Privacy Policy
Effective July 3, 2026 · Last updated July 3, 2026
This Privacy Policy explains how Vexo Ring ("Vexo," "we," "us," or "our") collects, uses, discloses, and protects your information when you use the Vexo Ring smart ring (the "Ring"), the Vexo iOS application (the "App"), our websites and developer documentation (the "Site"), and related services (collectively, the "Services").
Vexo is built on a single principle, which shapes everything in this policy: your data belongs to you, and it does not leave your devices without your explicit consent. Please read this policy carefully. If you do not agree with it, do not use the Services.
SECTION 01
Who This Policy Applies To
This policy applies to individuals who purchase or use a Vexo Ring and the Vexo App, visitors to our Site, and developers who build on the Vexo platform. If you are under the age of 16 (or the minimum age of digital consent in your jurisdiction), you may not use the Services, and we do not knowingly collect data from you (see Section 12).
SECTION 02
The Short Version
The essentials at a glance. The rest of this document is the long version.
SECTION 03
The Information We Collect
Health & Biometric Information (Sensitive Data)
The Ring contains an optical PPG sensor, a skin-temperature sensor, and a motion sensor (accelerometer + gyroscope). From these, Vexo collects and processes:
- Heart rate (beats per minute)
- Blood oxygen saturation / SpO₂ (percentage)
- Skin temperature
- Heart-rate variability (HRV)
- Sleep score
- Steps and active calories (derived on your phone from the Ring's motion data)
- Motion & gesture data — accelerometer, gyroscope, and tap gestures. Raw motion streams are processed on your phone and are not uploaded in raw form.
This is sensitive personal information / special category data under laws such as the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar state laws. We process it only to provide the Services to you and only on the legal bases described in Section 6.
Voice & Speech Information
The Ring includes a microphone that captures audio in two modes you control: voice notes (audio you intentionally capture, e.g. by double-tapping the Ring) and speech capture (voice-activity-gated capture of your own speech while you wear the Ring).
How your voice is handled — please read this carefully:
- Audio is captured by the Ring and streamed over Bluetooth to your iPhone. Your iPhone's own microphone is never used and the App never requests microphone permission.
- Your iPhone transcribes the audio to text on the device, using Apple's on-device speech-recognition framework. No cloud transcription service is used, and the audio never leaves your Ring-and-phone boundary.
- We do not receive, store, or have any access to your raw audio. It is not uploaded to our servers or to any third party.
- The resulting text transcript is stored on your phone and, if you keep your account synced, is synced to your Vexo account as text. We store only this text.
Recording others. Because the Ring can capture voice, you are responsible for complying with applicable laws when recording. Some jurisdictions require the consent of all parties to a conversation before recording ("two-party" or "all-party" consent). The Ring includes a visible indicator light during capture. You must obtain any consent required by law before recording other people, and you must not use Vexo to record anyone unlawfully.
Profile Information You Provide
When you set up the App, you may provide your name / display name, age, weight (and unit preference), fitness goals (e.g. move more, sleep better, heart health), and speech goals (e.g. fewer fillers, steady pacing, confidence).
Account & Identity Information
To create and secure your account (via our authentication provider, Supabase), we collect your email address (and one-time verification codes), your phone number if you use SMS sign-in, your Apple account identifier if you use Sign in with Apple, your Google account identifier if you use Google sign-in, and authentication tokens stored securely in your device's Keychain.
We do not receive your Apple or Google password. If you use Sign in with Apple, Apple may provide us a private relay email address rather than your real one, at your choice.
Ring Device Information
To operate and maintain your Ring, we collect its serial number and hardware identifiers, firmware version, battery level, and connection timestamps. The Ring itself stores only its own settings; it does not retain a history of your biometric or voice data. Your phone is the primary store.
Reminders
If — and only if — you tap to route a note into Apple Reminders, the App requests access to your Reminders and writes the item you selected. We do not read your existing reminders and do not access this data on our servers.
Information We Do Not Collect
For clarity, the current Services do not collect:
- Location data. The App contains no location tracking.
- Apple Health / HealthKit data. The App does not read from or write to Apple Health.
- Your iPhone microphone audio. The phone never records.
- Camera, photos, or contacts.
- Advertising or third-party analytics identifiers. We embed no advertising, analytics, or crash-reporting SDKs.
The Site
Our marketing and developer-documentation website collects no personal information. It has no sign-up forms, no newsletter, no cookies, no advertising, and no third-party analytics or trackers. Standard, transient server logs may be generated by our hosting provider for security and reliability.
SECTION 04
How Your Data Flows (Ring → Phone → Cloud)
Understanding the architecture is the best way to understand your privacy:
- On the Ring. Sensors measure vitals and motion; the microphone captures audio only in the modes above. The Ring transmits over Bluetooth to your paired phone and stores no history.
- On your Phone. The App is the source of truth. It decodes vitals, derives steps and calories, transcribes audio to text on-device, and runs on-device AI chat. Raw audio is discarded after transcription and is never persisted or uploaded.
- In the Cloud (only what you sync). If your account is synced, the App uploads text and numbers — biometric samples, transcript text, profile fields, and device status — tied to your user ID and readable only by you and services you explicitly authorize.
SECTION 05
How We Use Your Information
We use your information to:
- Provide the core Services — display your live and historical vitals, activity, sleep, and transcripts; power on-device insights and chat.
- Sync and back up your data to your account so you don't lose it.
- Operate your Ring — manage pairing, firmware updates, and battery/connection status.
