Security Practices

Last Updated: January 5, 2026

Our Security Commitment

At Vedalife, we understand that your health and wellness information is deeply personal. We have designed our platform with security as a foundational principle, implementing industry-leading practices to protect your data at every step.

  • AES-256 encryption for all health data and messages at rest
  • TLS 1.3 encryption for all data in transit
  • De-identification before third-party AI processing
  • HIPAA-aligned security practices
  • GDPR and CCPA compliant

Important: About HIPAA Alignment

Vedalife is a wellness platform, not a healthcare provider. As such, we are not a covered entity under HIPAA (Health Insurance Portability and Accountability Act) and are not legally required to comply with HIPAA regulations.

However, because we handle health-related information that you share with us, we voluntarily implement HIPAA-aligned security practices as a demonstration of our commitment to protecting your wellness data. This means we follow many of the same security standards that healthcare providers use, even though we are not legally obligated to do so.

This voluntary commitment reflects our belief that your health information deserves the highest level of protection, regardless of regulatory requirements.

1. Encryption Standards

Data at Rest

All health and wellness data stored in our systems is encrypted using AES-256 encryption, the Advanced Encryption Standard with 256-bit keys. This includes your conversations with Ginger, health profiles, and any sensitive information you share. This is the same encryption standard used by:

  • Financial institutions for protecting banking data
  • Government agencies for classified information
  • Healthcare organizations for patient records

AES-256 is considered unbreakable with current technology and provides protection against unauthorized access even if physical storage is compromised.

Message Encryption

Your conversations with Ginger are encrypted at rest using AES-256-GCM encryption. This means your messages and health discussions are protected with the same level of security applied to your profile data and health information.

Data in Transit

All communications between your device and our servers are protected using TLS 1.3 (Transport Layer Security), the latest and most secure version of the protocol that underlies HTTPS. This ensures:

  • Your data cannot be intercepted during transmission
  • You are always communicating with our authentic servers
  • Protection against man-in-the-middle attacks

Password Security

Your password is never stored in readable form. We use bcrypt, an industry-standard password hashing algorithm, which means:

  • We cannot see or recover your password
  • Each password is uniquely salted to prevent rainbow table attacks
  • Even if our database were compromised, passwords remain protected

2. De-identification for AI Processing

When you interact with Ginger, our AI wellness assistant, your conversations are processed by Anthropic's Claude AI. Before sending data to Anthropic, we apply a de-identification layer to minimize personal data exposure:

  • Name Removal: Your real name is removed or replaced with a pseudonym
  • Location Generalization: Specific addresses are generalized to region level only
  • Date Conversion: Exact birth dates are converted to age ranges (e.g., "35-44" instead of a specific date)
  • Identifier Stripping: Other direct identifiers like email addresses are removed before transmission

This approach allows Ginger to provide personalized wellness guidance while minimizing the personal information shared with third-party AI services.

3. Access Controls

User Data Isolation

Your data is strictly isolated from other users at the database level. This architectural design ensures that:

  • No user can access another user's conversations or health information
  • Each account's data is logically separated in our systems
  • Even our own systems enforce data boundaries between users

Role-Based Access Control

Internal access to our systems follows the principle of least privilege:

  • Team members only have access to systems required for their role
  • Administrative access is strictly limited and monitored
  • No employee can casually browse user data

4. Audit Logging and Accountability

We maintain comprehensive audit logs to ensure accountability and enable security monitoring:

  • Comprehensive Logging: All access to sensitive data and systems is recorded
  • 6-Year Retention: Audit logs are retained for 6 years, enabling historical security analysis and compliance verification
  • Tamper Protection: Logs are protected against unauthorized modification

5. Third-Party Security

Data Processing Agreements

All third-party service providers that process your data have signed comprehensive Data Processing Agreements (DPAs) that contractually require them to:

  • Implement appropriate security measures
  • Process data only as instructed by Vedalife
  • Assist with data subject rights requests
  • Notify us of any security incidents

AI Processing (Anthropic)

Our AI provider, Anthropic, has committed to the following protections:

  • No Model Training: API inputs are not used for training AI models
  • Limited Retention: Data is retained for up to 30 days for trust and safety purposes only, then deleted
  • Security Standards: Anthropic maintains SOC 2 Type II certification and other security certifications

6. Regulatory Compliance

GDPR (European Union)

For users in the European Union, we comply with the General Data Protection Regulation (GDPR), including:

  • Lawful basis for processing (consent)
  • Data subject rights (access, rectification, erasure, portability)
  • Data minimization and purpose limitation
  • Appropriate safeguards for international data transfers

CCPA (California)

For California residents, we comply with the California Consumer Privacy Act (CCPA), including:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

7. Your Data Rights

Regardless of your location, you have the following rights regarding your data:

  • Access: View all data we store about you through your account settings
  • Rectification: Correct any inaccurate information in your profile
  • Erasure: Delete individual conversations or your entire account permanently
  • Portability: Export your data in machine-readable formats (JSON/CSV)
  • Withdraw Consent: Stop data processing by deleting your account

To exercise these rights, visit your Account Settings or contact us at hello@vedalife.ai.

8. Security Questions and Concerns

If you have questions about our security practices or want to report a security concern, please contact us:

Email: hello@vedalife.ai

Mail:
VEDALIFE INC.
1630 Chicago Avenue STE 1301
Evanston, IL 60201

Related Policies

For more information about how we handle your data, please also review: