Privacy Policy

Last updated: 7 April 2026

TL;DR — the short version

We store no personal information about you. No name, no email, no health records, no device fingerprint. The only identifier is an anonymous session token (a random UUID) generated in your browser — used only to power push alerts and feedback correlation. You can clear it at any time by clearing your browser data.

1. Who we are

vasus.ai is the consumer-facing brand name of the environmental health intelligence platform operated under the exposomic.ai infrastructure. References to vasus.ai, exposomic.ai, we, us, or our in this policy all refer to the same operating entity. The platform is accessible at vasus.ai (marketing site), app.vasus.ai (consumer SPA), and via the exposomic.ai API.

For data protection enquiries: privacy@vasus.ai

2. What we collect — and what we do not

What we never collect

The following data is never collected, processed, or stored by vasus.ai:

  • Your name, email address, or any contact details
  • Health records, medical history, or diagnosed conditions
  • Device identifiers, IP address logs tied to individuals, or browser fingerprints
  • Location data beyond the location string you explicitly enter into a query
  • Any data that constitutes Special Category Data under GDPR Article 9 (health data, biometric data, genetic data)
  • Cookies beyond what is strictly necessary for the service to function

What we do collect

Anonymous session token

When you first use the app at app.vasus.ai, a random UUID (universally unique identifier) is generated in your browser and stored in localStorage. This token is:

  • Generated entirely client-side — we never create or assign it server-side
  • Not linked to any personal identity, device fingerprint, or IP address
  • Used only to associate your push alert subscription and optional feedback with your device session
  • Cleared permanently if you clear your browser’s local storage

Location strings

When you submit a query, your location string (e.g. “London, UK”) is sent to the API to retrieve the nearest monitored tile. Location strings are:

  • Not stored beyond the request processing lifecycle
  • Not associated with your session token
  • Not used for any purpose other than resolving the nearest environmental data tile

Query logs (aggregated, anonymous)

Each API call to /v1/insight generates a structured log record in the insight_requests table. This record contains:

  • The condition key (e.g. migraine) — not a diagnosis
  • The resolved tile ID (a geographic grid reference, not a precise location)
  • The risk level returned and the number of citations
  • Processing timestamps and pipeline performance metrics
  • The session token (anonymous UUID) if provided

This data is used exclusively for system performance monitoring, pipeline debugging, and aggregate usage analytics. No individual is identifiable from this data.

Feedback (optional, anonymous)

If you submit feedback via the thumbs-up / thumbs-down mechanism, we store: your helpful/not-helpful rating, any category chips you selected, the optional free-text comment (max 200 characters), and your session token. No personal data is required or requested.

Push alert subscriptions (optional)

If you subscribe to push alerts, we store the Web Push subscription object (endpoint URL and encryption keys) from your browser alongside your session token, condition, and location tile. This subscription is tied to your device only — not to any user account. Subscriptions expire after 30 days of inactivity.

Contact form submissions

If you submit a contact form on vasus.ai, your submission is processed by Formspree (a third-party form service). Data submitted via contact forms (name, email, message) is subject to Formspree’s privacy policy and is retained only as long as needed to process and respond to your enquiry. Contact form submissions are entirely separate from the app and API and are not linked to any session token.

3. How we use data

We use the data described above solely for the following purposes:

  • Service delivery: Processing your environmental health query and returning a response
  • Push alerts: Delivering Web Push notifications when your subscribed risk threshold is met
  • System performance: Monitoring API latency, pipeline reliability, and EHSPI scoring accuracy
  • Product improvement: Aggregated, anonymised analysis of which conditions and locations are queried, and whether responses are rated as helpful
  • Correspondence: Responding to contact form submissions and research enquiries

We do not use your data for advertising, profiling, or any form of automated decision-making that produces legal or similarly significant effects.

For users in the UK and European Economic Area, our legal basis for processing is:

  • Legitimate interests (Article 6(1)(f)): System monitoring, security, and aggregate analytics. Our legitimate interest in operating a reliable service does not override your rights, given the absence of personal data.
  • Contract (Article 6(1)(b)): Processing necessary to deliver the service you have requested (i.e., responding to your query).
  • Consent (Article 6(1)(a)): Push alert subscriptions, where the browser permission request constitutes explicit consent.

Because we do not process Special Category Data (Article 9) — we never store health records or process health data as defined under GDPR — the heightened requirements of Article 9 do not apply.

