PRIVACY POLICY

Effective Date: March 13, 2026 | Last Updated: March 13, 2026

1. Introduction

NutriWellMe ("Company", "we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") describes how we collect, use, share, and protect information in connection with our website (https://nutriwell.me), mobile applications (iOS and Android), and all related services (collectively, the "Platform" or "Services").

This Policy applies to all users of the Platform worldwide. Where specific data protection laws apply to you based on your jurisdiction, additional rights and provisions are detailed in the jurisdiction-specific sections of this Policy.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices as described in this Policy, you should not use the Services.

Important: This Privacy Policy covers the Free, Pro, and AI subscription tiers. If you subscribe to our Elite or AI Elite tiers, additional privacy terms and consent requirements apply and will be presented to you separately during the subscription process.

2. Information We Collect

We collect information to provide, maintain, and improve our Services. The types of information we collect include:

2.1. Information You Provide Directly

Account Information:

Full name, email address, phone number, and mobile number
Date of birth (used to verify you are at least 18 years old)
Country and timezone
Profile image
Account credentials (password is stored in securely hashed form; we never store plain-text passwords)

Health and Wellness Data:

Meal logs: Food items consumed, ingredients, nutritional data, meal timing
Workout logs: Exercise type, duration, intensity, calories burned
Sleep logs: Sleep duration and quality metrics
Weight logs: Body weight measurements and trends
Blood pressure logs: Systolic and diastolic readings
Blood sugar logs: Glucose measurements, timing context (fasting, postprandial, random), and units
Hydration logs: Water intake tracking
Mood logs: Mood tracking and emotional state records
Meditation logs: Meditation session duration and frequency
Wellness activity logs: General wellness activity tracking

Pantry and Inventory Data:

Food items in your pantry, quantities, and expiration dates

Communication Data:

Messages sent through the Platform's in-app messaging features
Support requests and feedback

Goal and Preference Data:

Health and wellness goals
Dietary preferences, restrictions, and allergies
Fitness level and exercise preferences

2.2. Information Collected Through AI Features

When you use our AI-powered features, we collect:

Food scan images: Photographs of food items captured through your device camera. Images are processed for AI analysis and a thumbnail (approximately 10KB) is retained in your scan history.
Label scan images: Photographs of product labels and nutrition facts panels.
AI interaction data: Your interactions with AI-generated meal plans, workout plans, and recommendations, including modifications and feedback.
AI credit usage: Records of AI feature usage and credit consumption.

AI Processing Disclosure: Food images and health data submitted to AI features are processed by Google Vertex AI (Gemini models) hosted on Google Cloud infrastructure. Images are sent to Google's servers for analysis and are subject to Google's data processing terms. We do not retain the full-resolution images beyond the processing session; only thumbnails are stored in your scan history.

2.3. Information Collected Automatically

Device and Usage Information:

Device type, operating system, and version
Unique device identifiers
App version
IP address
Browser type and language preferences
Pages visited, features used, and actions taken on the Platform
Date and time of access
Referring URLs

Analytics Data:

Firebase Analytics data including app usage patterns, feature engagement, and crash reports
Performance metrics and error logs

Push Notification Tokens:

Firebase Cloud Messaging (FCM) tokens for delivering push notifications to your device

2.4. Information from Third-Party Sources

If you choose to register or log in using a third-party authentication service (Google Sign-In or Apple Sign-In), we receive your name, email address, and profile identifier from that service. We only access the information you authorize the third-party service to share with us.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1. Providing and Maintaining the Services

Creating and managing your account
Enabling health and wellness tracking features
Processing AI-powered food scans and generating nutritional analysis
Generating personalized AI meal plans, workout plans, and wellness recommendations
Managing your pantry inventory
Facilitating in-app messaging
Processing subscriptions and managing AI credit allocations
Sending transactional communications (account verification, password resets, subscription confirmations)

3.2. Improving and Personalizing the Services

Analyzing usage patterns to improve Platform features and user experience
Personalizing content and recommendations based on your health data, goals, and preferences
Developing new features and services
Conducting internal analytics and research

