Nutricern

Privacy Policy

Effective Date: 7 June 2026  ·  nutricern.tech  ·  support@nutricern.tech

Health Data Notice

Nutricern collects health information you voluntarily provide, including health conditions, food allergies, and physical measurements. This is sensitive personal data. Please read this Privacy Policy carefully to understand how we store, use, and protect this information.

Nutricern (“Nutricern,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy (“Policy”) describes what personal information we collect, how we use and share it, how we protect it, and the rights and choices you have. This Policy applies to all information we collect when you access or use the Nutricern website and web application at app.nutricern.tech and nutricern.tech (collectively, the “Platform”).

Your use of the Platform is subject to this Privacy Policy and our Terms of Service. If you do not agree with this Privacy Policy, please do not use the Platform.

Contents
  1. Information We Collect
  2. Health Information — Special Notice
  3. How We Use Your Information
  4. How We Share Your Information
  5. AI Processing & Third-Party Services
  6. Cookies and Session Technology
  7. Your Rights & Choices
  8. UK, European Economic Area & International Users (GDPR)
  9. California Residents (CCPA)
  10. Data Security
  11. Data Retention
  12. Third Party Links
  13. Children’s Privacy
  14. Updates to this Policy
  15. How to Contact Us

Section 1

Information We Collect

For the purposes of this Policy, “Personal Information” means any information that identifies, relates to, or describes, directly or indirectly, an individual. We collect the following categories of Personal Information when you use the Platform.

1.1  Information You Provide Directly

Account Information

When you register for an account, we collect your username, email address, and a password (stored as a one-way cryptographic hash — we cannot read or recover your password). We also collect the date and time your account was created and the date and time of your most recent login.

Health Profile — Health Conditions & Allergies

You may voluntarily add health conditions, disorders, and food allergies to your Health Profile. This is sensitive personal data. You provide this information entirely at your own choice to enable the Platform to personalise its nutritional information to your stated health profile. See Section 2 for full details.

Physical Profile

You may voluntarily enter physical profile information including your age, sex, height (feet and inches), and weight (pounds). This information is used to personalise nutritional context within the Platform.

Food Preferences

You may select food likes and dislikes across multiple food categories (e.g., fruits, vegetables, proteins, cuisines, diets). These preferences are stored in your account and used to personalise your AI nutrition assistant’s responses and coverage analysis.

Food Log Entries

When you use the Food Logging tool, we collect the food items you log, including: food description, date, time, meal type, quantity or amount, and any notes. When the Platform automatically matches a food entry to the USDA nutritional database, we also store the matched food name, estimated weight in grams, and the full nutrient profile for that food.

AI Conversation History

When you use the AI nutrition assistant, we store a record of your questions and the AI’s responses. This conversation history is retained across sessions to enable contextual, coherent conversations and to support the automatic summarisation feature. See Section 5 for how AI conversations are processed.

Saved Items

If you save recipes, meal plans, or other content generated through the Platform, we store the content, title, and type of each saved item associated with your account.

Food Log Archive

If you use the food log archive feature (saving a week’s log before clearing it), we store the archived entries with a week-start date. Archived logs are retained in your account until you delete them or close your account.

Support Communications

If you contact us by email at support@nutricern.tech, we collect and retain the content of your communications and your email address in order to respond to your enquiry.

Password Reset Information

If you request a password reset, we temporarily store a one-time reset code associated with your account. This code expires after 30 minutes and is marked as used after a single successful use. We do not store the code in readable form after it has been consumed.


1.2  Information We Collect Automatically

Session and Authentication Data

When you log in, we create a session to keep you authenticated. We store a session identifier in a secure browser cookie. This session expires after 2 hours of inactivity.

IP Address and Device Information

Our web server automatically records your IP address and standard HTTP request headers (including browser type, operating system, and referring URL) when you access the Platform. This information is used for security monitoring, abuse prevention, and server diagnostics.

API Usage Data

For each AI session you initiate, we record the date, the number of input tokens, the number of output tokens, and the number of requests made. This data is associated with your account and is used to track usage for fair-use monitoring and to display your usage history in your Account Usage tab.

