1. Introduction
Welcome to Nutri ("App," "we," "us," or "our"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our nutrition tracking and health analytics mobile application.
This Policy describes Nutri's processing of your personal data so you can make informed choices about it. Where we rely on your consent — notably for the processing of special-category health data under GDPR Art. 9(2)(a) — you give that consent through specific in-app prompts, and you may withdraw it at any time from the screen that governs that processing (for example, Profile → Apple Health for health-data sync) — without losing access to the rest of the App. Where we rely on a different lawful basis (such as performance of our contract with you, or our legitimate interest in keeping the App stable and secure), this Policy explains that basis in the relevant section below.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide, including:
- Account information: Name, email address, password
- Profile data: Age, gender, height, weight, activity level
- Nutrition goals: Calorie targets, macronutrient goals
- Meal data: Food items, portions, meal times, nutritional content
- Health metrics: Heart rate, HRV, sleep data, weight measurements
- Photos: Food images you capture or select are first analysed on your device. Detection and segmentation run through Apple's Core ML; the food-recognition step runs through Apple's MLX framework. For images the on-device pipeline cannot identify with sufficient confidence, Nutri uploads the image to its ML service (hosted on Hetzner, EU central) for server-side analysis. Uploaded images are processed in memory only — they are not persisted to disk on Nutri's servers and are not used to train Nutri's models. See the Model Card on the food scan screen for the classifier's biases, limitations, and intended use.
- Notes and comments: Personal notes attached to meals or metrics
2.2 Information Collected Automatically
When you use Nutri, we automatically collect certain information:
- Device information: Device type, operating system, unique device identifiers
- App usage data: Features used, screens viewed, interaction patterns
- Log data: Access times, error logs, performance metrics
2.3 Information from Third Parties
With your permission, we may receive data from integrated health platforms:
- Apple Health (HealthKit): Health metrics, activity data, sleep data — including readings written into Apple Health by third-party wearables (Fitbit, Garmin, Oura, Whoop, etc.) that you have separately authorised. Nutri does not connect to those vendors directly.
- Food databases: Open Food Facts (ODbL 1.0), USDA FoodData Central (public domain) — we send only the barcode or food identifier you provide; no personal information is shared with these public databases.
3. How We Use Your Information
3.1 Primary Uses
We use your information to:
- Provide and maintain the App services
- Track your nutrition intake and health metrics
- Generate personalized nutrition tracking summaries
- Display historical trends and correlations
- Sync data across your devices
- Send important service notifications
3.2 Service Improvement
We may also use your information to:
- Improve and optimize App performance
- Develop new features and functionality
- Operate and improve the food-image classifier (CLIP / Food-101) and ingredient databases using publicly-sourced training data (no user-specific biomarker training)
- Fix bugs and technical issues
3.3 Communications
With your consent, we may send you:
- Service updates and announcements
- Promotional materials (you can opt out at any time)
This release does not deliver push reminders for meal logging or supplement intake, or tip-style nutrition notifications — these categories are temporarily disabled at the build level. If and when they are re-enabled, this Policy will reflect the change, and you will be able to manage each category from Profile → Notifications.
Transactional and promotional emails are sent from separate domains so you can recognise and opt out of each stream independently. Transactional messages (password resets, security notices, subscription receipts) are sent from mail.gonutri.app; promotional messages are sent from marketing.gonutri.app and can be unsubscribed from at any time via the footer link in any marketing email or from Profile → Email Settings. Note that transactional email delivery is currently disabled in production (see the Resend entry in §4.1); the sending domains above apply when it is enabled. Opting out of marketing does not affect transactional messages, which are required for your account to function (UK PECR reg. 22(2); GDPR Art. 6(1)(b)).
4. Data Storage and Security
4.1 Where We Store Your Data
Your data is stored with the following infrastructure sub-processors. Hetzner (EU), Supabase (EU), and the self-hosted services on the Hetzner VPS are within the EEA. Transfers outside the EEA (to Upstash, whose primary sits in London and which is used only by our ML service; to Sentry; to Expo Push Service; and, when enabled, to Resend) are governed by EU/UK Standard Contractual Clauses (SCCs) and the supplementary measures described below:
- Hetzner Cloud (Germany, Falkenstein) — compute and API hosting (Coolify orchestration). Hosts the Node.js backend, the ML service, and a self-hosted Redis cache used by the backend. The primary PostgreSQL database lives at Supabase (see next entry), not on Hetzner.
- Supabase (EU central / Frankfurt — aws-1-eu-central-1) — managed PostgreSQL database for account, meal, and health-metric records. Article 9 fields are encrypted at rest with our own AES-256-GCM keys before they reach Supabase.
- Self-hosted Redis on the Hetzner VPS (Coolify-managed Docker network) — short-lived backend cache and rate-limit counters. No transfer outside Hetzner.
- Upstash (Redis, scoped to the ML service only) — used by the ML service for inference feature caching. Configured as Upstash Global Database with primary in eu-west-2 (London) and replica fan-out for read latency. Pseudonymous keys only — no direct identifiers and no Article 9 values are cached; raw health-metric values are read on demand from Supabase with field-level decryption. Transfer mechanism: EU/UK Standard Contractual Clauses (SCCs).
- Sentry (Functional Software, Inc. — US region) — error and crash telemetry. Health-data fields are scrubbed on-device before transmission (see §5.1.1). Transfer mechanism: EU/UK Standard Contractual Clauses (SCCs); supplementary measures include the recursive health-field scrubber and a default-deny on request bodies.
- Resend (transactional email; currently disabled in production) — when enabled, would deliver password-reset and account-deletion confirmation emails. Transfer mechanism: EU/UK SCCs. The provider row is listed for completeness so the disclosure stays accurate if email is re-enabled.
- Expo Push Service (Expo / 650 Industries, Inc., US) — relay for iOS push notifications. Transfer mechanism: EU/UK Standard Contractual Clauses (SCCs). Push bodies are data-minimised and do not contain Article 9 health data; see §5.1.2.
- Apple StoreKit (Apple Inc., US) — subscription state for Nutri Pro. Apple is the controller for App Store purchase data under its own privacy policy; we only see your originalTransactionId and entitlement status.
4.2 Security Measures
We implement comprehensive security measures including:
- Encryption for data in transit (TLS 1.2+ with HSTS)
- Encryption at rest via infrastructure-level AES-256 (managed by our database hosting provider)
- Field-level AES-256-GCM encryption applied in our application layer to Article 9 health data before it is written to the database. This covers 101 fields across 17 data models — meal macronutrients and micronutrients (48 fields on Meal), health-metric values (heart rate, HRV, sleep, SpO2 and other Apple Health readings), hydration intake, weight-history entries, activity records (calories burned, heart rate, distance), continuous-glucose-monitor readings and meal-glucose response analyses, fasting-session weights, goal-scoring records (daily scores, nutrient targets, milestones), sensitivity-exposure logs, and user-saved nutrition templates (favourite meals, meal templates, quick-add presets, recent foods). Pregnancy and lactation status, when declared, are Article 9 health data and are protected by the infrastructure-level AES-256 encryption layer listed above (not the per-field application-layer envelope, which is reserved for high-cardinality numeric measurements). Encryption keys are held separately from the database, so a database snapshot alone cannot reveal your health data. Account credentials are protected separately — passwords by bcrypt cost-14 hashing, and OAuth refresh tokens (Apple Sign-In, CGM providers) by the infrastructure-level encryption layer listed above.
- Secure authentication with hashed passwords (bcrypt)
- Regular security audits
- Access controls and per-user data isolation
4.3 Data Retention
We retain your personal data for as long as your account is active. You can schedule deletion of your account at any time from Profile → Delete Account.
When you schedule deletion from Profile → Delete Account, your account enters a 14-day grace window. During that window the account stays active and your data is intact — the App shows a banner on the Profile screen with a one-tap Cancel button, so you can change your mind without contacting support. After 14 days a daily background job permanently erases your records, revokes any Apple Sign In relationship, clears your push tokens, and purges the data the Nutri ML service holds for you (GDPR Art. 17). Backup snapshots that include the deleted records are overwritten on their normal rotation schedule (see below).
We retain a small set of records beyond account deletion only where applicable law requires it or where a specific legitimate purpose justifies a limited residual period:
- Transactional and subscription-billing records (Apple StoreKit transactionIds, invoices, refund records): retained for 6 years to meet the UK Limitation Act 1980 statute-of-limitations on contract disputes and the HMRC record-keeping rules under the Finance Act.
- Fraud-prevention indicators (failed login fingerprints, suspicious-IP flags): retained for 12 months from the last event, then auto-purged.
- Audit log of consent grants/withdrawals and data-access events (UserConsent, DataAccessLog): retained for 6 years as accountability evidence under GDPR Art. 5(2) and Art. 7(1).
- Records subject to a specific legal hold (e.g. court order, regulator request): retained until the hold is released.
All residual records are pseudonymised or hashed where the named individual is no longer required to fulfil the retention purpose. Backup snapshots that contain deleted records are overwritten on their normal rotation schedule (currently 35 days for daily snapshots, 12 months for monthly point-in-time recoveries).
5. How We Share Your Information
We do NOT sell your personal information to third parties.
5.1 Service Providers
We share the minimum personal data required to operate the App with the following named sub-processors (see §4.1 for locations and transfer mechanisms):
- Hetzner Cloud (Germany) — infrastructure hosting for the API, the ML service, and our self-hosted Redis cache
- Supabase (EU central / Frankfurt) — managed PostgreSQL database (account, meals, health metrics)
- Upstash (Redis, ML service only — Global Database with primary in eu-west-2) — feature caching for the ML inference pipeline. Transfer mechanism: EU/UK SCCs
- Sentry (Functional Software, Inc., US region) — crash and error telemetry; health-data scrubbed on-device. Transfer mechanism: EU/UK Standard Contractual Clauses (SCCs)
- Resend (transactional email; currently disabled in production — listed in case email is re-enabled). Transfer mechanism: EU/UK SCCs
- Expo Push Service (Expo / 650 Industries, Inc., US) — delivery relay for iOS push notifications. Transfer mechanism: EU/UK Standard Contractual Clauses (SCCs). See §5.1.2 for the data-minimisation rule that governs what can appear in a push notification.
- Apple (StoreKit, US) — In-App Purchase processing for Nutri Pro
The following public nutrition databases are consulted by the App but receive no personal information about you — only the anonymous barcode or search term you enter:
- Open Food Facts — food barcode lookup (licensed under ODbL 1.0)
- USDA FoodData Central — US nutrition facts lookup (public domain)
Nutri does NOT share user data with analytics providers or third-party researchers. No user-specific biomarker or nutrition data is sold, shared for research, or forwarded to third-party analytics services. If this ever changes, we will update this policy and surface an affirmative consent flow before any such processing begins.
5.1.1 Crash and Diagnostics (Sentry)
To detect and fix crashes and stability issues, the App uses Sentry as a data processor. When an error occurs, the App sends a diagnostics report to Sentry containing the error type, the code stack trace, the device model, the operating system version, and the App version. The report is linked to the Nutri developer account, not to your identity.
Sentry is operated by Functional Software, Inc. (United States). Reports leave your device for Sentry's US ingest endpoint; the transfer mechanism is the EU/UK Standard Contractual Clauses (SCCs) plus the supplementary measures described in this section. We are working towards relying on Sentry's Data Privacy Framework certification as an additional safeguard where applicable; the canonical mechanism we rely on remains the SCCs.
Before any report leaves your device, the App runs a scrubber that recursively removes every field whose name relates to your health or nutrition data — including meals, food, calories, macronutrients, micronutrients, weight, sleep, heart rate, HRV, blood glucose, supplements, medications, and conditions. Request bodies and free-form context blocks are dropped entirely (default-deny). Stack frame local variables are stripped. We do not enable Sentry's screenshot or view-hierarchy capture. This processing is necessary under GDPR Art. 6(1)(f) for the legitimate interest of maintaining a safe and reliable application, and is never used for advertising, profiling, or marketing.
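The scrubber described above can be expressed as a Sentry beforeSend hook. The block below is an added example, not Nutri's own code: the deny-list terms, the set of context blocks that survive (device, OS, App version, as the report contents listed earlier require), the decision to drop the user block, and the constructed sample event are all this example's assumptions; the event layout follows Sentry's public event JSON (request, contexts, extra, breadcrumbs, exception). It demonstrates the four rules together: recursive removal by field name, default-deny on request bodies and free-form context, stripping of stack-frame locals, and leaving the caller's event object untouched.

```javascript
// Added example (not Nutri's code): a beforeSend scrubber for Sentry events.

// Any key containing one of these substrings is removed wherever it appears.
// Substring matching is deliberately aggressive: "heartbeat" goes too.
const HEALTH_TERMS = [
  'meal', 'food', 'calorie', 'kcal', 'macro', 'micro', 'nutrient', 'weight',
  'sleep', 'heart', 'hrv', 'glucose', 'supplement', 'medication', 'condition',
  'spo2', 'health',
];

// Context blocks kept because the report needs device model, OS and App version.
const KEPT_CONTEXTS = new Set(['device', 'os', 'app']);

function isHealthKey(key) {
  const k = String(key).toLowerCase();
  return HEALTH_TERMS.some((term) => k.includes(term));
}

// Walk objects and arrays, dropping every property whose name matches the
// deny-list. Builds a new tree so the caller's event is never mutated.
function scrubHealthFields(value, depth = 0) {
  if (value === null || typeof value !== 'object') return value;
  if (depth > 32) return '[scrubbed: nesting too deep]';
  if (Array.isArray(value)) return value.map((v) => scrubHealthFields(v, depth + 1));
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    if (isHealthKey(key)) continue;
    out[key] = scrubHealthFields(child, depth + 1);
  }
  return out;
}

function scrubEvent(event) {
  const e = scrubHealthFields(event);
  // Default-deny: request bodies, cookies and free-form extras never leave the device.
  if (e.request) {
    delete e.request.data;
    delete e.request.cookies;
  }
  delete e.extra;
  delete e.user; // the report is tied to the developer account, not the person
  if (e.contexts) {
    for (const name of Object.keys(e.contexts)) {
      if (!KEPT_CONTEXTS.has(name)) delete e.contexts[name];
    }
  }
  // Stack frames keep file/function/line but lose captured local variables.
  for (const ex of (e.exception && e.exception.values) || []) {
    const frames = (ex.stacktrace && ex.stacktrace.frames) || [];
    for (const frame of frames) delete frame.vars;
  }
  return e;
}

// Wiring (not executed here): Sentry.init({ dsn, sendDefaultPii: false,
//   attachScreenshot: false, attachViewHierarchy: false, beforeSend: scrubEvent });

// Constructed sample event for a stand-alone run.
const SAMPLE_EVENT = {
  event_id: 'c0ffee',
  message: 'Sync failed',
  user: { id: 'u_123', email: 'someone@example.invalid' },
  request: {
    url: 'https://api.example.invalid/v1/meals',
    method: 'POST',
    data: { mealName: 'lunch', calories: 640 },
  },
  contexts: {
    device: { model: 'iPhone15,2' },
    os: { name: 'iOS', version: '17.4' },
    app: { app_version: '1.2.0' },
    health_sync: { lastHeartRate: 72 },
  },
  extra: { lastMeal: 'oats' },
  breadcrumbs: [{ category: 'navigation', data: { screen: 'Home', weightKg: 71.2 } }],
  exception: {
    values: [{
      type: 'Error',
      value: 'boom',
      stacktrace: { frames: [{ filename: 'sync.js', function: 'pushMetrics', vars: { heartRate: 72, retries: 2 } }] },
    }],
  },
};
const SCRUBBED_EVENT = scrubEvent(SAMPLE_EVENT);
```

A deny-list by key name is only as good as its vocabulary, which is why the section pairs it with default-deny on bodies and extras: anything that arrives under an unexpected name is dropped with its container rather than relying on the list to catch it.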
Sentry's own privacy practices and Data Processing Agreement are published at sentry.io. You may disable crash reporting by uninstalling the App.
5.1.2 Push Notifications (Expo Push Service)
iOS push notifications are routed through Expo Push Service (operated by Expo / 650 Industries, Inc.) under a GDPR Art. 28 processor arrangement. Your Expo push token is stored on our servers and used only to reach your device.
To minimise data exposure to the push relay, notification bodies never contain Article 9 health data — no nutrient names, intake values, thresholds, or medical conditions. Safety-alert notifications use a generic body (for example, "Open Nutri to review your latest safety alert.") and carry only an internal warning code in the data payload; the App fetches the full message from your device after you open it.
Transfer mechanism: EU/UK Standard Contractual Clauses (SCCs) for the leg that passes through US infrastructure. You can disable push notifications at any time from your device settings or from Profile → Notifications in the App.
5.2 Legal Requirements
We may disclose your information if required by law to:
- Comply with legal obligations or court orders
- Protect our rights, privacy, safety, or property
- Enforce our Terms and Conditions
- Respond to government or regulatory requests
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change and your choices regarding your information.
6. Your Rights and Choices
6.1 Access and Portability
You have the right to:
- Access your personal data at any time through the App
- Export your data in a portable format
- Request a copy of all data we hold about you
We respond to data access and portability requests within 30 days of receipt, as required by GDPR Art. 12(3). If your request is unusually complex we may extend this by up to two further months and will let you know the reason. In-App export and self-service deletion are usually available immediately; the 30-day commitment applies to any request that requires a manual response from our team.
These rights are exercised free of charge, regardless of your subscription plan. Open Profile → Export Your Data inside the App to start an export at any time.
6.2 Correction and Deletion
You can:
- Update or correct your personal information
- Delete individual meals, metrics, or other entries
- Request complete deletion of your account and data
6.3 Opt-Out Rights
You may opt out of:
- Marketing communications and promotional emails
- Push notifications (through device settings or Profile → Notifications)
- Analytics and usage tracking
- Third-party integrations (disconnect at any time)
6.4 Regional Rights
Depending on your location, you may have additional rights under your local privacy law:
- United Kingdom — UK GDPR + Data Protection Act 2018: rights of access, rectification, erasure, restriction, portability, objection, and to be informed about automated decision-making. See sections 6.1, 6.2, 6.5, and 6.6 for how to exercise them.
- European Economic Area — EU GDPR: the same rights as above, exercised through the same in-App and email routes.
- California, USA — where Nutri meets the applicability thresholds in Cal. Civ. Code §1798.140(d), the CCPA / CPRA rights of access, deletion, correction, opt-out of sale or sharing (we do not sell or share your personal information for cross-context behavioural advertising), and limit-the-use-of-sensitive-personal-information also apply. To exercise them, email privacy@gonutri.app or use the in-App routes above; we will respond within 45 days as required by §1798.130(a)(2).
- Other jurisdictions: contact privacy@gonutri.app and we will honour applicable rights.
6.5 Automated decisions and profiling
Nutri uses machine learning and statistical analysis to:
- Classify food images and estimate portions (CLIP / Food-101 / OWL-ViT pre-trained on public datasets; no user data is used to train these models)
- Compute statistical correlations between your nutrition log and your health metrics, so the App can highlight which dietary inputs co-vary with which health outcomes for you personally
- Score your daily progress toward goals you have set
- Detect potentially harmful nutrition patterns — for example, sustained very-low-calorie intake, supplement doses approaching upper safe intake levels, or interactions between supplements and stated medications — and surface a safety alert
These results power the suggestions, charts, and alerts you see in the App. They are decision-support — not solely-automated decisions. None of them produces legal effects, and none of them is the sole basis for decisions that significantly affect you in the sense of GDPR Art. 22. You always retain the ability to override our recommendations, log meals or metrics as you observe them, and reach a human at privacy@gonutri.app if you disagree with any alert. If you prefer not to receive personalised insights, you may withdraw consent for the PERSONALIZATION purpose by emailing privacy@gonutri.app (a dedicated in-App toggle for this purpose is on the backlog and not yet shipped). On withdrawal the App reverts to population-level reference values.
6.6 Right to lodge a complaint
If you believe Nutri's processing of your personal data does not comply with applicable data protection law, you have the right to lodge a complaint with a supervisory authority:
- United Kingdom — Information Commissioner's Office (ICO). Online: ico.org.uk/make-a-complaint. Helpline: 0303 123 1113.
- European Economic Area — the data protection authority of the EU member state in which you reside, work, or where the alleged infringement took place. The full list is maintained by the European Data Protection Board at edpb.europa.eu.
- Other jurisdictions — the privacy regulator competent for your residence.
We would also welcome the opportunity to address your concern directly first — please email privacy@gonutri.app if you wish.
7. Health Data Special Considerations
SENSITIVE HEALTH INFORMATION
7.1 Health Data Protection
We treat health-related data with extra care and implement additional safeguards:
- Health data is protected by infrastructure-level AES-256 encryption at rest, by application-layer AES-256-GCM field-level encryption for the Article 9 fields listed in §4.2 (with keys held outside the database), and by TLS in transit
- Access to health data is strictly controlled via per-user authentication
- Health data is never used for advertising purposes
- We comply with applicable health data regulations (GDPR Art. 9)
7.2 HealthKit/Google Fit Data
Data accessed from Apple Health or Google Fit is only used to provide App functionality. This data is not shared with third parties for marketing or advertising purposes, in compliance with platform requirements.
Specifically, and in line with Apple's Developer Program License Agreement §5.1: HealthKit data is used solely to provide your own health-tracking features inside the App; is never sold; is never used for advertising or marketing; and is shared with sub-processors only where necessary for operating the service (hosting and scrubbed error reporting — see §5.1). Our ML inference service (operated by Nutri in the same EU region) performs correlation analyses on your behalf; outbound calls to that service identify you by an opaque pseudonym where feasible, and no Nutri user data is ever added to model training sets. A detailed data-flow map is maintained internally under MOH-NUTRI-20260422 ticket MOH-T-206 and is available to supervisory authorities on request.
7.3 Specific Apple Health Data We Read
With your explicit consent (a separate prompt shown after the iOS HealthKit permission dialog), the App reads the following Apple Health sample types and uploads them to Nutri's servers (Hetzner + Supabase, see §4.1). Nutri never writes data back to Apple Health.
- Heart rate (instantaneous and resting)
- Heart rate variability (HRV SDNN)
- Respiratory rate
- Blood oxygen saturation (SpO₂)
- VO₂ Max
- Sleep analysis (time in bed, asleep / awake stages)
- Step count
- Active energy burned
- Workouts (type, duration, distance, energy)
You may revoke this consent at any time from Profile → Apple Health inside the App. Revocation stops future syncs, unregisters the background refresh task, and triggers deletion of the synced copy on our servers.
8. Age Requirement and Children's Privacy
Nutri is designed for adults aged 18 and older. Nutritional reference values used in this app are based on adult dietary guidelines and are not appropriate for minors. We enforce an age gate at registration and do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided data to us, please contact us at privacy@gonutri.app.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. We ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by regulators
- Compliance with international data transfer frameworks
- Ensuring recipients maintain adequate security measures
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through:
- In-app notifications
- Email to your registered address
- Prominent notice in the App
Your continued use of the App after changes become effective constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us through the in-App routes below or by email:
In-App routes (primary, fastest — all responses logged to your account):
- Right of access / portability (GDPR Art. 15, 20): Subscription → Export Your Data.
- Right to erasure (GDPR Art. 17): Profile → Delete Account (14-day grace window, cancellable from the Profile screen banner).
- Right to withdraw consent / object (GDPR Art. 7(3), 21): the operative controls live on the screens that govern each kind of processing — Profile → Apple Health (Article 9 health-data sync to our servers), Profile → Email Settings (marketing email), and Profile → Notifications (push categories).
- Right to limit use of sensitive personal information (CCPA §1798.121): toggle Apple Health sync off in Profile → Apple Health, and choose a shorter horizon in Profile → Data Retention.
Email (general inquiries, appeals, and post-deletion contact):
- Privacy Inquiries / Data Protection Contact:
- privacy@gonutri.app
- General Support:
- support@gonutri.app
We will respond to your privacy-related inquiries within 30 days. If you do not receive a response within that window — for example because of a delivery problem with the email address — please use the in-App routes above as your primary channel; they create an auditable request on our side that we monitor on a daily basis.
BY USING NUTRI, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, AND SHARING OF YOUR INFORMATION AS DESCRIBED HEREIN.