- Authenticate and secure your account and detect abuse or fraud.
- Communicate with you about your account, security, and material changes.
- Comply with law and enforce our terms.
We do not use your health, voice, or biometric data to build advertising profiles, and we do not sell it.
SECTION 06
Legal Bases for Processing (EEA/UK Users)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Consent (Art. 6(1)(a); Art. 9(2)(a) for health/biometric data) — for your health data, voice-derived transcripts, and any sharing you initiate. You may withdraw consent at any time (Section 9).
- Contract (Art. 6(1)(b)) — to provide the Services you request.
- Legitimate interests (Art. 6(1)(f)) — to secure our Services and prevent abuse, balanced against your rights.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
SECTION 07
How We Share Information — and When
We share your personal information only in these limited circumstances:
Service Providers (Processors)
We use Supabase for database, authentication, and file storage; Supabase processes your synced data on our behalf under contract. Our backend is hosted on Render. One-time authentication codes may be delivered by email or SMS providers integrated through our authentication provider. We do not use third-party analytics, advertising, or data-broker services.
Sharing You Initiate — External AI Assistants (MCP)
Vexo lets you connect your data to an external AI assistant (such as Claude or ChatGPT) through a personal connection link you generate. When enabled, the assistant can read the categories you've turned on — profile, latest vitals, activity summaries, metric history, and transcripts.
- This happens only when you turn it on. It is off by default.
- The connection link is a credential: anyone who has it can access the enabled data until you disable it. Keep it private.
- You can revoke it instantly in the App, which cuts off access.
- Once your data reaches a third-party assistant, its handling is governed by that provider's privacy policy, not ours.
Sharing You Initiate — Marketplace Apps
Third-party "mini-apps" may request scoped, revocable access to specific data categories (e.g. "latest vitals" or "read captures"). Access is deny-by-default: an app receives only the scopes you approve, and you can revoke them. These features operate only on your explicit, per-grant consent.
Apple Reminders
We write to Apple Reminders only when you explicitly route a note there.
Legal & Safety
We may disclose information if required by law, subpoena, or legal process, or where we believe in good faith it is necessary to protect the rights, safety, or property of you, us, or others.
Business Transfers
If Vexo is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you and honor the commitments in this policy.
SECTION 08
Data Retention
- Synced biometric, transcript, profile, and device data is retained in your account until you delete the specific data, delete your account, or request deletion — so your history stays available across devices.
- On-device data (including any buffered audio prior to transcription) remains on your phone and is removed when you delete the App or clear its data. Audio is not retained after transcription.
- We retain limited records as required to comply with legal obligations, resolve disputes, and enforce agreements.
SECTION 09
Your Rights & Choices
Depending on where you live, you may have rights to access, correct, delete, export/port, restrict, or object to processing, and to withdraw consent. Vexo honors these rights for all users regardless of location, to the extent practicable.
You can exercise many of these directly:
- Access / view — your data is visible in the App.
- Correct — edit your profile in the App.
- Disconnect external AI access — disable your connection link at any time.
- Revoke app grants — manage scoped permissions in the App.
- Stop collection — power down or unpair the Ring; revoke Bluetooth, Speech, or Reminders permissions in iOS Settings.
- Delete your account or export your data — email us and we will process your request, deleting your synced biometric, transcript, profile, and device data, or providing a copy on request.
To make a rights request, email privacy@vexoring.com. We will verify your identity (typically by confirming control of your account email) before acting, and respond within the timeframe required by applicable law (generally 30–45 days). You will not be discriminated against for exercising your rights.
California residents (CCPA/CPRA): You have the rights to know, to delete, to correct, and to limit the use of sensitive personal information. We use sensitive information only to provide the Services and do not use it to infer characteristics for advertising. We do not sell or share your personal information.
EEA/UK residents: You may also lodge a complaint with your local data protection authority. Authorized agents may submit requests on your behalf with proof of authorization.
SECTION 10
Security
We protect your information with technical and organizational measures, including:
- Encryption in transit (TLS/HTTPS) between the App and our backend, and secure Bluetooth between the Ring and your phone.
- Per-user access controls (row-level security) so each account's data is isolated and readable only by that account and services it authorizes.
- Secure credential storage — authentication tokens are stored in the iOS Keychain; server-side secrets are access-controlled.
- Minimized cloud exposure — audio and raw motion never reach our servers; transcription and AI happen on your device.
- Access logging with redaction of sensitive fields such as tokens and transcript text.
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and regulators as required by law.
SECTION 11
International Data Transfers
We and Supabase may process and store your data in the United States and other countries where our providers operate, which may have data-protection laws different from your own. Where required (for example, for transfers out of the EEA/UK), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. By using the Services, you understand your information may be transferred to these locations.
SECTION 12
Children's Privacy
The Services are not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us information, email privacy@vexoring.com and we will delete it.
SECTION 13
Third-Party Services
The Services integrate with third parties you choose to use — Apple (Sign in with Apple, on-device speech and AI, Reminders), Google (sign-in), and any external AI assistant or marketplace app you connect. Your use of those services is governed by their privacy policies. We encourage you to review them.
SECTION 14
Changes to This Policy
We may update this policy from time to time. If we make material changes — for example, to the categories of data we collect or how we share it — we will notify you through the App or by email before the change takes effect, and we will update the "Last updated" date. Your continued use of the Services after an update means you accept the revised policy.
SECTION 15
Contact Us
If you have questions, requests, or complaints about this policy or your data, contact us:
Vexo Ring — email privacy@vexoring.com