Server and Error Logs

Our web server generates access logs that record requests made to the Platform, including timestamps, HTTP status codes, and response sizes. These logs are used for operational monitoring, security analysis, and diagnosing technical issues. Logs are retained for a limited period and then deleted or overwritten.


1.3  Information We Do Not Collect

Nutricern does not collect the following:

  • Payment card numbers, bank account details, or other payment instrument information — all payment processing is handled directly by Polar (our billing provider) and we receive only a subscription status confirmation, not your payment details;
  • Government identification numbers, passports, or driver’s licence information;
  • Location data beyond the general location inferred from your IP address;
  • Biometric data;
  • Social media profile information (we have no social login or social media integration);
  • Data from advertising networks or data brokers.

Section 2

Health Information — Special Notice

Sensitive Data

Health conditions, disorders, and food allergies are sensitive personal data. Under UK GDPR and EU GDPR, health data is classified as “special category” data requiring explicit consent for processing.

2.1  What Health Data We Hold

You may voluntarily add to your Health Profile:

  • Health conditions and disorders — selected from a list of conditions (e.g., Type 2 Diabetes, Cardiovascular Disease, Arthritis, Osteoporosis) that you confirm apply to you;
  • Food allergies and intolerances — selected from a list of common allergens and dietary intolerances;
  • Physical profile — age, sex, height, and weight, from which body mass index and other health-adjacent information can be inferred.

2.2  Why We Collect It and Our Legal Basis

We collect your health information solely to personalise the nutritional information the Platform provides you. Specifically, health conditions are used to:

  • Display disorder-specific nutrient coverage charts in the food log, showing how your meals cover nutrients relevant to your stated conditions;
  • Personalise AI assistant responses to reflect your health context;
  • Power the disorder-coverage analysis feature that identifies foods and nutrients of potential therapeutic relevance.

We do not use your health information for advertising, profiling for marketing purposes, or sale to third parties. We do not share your health information with insurers, employers, or government agencies except as required by law.

Legal basis (UK/EU GDPR): By actively entering health conditions and allergies into your Health Profile, you provide explicit consent to our processing of this special-category data for the purposes described above (Article 9(2)(a) UK GDPR / EU GDPR). You may withdraw this consent at any time by deleting individual health profile entries from your account settings, or by requesting account deletion (see Section 7).

2.3  How We Protect Health Data

Health profile data is stored in our database with access restricted to authenticated account holders and authorised platform operations. Health data is not exposed in server logs, error messages, or analytical aggregates.

Health information you enter is visible to you within your account. It is not visible to other Members. It is visible to Nutricern’s administrative team in the context of operating and supporting the Platform, subject to the access controls described in Section 10.

2.4  Voluntary Nature of Health Data

Providing health information is entirely voluntary. You may use the Platform without entering any health conditions or allergies. However, certain features — specifically the disorder coverage charts and health-personalised AI responses — will be less relevant or unavailable without this information. You may add, edit, or remove health profile entries at any time through your account settings.

Section 3

How We Use Your Information

We use the Personal Information we collect for the following purposes.

Platform Operation and Service Delivery

  • Create and manage your account;
  • Authenticate your identity when you log in;
  • Deliver the personalised AI nutrition assistant responses, food log nutrient analysis, disorder coverage charts, and all other Platform features;
  • Store and retrieve your food log entries, health profile, food preferences, saved items, and conversation history;
  • Process password reset requests;
  • Send transactional emails (account registration welcome, password reset codes, subscription notifications).

Subscription and Payment Management

  • Verify your subscription status with Polar to control access to paid features;
  • Record subscription events (creation, renewal, cancellation) in your account;
  • Respond to billing-related support enquiries.

Platform Improvement and Security

  • Monitor server performance and availability;
  • Diagnose and resolve technical errors and security incidents;
  • Analyse usage patterns (in aggregated, de-identified form) to improve Platform features and performance;
  • Detect and prevent abuse, fraud, and violations of our Terms of Service;
  • Maintain server access logs for security auditing.

