⚠️ DRAFT — pending qualified legal review before publication.
This document must be reviewed by a qualified EU data protection professional before it is made available to users. It is not legally final and must not be published to data subjects in this form.
Effective date: Not yet in force
Version: 1.1-draft
Last updated: 2026-07-06
Nutians is built EU-first and privacy-first: your data is hosted in the European Union, processed by an EU-hosted AI provider under a zero-retention agreement, never sold, and never used to train AI models. This policy explains what we collect, why, who processes it, how long we keep it, and the rights you have under the GDPR (Articles 13–22).
Who we are
Nutians is currently developed and operated by an individual developer based in Porto, Portugal. The final legal name, business registration, VAT status, and full postal address will be completed before public launch. That operator is the data controller responsible for your personal data. We operate a nutrition and wellness tracking platform.
Data protection contact: [email protected]
We have not formally appointed a Data Protection Officer (DPO) at this stage. Whether a DPO is required under Art. 37 GDPR will be determined at legal review. Until then, all data protection enquiries should be directed to the contact address above.
What this policy covers
This Privacy Policy explains what personal data we collect, why we collect it, who receives it, how long we keep it, and what rights you have under GDPR (Arts. 13 and 14).
This policy covers the Nutians mobile app, web application, landing site, API, and related services. It does not cover third-party websites or services linked from our platform.
Health-adjacent data and explicit consent
Nutians is a wellness tool, not a medical service, but some data you choose to enter — such as weight, body measurements, nutrition goals, dietary restrictions, eating-disorder risk signals, menstrual-cycle logs, imported activity data, or food logs that reveal a condition — may qualify as data concerning health or otherwise sensitive data under GDPR Article 9.
Where Article 9 applies, we rely on your explicit consent under Art. 9(2)(a), in addition to the Art. 6 basis listed below. Consent is collected separately during onboarding or before the relevant feature is used. You can withdraw that consent at any time via You → Privacy & data in the app or by contacting [email protected]. If you withdraw it, we may not be able to provide features that need nutrition, body, or health-adjacent data, but withdrawal does not affect processing already carried out lawfully before withdrawal.
If you do not provide required data
Some data is required to provide the Service: account credentials, core profile inputs, and the food or body data you choose to log. If you do not provide account data, we cannot create an account. If you do not provide nutrition or profile data, the Service can only provide limited or generic functionality.
Data we collect and why
1. Account and authentication data
What we collect: Email address, name, hashed password (if you register with email/password), or OAuth provider credentials and tokens (if you sign in with a third-party provider). We also store session tokens, email-verification tokens, your IP address, and browser user agent (associated with each session for security purposes), your 18+ age attestation, and — if you verify one — your phone number and its verified status (see the “Phone number and SMS verification” section below). We also keep a sign-in and verification event log for security; it stores a keyed hash (HMAC) of the phone number, never the plaintext.
Why: To create and secure your account and authenticate your sessions.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (providing the service requires an account). Art. 6(1)(f) for the security event log (account protection and abuse prevention).
Retention: Session tokens are valid until their expiry time. Email-verification tokens expire within 24 hours. Sign-in/verification security events are deleted after 90 days. Account data is retained for the lifetime of your account and is deleted within 30 days of a confirmed account erasure request.
2. Profile and nutrition targets
What we collect: Age, biological sex (optional), height, weight (latest logged value), body fat percentage (optional), activity level, nutrition goal, macro priorities, dietary restrictions, disordered-eating risk flag (internal; derived from our onboarding screener; never shared), unit preferences (metric / imperial, kcal / kJ).
Why: To compute your personalised calorie and macro targets using the Mifflin-St Jeor formula and to tailor nutrition guidance to your profile.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Where this data qualifies as health or other Article 9 data, Art. 9(2)(a) explicit consent.
Retention: Lifetime of your account; deleted on account erasure.
3. Food logs (raw text) and meal entries
What we collect: Your original log text (e.g. “chicken salad, large bowl, lunch”), the AI-extracted structured entries derived from it (food name, quantity, unit, macro values, confidence score, timestamp, validation notes), and the source food reference.
