Privacy Policy

This Privacy Policy describes how the Nutryx mobile application ("Nutryx", "the app", "we", "us", "our") collects, uses, stores and shares information about you when you use our service. By using Nutryx you agree to the practices described here. If you do not agree, please do not use the app.

1. Who we are

Nutryx is operated by Nacho Bausá (sole trader), based in Spain ("the Controller"). You can reach the Controller at info@transformtoapp.com for any privacy-related question.

2. Data we collect

2.1 Account data

When you sign in with Google Sign-In or Sign in with Apple we receive: your unique provider ID, your email address, and your public display name. We do not receive your social-network password.

2.2 Health & nutrition data you provide

• Photos of food you choose to scan, and any image you send to the AI Coach.
• The nutritional data computed from those photos (calories, macros, ingredients, health score).
• Barcodes you scan and the resulting product information.
• Optional profile information (age, sex, height, weight, activity level, dietary preferences, goals, allergies) entered during onboarding.
• Meal plans, chat messages with the AI Coach, and notes you save.

2.3 Device & usage data (collected automatically)

• Device model, operating system version, app version, language, time zone, country.
• Pseudonymous identifiers (Firebase Installation ID, Advertising ID where allowed).
• Usage events (which screens you visit, which actions you perform — e.g. food_image_analyzed, paywall_view, purchase).
• Crash reports including stack traces and device state at the moment of crash.
• Performance metrics (network latency, screen render times).

2.4 Payment data

Subscription purchases are processed by Apple (App Store) and Google (Play Store). We never see your card number. We receive only the purchase confirmation, product ID, transaction ID and renewal status from RevenueCat.

3. How we use your data

• Provide the service: analyse your food images, generate meal plans, give nutritional estimates and AI Coach responses, sync your data across your devices.
• Personalise: tailor calorie targets, recommendations and notifications to your profile.
• Operate accounts and subscriptions: sign-in, manage Premium status, send transactional emails.
• Improve the app: analyse usage patterns, fix crashes, measure performance.
• Communicate: send push notifications (which you can disable at any time).
• Show ads (free users only): serve advertising via Google AdMob.
• Comply with the law and prevent fraud.

4. Legal basis for processing (EU/UK GDPR)

Purpose	Legal basis
Providing the service you requested	Performance of a contract
Health and dietary profile data	Your explicit consent (Art. 9 GDPR — special category data)
Analytics, performance, crash reporting	Legitimate interest in improving the app, or your consent where required
Personalised advertising	Your consent (App Tracking Transparency on iOS)
Legal obligations (tax, fraud)	Legal obligation

You can withdraw your consent at any time by deleting your account or by disabling the relevant tracking in your device settings.

5. Third-party services

We rely on the following processors. Each one is bound by contract or by their own terms to process your data only on documented instructions and with appropriate security.

Provider	Purpose	Privacy policy
Google Firebase (Authentication, Firestore, Storage, Cloud Functions, Crashlytics, Analytics, Performance, Messaging)	Sign-in, cloud storage, push notifications, analytics, crash reporting	firebase.google.com/support/privacy
Groq, Inc.	AI inference (food image analysis, AI Coach responses)	groq.com/privacy-policy
RevenueCat, Inc.	Subscription management and entitlement validation	revenuecat.com/privacy
Google AdMob	Advertising to non-premium users	policies.google.com/privacy
Open Food Facts	Product lookup from scanned barcodes	openfoodfacts.org/terms-of-use
Apple (Sign in with Apple, In-App Purchase, HealthKit)	Authentication, payments, health data sync (when you opt in)	apple.com/legal/privacy

6. AI processing of food images and Coach messages

When you submit a photo of food or a chat message to the AI Coach, the image / text is sent to our secured Cloud Functions backend and from there to Groq's inference servers. Groq processes the request in real time and returns a structured nutritional estimate or text response. We do not authorise Groq to train models on your data and the request is not stored on Groq's side beyond the duration needed for processing, according to Groq's policy.

AI-generated estimates are approximations. They are provided for educational and informational purposes only and are not medical advice. See our in-app Sources & Methodology screen for the references behind every nutritional figure.

7. Apple Health and Google Fit

If you choose to connect Apple Health (HealthKit) or Google Fit, the app may read step count, active energy burned, sleep, heart rate and exercise sessions to personalise your daily calorie target. This data is processed locally on your device and only summarised values (not the raw samples) are sent to our servers if you have enabled cloud backup. You can revoke this access at any time in your device's Health / Fit settings.

We do not use HealthKit data for advertising, do not share it with third parties for marketing, and do not sell it.

8. Data retention

• Account data: while your account is active and for 30 days after deletion.
• Food logs and meal plans: while your account is active. You can delete individual entries from the app at any time.
• Crash and analytics data: up to 14 months (Firebase default).
• Subscription receipts: as long as legally required for tax / accounting (up to 7 years in Spain).

9. Your rights

Under GDPR and similar laws you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Erase your data ("right to be forgotten") — you can delete your account directly from Settings → Account inside the app, or by emailing us.
• Restrict or object to processing.
• Data portability (export your data in machine-readable format).
• Withdraw consent at any time.
• Lodge a complaint with your local supervisory authority (e.g. AEPD in Spain).

To exercise these rights write to info@transformtoapp.com. We respond within 30 days.

10. Children

Nutryx is rated 4+ but is intended for users aged 13 and older (16 in the EU). We do not knowingly collect personal data from children below that age. If you believe a child has provided us with data, contact us and we will delete it.

11. Security

We use industry-standard measures: TLS encryption in transit, encryption at rest on Firebase, secret management for API keys, principle of least privilege on service accounts, and Firebase Authentication for access control. No system is 100% secure; in the event of a personal-data breach we will notify affected users and the competent authority within 72 hours as required by GDPR.

12. International transfers

Some of our processors (Google, Groq, RevenueCat) are located in the United States. Where personal data is transferred outside the European Economic Area we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

13. California (CCPA / CPRA) rights

If you are a California resident you have additional rights: to know what categories of personal information we collect, to delete that information, to correct it, to opt out of "selling" or "sharing" (we do not sell personal information in the traditional sense), and to non-discrimination. To exercise these rights write to info@transformtoapp.com.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced inside the app and the "Last updated" date above will reflect the revision. Continued use of Nutryx after a change constitutes acceptance.

15. Contact

Privacy questions, data requests, complaints:
info@transformtoapp.com

← Back to legal