Legal and Compliance

  • Comply with applicable laws and regulations;
  • Respond to lawful requests from law enforcement or government authorities;
  • Establish, exercise, or defend our legal rights.

With Your Consent

  • For any other purpose for which you give us specific consent.

We do not use your Personal Information — and specifically never use your health information — to train AI models, serve targeted advertising, compile marketing profiles, or sell data to third parties.

We may aggregate or de-identify Personal Information so that it can no longer reasonably identify you. We may use and share such anonymised, aggregated data for any lawful business purpose including research and product development.

Section 4

How We Share Your Information

We do not sell your Personal Information. We share your Personal Information only in the limited circumstances described below.

4.1  Service Providers

We share Personal Information with third-party service providers who perform services on our behalf. These providers are permitted to use your information only to provide services to us and are bound by contractual obligations to protect your data.

Service Provider | Purpose | Data Shared
Anthropic (claude.ai) | AI language model powering the nutrition assistant | Your chat messages and conversation context
Polar (polar.sh) | Subscription billing and payment processing | Email address, subscription plan details
Hostinger SMTP | Transactional email delivery | Your email address, email content (welcome, reset codes, notifications)
USDA SR28 / FNDDS / Foundation Foods | Nutritional data source (read-only lookup; no data sent) | No personal data transmitted
NIH NCCIH / ODS | Herb and supplement information (read-only; no data sent) | No personal data transmitted

4.2  Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of Nutricern’s assets, your Personal Information may be disclosed to and transferred to the acquiring entity or its advisors as part of the transaction. We will notify you by email or by prominent notice on the Platform before your Personal Information becomes subject to a different privacy policy.

4.3  Legal Compliance and Protection

We may disclose your Personal Information if we believe in good faith that such disclosure is reasonably necessary to: (i) comply with a legal obligation, court order, or valid governmental request; (ii) enforce our Terms of Service or this Policy; (iii) protect the rights, property, or safety of Nutricern, our Members, or the public; or (iv) detect, prevent, or address fraud, security incidents, or technical issues.

4.4  With Your Explicit Consent

We may share your information with third parties when you have given us specific, informed consent to do so. You may withdraw such consent at any time.

4.5  Aggregated or De-Identified Data

We may share aggregated, anonymised, or de-identified data — from which individual Members cannot be identified — with third parties for research, analytics, and business purposes. Such data is not Personal Information and is not subject to this Policy.

Section 5

AI Processing & Third-Party Services

5.1  Anthropic and the Claude AI

The Nutricern AI nutrition assistant is powered by Claude, an AI language model developed by Anthropic, PBC (“Anthropic”). When you send a message to the AI assistant, your message — together with relevant context from your conversation history, health profile, and food preferences — is transmitted to Anthropic’s API for processing. Anthropic returns an AI-generated response that is then displayed to you.

Your AI conversation data is processed by Anthropic in accordance with Anthropic’s API usage policies and privacy practices. Nutricern does not control how Anthropic stores or uses API inputs after they are processed. We encourage you to review Anthropic’s privacy documentation if you have concerns about how your messages are handled by the AI provider.

Practical Note

Do not include in AI chat messages any information that you would not want transmitted to a third-party AI provider, such as financial account details, government ID numbers, or detailed medical records beyond what you have already entered in your Health Profile.

5.2  Polar — Subscription Billing

Subscription payment processing is handled by Polar (polar.sh). When you subscribe, you are redirected to Polar’s checkout interface. Polar collects and processes your payment card or other payment method details directly. Nutricern receives from Polar only: confirmation of subscription status, subscription period dates, and a Polar-generated subscription identifier. Nutricern never receives, stores, or processes your raw payment card details.

Your relationship with Polar is governed by Polar’s own Terms of Service and Privacy Policy. For questions about payment data, please contact Polar directly.

5.3  Email Service — Hostinger SMTP

Transactional emails (account welcome, password reset codes, and subscription notifications) are delivered via Hostinger’s SMTP mail relay service. Hostinger receives your email address and the content of each transactional message we send you. These emails are sent from noreply@nutricern.tech or a similar address.

