Privacy Policy

1. Data Controller

The data controller for all personal data processed through the Nutri Macro India mobile application and website (nutrimacro.in) is:

Vinodh Jeganathan
Sole Trader, Registered Business Name: Limerick Family Farm (CRO No. 750471)
Ireland
Email: support@nutrimacro.in

As the operator is established in Ireland (an EU member state), the EU GDPR applies as the primary data protection framework. The India DPDP Act 2023 applies additionally for users who are Indian residents.

2. What Data We Collect

We collect the following categories of personal data:

2.1 Account & Identity Data

• Email address (required to create an account)
• Display name (optional)
• Profile photo (optional)
• Country and region (used for regional food database and pricing)

2.2 Health & Body Data

• Height, weight, and body measurements (entered by you)
• Age and biological sex (used for TDEE/calorie target calculation)
• Activity level and fitness goals
• Weight trend history and body measurements over time
• Sleep duration logs (manually entered or synced from Apple Health / Google Health Connect)
• Step counts (synced from Health Connect or Apple Health, if you grant permission)
• Mood and stress ratings (manually logged by you)
• Water intake logs
• Fasting windows (if you use the fasting tracker)

2.3 Nutrition & Food Logs

• All food items logged (name, quantity, macros)
• Food photos submitted for Photo Calorie Scan (processed in real-time, not stored on our servers after processing)
• Fridge photos submitted for Fridge Scan (processed in real-time, not retained)
• Receipt photos submitted for Receipt Scan (processed in real-time, not retained)
• Pantry items and expiry dates
• Meal plans generated (plan content is stored so you can view previous plans)

2.4 Dietary Preferences & Health Conditions

• Dietary preference (vegetarian, vegan, omnivore, etc.)
• Food allergies and intolerances
• Cuisine region preference
• Medical conditions you choose to disclose (optional — used only for personalisation)

2.5 Subscription & Transaction Data

• Subscription plan type and status (provided by RevenueCat)
• Purchase date and renewal date
• We do not receive or store payment card details — billing is handled entirely by Apple App Store or Google Play

2.6 Usage & Technical Data

• App usage patterns (screens viewed, features used, frequency of use)
• Device type and operating system version
• App version
• Crash reports and error logs
• IP address (used for security and geographic routing; not linked to your nutrition profile)

3. How We Use Your Data

We use the personal data we collect for the following purposes:

• Delivering core app features: Calculating your daily calorie targets (TDEE), displaying nutrition logs, tracking macros, managing your pantry, generating recipe suggestions and meal plans.
• AI-powered features: Sending food photos to the Gemini AI API for calorie estimation (photo scan), sending pantry contents and preferences to the AI for meal plan generation. AI inputs are processed in real-time and are not stored by the AI provider for training.
• Subscription management: Verifying your active subscription status through RevenueCat to unlock paid features.
• Family plan coordination: Linking family members to a shared subscription and shared pantry under the plan owner's account.
• Improving the service: Aggregated, anonymised usage analytics help us understand which features are used and improve the app. We do not use individual identifiable data for product development without your consent.
• Security and fraud prevention: Detecting and preventing abuse, automated attacks, and unauthorised access.
• Legal compliance: Retaining data as required by applicable tax, financial, and data protection law.
• Customer support: Using your account data and logs to investigate and resolve support requests you submit to us.

We do not use your data for advertising, do not build advertising profiles, and do not sell or rent your data to any third party.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the subscription service you have purchased — account management, feature delivery, subscription verification.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, aggregated analytics, crash reporting. We have assessed that these interests do not override your rights.
• Consent (Art. 6(1)(a) and Art. 9(2)(a)): Health data (weight, sleep, nutrition logs) is processed on the basis of your explicit consent, given during onboarding. You can withdraw this consent at any time by deleting your account.
• Legal obligation (Art. 6(1)(c)): Data retained to comply with Irish tax and financial law.

Under the India DPDP Act 2023, processing is based on your consent given at account creation. You retain the right to withdraw consent at any time (see Section 8).

