Privacy Policy
Last updated: April 28, 2026
1. Who We Are
NutriText AI is developed and operated by APPCODE S.R.L., a company registered in Romania. Throughout this policy, "NutriText", "we", "us", or "our" refer to APPCODE S.R.L. We are the data controller for the personal data you provide to us.
If you have any questions about this policy, you can contact us at privacy@nutritextai.com.
2. What Data We Collect
We collect only the data necessary to provide and improve our service. This includes:
2.1 Information You Provide via OAuth
When you sign in using Google or Apple, we receive:
- Name — your display name from the provider
- Email address — used as your account identifier and for communications
- Avatar image — a profile picture URL from the provider (you may replace this)
We do not offer email/password registration. Authentication is exclusively through Google and Apple OAuth.
2.2 Information You Provide Directly
- Recipes and food text — the recipe descriptions you type or paste for nutrition analysis
- Daily food logs — what you eat and when
- Weight history — body weight entries you log
- Body metrics — age, sex, height, weight, activity level, dietary preferences, and goals
- Ingredient corrections — if you correct AI-matched nutrition data, those corrections are stored
- Profile photo — optionally uploaded to our storage
2.3 Information Collected Automatically
- IP address and user agent — captured at session creation for security and analytics-free operations
- Session token — stored on your device via your OS-level encrypted storage (Keychain on iOS, EncryptedSharedPreferences on Android) to keep you signed in
- Unit preferences — weight unit, height unit, and nutrition display mode stored locally on your device
2.4 AI-Processed Data
When you submit a recipe, our AI services process the text to generate nutritional breakdowns. The resulting nutritional data (macronutrients, micronutrients, glycemic index) is stored and associated with your account.
3. How We Use Your Data
We use your data for the following purposes:
- To provide the service — analyze recipes, generate nutrition breakdowns, track food diaries, create meal plans, suggest ingredient swaps
- To personalize your experience — tailor calorie goals, dietary recommendations, and meal plans based on your preferences and metrics
- To improve AI accuracy — crowd-sourced ingredient corrections help improve nutrition matching for all users (anonymized)
- To communicate with you — send service-related emails (e.g., account changes, subscription status) if needed
- To enforce rate limits — prevent abuse of the API
3.1 Legal Bases (GDPR)
If you are in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing your data are:
- Consent — when you sign in and choose to use the app
- Contract performance — processing is necessary to perform the nutrition analysis and tracking services you request
- Legitimate interests — improving our AI models through anonymized corrections, and ensuring the security and integrity of our service
4. How We Share Your Data
We share your data only with the third-party services necessary to operate the app. We never sell your personal data.
| Service | Purpose | Data Shared |
|---|---|---|
| Google OAuth | Authentication | Name, email, avatar URL (as provided by Google) |
| Apple Sign-In | Authentication | Name, email, or anonymous relay (as chosen by you) |
| Google Gemini | AI recipe parsing, meal plan generation, smart swaps | Recipe text, dietary preferences (anonymized) |
| OpenAI (text-embedding-3-small) | Ingredient name embeddings for vector search | Ingredient names (anonymized, no personal identifiers) |
| RevenueCat | In-app purchase and subscription management | App user ID, subscription status (no payment card data) |
| Hetzner (Cloud & S3) | Server hosting, avatar storage | Encrypted database contents, uploaded avatar images |
4.1 Payment Processing
All payments are processed through Apple's App Store and Google Play. NutriText never receives or stores your payment card details. RevenueCat receives only your app-level user identifier and subscription status — not your financial information.
5. Cookies and Local Storage
We use a minimal set of cookies and local storage:
- Better Auth session cookie — a single HTTP cookie that is secure (HTTPS-only), httpOnly (inaccessible to JavaScript), and uses SameSite=Lax (CSRF protection). This cookie expires after 30 days of inactivity.
- expo-secure-store — on your mobile device, we store a session token and unit preferences using the OS-level encrypted storage (Apple Keychain / Android EncryptedSharedPreferences). This data never leaves your device except when the session token is used to authenticate API requests.
We do not use tracking cookies, analytics cookies, advertising cookies, or third-party tracking scripts of any kind.
6. Data Retention
We retain your data for as long as your account is active. Specifically:
- Account data (name, email, avatar) — retained until you delete your account
- Recipes, logs, goals, weight history — retained until you delete them or your account
- Session data — retained for the life of the session (30 days) or until you sign out
- Ingredient corrections — retained in anonymized form even after account deletion to maintain nutrition reference accuracy
- LLM usage logs — retained for up to 90 days for operational monitoring and abuse prevention
When you delete your account, all personally identifiable data is permanently deleted from our database via cascading deletion. Anonymized, aggregated data (such as ingredient corrections without user identifiers) may be retained.
7. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
7.1 For All Users
- Access — you can view your profile, recipes, logs, goals, and weight history at any time through the app
- Rectification — you can update your name, avatar, goals, and body metrics in the app settings
- Erasure (Deletion) — you can delete your account and all associated data through the app's Settings screen. This immediately and permanently removes your data from our database
7.2 Additional Rights for EEA/UK Users (GDPR)
- Data portability — you can request a copy of your data in a structured, machine-readable format by contacting us
- Restriction of processing — you can request that we limit how we use your data
- Objection — you can object to our processing of your data for legitimate interests
- Withdraw consent — you can withdraw your consent at any time by deleting your account
7.3 Additional Rights for California Users (CCPA)
- Right to know — you can request the categories and specific pieces of personal information we have collected about you
- Right to delete — you can request deletion of your personal information (handled through account deletion)
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights
- Notice — we do not sell your personal information, nor do we share it for cross-context behavioral advertising
To exercise any of these rights, contact us at privacy@nutritextai.com or use the account deletion option in the app Settings.
8. International Data Transfers
Your data is processed and stored on servers located in the European Union (Hetzner, Finland/Germany). Our AI service providers (Google, OpenAI) may process anonymized recipe data in the United States and other jurisdictions where they operate. When data is transferred outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The provider's adherence to applicable data protection frameworks
9. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit via TLS 1.2+ (HTTPS) for all communications
- Encryption at rest for database storage
- OS-level encrypted storage for session tokens on mobile devices (Keychain / EncryptedSharedPreferences)
- HTTP-only, Secure, SameSite cookies for session management
- Rate limiting on API endpoints to prevent abuse
- No storage of raw payment card information
10. Children's Privacy
NutriText is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@nutritextai.com and we will delete it.
11. Changes to This Policy
We may update this privacy policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will notify you through the app or by email.
12. Contact
If you have any questions, concerns, or requests regarding this privacy policy or your data, please contact us:
- Email: privacy@nutritextai.com
- Account deletion: available in the NutriText app under Settings → Delete Account
APPCODE S.R.L.
Romania
Email: privacy@nutritextai.com