Last updated: May 18, 2025
Vitamin GPT (“we,” “us,” “our”) is an open‑source chatbot hosted on Vercel. Source code is publicly available at https://github.com/kevink520/vitamin-gpt. To contact us, email kevin@digitalmedia.nyc.
This Privacy Policy explains how we collect, use, disclose, and safeguard information obtained when you interact with the chatbot located at https://vitamin-gpt.vercel.app (the “Service”).
| Category | Examples | Collected How | Purpose |
|---|---|---|---|
| Chat Content | Free‑form text you enter | Directly from you | Provide responses, improve Service |
| Analytics Data | Page‑views, anonymised IP (last octet removed), device/OS, geographic region (city/country) | Google Analytics 4 JavaScript (gtag.js) cookies & local‑storage | Measure traffic patterns, improve performance |
| Device & Usage | IP address, browser type, timestamps, referrer | Automated logs | Security, analytics |
| Optional Identifiers | Email (if voluntarily provided) | Directly from you | Account linking, support |
We do not intentionally collect special categories of personal data (e.g., health, biometric).
- Consent – when you click the “Send” button, you consent to processing the text you enter.
- Legitimate Interests – to prevent abuse, maintain logs, and improve the Service.
- Contract – if you sign up for an account or API key.
- Generate and display chatbot responses.
- Analyse usage trends via Google Analytics 4 to understand which prompts and pages are most helpful and to diagnose errors.
- Monitor performance and debug errors.
- Anonymize conversations for research or documentation.
- Comply with legal obligations.
We share data only with:
| Provider | Role | Safeguards |
|---|---|---|
| Google LLC (Google Analytics 4) | Web analytics & performance metrics | IP-anonymisation, no PII per GA ToS, EU Standard Contractual Clauses for cross-border transfers |
| Amazon Web Services (DynamoDB, Region us-east-1) | Primary database | Encryption at rest (KMS); AWS DPA |
| Vercel Inc. | Hosting & edge caching | Standard Contractual Clauses (for EU data) |
| GitHub Inc. (Actions logs) | Continuous deployment | Access restricted |
No data is sold or rented.
Chat logs are kept for 30 days, then irreversibly anonymized; system backups are deleted within 90 days. Aggregated statistics may be kept indefinitely.
Google Analytics reports are automatically set to 26-month rolling deletion, the shortest GA4 retention period, after which only aggregated statistics remain.
We employ TLS 1.3 for all network traffic, encryption at rest via AWS KMS, IAM least‑privilege policies, and routine vulnerability scans.
- GDPR/UK GDPR: access, rectification, erasure, restriction, data portability, objection.
- California: right to know, delete, correct, and opt‑out of selling/sharing personal info.
To exercise any right, email kevin@digitalmedia.nyc or open an issue on the GitHub repo. We will respond within 30 days.
Users may also opt out of analytics tracking at any time via the methods listed in §10 or by e‑mailing us.
The Service itself sets no first‑party cookies, but Google Analytics 4 places the following cookies or uses local‑storage keys:
| Name | Lifetime | Purpose |
|---|---|---|
| _ga | 24 months | Distinguish users |
| _ga_<container‑id> | 24 months | Persist session state |
| _gid | 24 h | Session counter |
Opt‑out: Visitors can install the Google Analytics Opt‑out Browser Add‑on or use browser Do Not Track settings. We honour these signals by disabling GA4 collection when consent is not granted (see banner on first visit).
The Service is not directed to children under 13. We do not knowingly collect info from children. If you believe we have inadvertently collected such info, contact us for deletion.
We may update this Policy from time to time. Material changes will be announced on the GitHub repository’s Releases page and take effect 14 days after posting.
Questions? Email kevin@digitalmedia.nyc.