5. Data retention

6. Third-party services

vasus.ai uses the following third-party services. Each is subject to its own privacy policy:

  • Google Cloud Platform (GCP): Hosting infrastructure (Cloud Run, Cloud SQL). Data processed within GCP EU/US regions. Google is a data processor under our configuration.
  • Google Environmental APIs (Air Quality, Weather, Pollen): Environmental data source. Query requests include geographic tile coordinates — no user identifiers.
  • OpenAI API (gpt-4.1-mini): LLM synthesis layer. Queries include environmental context and retrieved paper abstracts — no user data.
  • NCBI / PubMed: Scientific corpus source. No user data transmitted.
  • Formspree: Contact form processing. Subject to Formspree’s own privacy policy. Used only for vasus.ai contact forms, not the app.
  • Cloudflare / CDN: Static asset delivery and DNS. Standard access logs apply; not linked to user sessions.

We do not sell, rent, or share data with third parties for marketing or advertising purposes. We never have and do not intend to.

7. Your rights

Under GDPR and UK GDPR, you have the right to:

  • Access: Request confirmation of what data (if any) we hold associated with your session token
  • Erasure: Request deletion of any data associated with your session token. Because no personal data is linked to your session token, erasure primarily means deletion of your feedback records and push subscription.
  • Object: Object to processing under legitimate interests
  • Portability: Request a copy of your data in machine-readable format

To exercise any of these rights, email privacy@vasus.ai with your session token (visible in the app settings or browser local storage under the key vasusSessionToken). We will respond within 30 days.

You also have the right to lodge a complaint with your supervisory authority. In the UK: the Information Commissioner’s Office (ico.org.uk). In the EU: your national data protection authority.

8. Security

Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 on Google Cloud SQL. Database access is restricted to Cloud Run service accounts under the principle of least privilege. No data is transmitted over unencrypted channels.

We do not store passwords (there are no user accounts) and do not process payment information (there is currently no paid consumer tier).

9. Medical disclaimer

vasus.ai is not a medical device and does not provide medical advice. The information provided by vasus.ai is for educational and informational purposes only. It is not intended to be, and should not be used as, a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition.

Environmental intelligence outputs from vasus.ai represent evidence-informed assessments of environmental conditions relative to published clinical literature. They are not diagnoses, prognoses, or clinical recommendations. The relationship between environmental conditions and individual health outcomes varies significantly between individuals. A “High Risk” rating does not mean you will experience symptoms. A “Low Risk” rating does not mean you will not.

Recommendations included in vasus.ai outputs are general in nature, grounded in peer-reviewed environmental health literature, and not personalised medical advice. Do not disregard professional medical advice or delay seeking it based on information from vasus.ai.

10. Terms of use

Permitted use

vasus.ai is provided for personal, non-commercial, educational use. B2B and API use requires a separate agreement and API credentials issued by vasus.ai / exposomic.ai. Contact ops@exposomic.ai or visit the API access page to enquire.

Prohibited use

You may not use vasus.ai to:

  • Provide medical advice to third parties
  • Make clinical decisions in a healthcare setting without appropriate clinical oversight
  • Attempt to reverse-engineer, scrape, or systematically extract data from the platform
  • Misrepresent vasus.ai outputs as definitive medical guidance
  • Use the API without a valid API key issued by vasus.ai / exposomic.ai

Intellectual property

The vasus.ai platform, EHSPI methodology, weight vectors, scoring algorithms, and associated software are the intellectual property of the operating entity. Scientific citations displayed in outputs are the intellectual property of their respective authors and publishers and are displayed in accordance with fair use and educational use principles.

Limitation of liability

To the maximum extent permitted by applicable law, vasus.ai and its operators shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, use, goodwill, or other intangible losses, resulting from your use of or inability to use the service.

11. Data sources & attribution

vasus.ai uses the following environmental data sources:

  • Google Air Quality API: Hourly AQI, PM2.5, pollutant breakdown. © Google LLC.
  • Google Weather API: Hourly temperature, pressure, humidity, heat index, UV index. © Google LLC.
  • Google Pollen API v2.0: Daily tree, grass, and weed pollen Universal Pollen Index (UPI). © Google LLC.
  • PubMed / NCBI Entrez: Scientific article metadata and abstracts. National Library of Medicine, National Institutes of Health. Public domain for metadata; individual article rights vest in respective publishers.

The EHSPI (Environmental Health Sensitivity Performance Index) is an original methodology developed by vasus.ai. It uses the above data sources as inputs but the scoring methodology, weight vectors, and composite index are proprietary to vasus.ai. Full methodology is published at /research.

Scientific citations displayed in outputs are attributed to their authors and journals. They are retrieved from the vasus.ai evidence corpus (sourced from PubMed) and are displayed in short-form citation format for educational purposes. vasus.ai does not reproduce full article text.

12. Changes to this policy

We will update this policy as the platform evolves. Material changes will be noted at the top of this page with an updated date. Continued use of the platform following a material change constitutes acceptance of the updated policy. The current version is always available at vasus.ai/privacy.

Questions about this policy? Email privacy@vasus.ai. Operational enquiries: ops@exposomic.ai.