3.3. Safety and Security

Detecting, preventing, and addressing fraud, security issues, and technical problems
Enforcing our Terms of Service
Protecting the rights, property, and safety of NutriWellMe, our users, and the public
Verifying age eligibility (18+ requirement)

3.4. Legal Compliance

Complying with applicable laws, regulations, and legal processes
Responding to lawful requests from public authorities
Establishing, exercising, or defending legal claims

3.5. Communications

Sending push notifications about your health tracking, goals, and reminders (with your consent)
Communicating about service updates, security alerts, and administrative messages

4. Legal Bases for Processing

We process your personal data on the following legal bases, depending on the context:

Legal Basis	Description	Examples
Consent (GDPR Art. 6(1)(a))	Where you have given explicit consent for specific processing activities	Processing health data, AI feature usage, push notifications, analytics cookies
Contract Performance (GDPR Art. 6(1)(b))	Processing necessary for the performance of our contract with you	Account creation, providing tracking features, subscription management
Legitimate Interests (GDPR Art. 6(1)(f))	Processing necessary for our legitimate interests, balanced against your rights	Service improvement, fraud prevention, security, internal analytics
Legal Obligation (GDPR Art. 6(1)(c))	Processing necessary for compliance with applicable law	Tax obligations, regulatory reporting, responding to legal requests

Special Category Data: Health data (including blood pressure, blood sugar, weight, sleep, and dietary information) constitutes special category data under GDPR Article 9. We process this data solely based on your explicit consent, which you provide when you voluntarily input health data into the Platform. You may withdraw your consent at any time by ceasing to use the relevant features or by deleting your health data through the Platform.

5. AI Processing and Automated Decision-Making

5.1. AI Technologies Used: We use Google Vertex AI (Gemini models) for the following automated processing activities:

Food Recognition: Analysing images you capture to identify food items and their ingredients.
Nutritional Analysis: Estimating nutritional content of identified food items, including calories, macronutrients, and micronutrients.
Label Scanning: Reading and extracting information from product nutrition labels.
Meal Plan Generation: Creating personalized meal plans based on your health data, dietary preferences, and goals.
Workout Plan Generation: Creating personalized exercise routines based on your fitness level and goals.
Wellness Recommendations: Providing wellness activity suggestions based on your tracked data.

5.2. How AI Processing Works: When you use AI features, your data is transmitted to Google Cloud servers (located in the United States, us-central1 region) for processing. The AI models analyse your inputs and return results to the Platform. We use the following models: gemini-2.5-flash (primary), gemini-2.5-flash-lite (food scanning), and gemini-3-flash-preview (ingredient analysis).

5.3. Your Rights Regarding AI Processing: Under applicable data protection laws (including GDPR Article 22), you have the right to:

Know when content or recommendations are generated by AI (all AI-generated content is labelled as such on the Platform)
Request human review of any AI-generated recommendation
Opt out of AI-powered features while continuing to use manual tracking features
Request an explanation of how AI-generated recommendations were derived

5.4. AI Limitations: AI-generated content is not guaranteed to be accurate and should not be relied upon as medical advice. AI processing is used to assist your personal wellness journey and is not used for profiling that produces legal or similarly significant effects on you.

6. Sharing and Disclosure of Your Information

We do not sell your personal data. We share your information only in the following circumstances:

6.1. Service Providers and Processors

We share information with third-party service providers who process data on our behalf to help us operate the Platform:

Provider	Purpose	Data Shared	Location
Google Cloud / Vertex AI	AI processing, cloud storage, analytics	Food images, health data for AI features, usage analytics	United States (us-central1)
Firebase (Google)	Push notifications, analytics, crash reporting	Device tokens, usage events, crash logs	United States
RevenueCat	Subscription management	User ID, subscription status, purchase events	United States
Apple App Store	iOS subscription billing	Purchase data (managed by Apple)	United States / Ireland
Google Play Store	Android subscription billing	Purchase data (managed by Google)	United States
Zoho Mail	Email communications	Email addresses, email content	India / United States

All service providers are bound by data processing agreements that restrict their use of your data to the purposes specified by us and require them to implement appropriate security measures.