Section 6

Cookies and Session Technology

6.1  Session Cookies

Nutricern uses a session cookie to keep you authenticated between page loads after you log in. This cookie contains a session identifier — a randomly generated token — that references your session on the server. The cookie is:

  • HTTP-only: not accessible to JavaScript, reducing XSS risk;
  • Secure: transmitted only over HTTPS connections;
  • Session-scoped: it expires when you close your browser or after 2 hours of inactivity, whichever comes first.

This session cookie is essential for the Platform to function. Blocking it will prevent you from logging in.

6.2  No Third-Party Tracking Cookies

Nutricern does not currently use third-party advertising cookies, behavioural tracking cookies, or analytics platform cookies (such as Google Analytics) on the Platform. We do not allow advertising networks to place tracking technologies on the Platform.

We do not use cookies to track you across other websites, build advertising profiles, or share your browsing behaviour with third parties.

6.3  Future Cookie Use

If we introduce additional cookies or tracking technologies in the future — for example, first-party analytics — we will update this Policy and, where required by law, present you with a cookie consent notice before deploying such technologies.

Section 7

Your Rights & Choices

You have a number of rights and choices regarding your Personal Information. Depending on your jurisdiction, these may include the rights described below. We will not discriminate against you for exercising any of these rights.

7.1  Access Your Information

You may access much of your Personal Information directly through your account:

  • Account details (username, email, join date) — visible on the Account → General tab;
  • Health profile (disorders, allergies) — visible and editable in your Member Settings;
  • Physical profile — visible and editable in your Member Settings;
  • Food preferences — visible as your selected checkboxes in the main member application;
  • Food log — visible in the Food Log tool, including archived weeks;
  • AI token usage — visible on the Account → Usage tab;
  • Subscription status — visible on the Account → Billing tab.

For a complete export of all Personal Information we hold about you, please contact us at support@nutricern.tech with the subject line “Data Access Request.” We will respond within 30 days.

7.2  Correct Your Information

You may update your email address, password, physical profile, health profile, and food preferences directly in your account settings at any time. If you need to correct information that cannot be edited in-app, contact us at support@nutricern.tech.

7.3  Delete Your Information

You may request deletion of your account and associated Personal Information by contacting us at support@nutricern.tech with the subject line “Account Deletion Request.” Upon verification of your identity, we will delete your account and Personal Information within 30 days, subject to any legal retention requirements (see Section 11).

You may also delete individual data within your account at any time: food log entries, archived logs, saved items, and health profile entries can all be removed from the relevant sections of the Platform.

Note: Deleting your account or health profile information will disable the personalised features of the Platform. Some residual data may remain in server backups for a limited period before those backups are overwritten.

7.4  Withdraw Consent for Health Data

If you wish to withdraw consent for our processing of your health conditions and allergies, you may remove all entries from your Health Profile at any time through your account settings. Removal of health data will disable disorder-specific coverage charts and health-personalised AI responses.

7.5  Email Communications

You will receive transactional emails relating to your account (welcome email, password reset, subscription notifications). These are necessary for operating your account and cannot be unsubscribed from while your account is active. If we introduce promotional or marketing emails in the future, we will include an unsubscribe mechanism in each such email.

7.6  Account Closure

You may close your account at any time by contacting us at support@nutricern.tech. Closing your account cancels your Membership and initiates deletion of your Personal Information.

Section 8

UK, European Economic Area & International Users

If you are located in the United Kingdom or the European Economic Area (“EEA”), the following additional provisions apply under UK GDPR and EU GDPR.

8.1  Data Controller

For the purposes of UK and EU data protection law, Nutricern acts as the Data Controller of the Personal Data described in this Policy. Our contact details are set out in Section 15.

8.2  Legal Bases for Processing

We only process your Personal Data where we have a valid legal basis.

