Privacy Policy

Effective as of: August 13, 2025

1. Scope & Roles

This Policy applies to information processed by us in connection with the Services. For some processing we act as processor on your behalf (e.g., storing your logs).

1. Children & Minimum Age

The Services are not directed to children under 13. Users must be old enough to lawfully consent to data processing in their jurisdiction (typically 16 in many countries). In the United States, users 13–15 may use the Services only with verifiable parental consent. We do not knowingly collect personal data from children under 13; if we learn we have, we will delete it.

1. Personal Data We Collect

3.1 Information You Provide

• Account & Profile. Name, email, avatar, age band, settings.

• AI Coach & Logs. Prompts, messages, notes, annotations you enter.

• Meal Images. Photos you capture or upload for analysis; associated metadata (e.g., timestamp, device type).

• Plans & Goals. Targets, reminders, and preferences you set.

• Support & Feedback. Messages, attachments, ratings, survey responses.

• Purchases. Subscription tier, transaction identifiers, and platform receipts (we do not store full payment card numbers for App Store/Play purchases).

3.2 Information From Device/Services (with your permission)

• Health & Fitness Data. If you connect Apple Health (HealthKit) / Google Fit: energy intake/outtake, steps, weight, body measures, nutrition metrics, workouts, etc., as explicitly authorized by you. You can revoke access at any time in device settings.

• Photos/Camera. Access to capture/select images for food analysis and to save/share results.

• Notifications. Token to send reminders.

3.3 Information Collected Automatically

• Usage & Diagnostics. App interactions, device identifiers, crash logs, performance metrics, IP (coarsened), and basic device data.

• Analytics. Event metrics to understand feature usage and improve quality.

1. Why We Use Personal Data (Purposes & Legal Bases)

• Provide the Services (contract): account, features, syncing, and support.

• Health & Wellness Features (consent): reading/writing health data you authorize; personalized tips; stats.

• AI Processing (contract/legitimate interests; consent where required): transforming your inputs and images to generate outputs; improving quality and safety.

• Safety, Security & Integrity (legitimate interests/legal obligation): abuse detection, troubleshooting, preventing fraud.

• Communications (contract/consent): transactional emails, reminders; optional marketing with opt‑out.

• Research & Improvement (legitimate interests/consent for sensitive data): de‑identified and aggregated analytics to enhance features and models; you may opt out of training use as described in Section 5.

When required (e.g., processing sensitive data like health information or precise location), we seek explicit consent and allow withdrawal at any time without affecting core functionality.

1. How We Share Information

We do not sell your personal information. We do not use or disclose HealthKit/fitness data for advertising or marketing. We share data only with:

• Service Providers / Processors under contracts that require confidentiality and security (e.g., cloud hosting, analytics, crash reporting, customer support, content moderation, push notifications, optional AI processing).

• Affiliates (where applicable) under this Policy.

• Legal & Safety: to comply with law or protect rights, safety, and integrity.

• Business Transfers: in connection with a merger, acquisition, or asset sale (with notice as required by law).

We do not share HealthKit data with data brokers or for third‑party advertising.

1. App Tracking Transparency (ATT) & Ads

We do not track you across other companies’ apps and websites for targeted advertising. If we ever introduce features that constitute “tracking,” we will first present Apple’s ATT prompt and update this Policy. We may use Apple’s SKAdNetwork for privacy‑preserving attribution.

1. Your Choices & Rights

• Permissions. Grant or revoke device permissions (Health, Camera/Photos, Notifications) in Settings at any time.

• Access, Port, Correct, Delete. Depending on where you live (e.g., EU/UK GDPR; California CPRA; Virginia VCDPA), you may request access, portability, correction, or deletion.

• Opt‑Outs. Opt out of marketing emails via the footer; opt out of model‑training use via in‑app settings (where available) or by emailing [privacy@your‑site.com].

• Do Not Sell/Share (US states). You can request we do not “sell” or “share” personal information (as defined by state law). We do not sell personal information, and we do not share it for cross‑context behavioral advertising.

To exercise rights, email [privacy@your‑site.com]. We will verify your request and respond as required by law. You may designate an authorized agent where permitted.

1. Data Security

We maintain administrative, technical, and physical safeguards appropriate to the nature of the data. No method of transmission or storage is 100% secure.

1. International Transfers

We may process and store data in countries outside your own. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses) and ensure equivalent protection.

1. Data Retention

We retain personal data for as long as needed to provide the Services and for legitimate business or legal purposes. You may delete content within the App and/or request account deletion. We also honor HealthKit’s revocation: if access is revoked, we cease new collection and, upon request, delete previously collected health data (unless retention is required by law).

1. Health Data Specifics (Apple Health / HealthKit)

• We only access the specific categories of data you authorize and only for the stated, user‑facing purposes.

• We do not use HealthKit data for advertising, marketing, or use‑based data mining.

• We do not store personal health information in iCloud.

• We do not write false or inaccurate data to HealthKit.

• You can revoke access anytime in Settings › Privacy & Security › Health.

1. Third‑Party Content & Links

Third‑party websites and services are governed by their own policies. We are not responsible for their practices.

1. Changes to This Policy

We may update this Policy from time to time. We will post the effective date and provide additional notice where required. Continued use means you accept the changes.

1. State & Regional Notices (Summary)

• California (CPRA): you may request access, correction, deletion, and limit use of sensitive personal information; you also have the right to know, portability, and non‑discrimination. We do not sell or share personal information.

• Virginia/Colorado/Connecticut/Utah (US state laws): you may opt out of targeted advertising, sales, or profiling; access, correct, delete, and portability.

• EEA/UK/Swiss (GDPR/UK GDPR): legal bases include consent, contract, legitimate interests; you may contact your supervisory authority; where required we appoint an EU/UK representative and DPO.

1. App Privacy “Nutrition Label” (Disclosure Map)

The App may collect the following data types when features are enabled, for the purposes shown below. Exact data types and linkage depend on your settings and region; we keep this table current on our website.

• Contact Info (email): App Functionality, Support.

• User Content (meal photos, notes, chat inputs): App Functionality, Product Personalization, Analytics.

• Health & Fitness (authorized HealthKit categories): App Functionality (wellness), Product Personalization; never for ads/marketing.

• Identifiers (user ID/device token): App Functionality, Security, Analytics.

• Usage Data & Diagnostics: Analytics, App Functionality (performance, crash logs).

• Purchases (receipt identifiers): App Functionality, Fraud Prevention.

We link these data types to your account only as needed to provide the Services and do not use them for cross‑app tracking.

1. Regional Age Thresholds (Reference)

We do not permit accounts for users under 13. Where law sets a higher age of digital consent (e.g., 16 in many countries), that higher age applies unless verifiable parental consent is provided where permitted. For US residents 13–15, certain state laws require opt‑in for “selling” or “sharing” personal data; we do not engage in such practices.

1. Data Deletion & Account Closure

You can request account and data deletion in‑app. After verification, we will delete or de‑identify your personal data, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, accounting records).

Last updated: August 13, 2025