Privacy Policy
Last updated: March 7, 2026
Nutrina ("we", "our", or "us") operates the Nutrina mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy is prepared in accordance with the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK).
1. Data Controller
The data controller responsible for your personal data is:
2. Information We Collect
We may collect the following types of information:
- Account Information: When you create an account, we collect your email address and password (stored securely using Argon2id hashing).
- Food and Nutrition Data: Photos of meals you upload, food entries you log, and nutritional data generated from AI analysis.
- Usage Data: Information about how you use the app, including features accessed, time spent, and interaction patterns.
- Device Information: Device type, operating system version, unique device identifiers, and crash reports.
- Third-Party Authentication: If you sign in using Google or Apple, we receive your name and email address from the respective provider.
- Subscription Data: Subscription status, plan type, and purchase history (managed through RevenueCat and Apple/Google payment systems).
3. How We Use Your Information
We use the collected information for the following purposes and legal bases:
- Contract Performance: Provide, maintain, and improve the Service; track and display your nutrition history and trends.
- Legitimate Interest: Monitor and analyze usage patterns to improve user experience; detect, prevent, and address technical issues.
- Consent: Analyze food images using AI to generate nutritional information; send you promotional updates about the Service.
- Legal Obligation: Comply with applicable laws and regulations.
4. AI Data Processing
Important: When you use our food analysis feature, your food photos and related text are sent to third-party AI providers (OpenAI and/or Google Gemini) for processing. Specifically:
- Food images you upload are transmitted to AI providers for nutritional analysis.
- Text descriptions of food are sent to AI providers for nutritional data generation.
- AI providers process this data according to their own privacy policies and data processing agreements.
- We use API agreements with these providers that prohibit them from using your data for training purposes.
- AI-processed data may be temporarily stored on servers located in the United States (OpenAI) and/or the European Union (Google).
By using the food analysis feature, you consent to this data transfer. You can choose not to use AI features and instead log food entries manually.
5. Data Storage and Location
Your data is stored on secure servers with encryption at rest and in transit:
- Primary Database: Hosted on Hetzner servers in Germany (European Union).
- File Storage: Food-related images and assets are stored on Cloudflare R2 (European Union region).
- Crash Reports: Processed by Google Firebase (servers in the EU and US).
Security measures include:
- TLS/SSL encryption for all data transmission.
- Secure password hashing (Argon2id).
- Regular security audits and updates.
- Access controls and monitoring.
6. Sub-Processors and Third-Party Services
We use the following third-party services (sub-processors) to operate the Service:
| Provider |
Purpose |
Data Processed |
Location |
| Hetzner |
Server hosting & database |
All user data |
Germany (EU) |
| OpenAI |
AI food analysis (vision & text) |
Food photos, text descriptions |
United States |
| Google (Gemini) |
AI food analysis (vision & text) |
Food photos, text descriptions |
EU / United States |
| Google Firebase |
Authentication, push notifications, crash reporting |
Email, device tokens, crash logs |
EU / United States |
| Cloudflare R2 |
File storage (images) |
Generated food images |
European Union |
| fal.ai |
Image generation (fallback) |
Text prompts for image generation |
United States |
| RevenueCat |
Subscription management |
User ID, subscription status |
United States |
| Apple / Google |
In-app purchases & authentication |
Payment info (managed by Apple/Google), email |
United States |
| Emailable |
Email address validation |
Email addresses |
United States |
| Resend |
Transactional emails (verification, password reset) |
Email addresses, email content |
United States |
7. International Data Transfers
Some of our sub-processors are located outside the European Union and Turkey. When your data is transferred to countries outside the EU/EEA (such as the United States), we ensure adequate protection through:
- EU-US Data Privacy Framework (for US-based providers that are certified).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all sub-processors.
Under KVKK Article 9, cross-border data transfers are made based on your explicit consent provided when you accept this Privacy Policy and use AI-powered features.
8. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We may share information only in the following cases:
- With sub-processors listed in Section 6, solely for operating the Service.
- With your consent.
- To comply with legal obligations or court orders.
- To protect our rights, safety, and property.
9. Data Retention
We retain your data for the following periods:
- Account data: For as long as your account is active. Deleted within 30 days of account deletion request.
- Food entries and nutrition data: For as long as your account is active. Deleted with account deletion.
- Food photos sent to AI: Not stored by us after analysis. AI providers may retain temporarily per their policies (typically deleted within 30 days).
- Usage and analytics data: Up to 24 months, then anonymized or deleted.
- Crash reports: Up to 90 days (managed by Firebase).
- Server logs: Up to 90 days, then automatically deleted.
10. Your Rights
Under GDPR and KVKK, you have the following rights:
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your account and all associated data.
- Right to Restrict Processing: Request limitation of processing in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interest.
- Right to Withdraw Consent: Withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal).
- Right to Lodge a Complaint: File a complaint with a supervisory authority (see below).
To exercise any of these rights, contact us at bgprojects.nutrition@gmail.com. We will respond within 30 days.
Supervisory Authorities
- Turkey (KVKK): Personal Data Protection Authority (KVKK) — www.kvkk.gov.tr
- EU (GDPR): You may contact the data protection authority in your country of residence.
11. Children's Privacy
Our Service is not directed to children under 16 in the EU or under 13 in other regions. We do not knowingly collect personal information from children under these ages. If you become aware that a child has provided us with personal information, please contact us so we can take appropriate action.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and sending a notification through the app where appropriate.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
bgprojects.nutrition@gmail.com