6.2. Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal processes, including court orders, subpoenas, or requests from government authorities.

6.3. Protection of Rights

We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Service, or as evidence in litigation.

6.4. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

6.5. With Your Consent

We may share your information for purposes not described in this Policy when we have obtained your explicit consent.

7. International Data Transfers

7.1. NutriWellMe is based in India. Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including India and the United States, where our service providers operate.

7.2. These countries may have data protection laws that differ from the laws of your country. When we transfer your data internationally, we implement appropriate safeguards to protect your information, including:

Standard Contractual Clauses (SCCs): For transfers from the EU/EEA to India or the United States, we rely on EU Standard Contractual Clauses (2021 version) as approved by the European Commission.
UK International Data Transfer Addendum: For transfers from the United Kingdom, we use the UK International Data Transfer Addendum in addition to SCCs.
Data Processing Agreements: All service providers are bound by contractual obligations to protect your data and process it only as instructed by us.
Transfer Impact Assessments: We conduct assessments of the legal framework in recipient countries to ensure adequate protection of your data.

7.3. By using our Services, you acknowledge and consent to the transfer of your data to countries outside your jurisdiction, subject to the safeguards described above.

8. Data Retention

8.1. We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

8.2. Our general retention periods are as follows:

Data Category	Retention Period	Basis
Account information	Duration of account + 30 days after deletion request	Contract performance; legal compliance
Health and wellness logs	Duration of account or until deleted by user	Consent; contract performance
AI scan history (thumbnails)	12 months, or until deleted by user	Consent; legitimate interest
Subscription and billing records	7 years after last transaction	Legal obligation (tax/accounting)
Device and usage analytics	26 months (Firebase default)	Legitimate interest
Communication records	Duration of account + 90 days	Contract performance; legitimate interest
Security logs	12 months	Legitimate interest; legal obligation

8.3. When data is no longer required, it is securely deleted or anonymised. Anonymised data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.

9. Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

9.1. Rights Under GDPR (EU/EEA and UK)

If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

Right of Access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy of that data.
Right to Rectification (Art. 16): Request correction of inaccurate personal data.
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
Right Not to be Subject to Automated Decision-Making (Art. 22): Right not to be subject to decisions based solely on automated processing, including profiling, that produces legal or similarly significant effects.
Right to Withdraw Consent: Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.

To exercise these rights, contact our Data Protection representative at team@nutriwell.me. We will respond within 30 days (extendable by 60 days for complex requests). You also have the right to lodge a complaint with your local supervisory authority.

9.2. Rights Under CCPA/CPRA (California, USA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete: Request deletion of personal information we have collected from you.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
Right to Limit Use of Sensitive Personal Information: Limit the use of sensitive personal information (including health data) to purposes necessary to provide the Services.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at team@nutriwell.me. We will verify your identity before processing your request and respond within 45 calendar days (extendable by 45 days with notice).

Disclosure: In the preceding 12 months, we have collected the categories of personal information described in Section 2 of this Policy. We have not sold personal information. We share personal information with the service providers listed in Section 6.1 for the business purposes described in Section 3.

9.3. Rights Under DPDPA 2023 (India)

If you are located in India, the Digital Personal Data Protection Act, 2023 (DPDPA) provides you with the following rights:

Right to Access Information: Obtain a summary of your personal data and processing activities.
Right to Correction and Erasure: Request correction of inaccurate or misleading personal data, and completion of incomplete data.
Right to Grievance Redressal: Lodge a grievance with our Grievance Officer (details below) and receive a response.
Right to Nominate: Nominate another person to exercise your rights in case of your death or incapacity.

As a Data Fiduciary under the DPDPA, we process your data only for lawful purposes with your consent or for legitimate uses as permitted under the Act. We provide notice in English and, upon request, in Hindi and other languages scheduled under the Indian Constitution.

