mobile device to prevent the Platform from obtaining location information. However, please note that the Service may rely on cookies and location information to function properly and some parts of the Service may not be available if you disable cookies.

You can also email a deletion request to support@vested.fitness with "delete my account" in the subject line.


12. Your privacy rights

If you are in the EEA, the UK, or Switzerland (GDPR / UK GDPR): you have the right to access, correct, delete, restrict, and object to the processing of your personal data, the right to data portability, and the right to withdraw consent at any time. We respond to verified requests within one month, as required by law. If we cannot resolve your concern, you may lodge a complaint with your local data protection authority.

If you are a California resident (CCPA/CPRA): you have the right to know the categories and specific pieces of personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share it; the right to delete; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; the right to limit the use of sensitive personal information; and the right not to be discriminated against for exercising these rights. We do not sell or share personal information and have not done so in the preceding twelve months, and we use sensitive personal information only to provide the Service you requested. We respond to verified requests within 45 days, and we do not charge a fee.

If you are a resident of another US state with a comprehensive privacy law (including Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, and Tennessee, among others): you generally have the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Where these laws require it, we obtain your consent before processing sensitive data, including health data. If we deny your request, you have the right to appeal that decision by replying to our response or emailing support@vested.fitness with "privacy appeal" in the subject line.

If you are in Brazil (LGPD): you have rights to confirmation, access, correction, anonymization or deletion, portability, and information about sharing, and you may contact us to exercise them.

If you reside in another country with a data-protection law, you may have similar rights; contact us at support@vested.fitness and we will honor applicable rights.

How to exercise your rights: email support@vested.fitness or use the in-app settings. Because we operate primarily online, this email and in-app method is our designated request channel. To protect your account, we will verify your identity (for example, by confirming control of your account email) before fulfilling a request. An authorized agent may submit a request on your behalf with proof of authorization.


13. Your choices and controls

You can control your information in these ways:
- Marketing emails: click "unsubscribe" in any marketing email or contact us. We will still send essential service and billing messages.
- Push notifications: turn these off in your device settings.
- Health-data and Apple Health: withdraw consent or disconnect Apple Health at any time in your in-app or device settings.
- Cookies: control or disable cookies through your browser (see Section 14).
- Opt-out preference signals: where applicable, we honor recognized signals such as Global Privacy Control.
- Delete your account and data: see Section 11.


14. Cookies and tracking

Our website uses cookies and similar technologies to operate the site, remember your preferences, and understand how the site is used. We use essential cookies that are necessary for the site to function and analytics cookies that help us improve it. We do not use cookies to build advertising profiles or to sell your information. You can control or disable cookies through your browser settings, and where applicable we honor recognized opt-out preference signals such as Global Privacy Control. We do not currently respond to legacy browser "Do Not Track" signals, which are not standardized. Some features may not work if you disable certain cookies.


15. International data transfers

We are based in the United States, and our service providers may process and store your information in the United States and other countries. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. Where required for transfers of personal data from the EEA, the UK, or Switzerland, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, and our agreements with service providers incorporate those safeguards.


16. Security

We use administrative, technical, and physical safeguards designed to protect your information, including encryption of data in transit and, where supported by our providers, at rest, access controls, and limiting access to health and fitness data to authorized personnel only. No method of transmission over the internet or method of electronic storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.


17. Children's privacy

The Service is intended for adults and is not directed to children. We do not knowingly collect personal information from anyone under the age of 18, or the age of majority in your jurisdiction if higher. We set our minimum age at 18 intentionally because Vested is an adult fitness program. We rely on age information provided at registration and on age signals from the app stores, which we use only to comply with applicable legal requirements. If you believe a minor has provided us with personal information, please contact support@vested.fitness and we will delete it.


18. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. If we introduce features that rely on such processing in the future, we will update this Policy and provide any rights and choices required by law.


19. Third-party links and services

The Service may link to or rely on third-party sites and services, including the EverFit platform, Stripe, and social media. Their privacy practices are governed by their own policies, and we are not responsible for them. We encourage you to review the privacy policies of any third-party services you use.


20. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, give advance notice in the app or by email before the changes take effect. Prior versions are available on request. Your continued use of the Service after an update takes effect means you accept the revised Policy.


21. Contact us

Questions, requests, or concerns about this Policy or your data:
- Email: support@vested.fitness
- Mail: Team Gabriel Fitness LLC, 21200 NE 38th Ave, Aventura, FL 33180, United States