HealioV App Privacy Policy
This "HealioV App Privacy Policy" (hereinafter referred to as the "Policy") aims to protect the privacy rights of personal data subjects. Inventec Corporation (hereinafter referred to as "the Company") is committed to protecting your privacy rights in accordance with the Personal Data Protection Act and implementing appropriate protective measures. This App is a daily posture reference tool (not a medical device). All results are for daily activity reference only and do not constitute medical diagnosis, treatment recommendations, or professional medical advice. By accessing or using this application (hereinafter referred to as "the App"), you signify that you have read, understood, and agree to accept all the contents of this Policy. The Company may modify or change this Privacy Policy at any time. The revised content will be published on the VRSTATE official website without individual notice.
Article 1: Applicable Subjects
The subjects to whom this Policy applies include: users of the App services (hereinafter referred to as "You"). Children under the age of 13 must obtain the consent of a legal guardian to use this App.
Article 2: Definition of Personal Data
The Personal Data collected by the App includes, but is not limited to, the following categories:
- Account data: nickname, avatar, email address
- Usage data: posture scan records, AI posture assistant Q&A records
- Camera and image data: full-body images captured during posture scans (may incidentally include facial pixels)
- Device information: operating system type, application version, language preference
The App collects posture scan images for daily posture reference only. Scan results are not used for medical analysis, medical diagnosis, or any clinical decision-making. The data is not uploaded to any medical institution or health database.
Article 3: Collection, Processing, Storage, and Use of Personal Data
I. Scope of Information Collection: For the specific purpose of providing services, the Company may collect or obtain your Personal Data under the following circumstances:
- Actively provided information: nickname, avatar, and posture scan photos you proactively upload, language preferences, etc.
- Device information and usage records: operation logs, interaction behaviors, AI assistant Q&A records, etc.
- Posture scan photos: processed only when you actively initiate a camera scan.
II. Purposes of Information Use: The Company collects, processes, and uses your Personal Data primarily for the following purposes:
- Core functionality implementation: used for posture scanning, AI posture assistant, and other core features.
- Service optimization and security: used for data analysis, product improvement, service optimization, and security maintenance, including fraud prevention and monitoring abnormal behavior.
- Scan record management: used to generate posture scan records and support user-initiated sharing.
III. Data Retention: The Company will retain your Personal Data for the period necessary to fulfill the purpose for which it was collected. Personal Data may continue to be retained and used, but you have the right to request the Company to delete your Personal Data according to Clause 6 of Article 6 of this Policy.
IV. Camera and Image Data: The posture scan feature captures full-body images through your device's front camera. These images may contain your face. The App uses these images solely to: (a) display the live camera preview to you during the scan; (b) extract 33 skeletal keypoints on-device via MediaPipe Pose; and (c) upload the full-body JPEG to the Company's backend (api.vrstate.com) for report generation.
V. Face Data: The App does not perform face recognition, face authentication, or any biometric identification. Your face is incidentally present in the captured frames but is not the subject of any analysis or storage beyond the posture scan report.
VI. On-device Facial Landmarks: 10 MediaPipe keypoints within the face region (nose, eyes, ears, mouth corners) are computed on your device. These coordinates are NOT uploaded to the Company's backend — they are stripped before transmission.
VII. Image Retention: Full-body images are retained on the Company's backend until you delete the scan history manually or delete your account. Account deletion completes within 20 business days.
Article 4: Protection of Personal Data and Information Security Management Mechanism
I. Information Security Measures: The Company employs necessary technical and organizational protective measures, including but not limited to encryption mechanisms, firewalls, HTTPS encrypted data transmission, restriction of server access permissions, and execution log control, to prevent Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorized access. If you believe the security of your Personal Data has been compromised, you may contact the Company immediately.
II. Outsourcing Management: If the Company entrusts a third party to provide services due to business needs, the Company will strictly require them to comply with this Policy and implement necessary inspection procedures to ensure their compliance.
III. Internal Management and Supervision: Only authorized personnel may access your Personal Data, and such personnel are required to comply with the Company's relevant policies and regulations.
IV. Zero-Tolerance Policy: The Company adopts a zero-tolerance policy towards acts that infringe upon privacy rights and Personal Data protection. If an investigation confirms a violation of relevant privacy protection and Personal Data protection laws and regulations, the Company will impose penalties on the violator according to regulations and pursue legal liability when necessary.
Article 5: Principles for Sharing Personal Data with Third Parties
I. Commitment: The Company undertakes that it will not arbitrarily provide, exchange, lease, or sell any of your Personal Data to other third parties. Exceptions apply where the recipient is one to whom you have consented, a party bound by a confidentiality agreement with the Company, an entity with legal grounds or contractual obligations, and/or where such sharing complies with the provisions of this Policy.