Why: To track your nutrition intake, compute your daily and weekly macro totals, and generate insights.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Where this data reveals health information or other Article 9 data, Art. 9(2)(a) explicit consent.
Retention: Raw log text is retained for 18 months from submission. After that, the text and extraction metadata are removed (anonymised) while the row skeleton is kept as a referential anchor for linked meal entries. Structured meal entries are retained for the lifetime of your account.
4. Body metrics
What we collect: Body weight, body fat percentage, waist, hip, and neck measurements, recorded with a timestamp and linked to the original log that captured them.
Why: To track body composition alongside nutrition data and include trends in your weekly summaries.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Where this data qualifies as health data, Art. 9(2)(a) explicit consent.
Retention: Lifetime of your account; deleted on account erasure.
5. Nutrition summaries
What we collect: Daily, weekly, and monthly summary documents. Each contains: computed metrics (calories consumed, macro adherence vs targets, trends vs the prior period); an AI-generated narrative that cites those metrics; and optionally, a suggested target adjustment (always presented as a proposal that you must explicitly accept — it is never auto-applied).
Why: To give you insight into your nutrition patterns over time and surface meaningful trends.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Where summary metrics or narratives reveal Article 9 data, Art. 9(2)(a) explicit consent.
Retention: Lifetime of your account; deleted on account erasure.
6. Food overrides and personalised corrections
What we collect: Your personal food customisations (custom food definitions and macro values) and alias mappings (e.g. “protein shake” → a specific food with specific macros, saved when you correct an extraction and choose “save as override”).
Why: To improve extraction accuracy for foods you log repeatedly without re-resolving them each time.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Where custom foods or corrections reveal Article 9 data, Art. 9(2)(a) explicit consent.
Retention: Lifetime of your account; deleted on account erasure.
7. Chat history
What we collect: Your conversations with the AI assistant — your messages, the assistant’s responses, any tool-call proposals the assistant made (log_entry, update_target, request_export), and your accept or reject decisions.
Why: To provide the conversational assistant and maintain thread continuity within a session. Chat history is an audit log; the structured ledger (meal entries, targets) remains the data of record — deleting chat history never affects your nutritional log.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Where chat content you provide reveals Article 9 data, Art. 9(2)(a) explicit consent.
Retention: 90 days from each message. Messages are deleted automatically after this period.
8. AI usage (anonymised cost accounting)
What we collect: Token counts, cost in EUR, AI provider name, model name, and the processing step (extraction, summary, chat), associated with your user ID while your account is active.
Why: To monitor per-user AI cost and enforce the service’s cost ceiling for sustainable pricing.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (cost management and sustainable service delivery). We have assessed that this interest is not overridden by your interests or fundamental rights: the data is minimised (no content, only tokens and cost) and anonymised on account erasure.
Retention: 24 months. Your user ID is removed (set to null) on account erasure, leaving an anonymised cost row.
9. Error and performance monitoring (operational)
What we collect: Application error logs, stack traces, and request metadata (which may incidentally include anonymised user identifiers, IP addresses, or browser user agents). This data is processed by Sentry and Better Stack. We configure these to minimise PII in log context — nutrition log content and auth tokens must not appear in error logs.
Why: To identify and fix software bugs and maintain service reliability.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (operational reliability of the service).
Retention: Per sub-processor configuration (typically ≤90 days).
10. Product analytics
What we collect: Anonymised usage events and feature interaction data. We do not send nutrition log content, profile data, or macro figures to analytics tools.
Why: To understand how the product is used and improve it.
Legal basis: Art. 6(1)(a) GDPR — consent for non-essential analytics storage or cookies on the web, otherwise Art. 6(1)(f) — legitimate interest for essential first-party operational metrics.
Retention: Up to 13 months.
11. Cycle tracking (optional)
What we collect: Menstrual-cycle events you choose to log — event dates and symptoms. This feature is strictly opt-in.
Why: To show cycle context alongside your nutrition and body-metric trends.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract, and Art. 9(2)(a) — explicit consent, collected before the feature is enabled.
