How Veast X LTD collects, uses, shares, and protects your personal data. Compliant with GDPR and CCPA.
Veast X LTD ("Veast," "we," "us," or "our") operates the Veast Life mobile application and the veast.life website (collectively, the "Platform"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we retain it, and what rights you have over it.
This policy applies to all users of the Platform globally and satisfies the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by CPRA, and Canada's PIPEDA.
By using the Platform, you confirm that you are at least 16 years of age and that you have read and understood this policy.
Name, email address, date of birth, country/region, gender (Male or Female), profile photo (optional), and password hash (never stored in plaintext).
Workout logs (exercise type, duration, GPS coordinates, accelerometer/motion patterns); food log photos; water intake logs; meditation session durations; sleep data cross-referenced from iOS HealthKit or Android Health Connect (read-only); injury disclosures and health notes from onboarding (treated as special-category sensitive data under GDPR Article 9).
Journal entries, Veast Pulse daily check-ins, community posts and comments, and private coach chat messages (Premium subscribers).
Subscription tier and billing records, Stripe payment tokens (we do not store raw card numbers — Stripe handles PCI compliance), in-app purchase receipts, and Stripe Identity KYC data where required for coach onboarding.
Solana wallet address (if you join the $VEAST ecosystem), $VEAST token balances, transaction history (recorded on-chain — see Section 11), and Founding Member NFT status.
IP address, device identifiers, OS version, app version, crash logs, location data (GPS for workout validation), background accelerometer/motion data, and push notification tokens.
Coach specialty planes, credentials, bio, client roster metadata (counts, not PII), and revenue and payout records.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing and operating the Platform | Account, health, content, device data | Contract (Art. 6(1)(b)) |
| $VEAST token reward validation | Location, motion, health, photos | Contract + Legitimate Interests |
| AI-powered coaching and routine generation | Questionnaire, health, activity data | Contract (Art. 6(1)(b)) |
| Coach matching and routine handoff | Questionnaire, plane preferences | Contract (Art. 6(1)(b)) |
| Processing payments | Financial, identity | Contract + Legal Obligation |
| Fraud prevention and security | IP, device, location, activity patterns | Legitimate Interests (Art. 6(1)(f)) |
| Legal and tax record-keeping | Subscription and payment records | Legal Obligation (Art. 6(1)(c)) |
| Improving the Platform (anonymized) | Aggregated analytics | Legitimate Interests (Art. 6(1)(f)) |
| Marketing communications (opt-in only) | | Consent (Art. 6(1)(a)) |
| Health data processing (special category) | Injury disclosures, health questionnaire | Explicit Consent (Art. 9(2)(a)) |
We do not use your data to train third-party AI models. Data passed to Anthropic for real-time inference is not used to train their foundation models under our enterprise agreement.
For users in the EEA and United Kingdom, our processing rests on:
We do not sell your personal data. We share data only with the processors below, each under a Data Processing Agreement with appropriate safeguards.
| Processor | Role | Location | Data Shared |
|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) on AWS | AWS us-east-1, United States | All structured user data |
| Apple HealthKit | On-device health data read (iOS) | On-device only | Activity data for token validation |
| fal.ai | 3D avatar generation | United States | Single profile photo per call; not retained by fal.ai beyond inference |
| Anthropic | AI agent (Veast Agent) | United States | Conversation context, questionnaire data |
| Stripe | Payment processing and KYC | United States | Financial and identity verification data |
| Cloudflare | CDN, DDoS protection, bot detection | Global edge (no PII stored) | Request metadata, IP addresses (ephemeral) |
| Twilio Verify | Phone OTP verification | United States | Phone number (transient) |
| YouTube / Google | Live coaching session broadcast | United States | Stream delivery; no Veast user PII passed to YouTube |
Coaches access member data only within the scope of their coaching relationship and are bound by the Veast Data Processing Agreement.
| Data Category | Retention Period | Notes |
|---|---|---|
| Health data, journal, posts, chat | 30-day grace period after deletion request, then hard purge | Soft delete on request; permanent erasure after 30 days |
| Account profile data | 30-day grace period, then hard purge | Same soft-delete flow |
| Auth records, subscriptions, payment records | 7 years from last transaction | Required by Canada Revenue Agency minimum |
| Security event logs | 2 years | Fraud investigation and legal compliance |
| Anonymized aggregate analytics | Indefinitely | Cannot be re-identified; not personal data under GDPR |
If you are located in the EEA or United Kingdom, you have the following rights:
Request a copy of all personal data we hold about you. We will respond within 30 days.
Correct inaccurate or incomplete data at any time via Profile settings or by contacting us.
Request deletion of your account and all associated personal data. We initiate a soft delete and permanently purge all data after 30 days, except records retained for legal obligation and on-chain data (see Section 11).
Request restriction of processing in certain circumstances (e.g., while a dispute is pending).
Request an export of your personal data in machine-readable JSON format. Available via Settings > Export My Data in the app, or by contacting us.
Object to processing based on legitimate interests (e.g., analytics). We will cease such processing unless we can demonstrate compelling legitimate grounds.
Where processing is based on consent (marketing, health data), you may withdraw at any time. Withdrawal does not affect the lawfulness of prior processing.
You have the right to lodge a complaint with your local supervisory authority (EU: national DPA; UK: Information Commissioner's Office).
Request disclosure of the categories and specific pieces of personal information we have collected, the sources, our business purpose, and third parties with whom we share it.
Request deletion of personal information we have collected, subject to the same retention exceptions in Section 6.
Request correction of inaccurate personal information.
We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
We use sensitive personal information (health data, precise geolocation) only for Platform functionality and token reward validation, not for inferring characteristics unrelated to the service.
We will not discriminate against you for exercising any CCPA rights.
Your data is hosted on AWS us-east-1 (Northern Virginia, United States) via Supabase. Backups remain within the same AWS region.
For users in the EEA: Your data is transferred to the United States under Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c), as executed between Veast X LTD and Supabase. Copies of relevant SCCs are available on request.
EU data residency pinning (dedicated eu-west region) is on the roadmap for v1.1 (2027).
For third-party processor locations, see veast.life/privacy or the full Data Residency document.
The veast.life website uses cookies. We obtain your consent before loading non-essential cookies via our cookie consent banner. Categories:
Your preference is stored in cookie veast_consent_v1 for 365 days. Change your preferences at any time via the link.
The mobile app does not use cookies. Platform analytics in the app are handled via server-side event logging.
The following data is recorded on-chain and cannot be erased by Veast or any party:
Upon account deletion: Veast will disassociate your wallet address from your user ID in Veast's internal database. The on-chain records remain permanently on the Solana blockchain and are publicly visible to anyone with your wallet address.
Before joining the $VEAST ecosystem, you are shown a clear disclosure of this immutability during onboarding (Step 9). Proceeding constitutes informed consent.
The Platform is not directed to persons under the age of 16. We do not knowingly collect personal data from anyone under 16. Users must confirm their age during signup.
This age threshold reflects GDPR Article 8 (digital consent age) and aligns with the majority of EU member states that have set their age of digital consent at 16.
If we become aware that we have collected data from a person under 16, we will delete that data immediately. Contact us at veganbeast@veast.life if you believe we have inadvertently collected such data.
We implement appropriate technical and organizational measures including:
In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, where required by GDPR Article 33.
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and/or email at least 14 days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
Veast X LTD
Vancouver, BC, Canada
Email: veganbeast@veast.life
Website: veast.life
For privacy-specific requests, use subject line "Privacy Rights Request."