VitalLoop
Security & Privacy

Why should you trust us with your health data?

Most apps ask for your health information and then treat it like marketing data. We don't. VitalLoop is built on the same infrastructure and standards that hospitals and insurers use — so the moment you hand us your data, it's held to a healthcare standard, not a consumer-app standard.

Here's what that means, in plain English.


What we promise

Your data is encrypted, end to end.

From the moment it leaves your device to the moment it's stored, your data is scrambled with the same encryption standards banks use (TLS 1.2+ in transit, AES-256 at rest).

We're built to HIPAA standards from day one.

HIPAA is the U.S. law that tells healthcare companies how they must protect patient data. We designed VitalLoop to meet those requirements before we launched, not as an afterthought.

You can delete all your medical data. Any time. For any reason.

It's your data. If you want it gone, you tap one button and it's gone — from your account, from our backups, from everywhere. No "we'll keep a copy just in case." No 30-day waiting period to change your mind. Deleted means deleted. We give you the power so you'll never have to jump through hoops to clear your data.

What data isn't deleted?

  • Specific VitalLoop business logic data, so that when you're ready to come back or reconnect to your provider, you can do so easily.
  • We do not delete anything from your providers — they are a completely separate entity.

We don't sell your data. Ever.

Not to advertisers. Not to insurers. Not to employers. Not to data brokers. Our business model is you paying us for a product you love.


The infrastructure behind the promise

You shouldn't have to take our word for it. Here's who we've partnered with, and why those names matter.

Medplum — our healthcare data backbone

VitalLoop stores your health data in Medplum, an open-source healthcare platform used by digital health companies, hospitals, and research institutions. Medplum is built on FHIR (the global standard for healthcare data) and is SOC 2 Type II certified and HIPAA compliant.

Why this matters to you: Your data lives in a system purpose-built for healthcare.

Learn more about Medplum

Google Cloud with a BAA — jointly responsible for protecting your data

All of our infrastructure runs on Google Cloud Platform under a signed Business Associate Agreement — a legal contract that makes Google jointly responsible for protecting your health data under HIPAA.

Why this matters to you: Google Cloud is used by the Mayo Clinic, HCA Healthcare, and thousands of other healthcare organizations.

Learn more about GCP healthcare

HIPAA-ready architecture — every safeguard in the Security Rule, from day one

We designed VitalLoop from the first line of code to meet HIPAA's Security Rule and Privacy Rule:

  • Access controls — only you and your authorized caregivers can see your data
  • Audit logs — every access to your data is logged and reviewable
  • Minimum necessary principle — our team sees the least data needed to help you, nothing more

Why this matters to you: Compliance isn't a certificate we earn later — it's how the product was built.


Frequently asked questions

Is my data really private if VitalLoop employees can see it?

As in any hospital or healthcare system, IT admins with elevated privileges are technically able to see health data within our Medplum healthcare database. In practice that information is not accessed, and if it's ever needed for troubleshooting, there are audit trails.

Are you HIPAA certified?

HIPAA doesn't have an official "certification" — it has compliance. We've built VitalLoop to meet HIPAA's Security and Privacy Rules from the ground up, and we're completing a third-party HIPAA attestation. We'll post the attestation letter here when it's done.

Where is my data physically stored?

On Google Cloud servers located in the United States. Data never leaves U.S. servers.

Do you share my data with anyone — insurers, employers, advertisers?

No. The only parties that touch your data are:

  • You
  • Your authorized caregivers
  • Our sub-processors: Google Cloud Platform (hosting & infrastructure, BAA signed)

Can my therapist, doctor, or insurer access my VitalLoop data?

Only if you explicitly share it with them as a caregiver — and then they'll need to use VitalLoop to access your data. We don't push any data to outside systems.

Questions we haven't answered here?

Email our support team directly.

support@getvitalloop.com

A note from the founders

We started VitalLoop because we've felt the same frustration you have — managing your health and that of your loved ones is a full-time job. We promised ourselves that if we ever built something in this space, we'd hold it to a higher standard from the first day.

This page is our first accountability check. If we ever fall short of anything written here, we want to hear about it — and we want to fix it. Tell us at support@getvitalloop.com.

— Alejandro Naranjo