Processing Activity | Legal Basis
Account registration and authentication | Performance of a contract (Article 6(1)(b))
Delivering Platform features (food log, AI assistant, preferences) | Performance of a contract (Article 6(1)(b))
Processing ordinary health profile data (physical profile: age, sex, height, weight) | Performance of a contract (Article 6(1)(b))
Processing special-category health data (disorders, allergies) | Explicit consent (Article 9(2)(a))
Subscription management and billing coordination with Polar | Performance of a contract (Article 6(1)(b))
Sending transactional emails | Performance of a contract (Article 6(1)(b))
Security monitoring, fraud prevention, access logs | Legitimate interests (Article 6(1)(f))
Legal compliance and responding to legal requests | Legal obligation (Article 6(1)(c))
Aggregated analytics for product improvement | Legitimate interests (Article 6(1)(f)) — using only de-identified data

8.3  Your GDPR Rights

Under UK and EU data protection law, you have the following rights in relation to your Personal Data:

  • Right of access: Request a copy of the Personal Data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete Personal Data.
  • Right to erasure: Request deletion of your Personal Data (“right to be forgotten”), subject to legal retention requirements.
  • Right to restriction: Request that we restrict processing of your Personal Data in certain circumstances.
  • Right to data portability: Receive your Personal Data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests. You have an absolute right to object to processing for direct marketing.
  • Right to withdraw consent: Where processing is based on consent (including for special-category health data), withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: Lodge a complaint with your local data protection authority (UK: ICO; EU: your national supervisory authority).

To exercise any of these rights, contact us at support@nutricern.tech. We will respond within 30 days. We may ask you to verify your identity before processing your request.

8.4  International Data Transfers

If you access the Platform from the UK or EEA, your Personal Data may be transferred to and processed in a country outside the UK/EEA — including the United States (for AI processing by Anthropic and subscription management by Polar). Where such transfers occur, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO;
  • The UK International Data Transfer Agreement (IDTA), where applicable;
  • Adequacy decisions by the European Commission or UK Secretary of State, where applicable.

You may request information about the transfer mechanisms we use by contacting us at support@nutricern.tech.

Section 9

California Residents — CCPA Privacy Rights

If you are a California resident, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act, “CCPA/CPRA”) provides you with certain additional rights regarding your Personal Information.

9.1  Categories of Personal Information We Collect

CCPA Category | Examples from Nutricern | Collected?
Identifiers | Username, email address, IP address, session ID | Yes
Personal records | Physical profile (age, sex, height, weight) | Yes, if you provide it
Characteristics of protected classifications | Sex/gender (from physical profile) | Yes, if you provide it
Health and medical information | Health conditions, allergies (from Health Profile) | Yes, if you provide it
Commercial information | Subscription status and plan | Yes
Internet or network activity | IP address, browser type, server access logs | Yes
Inferences | Nutrient coverage derived from food log + health profile | Yes
Sensitive Personal Information — Health data | Disorders and allergies from Health Profile | Yes, if you provide it
Financial information | Not collected (handled by Polar) | No
Biometric data | Not collected | No
Geolocation (precise) | Not collected | No

9.2  We Do Not Sell or Share Your Personal Information

Nutricern does not sell your Personal Information for monetary consideration. Nutricern does not share your Personal Information with third parties for cross-context behavioural advertising purposes. We do not have actual knowledge that we sell or share the Personal Information of consumers under 18 years of age.

9.3  Your CCPA/CPRA Rights

California residents have the right to:

  • Know: Request disclosure of the categories and specific pieces of Personal Information we have collected about you, the categories of sources, our business purposes, and the categories of third parties with whom we share it.
  • Delete: Request deletion of Personal Information we have collected about you, subject to certain exceptions (e.g., legal obligations).
  • Correct: Request correction of inaccurate Personal Information.
  • Opt out of sale/sharing: As noted above, we do not sell or share Personal Information, so no opt-out is required.
  • Limit use of Sensitive Personal Information: You may limit our use of Sensitive Personal Information (including health data) to the purposes necessary to provide the Platform services. You exercise this right by removing health data from your Health Profile.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA rights request, email us at support@nutricern.tech with the subject line “California Privacy Request.” We will verify your identity and respond within 45 days.

Section 10

Data Security

We implement technical and organisational security measures appropriate to the sensitivity of the Personal Information we process.