9.4. Rights Under Other Jurisdictions

Users in other jurisdictions (including Brazil under LGPD, South Korea under PIPA, Australia under the Privacy Act, and Singapore under PDPA) may have similar rights. Please contact us at team@nutriwell.me to exercise your rights under your applicable local data protection law.

10. Data Security

10.1. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

Encryption: Data is encrypted in transit using TLS/SSL. Sensitive health data is encrypted at rest using AES-256 encryption.
Authentication: Secure password hashing (BCrypt), JWT-based session management, and support for OAuth 2.0 (Google, Apple).
Access Controls: Role-based access control (RBAC) limiting data access to authorised personnel and functions.
Account Security: Account lockout mechanisms after failed login attempts, secure password reset procedures with time-limited tokens.
Infrastructure: Hosting on secure cloud infrastructure with regular security updates and monitoring.
Rate Limiting: API rate limiting to prevent abuse and denial-of-service attacks.

10.2. While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

10.3. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities in accordance with applicable law, including within 72 hours as required by GDPR and within the timelines prescribed by the DPDPA and other applicable regulations.

11. Children's Privacy

11.1. The Platform is intended for users who are at least eighteen (18) years of age. We do not knowingly collect, use, or disclose personal data from individuals under the age of 18.

11.2. If we become aware that we have collected personal data from an individual under 18, we will take immediate steps to delete such data and terminate the associated account.

11.3. If you believe that a minor has provided us with personal data, please contact us immediately at team@nutriwell.me so we can take appropriate action.

12. Cookies and Tracking Technologies

12.1. Our website uses cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide and improve our Services.

12.2. Types of Cookies We Use:

Essential Cookies: Necessary for the operation of the website, including authentication and security. These cannot be disabled.
Analytics Cookies: Help us understand how visitors interact with our website (via Firebase Analytics). These are set only with your consent.
Preference Cookies: Remember your settings and preferences (language, display options). These are set only with your consent.

12.3. You can manage cookie preferences through our cookie consent banner displayed on first visit to our website. You can also manage cookies through your browser settings. Disabling certain cookies may affect the functionality of the Platform.

12.4. Our mobile applications use Firebase Analytics to collect usage data. You can opt out of analytics data collection through the app settings.

12.5. Do Not Track: We currently do not respond to "Do Not Track" browser signals. However, you can control tracking through the cookie consent banner and app settings as described above.

12.6. Global Privacy Control (GPC): We honour Global Privacy Control signals as a valid opt-out request for the sale or sharing of personal information under CCPA/CPRA.

13. Third-Party Links and Services

13.1. The Platform may contain links to third-party websites, applications, or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

13.2. We encourage you to review the privacy policy of every third-party site or service that you visit or interact with.

14. Changes to This Privacy Policy

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.2. We will notify you of material changes by:

Posting a prominent notice on the Platform
Sending an email to the address associated with your account
Updating the "Last Updated" date at the top of this Policy

14.3. Your continued use of the Services after the effective date of any update constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Services.

14.4. For changes that require your consent under applicable law (such as new processing of health data), we will obtain your explicit consent before implementing the change.

15. Grievance Officer (India)

In accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000, we have appointed a Grievance Officer to address your concerns regarding the processing of your personal data.

Grievance Officer

Name: [To be appointed]

Email: grievance@nutriwell.me

Address: [Registered office address, Tamil Nadu, India]

The Grievance Officer will acknowledge your complaint within 48 hours and resolve it within 30 days from the date of receipt. If you are not satisfied with the response, you may file a complaint with the Data Protection Board of India.

16. Data Protection Representative (EU/UK)

If you are located in the EU/EEA or the UK and have questions about our data processing practices, you may contact:

Data Protection Contact

Email: privacy@nutriwell.me

You also have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

NutriWellMe

Email: team@nutriwell.me

Privacy inquiries: privacy@nutriwell.me

Website: https://nutriwell.me

For data subject access requests (DSARs), please email team@nutriwell.me with the subject line "Data Subject Request" and specify the nature of your request. We will respond within the timeframes required by your applicable data protection law.

End of Privacy Policy