Privacy Policy: How We Collect, Use, and Protect Your Personal Data

Quick Answer: We collect only the data necessary to provide personalized nutrition guidance: profile information, dietary preferences, food logs, and optional biometric data. Your health information is encrypted, never sold to third parties, and processed under GDPR/CCPA compliance. You retain full rights to access, correct, export, or delete your data anytime. AI model training uses only anonymized, aggregated data — you can opt out anytime via account settings.

Last updated: April 8, 2026 | Next review: October 2026 | Version: 3.2

1. Privacy Overview & Our Commitment

Your privacy is not an afterthought — it's foundational to our mission of making AI-powered nutrition accessible, trustworthy, and empowering. This Privacy Policy explains in clear, plain language what personal information we collect, why we collect it, how we use it, and what rights you have over your data.

Our Core Privacy Principles:

Transparency: No hidden data collection. We tell you exactly what we collect and why.
Minimization: We collect only what's necessary to provide our Services — nothing more.
Control: You own your data. Access, correct, export, or delete it anytime.
Security: Enterprise-grade encryption and access controls protect your information.
Accountability: We document our practices, conduct regular audits, and appoint a Data Protection Officer.
AI Ethics: Your personal health data is never used to train AI models without explicit, opt-in consent.

Scope: This policy applies to all users of nutrition.web2ai.eu, our mobile applications, API integrations, and related services (collectively, the "Services"). If you use our Services through a third-party platform (e.g., employer wellness program), additional terms may apply.

Controller Information: AI Nutrition Platform is the data controller for personal information processed through our Services. Registered office: [Your Legal Address], European Union. Data Protection Officer contact: dpo@nutrition.web2ai.eu

2. Information We Collect

We collect information in three ways: (1) data you provide directly, (2) data collected automatically, and (3) data from third-party integrations you authorize.

📝 Information You Provide

Account Data: Name, email address, password (hashed), country, language preference, date of birth (for age verification)
Profile Information: Dietary preferences (vegan, keto, etc.), food allergies, intolerances, cultural preferences, cooking skill level, budget constraints
Health & Goal Data: Weight, height, activity level, health goals (weight loss, muscle gain, etc.), optional medical conditions (only if you choose to share)
Food Logging: Meals you log, portion sizes, timestamps, photos (optional), ratings, and notes
Feedback: Survey responses, support tickets, feature requests, and AI recommendation ratings
Communication: Emails or messages you send to our support team

🤖 Information Collected Automatically

Usage Data: Pages visited, features used, time spent, click patterns, error logs
Device Data: Device type, operating system, browser version, screen resolution, language settings
Network Data: IP address (anonymized for analytics), approximate location (country-level only), connection type
Cookie Data: Preferences, session identifiers, consent status — see our Cookie Policy for details

🔗 Information from Third Parties

Only if you explicitly authorize integration:

Fitness Apps: Step counts, workout duration, heart rate data (via Apple Health, Google Fit, etc.)
Wearables: Sleep patterns, activity levels, biometric trends (via Oura, Whoop, etc.)
Payment Processors: Transaction confirmations, billing address (via Stripe, PayPal — we never store full card details)
Authentication Providers: Basic profile info if you sign in with Google or Apple (email, name, profile picture)

❌ What We Do NOT Collect

Full IP addresses for tracking purposes (anonymized after 24 hours)
Precise geolocation data (we only store country-level for compliance)
Biometric identifiers like fingerprints or facial recognition
Financial information beyond payment confirmation
Personal health records from medical providers (unless you manually enter them)
Data from children under 16 without verified parental consent

3. How We Use Your Information

We process your personal data only for specific, legitimate purposes. Here's exactly how we use each category:

Data Category	Purpose	Legal Basis (GDPR)
Account & Profile Data	Create/manage your account; personalize recommendations; communicate about your subscription	Contract performance; Legitimate interest
Health & Goal Data	Generate personalized meal plans; track progress; adapt AI recommendations	Explicit consent; Vital interests (if health-related)
Food Logging Data	Provide macro tracking; identify patterns; improve meal suggestions	Contract performance; Consent for AI optimization
Usage & Device Data	Improve site performance; fix bugs; understand feature adoption	Legitimate interest (with opt-out)
Communication Data	Respond to support requests; send service updates; request feedback	Contract performance; Consent for marketing

🤖 AI-Specific Usage

When your data informs our AI systems:

Personalization: Your preferences and logs train a personalized model instance that runs locally or in a secure, isolated environment
Model Improvement: Only anonymized, aggregated patterns (e.g., "users with goal X prefer recipe type Y") may inform global model updates — never your individual identity or health records
Explainability: Where feasible, we generate human-readable explanations for recommendations (e.g., "This meal plan prioritizes protein to support your muscle gain goal")
Opt-Out: You can disable AI training usage anytime via Account Settings → Privacy → AI Preferences

4. Legal Basis for Processing (GDPR Compliance)

Under the EU General Data Protection Regulation (GDPR), we process personal data only when we have a valid legal basis. Here's how we align:

✅ Our Legal Bases

Consent: For optional features like AI training participation, marketing emails, or sharing data with third-party integrations. You can withdraw consent anytime.
Contract Performance: To deliver core Services you requested (account creation, meal planning, progress tracking).
Legitimate Interest: For security monitoring, fraud prevention, service improvement, and aggregated analytics — balanced against your rights and freedoms.
Legal Obligation: To comply with tax, accounting, or regulatory requirements (e.g., retaining transaction records).
Vital Interests: Rarely, to protect your health or safety in emergency situations (e.g., detecting dangerous dietary patterns).

🎯 Special Category Data (Health)

Health information is "special category data" under GDPR Article 9, requiring heightened protection. We process it only when:

You provide explicit, informed consent via a separate opt-in
Processing is necessary for preventive or occupational medicine (with professional confidentiality)
You have manifestly made the data public

We default to the consent basis and make withdrawal simple via account settings.

🌍 Non-EU Jurisdictions

For users outside the EU, we align with local frameworks:

CCPA/CPRA (California): We do not "sell" or "share" personal information as defined by CCPA. You have rights to know, delete, correct, and opt out of targeted advertising.
PIPEDA (Canada): Meaningful consent, limited collection, individual access, and accountability principles guide our practices.
LGPD (Brazil): Lawful processing bases, data subject rights, and transparency obligations are fully implemented.
Other Regions: We apply GDPR-level protections globally as our baseline standard.

🔄 Balancing Test for Legitimate Interest

When relying on legitimate interest, we conduct a documented assessment weighing: (1) our purpose, (2) necessity of processing, (3) your reasonable expectations, and (4) safeguards like anonymization or opt-outs. Available upon request at privacy@nutrition.web2ai.eu.

5. Data Sharing & Third Parties

We do NOT sell your personal data. Period. However, limited sharing occurs in specific, controlled circumstances:

✅ Who We Share With (and Why)

Service Providers: Trusted vendors who help us operate (hosting, email delivery, payment processing). All sign data processing agreements with strict confidentiality and security requirements.
Research Partners: Academic or non-profit institutions conducting nutrition research. Only anonymized, aggregated datasets are shared, with IRB/ethics approval and your explicit consent.
Legal Authorities: Only when required by law, court order, or to protect rights/safety. We challenge overly broad requests and notify you when legally permitted.
Business Transfers: In case of merger, acquisition, or asset sale, user data would be transferred subject to this policy and prior notice.

🔐 Safeguards for Shared Data

Data Processing Agreements (DPAs) with all third parties
Minimum necessary data sharing principle
Regular security audits of vendors
Right to audit clauses in contracts
Immediate termination rights for breaches

❌ Who We Do NOT Share With

Advertising networks or data brokers
Social media platforms for targeting (unless you explicitly connect accounts)
Employers or insurers (unless you use a workplace wellness program with separate consent)
Any entity for purposes not disclosed in this policy

📊 Aggregated & Anonymized Data

We may publish or share insights that cannot identify individuals, such as:

"Users following keto plans average 25g net carbs/day"
"Recipe X was rated 4.8/5 by 1,200 users"
"Protein intake correlates with energy scores in our dataset"

This data is statistically aggregated, stripped of identifiers, and reviewed to prevent re-identification.

6. International Data Transfers

Our Services operate globally, which may involve transferring your data across borders. We ensure all transfers comply with applicable laws:

🌐 Transfer Mechanisms

EU → Non-EU: Transfers outside the European Economic Area rely on: (1) EU Standard Contractual Clauses (SCCs), (2) adequacy decisions by the European Commission, or (3) your explicit consent for specific transfers.
Supplementary Measures: For transfers to countries without adequacy decisions, we implement technical safeguards like encryption in transit and at rest, pseudonymization, and strict access controls.
Transparency: A list of countries where we process data and the safeguards applied is available at privacy@nutrition.web2ai.eu/transfers.

🔍 Your Rights Regarding Transfers

Request details about specific transfers involving your data
Obtain a copy of SCCs or other transfer mechanisms
Lodge a complaint with your local data protection authority
Withdraw consent for transfers based on consent (may limit Service functionality)

Note: We host primary infrastructure in EU-based data centers (Frankfurt, Amsterdam) to minimize cross-border transfers where possible.