  • Encrypted transmission: All data transmitted between your browser and the Platform is encrypted using TLS (HTTPS).
  • Password hashing: Account passwords are stored using bcrypt, a one-way cryptographic hash function. We cannot read or recover your password.
  • Session security: Authentication sessions use HTTP-only, secure cookies. Sessions expire after 2 hours of inactivity.
  • Database access controls: The database is accessible only via Unix socket on the server — it is not exposed to the public internet. Database access requires dedicated application credentials.
  • Admin access controls: Administrative access to the Platform requires mutual TLS certificate authentication and SSH tunnelling — it is not accessible via a public URL.
  • Rate limiting: API endpoints are protected against brute-force attacks, including rate limits on login attempts and password reset requests.
  • Server hardening: The production server runs fail2ban intrusion prevention and firewall rules. SSH access logs are monitored.

Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your Personal Information. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

Section 11

Data Retention

We retain your Personal Information for as long as your account is active and for a reasonable period afterwards to comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Category | Retention Period
Account credentials (username, email, hashed password) | Retained while account is active; deleted within 30 days of account deletion request
Health profile (disorders, allergies) | Retained while you keep them in your profile; deleted immediately when you remove them; deleted within 30 days of account deletion
Physical profile | Retained while account is active; deleted within 30 days of account deletion
Food preferences | Retained while account is active; deleted within 30 days of account deletion
Food log entries and archives | Retained while account is active; deleted within 30 days of account deletion
AI conversation history | Retained while account is active; deleted within 30 days of account deletion
Saved items (recipes, meal plans) | Retained while account is active; deleted within 30 days of account deletion
Subscription and payment event records | Retained for up to 7 years for financial record-keeping and legal compliance
API token usage statistics | Retained for 90 days of rolling history; deleted within 30 days of account deletion
Password reset tokens | Deleted immediately upon use or expiry (30-minute lifetime)
Server access logs | Retained for up to 90 days then overwritten
Support email communications | Retained for up to 3 years from the date of the last communication
Backup data | Backup files may retain data for up to 30 days beyond deletion dates before being overwritten

Where we are required by law to retain Personal Information for a longer period (for example, financial records), we will retain the minimum necessary data and restrict access to it to those who require it for the legal purpose.

Section 12

Third Party Links

The Platform may contain links to third-party websites, resources, or services — for example, links within help content or support communications.

When you follow a link to a third-party site, you leave the Nutricern Platform and your activities on that site are governed by that site’s own privacy policy and terms, not by this Policy.

Nutricern does not control and is not responsible for the privacy practices, content, or availability of third-party sites. We encourage you to read the privacy policy of any third-party site you visit.

Section 13

Children’s Privacy

The Platform is intended for use by adults aged 18 and over.

We do not knowingly collect Personal Information from individuals under the age of 18. If you are under 18, please do not use the Platform or provide any information to us.

If a parent or guardian believes that a child under 18 has provided us with Personal Information, please contact us immediately at support@nutricern.tech. We will delete the information from our records as promptly as possible upon verification.

Section 14

Updates to this Privacy Policy

We may revise this Privacy Policy from time to time to reflect changes in the law, technology, our data practices, or our Platform’s features.

The “Effective Date” at the top of the Overview indicates when the current version was last updated.

If we make material changes to this Policy — particularly changes that affect how we process your health information — we will notify you by email to the address associated with your account and/or by a prominent notice on the Platform, at least 14 days before the changes take effect. For changes to how we process special-category health data, we will seek your explicit consent again where required by law.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the revised Policy, you must cease using the Platform and request account deletion.

Section 15

How to Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or to how Nutricern handles your Personal Information, please contact us.

Contact Details

Email: support@nutricern.tech
Subject line for privacy requests: “Privacy Request” or “Data Deletion Request” or “California Privacy Request”
Website: https://app.nutricern.tech

We aim to respond to all privacy-related enquiries within 30 days. For urgent matters relating to a potential data breach, please include “URGENT” in the subject line.

If you are located in the UK or EEA and are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with the relevant supervisory authority:

  • UK: Information Commissioner’s Office (ICO) — ico.org.uk
  • Ireland: Data Protection Commission (DPC) — dataprotection.ie
  • Other EU member states: Your national data protection supervisory authority.