Privacy

A privacy notice you can actually read.

How Vitamet collects, uses, shares, and protects your personal and health information, written in plain English and structured for the underwriters, regulators, and patients who need to read it carefully. Effective June 21, 2026. Last updated June 21, 2026.

1. Who we are

Vitamet Clinical Formulations, Inc. ("Vitamet," "we," "us," "our") is a Delaware corporation headquartered at 6507 Jester Blvd 510Q, Austin, TX 78750, United States. We operate an FDA-registered dietary supplement manufacturing facility under 21 CFR Part 111 cGMP.
This Privacy Policy explains how we collect, use, share, and protect personal information when you visit vitamet.com, create an account, place an order, communicate with our pharmacy team, or interact with us in any other way.
If you have questions about this policy or how we handle your information, contact our Privacy Officer at privacy [at] vitamet.com or by mail at the address above.

2. Scope of this policy

This policy applies to information we collect online through our website and applications, in person at our facility, by phone or email with our pharmacy team, through our physician portal, and through third-party services that integrate with our platform.
This policy does not apply to information collected by third parties through their own services, even when we link to them. We are not responsible for the privacy practices of third parties.

3. Information we collect

We collect only the information we need to manufacture, ship, and stand behind your formulation, plus the records we are legally required to keep. Categories include:

Category	Details
Identifiers	Name, postal address, email, phone number, account credentials, IP address, device identifiers.
Customer records	Billing and shipping address, order history, formulation records, communications with our team.
Commercial information	Products purchased or considered, subscription cadence, payment status (we do not store full card numbers).
Health information	Intake answers, allergies, current medications, bloodwork files, and physician protocols that you voluntarily share with us so a pharmacist can review your formulation.
Sensitive personal information	Date of birth (optional), precise health information (only when you provide it). Treated as sensitive under U.S. state privacy laws.
Internet activity	Pages visited on vitamet.com, referring URL, browser type, session timing, and interactions with our builder. Collected via first-party, privacy-respecting analytics.
Geolocation	Approximate location derived from IP address. We do not collect precise geolocation.
Inferences	Limited inferences about preferences (e.g., suggested ingredient categories) drawn from your builder activity and prior orders.
Payment data	Tokenized payment credentials returned by Stripe. We do not see or store full card numbers, CVV, or bank account numbers.

4. How we collect it

Directly from you: when you create an account, build a formulation, upload bloodwork, place an order, contact support, or respond to a survey.
From your healthcare provider: if you authorize your physician to send a protocol or share clinical notes with us through our physician portal.
Automatically: through cookies, log files, and analytics tools when you visit our website. See Section 11 for details on cookies.
From service providers: payment, shipping, and laboratory partners return order status, delivery events, and Certificates of Analysis to us.

5. How we use your information

Formulating, manufacturing, releasing, and shipping your individualized bottles.
Conducting pharmacist review and flagging dosages that exceed safe upper limits or interact with disclosed medications.
Processing payments, refunds, exchanges, and chargebacks.
Sending transactional messages: order confirmations, shipping updates, lot recalls, formulation expiration reminders.
Sending marketing emails about products and content you have opted in to receive. You can unsubscribe at any time.
Operating, securing, and improving the Vitamet website, builder, and physician portal.
Maintaining batch records, complaint files, and adverse event logs as required by 21 CFR Part 111, state pharmacy boards, and FDA reporting obligations.
Detecting and preventing fraud, abuse, and security incidents.
Defending and enforcing our legal rights, including responding to subpoenas and lawful government requests.

6. Legal bases (EEA/UK residents)

If you are in the EEA or UK, we process your personal information under one or more of the following legal bases: performance of a contract (to fulfill your order), legitimate interests (to operate and improve our service, prevent fraud, and communicate with you about orders), consent (for marketing email, optional health information, and non-essential cookies), and legal obligation (to maintain manufacturing and complaint records, respond to lawful requests, and comply with tax law).
You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

8. Subprocessors

Our current list of subprocessors who may process personal information on our behalf:

We update this list when subprocessors change. Material changes are announced by email at least 30 days in advance for customers who have opted into compliance notifications.

Vendor	Details
Stripe, Inc.	Payment processing (US)
Amazon Web Services	Cloud hosting and storage (US-East)
Postmark (ActiveCampaign)	Transactional email delivery (US)
Plausible Analytics	Privacy-respecting site analytics (EU)
Datadog	Operational logging and monitoring (US)
Eurofins Scientific	Third-party analytical testing of finished lots
UPS / USPS	Outbound shipping
Twilio	Optional SMS shipping notifications

9. How long we keep information

We keep personal information only as long as we need it for the purposes described in this policy, or as long as the law requires.