Retention & protection: Cycle data is encrypted at the application level with a dedicated per-user key, separate from all your other data. It is kept for the lifetime of your account and included (decrypted) in your data export. If you withdraw cycle consent, the logs are deleted and the dedicated key is destroyed (“crypto-shredding”), which renders any residual encrypted copies permanently unreadable.
12. Phone number and SMS verification
What we collect: If you verify a phone number (required to start the free trial): the phone number and its verified status on your account; an append-only SMS send/refusal audit that stores only keyed hashes (HMAC-SHA256) of the phone number and IP address — never the plaintext; and, on the web, the result of a Cloudflare Turnstile anti-bot check.
Why: To confirm you are a real person, protect the SMS sending budget from abuse, and enforce the one-free-trial-per-person rule.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (verification you request); Art. 6(1)(f) — legitimate interest (fraud and abuse prevention) for the hashed audit records.
Retention: The phone number lives on your account for its lifetime and is deleted on erasure. The hashed trial-redemption record is retained after erasure to prevent trial abuse — see “What is retained after erasure” below.
13. Health platform imports (optional)
What we collect: Daily step counts imported from Apple Health or Health Connect, plus the connection state (which source is linked, sync status). Imports happen only after you grant permission at the operating-system level.
Why: To show your activity as context alongside nutrition data. Imported activity is context only — it is never used to compute your energy targets.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 9(2)(a) — explicit consent (health data).
Retention: Lifetime of your account; deleted on account erasure. Disconnecting the source stops all further reads. Imported activity is included in your data export.
14. Notifications
What we collect: Your device push token (managed by WonderPush), a log of notifications we sent you (kind, date, whether you opened or dismissed them), and your notification preferences and mutes.
Why: To deliver the reminders and nudges you enable, avoid duplicates, and respect dismissals.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Retention: Lifetime of your account; deleted on account erasure. The notification history and your preferences are included in your data export.
15. Saved meals, plans, and templates
What we collect: Saved meals and their items, reusable plan templates, dated meal plans, and the link between a planned item and the log entry that fulfilled it.
Why: One-tap re-logging and meal planning.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Retention: Lifetime of your account; deleted on account erasure; included in your data export.
16. Referrals and milestones
What we collect: Your personal referral code, referral attribution records (which account referred which), milestone awards (e.g. “first log”), and earned assistant-message credits.
Why: To operate the referral programme and progress milestones.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(f) — legitimate interest (referral fraud prevention).
Retention: Lifetime of your account. On erasure, referral attribution records are anonymised (the account references are removed) rather than deleted, so the referral cannot be re-credited by deleting and re-creating accounts.
17. Coach sharing (optional)
What we collect: If you invite a coach or partner: the sharing grant — the invitee’s email address, the shared scope, and its status (pending / active / revoked).
What is shared: A read-only weekly view: weekly summary, weight trend, adherence calendar, and target history. Chat content and raw food logs are never shared.
Legal basis: Art. 6(1)(b) GDPR — processing at your direction; the invitee’s email is processed on your instruction to deliver the invite.
Retention: Until you revoke the link or either account is erased; your sharing grants are included in your data export.
18. Subscription and entitlement data
What we collect: Your subscription status and tier, and a log of purchase-lifecycle events received from RevenueCat and the app stores (renewal, cancellation, refund). We never receive or store your payment card details.
Why: To know which features your account is entitled to.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Retention: Lifetime of your account; deleted on account erasure (the financial record of record remains with Apple, Google, or Stripe under their own retention obligations). Included in your data export.
How AI processes your data
Nutians uses large language models from Mistral AI, an EU-based provider, to power three features:
- Food log extraction — your log text and, for photo or label capture, the submitted image are sent to an AI model to identify food items, quantities, and timestamps. This is the only AI processing that sees your raw log text or images.
- Summary narratives — the AI receives only computed numeric metrics and a profile slice (not raw log text) to generate the narrative commentary in your daily and weekly summaries.
- Conversational assistant — the AI receives a composed context of your profile, recent summaries, and targets. Raw logs are not included by default; they are retrieved just-in-time only if you reference a specific past date.