5. Data Sharing & Sub-processors

We share personal data only with the following sub-processors, under data processing agreements, and solely to the extent necessary to operate the service:

RevenueCat (Revenue Cat, Inc., USA)
Purpose: Subscription management — verifying purchase status, entitlements, and renewal dates. RevenueCat receives your App Store / Play Store receipt token and subscription status. They do not receive your health or nutrition data.
Privacy: revenuecat.com/privacy

Railway (Railway Corp., USA)
Purpose: Backend API hosting and database hosting. All nutrition logs, food data, and user profiles are stored on Railway-hosted servers. Data is encrypted at rest and in transit.
Privacy: railway.app/legal/privacy

Google Gemini AI API (Google LLC, USA)
Purpose: AI features — photo calorie scan, fridge scan, AI meal plan generation, recipe remix. Food photos and pantry data are sent to the Gemini API for real-time processing. Google's API terms prohibit using this data to train Gemini models. Photos are not retained after the API response is returned.
Privacy: policies.google.com/privacy

Apple App Store / Google Play (for iOS and Android users)
Purpose: In-app purchase billing and subscription management. Billing details are handled entirely by Apple or Google under their own terms. We receive only a purchase confirmation token.
Apple Privacy: apple.com/legal/privacy
Google Privacy: policies.google.com/privacy

We do not share your data with any other third parties, advertisers, data brokers, or analytics platforms.

6. Data Retention

We retain your personal data for the following periods:

• Account and profile data: Until you delete your account, plus 30 days for backup recovery.
• Nutrition and food logs: For the lifetime of your account. You can delete individual log entries at any time from within the app.
• Meal plans: Retained for 12 months from creation, then automatically deleted.
• Food and fridge photos: Not retained on our servers after the AI processing response is returned (typically within a few seconds of upload).
• Subscription and billing records: 7 years, as required by Irish revenue law.
• Support correspondence: 3 years from the date of the last communication.
• Server logs (IP, usage): 90 days, then deleted.

If you submit an account deletion request, all personal data (excluding financial records required by law) is deleted within 30 days.

7. International Data Transfers

As the data controller is based in Ireland (EU), the primary data infrastructure is EU-based where possible. Some sub-processors (RevenueCat, Railway, Google) are based in the United States. Where data is transferred outside the EU/EEA:

• Transfers to the USA rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
• RevenueCat and Google are certified under applicable frameworks.

For users in India: transfers of your personal data to Ireland and the USA are made under the terms of this Privacy Policy. You consent to these transfers by creating an account. If you have questions about international transfers, contact us at support@nutrimacro.in.

8. Your Rights

Under the GDPR (for all users) and India DPDP Act 2023 (for Indian-resident users), you have the following rights:

Right of Access: You can request a copy of all personal data we hold about you. We will provide this within 30 days in a machine-readable format (JSON).

Right to Rectification: You can correct inaccurate data directly in the app (Settings → Profile) or by contacting us.

Right to Erasure ("Right to be Forgotten"): You can delete your account and all associated data via Settings → Account → Delete Account. All personal data is erased within 30 days (except data we are legally required to retain).

Right to Data Portability: You can request an export of your data in JSON format via Settings → Account → Export Data, or by emailing support@nutrimacro.in.

Right to Withdraw Consent: You can withdraw consent to health data processing at any time by deleting your account. Withdrawal does not affect the lawfulness of prior processing.

Right to Restrict Processing: You may ask us to restrict processing in certain circumstances (e.g., while you contest accuracy of data).

Right to Object: You may object to processing based on legitimate interests.

DPDP Act Rights (India): Indian users additionally have the right to nominate a nominee to exercise data rights in the event of death or incapacity, and the right to grieve in case of a breach of the DPDP Act obligations.

To exercise any of these rights, email support@nutrimacro.in with the subject line "Data Rights Request — [Right Type]". We will respond within 30 days. You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or the Data Protection Board of India once established.

9. Security

We implement industry-standard security measures:

• All data in transit is encrypted using TLS 1.2 or higher.
• All data at rest is encrypted using AES-256.
• Authentication uses salted bcrypt password hashing; session tokens are rotated on each login.
• Access to production databases is restricted by IP and requires multi-factor authentication.
• No employee has routine access to individual user nutrition logs.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.

10. Children's Privacy

Nutri Macro is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@nutrimacro.in and we will delete it promptly.

Family plan members under 18 must have their subscription managed by a parent or guardian. The parent or guardian is responsible for ensuring the minor's use of the app is appropriate.

11. Cookies & Analytics

The Nutri Macro mobile app does not use cookies. The nutrimacro.in website uses only essential session cookies required for normal page operation — no advertising or tracking cookies are set.

We do not use Google Analytics, Facebook Pixel, or any third-party web analytics service on this website.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes that affect how we process your personal data, we will notify you via a push notification in the app and by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent version.

Continued use of the app after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or to raise a concern:

Email: support@nutrimacro.in
Subject line for data requests: "Data Rights Request"
Response time: Within 30 days (typically sooner)

Postal address available on request. We are a small team based in Ireland and prefer email for data requests as it provides a clear written trail for your protection.