Record type	Details
Batch records, master formulas, complaint files	7 years (21 CFR Part 111.605)
Order, shipping, and payment records	7 years (tax and consumer-protection compliance)
Clinical intake files and uploaded bloodwork	3 years after your last order, or until you request deletion, whichever is sooner
Account profile	Until you delete your account, then purged within 30 days
Marketing email list	Until you unsubscribe, then suppressed (not retained) indefinitely to honor your opt-out
Server and security logs	90 days, then aggregated and anonymized
Backups	35 days rolling, then overwritten

10. How we protect information

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction.
Transport encryption (TLS 1.2+) for all data in transit between your browser, our servers, and our subprocessors.
Encryption at rest for production databases and clinical document storage.
Role-based access controls. Clinical intake files are accessible only to pharmacy staff with a documented need to review them; access is logged.
Mandatory multi-factor authentication for all employee accounts and administrative tooling.
Quarterly access reviews and annual third-party penetration testing.
Documented incident response plan; notification of affected individuals and regulators within the timeframes required by applicable law (typically within 72 hours of discovery for jurisdictions that require it).
No system is perfectly secure. If you believe your account has been compromised, contact security [at] vitamet.com immediately.

11. Cookies and similar technologies

Strictly necessary cookies: session and authentication cookies that keep you signed in and remember your formulation in progress. These cannot be disabled without breaking core functionality.
Preference cookies: remember choices like region and notification preferences.
Analytics cookies: a single first-party cookie used by our privacy-respecting analytics provider (Plausible) to count unique visitors. No cross-site tracking and no advertising cookies.
We do not use third-party advertising cookies, retargeting pixels, social media tracking pixels, or session-replay tools.
Your browser's Global Privacy Control (GPC) signal is honored as an opt-out of any sale or sharing of personal information, where applicable.

12. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal information. We extend these rights to all U.S. residents as a matter of policy, regardless of state.

Right to know what personal information we hold about you.
Right to access a copy of that information in a portable, machine-readable format.
Right to correct inaccurate information.
Right to delete information, subject to our recordkeeping obligations under 21 CFR Part 111.
Right to opt out of marketing communications at any time.
Right to opt out of any sale or sharing of personal information for targeted advertising, note: we do not sell or share for advertising in the first place.
Right to limit the use of sensitive personal information to what is necessary to provide the service you requested.
Right to non-discrimination for exercising any of these rights.
Right to appeal a decision we make about your request, where state law provides for an appeal.
To exercise any of these rights, email privacy [at] vitamet.com or write to our Privacy Officer at the postal address in Section 1. We will respond within 45 days (or sooner where law requires), and we may need to verify your identity before fulfilling the request. You may authorize an agent to act on your behalf with written documentation.

13. U.S. state-specific disclosures

California (CCPA/CPRA): We disclose the categories of information collected and shared in Section 3, the purposes in Section 5, and the categories of recipients in Section 7. We have not sold or shared personal information for cross-context behavioral advertising and have no actual knowledge of selling or sharing personal information of consumers under 16. California residents may designate an authorized agent.
Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and similar state laws: you have access, correction, deletion, portability, and opt-out rights as described in Section 12.
Nevada: we do not sell covered information as defined by Nevada SB 220.
If you are a resident of a state with a private-action notice requirement, please send statutory notices to our Privacy Officer at the address in Section 1.

14. International transfers

Vitamet is based in the United States and our primary servers are located in the U.S. If you access our service from outside the U.S., your personal information will be transferred to, stored, and processed in the U.S., which may not provide the same level of data protection as your home country.
Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our subprocessors located outside the U.S.

15. Children's privacy

Vitamet products are not formulated or marketed for individuals under 18. We do not knowingly collect personal information from anyone under 18.
If you believe a child has provided us with personal information, please contact privacy [at] vitamet.com and we will delete it.

16. Do Not Track

Our website does not respond to Do Not Track (DNT) browser signals because there is no industry consensus on how to interpret them. We do honor Global Privacy Control (GPC) signals as an opt-out where applicable, as described in Section 11.

17. Third-party links

Our site may link to third-party websites, including those of healthcare providers, news outlets, and ingredient suppliers. We are not responsible for the privacy practices of these sites. Review their policies before submitting any personal information.

18. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision.
If we make material changes, we will notify affected users by email at least 30 days before the change takes effect, and we will post a notice on this page. Continued use of the service after the effective date constitutes acceptance of the revised policy.

19. How to contact us

Privacy Officer · Vitamet Clinical Formulations, Inc. · 6507 Jester Blvd 510Q · Austin, TX 78750 · United States.
Email: privacy [at] vitamet.com (general privacy questions and rights requests).
Email: security [at] vitamet.com (suspected security incidents).
Email: care [at] vitamet.com (orders, formulations, shipping).
Phone: +1 504 [dot] 261 [dot] 7222, Monday–Friday, 9:00 a.m. – 5:00 p.m. Central Time.