EU-hosted, zero-retention, no training: Mistral processes your data within the EU under a data-processing agreement that prohibits retaining your content beyond the request and prohibits using your data to train models. When you delete your account, there is no data to erase at the AI provider.
Proposals, not decisions: AI-generated target adjustment proposals are never automatically applied — you must click an explicit “Apply” button. AI-proposed log entries or target changes suggested by the chat assistant also require your explicit confirmation before being executed. The platform is architected so no AI output takes effect without your approval.
Sub-processors
The following sub-processors process personal data on our behalf. All are bound by a Data Processing Agreement (DPA) or equivalent contractual safeguard. This list is synchronised with our Art. 30 Processing Register.
| Sub-processor | Role | Data received | Location |
|---|---|---|---|
| Neon | Managed PostgreSQL database | All DB-resident personal data | EU |
| Mistral AI | AI inference (extraction, vision, summaries, coach) | Log text / images / computed metrics (transient, zero-retention, no training) | EU (France) |
| Brevo | Transactional email + SMS verification codes | Email, phone number, message content | EU |
| RevenueCat | Subscription & entitlement management | Pseudonymous app user ID, purchase status | US (SCCs) |
| Apple App Store / Google Play | In-app purchase processing | Purchase token; payment handled by the store | Per store |
| Stripe | Web card payment processing via RevenueCat Web Billing | Email, payment status (card data held by Stripe) | US (SCCs) |
| WonderPush | Push notifications | Device push token, notification content | EU |
| Backblaze B2 | Export & PDF-report file storage (signed links) | Your export / report packages | EU |
| Cloudflare (Turnstile) | Bot protection on web sign-in and phone-verification pages | Turnstile challenge token, IP address, browser signals | Global (SCCs) |
| Sentry | Error monitoring | Stack traces, anonymised request metadata | US (SCC) |
| Better Stack | Log aggregation, uptime monitoring | Application logs | EU |
Product analytics is first-party: anonymised usage events are stored in our own EU database (see category 10 above). No third-party analytics service receives your data.
Food database lookups: to resolve foods and barcodes, our servers query the public food databases OpenFoodFacts (France) and USDA FoodData Central (US). Only the food name or barcode from your log is sent — never your identity, account identifiers, or any other personal data.
We will notify you before any new sub-processor that materially affects your personal data is added.
International transfers
Your personal data is hosted in the EU (Neon EU region). Where sub-processors outside the European Economic Area (EEA) process your data — specifically RevenueCat, Stripe, and Sentry — we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under Chapter V GDPR. Core processing for the database, AI, email/SMS, push, and export storage stays in the EU.
Your rights under GDPR
Right of access (Art. 15)
You can request a copy of the personal data we hold about you. Use the in-app You → Privacy & data → Export my data feature, or contact [email protected]. We will respond within one month.
Right to rectification (Art. 16)
You can correct your profile, edit any meal entry, update your targets, and adjust your food overrides directly in the app at any time.
Right to erasure (Art. 17)
You can delete your account and all associated personal data. The process works as follows:
- Go to You → Privacy & data → Delete account and confirm your intention.
- You will receive a confirmation email containing a link you must click to proceed. This two-step process protects against accidental or unauthorised deletion.
- Once you click the confirmation link, your login is disabled immediately and a hard purge of all your personal data is scheduled to complete within 30 days.
- Once the purge is complete, you will receive a completion email.
You can cancel the deletion before the purge completes by contacting [email protected].
What is retained after erasure:
- A minimal compliance record in the
erasure_audittable — containing only an opaque non-reversible hash of your user ID, timestamps of the request, confirmation, and completion, and the list of data categories that were purged. It contains no name, email, or nutrition data, has no database link to your deleted account, and is retained for 7 years as proof of Art. 17 compliance. - If you redeemed the free trial: a keyed hash (HMAC) of your verified phone number in the trial-redemption record. This is retained after erasure under Art. 6(1)(f) — legitimate interest (preventing repeated free-trial redemption by deleting and re-creating accounts). The record contains no plaintext phone number and cannot be reversed without a server-side secret. You may object to this retention (see “Right to object” below).