II. Third-Party Services: To implement certain functions (such as data analysis, social sharing), the App may need to share the necessary, minimalized data with third-party service providers. When you use such third-party services, you must comply with their own privacy policies.
III. Transaction Redirection: When you use the App to redirect to a third-party platform for purchases or interactions, the data processing on that third-party platform will be subject to its own privacy policy. Our platform does not assume data protection responsibility in such cases.
IV. Service Infrastructure (All Operated by the Company): All AI and voice services used by the App are operated by the Company (the same entity that operates this App). No data is shared with any third-party AI provider.
api.vrstate.com — Posture Analysis Backend — Operator: the Company. Hosting: Microsoft Azure East Asia region (Hong Kong). Purpose: process scan images, generate reports, synchronize data across user devices. Data shared: full-body images (with incidental face pixels) + posture score JSON. Retention: until user manually deletes scan history, or within 20 business days of account deletion.
vpr123.com — Voice AI (TTS / ASR) — Operator: the Company. Hosting: Mainland China. Purpose: text-to-speech for scan voice guidance; speech-to-text for voice chat. Data shared: text strings only (TTS, no biometric data); audio bytes from microphone (ASR, no biometric identification, not retained post-transcription). Retention: audio processed in real-time; not stored.
sso.vrstate.com — Authentication — Operator: the Company. Hosting: Microsoft Azure East Asia region (Hong Kong). Purpose: OAuth 2.1 + PKCE login. Data shared: email and hashed credentials.
Supabase Edge Function — Account Deletion — Operator: Supabase Inc. (data processor under a Data Processing Agreement with the Company). Purpose: receive and queue account deletion requests. Data shared: email and platform metadata. The Company has a DPA with Supabase Inc. governing this limited data processing. Supabase does not use the data for its own purposes.
Article 6: Your Rights
Regarding your Personal Data, you may exercise the following rights towards the Company under lawful circumstances:
I. Right to Decide: You have the right to decide whether to provide the Company with your Personal Data. When the Company requests Personal Data, you have the right to refuse. However, if you choose not to provide your Personal Data, the Company may be unable to fully provide the relevant functions or services of this App.
II. Right to Withdraw Consent: The Company processes your Personal Data based on your consent. Nevertheless, you have the right to withdraw your consent at any time. Such withdrawal does not affect the lawfulness of the Company's collection and processing of your Personal Data prior to the withdrawal.
III. Right to Query or Access.
IV. Request a copy of your Personal Data.
V. Request supplementation or correction of your Personal Data.
VI. Request deletion, or cessation of the collection, processing, or use of your Personal Data.
VII. Data Portability: Where technically feasible and necessary to exercise your rights, you may request the transfer of your Personal Data in an electronic and machine-readable format to a designated third-party service provider.
Article 7: Cross-Border Transfer
As the Company is a multinational enterprise, there may be circumstances involving cross-border transfer and use of Personal Data. Such activities will occur without exceeding the specific purpose for which the Personal Data was originally collected, processed, and used, and within the scope of this Policy. The Company will adhere to this Policy and comply with the privacy protection and Personal Data protection laws and regulations applicable in the regions involved in the cross-border transfer.
Article 8: Risk Management Policy and Procedures
I. Risk Assessment: In accordance with its risk management policy and procedures, the Company regularly conducts privacy protection risk management to identify and assess factors that may pose risks, including: unauthorized access, data breaches, data corruption, and other cybersecurity threats.
II. Risk Mitigation Measures: For identified risks, the Company will implement appropriate mitigation measures, including: strengthening data encryption technologies, enhancing cybersecurity protection levels, conducting regular security audits and penetration testing, and developing and updating response plans and measures.
III. Risk Monitoring and Audits: The Company will continuously monitor and assess privacy protection risks, and conduct regular or ad hoc internal and external audits to ensure the security and integrity of Personal Data.
Article 9: Governing Law and Jurisdiction
The interpretation and application of this Privacy Policy, as well as any disputes related to this Privacy Policy, shall be governed by the laws of the Taiwan. If litigation becomes necessary, both parties agree that the Taiwan Shilin District Court shall be the court of first instance.
Article 10: Incident Contact
If you wish to exercise your rights under Article 6 of this Policy, or if you discover any suspected violation of this Policy, you may contact the Company through in-app customer service or the following designated channels:
- Email: service@vrstate.com
- Address: Metaverse Technology Department, Inventec Corporation, No. 166, Sec. 4, Chengde Rd., Shilin Dist., Taipei City 11167