7. AI-Specific Data Processing

Because our Services rely on artificial intelligence, additional privacy considerations apply:

🤖 How AI Uses Your Data

Personalization (Your Private Model)

Your preferences and logs train a personalized AI instance that runs in a secure, isolated environment
This model is used only to generate recommendations for you — not shared or used for other users
You can reset or delete your personalized model anytime via Account Settings

Global Model Improvement (Opt-In Only)

Only anonymized, aggregated patterns may inform updates to our global AI models
Example: "Users with goal X tend to prefer recipe type Y" — no individual identities or health records
You can opt out anytime: Account Settings → Privacy → AI Training Preferences
Opting out does not affect core Service functionality or your personalized recommendations

Explainability & Transparency

Where feasible, we provide plain-language explanations for AI recommendations
You can request more detail about how a specific suggestion was generated
We publish annual transparency reports on AI model updates and data usage

AI Act Compliance (EU)

Our nutrition AI is classified as "limited risk" under the EU AI Act
We maintain technical documentation, risk assessments, and human oversight protocols
Users receive clear information about AI involvement and limitations
High-risk use cases (e.g., medical diagnosis) are explicitly excluded from our scope

8. Special Protections for Health Data

Health information receives heightened protection under our policies and applicable law.

🔐 Enhanced Safeguards

Explicit Consent: Health data is collected only after a separate, informed opt-in explaining specific uses
Encryption: Health fields are encrypted at rest using AES-256, with keys managed in hardware security modules
Access Controls: Strict role-based permissions limit which team members can access health data (and only for support/security purposes)
Audit Logs: All access to health data is logged and monitored for unusual activity
Data Minimization: We collect only health information necessary for personalized recommendations — no exhaustive medical histories

⚠️ Important Limitations

Our AI is not a medical device and does not diagnose, treat, or prevent disease
Recommendations are general guidance — always consult healthcare providers for medical conditions
We cannot guarantee outcomes; individual responses to dietary changes vary widely
Emergency health situations require immediate professional care, not app-based guidance

Your Control: You can delete health data anytime via Account Settings → Data Management → Delete Health Information. This action is irreversible and may affect recommendation accuracy.

9. Data Retention Periods

We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. Here's our retention schedule:

Data Type	Retention Period	Deletion Method
Account & Profile Data	Duration of Account + 30 days after deletion request	Automated purge + manual verification
Health & Goal Data	Duration of Account + immediate deletion upon request	Cryptographic erasure + audit log
Food Logs & Usage Data	24 months for personalization; anonymized thereafter	Automated anonymization pipeline
Communication Records	24 months for support quality; then deleted	Scheduled database cleanup
Transaction Records	7 years (legal/tax compliance)	Archived with restricted access
Anonymized Analytics	Indefinite (cannot identify individuals)	N/A — already anonymized

Early Deletion: You can request deletion of specific data categories anytime by contacting privacy@nutrition.web2ai.eu. We respond within 30 days as required by GDPR/CCPA.

10. Your Privacy Rights

Depending on your location, you have legal rights regarding your personal data. We make exercising these rights simple:

🇪🇺 GDPR Rights (EU/UK/EEA)

Access: Request a copy of your personal data in a structured, machine-readable format
Rectification: Correct inaccurate or incomplete information
Erasure ("Right to be Forgotten"): Delete your data, subject to legal exceptions
Portability: Receive your data in a commonly used format to transfer to another service
Restriction: Limit how we process your data while disputes are resolved
Objection: Opt out of processing based on legitimate interest or direct marketing
Automated Decision-Making: Request human review of significant AI-generated decisions

🇺🇸 CCPA/CPRA Rights (California)

Right to Know: Request categories and specific pieces of personal information collected
Right to Delete: Request deletion of personal information (with exceptions)
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt out of "sharing" for cross-context behavioral advertising (we don't do this)
Non-Discrimination: Receive equal service and pricing regardless of privacy choices

🌍 How to Exercise Your Rights

Account Settings: Many rights (access, correction, deletion, AI opt-out) are available directly in your Account → Privacy dashboard
Email Request: Send details to privacy@nutrition.web2ai.eu with subject "Privacy Rights Request" + your Account email
Verification: We may request additional info to confirm your identity before fulfilling requests
Timeline: We respond within 30 days (GDPR/CCPA requirement); complex requests may take up to 60 days with notice
Appeals: If unsatisfied with our response, you may lodge a complaint with your local data protection authority

🔐 Authorized Agents

California residents may designate an authorized agent to submit requests on their behalf. We require: (1) written permission signed by you, (2) verification of the agent's identity, and (3) confirmation that you directly provided the personal information in question.