- Anonymised operational rows: AI cost-accounting rows and security sign-in events have their account reference removed (set to null); anonymised referral-attribution records are kept for fraud prevention. None of these can be linked back to you.
AI provider data: Because Mistral operates under zero-retention terms for this processing, there is no user data to erase at the AI provider level when you delete your account.
Right to data portability (Art. 20)
You can request a machine-readable export of your personal data (JSON and CSV format per category):
- Go to You → Privacy & data → Export my data and choose your date range (or request all history).
- We assemble your export in the background and send you a download link by email.
- The download link is valid for 7 days.
The export includes every user-facing data category: account identity, profile, targets, raw logs, meal entries, body metrics, summaries, food overrides, chat history, cycle logs (decrypted), notification history and preferences, consent history, subscription records, manual metric overrides, sign-in history, milestone awards, saved meals, imported health activity, expenditure estimates, plan templates, meal plans, and coach-sharing grants. A manifest file in the ZIP lists exactly what was included. Operational data (auth tokens, quota counters and message-battery state, AI usage rows, push-delivery infrastructure, referral codes) is not included.
Right to restriction of processing (Art. 18)
You may request that we restrict processing of your data in certain circumstances (e.g. while you contest the accuracy of data). Contact [email protected].
Right to object (Art. 21)
Where processing is based on legitimate interest (AI cost accounting, error monitoring, essential operational metrics), you may object. Contact [email protected]. We will assess whether our legitimate grounds override your interests. We explicitly draw this right to your attention because GDPR requires the right to object to be presented clearly and separately.
Right to withdraw consent (Art. 7(3))
Where processing is based on your consent, you can withdraw it at any time: health-adjacent feature consents (including cycle tracking) via You → Privacy & data in the app, and website analytics consent via the cookie banner on the landing site (or by clearing browser storage). You can also contact [email protected]. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to lodge a complaint (Art. 77)
You have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is maintained at: edpb.europa.eu/about-edpb/board/members_en.
Automated decision-making and profiling (Art. 22)
The platform uses AI and algorithmic processing to extract structure from your logs, generate summaries, and power the chat assistant. These processes constitute profiling (Art. 4(4) GDPR) in that they analyse your personal data to produce insights about your nutrition patterns.
No solely-automated decisions with legal or similarly significant effects are made about you (Art. 22). Specifically:
- AI-suggested target adjustments in summaries are proposals that require your explicit acceptance.
- AI-proposed log entries or target changes via chat require your explicit confirmation.
- Validation rules that block a draft entry hold it for your review — they never silently discard your data and you can override them.
You can edit or delete any entry, target, or correction at any time.
Children’s data
Our service is for users aged 18 and over. We require an age attestation at signup. We do not knowingly process personal data of persons under 18. If we become aware that a minor has created an account, we will delete that account promptly.
Security
We protect your personal data using encryption at rest (managed by our database provider, Neon) and in transit (TLS). In addition, the most sensitive content — raw food-log text, chat messages, and cycle logs — is encrypted a second time at the application level with per-user keys, so it is stored as ciphertext even inside the database; cycle data uses its own dedicated key so cycle consent withdrawal can destroy it independently (“crypto-shredding”). Access is restricted to authenticated users for their own data only. AI provider API calls are made over TLS to EU endpoints operating under zero-retention agreements. We maintain an audit log for privileged operations.
A detailed threat model and description of our security controls is maintained internally and reviewed regularly.
Changes to this policy
We will notify you by email and via an in-app notice before making material changes to this policy. The effective date above will be updated. Continued use of the service after the effective date constitutes acceptance. You retain the right to delete your account if you do not accept the updated policy.
Contact us
For all data protection enquiries:
Email: [email protected]
Postal address: Nutians, Porto, Portugal (full legal name, registration number, VAT details, and complete postal address to be finalised before launch where applicable)
This document is a review-ready draft. It has not been reviewed by qualified legal counsel and is not legally final. It must be reviewed and approved by a qualified EU data protection professional before being published to users.