11. Security Measures

Protecting your data is a top priority. We implement technical, organizational, and physical safeguards aligned with industry best practices:

🔐 Technical Safeguards

Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
Access Controls: Role-based permissions, multi-factor authentication for staff, principle of least privilege
Monitoring: 24/7 security monitoring, intrusion detection, automated alerting for anomalous activity
Secure Development: Code reviews, penetration testing, dependency scanning, and bug bounty program
Backups: Encrypted, geographically distributed backups with regular restoration testing

👥 Organizational Safeguards

Privacy training for all employees and contractors
Data Processing Agreements with all vendors
Regular privacy impact assessments for new features
Incident response plan with defined escalation paths
Annual third-party security audits and certifications (SOC 2, ISO 27001 roadmap)

🚨 Breach Notification

In the unlikely event of a data breach affecting your personal information, we will: (1) contain and assess the incident, (2) notify affected users and regulators within 72 hours as required by GDPR, and (3) provide clear guidance on protective steps you can take.

12. Children's Privacy

Our Services are not directed to children under 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children without verified parental consent.

👧 If You're a Parent or Guardian

If you believe your child has provided us with information without your consent, contact privacy@nutrition.web2ai.eu immediately
We will investigate and, if appropriate, delete the information and terminate the child's Account
For users aged 16-18, we recommend parental involvement in privacy settings and data sharing decisions

🔍 Age Verification

During registration, we ask for date of birth to verify age eligibility. For accounts flagged as potentially underage, we may request additional verification before enabling certain features.

13. Changes to This Policy

We may update this Privacy Policy to reflect: (1) changes in our Services or data practices, (2) evolving legal requirements, (3) user feedback, or (4) technological advancements.

How Changes Are Communicated

Material Changes: Prominent website notice + email to registered users + updated "Last updated" date + summary of key changes
Minor Changes: Updated policy posted with revision history available upon request
Emergency Changes: Immediate posting with explanation (e.g., security vulnerability response)

Your Choices

If you disagree with revised terms, your option is to discontinue use of our Services before the changes take effect. Continued use after the effective date constitutes acceptance of the updated policy.

Next scheduled review: October 2026

14. Contact Us

Questions about this Privacy Policy or your data? We're here to help:

📧 Privacy Inquiries

Email: privacy@nutrition.web2ai.eu
Response time: Within 30 days (GDPR/CCPA requirement)
Preferred format: Include "Privacy Request" in subject line + your Account email

⚖️ Data Protection Officer

DPO Email: dpo@nutrition.web2ai.eu
For: Formal GDPR requests, complaints, or escalation
Independence: Our DPO operates independently and reports directly to executive leadership

Supervisory Authority: If you're in the EU and believe we've violated your privacy rights, you have the right to lodge a complaint with your national data protection authority. Find yours at edpb.europa.eu.

Frequently Asked Questions About Our Privacy Practices

Do you sell my personal data to advertisers? ▼

Never. We do not sell, rent, or trade your personal information to third parties for advertising or marketing purposes. This is a core principle of our privacy policy.

Can I use your Services without sharing health data? ▼

Yes. Health-related fields (weight, medical conditions, etc.) are optional. You can use core features like meal planning and macro tracking with minimal profile information. Personalization may be less precise without health data.

How do I delete all my data? ▼

Go to Account Settings → Data Management → Delete Account. This permanently removes your personal data within 30 days. For immediate deletion of specific categories (e.g., health data), contact privacy@nutrition.web2ai.eu.

Is my data safe if I connect a fitness app? ▼

Yes. Third-party integrations require explicit authorization, use OAuth for secure token exchange, and follow the same encryption and access controls as our native data. You can revoke access anytime in Account Settings → Connected Apps.

What happens to my data if I stop using the app? ▼

Inactive accounts are retained for 12 months to allow reactivation. After that, personal data is anonymized or deleted per our retention schedule. You can request immediate deletion anytime via Account Settings or by emailing privacy@nutrition.web2ai.eu.

Can I get a copy of my data? ▼

Yes. Use Account Settings → Data Management → Export Data to download your information in JSON or CSV format. This includes your profile, logs, preferences, and AI interaction history — all in a machine-readable format for portability.

Your Privacy, Empowered

We believe powerful AI nutrition tools and strong privacy protections can — and must — coexist. Thank you for trusting us with your health journey.

Explore Our Platform →