NutriRoot Privacy Policy
Effective date: July 17, 2026 ยท Operator: Jordan Schaefer d/b/a Aevum Dynamics
1. Who We Are
NutriRoot (the "App") is operated by Jordan Schaefer d/b/a Aevum Dynamics. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights over it. Because NutriRoot is a nutrition and wellness app, some of the data we process is health-related ("consumer health data" under certain state laws); we treat it with heightened care as described below.
2. Data We Collect
- Account data: name, email address (stored encrypted; hashed for lookup).
- Profile data: date of birth, biological sex, body weight, height, body fat percentage โ used to compute your calorie and macro targets.
- Health & activity data: daily step count, exercise minutes by zone, food logs (foods eaten, portions, timestamps), water intake logs, and weight history, including readings you choose to import from Apple HealthKit or Google Health Connect.
- Goal settings: calorie target, macro split, goal type (lose / maintain / gain), target rate, calorie cycling schedule.
- Device & usage data: App version, device OS version, crash reports. We do not use persistent advertising identifiers.
- AI scan inputs: photos or text descriptions you submit to the AI food scanner. These are transmitted to Google Gemini for analysis and are not retained by us after the response is returned. Please avoid including people, faces, or other personal information in scanner photos โ anything in the frame is transmitted to Google for processing.
- Payment data: subscription status and expiry date synced from RevenueCat. We never see or store your card number.
Data we do NOT collect: we do not collect allergy information, medical conditions, diagnoses, or medication data, and the App does not provide allergen information. Nutrition values shown in the App come from published sources listed in the App's Sources section at the bottom of the Daily page.
We collect data directly from you, from your device (with permission), and from the service providers listed in Section 4. We do not collect data from data brokers and we do not track you across other companies' apps or websites.
3. How We Use Your Data (and Our Legal Bases)
- Provide the service: compute TDEE, macro targets, and adaptive calorie recommendations; store and display your food and weight history (performance of contract; your consent for health data).
- AI food scanner: forward your photo or description to Google Gemini to identify foods and estimate nutritional values (your consent โ each scan is initiated by you).
- Subscriptions: verify and sync entitlement status via RevenueCat to gate premium features (performance of contract).
- Security: authenticate you, detect abuse, protect your account (legitimate interest).
- Communications: transactional email only (verification, password reset). No marketing email without separate opt-in.
- App improvement: aggregate, anonymised analytics for crashes and performance (legitimate interest). We do not build advertising profiles.
We do not use your data for third-party advertising, and we do not use data obtained through HealthKit or Health Connect for advertising, marketing, or data mining, consistent with Apple and Google platform policies.
4. Data Sharing and Third Parties
We do not sell or rent your personal data, and we do not share it for cross-context behavioral advertising. We share data only with these service providers, only as needed to operate the App:
- Google Gemini (Google LLC) โ AI food identification. Photos/text you submit to the scanner are processed by Gemini under Google's terms.
- RevenueCat Inc. โ subscription management. We share a numeric user ID and sync subscription status.
- Apple Inc. / Google LLC โ HealthKit and Health Connect (opt-in only), sign-in, and App Store / Play Store purchases.
- USDA FoodData Central & Open Food Facts โ food database lookups. Only search queries (no personal identifiers) are sent.
- Hosting โ our servers and managed PostgreSQL database run on Replit; Replit's data processing terms apply.
We may disclose data if required by law, court order, or to protect the safety of users or third parties. If the App's operation is transferred to a successor entity (e.g., an LLC we form, or an acquirer), your data may be transferred to that entity under this same Policy; we will notify you of any material change in ownership or use.
5. How We Protect Your Data
Sensitive fields โ email address, name, date of birth, body weight, and body fat percentage โ are encrypted at rest using AES-256. Email addresses are additionally HMAC-hashed for secure lookup. All data in transit uses TLS. Access tokens expire after 1 hour; refresh tokens after 30 days. We apply least-privilege access. No system is perfectly secure; if a breach affects your personal data we will notify you as required by applicable law.
6. Data Retention
We retain your data while your account is active. Free accounts inactive for 90 days, and expired subscriber accounts 90 days past subscription end, are automatically purged. You can delete your account at any time via Settings โ Delete Account โ this permanently removes your profile, food logs, weight history, and all other personal data. We do not retain data after deletion except where required by law.
7. HealthKit and Health Connect
If you grant permission, NutriRoot reads weight and body-fat readings from Apple HealthKit (iOS) or Google Health Connect (Android) and may write weight entries back. This integration is entirely opt-in and revocable at any time in your device's health settings. Imported readings are stored on our servers, encrypted at rest like manually entered weight, and used the same way as manual entries. We never use HealthKit or Health Connect data for advertising or disclose it to third parties for their own purposes.
8. Children's Privacy
NutriRoot is not directed at children under 13, and we do not knowingly collect their personal data. If we learn a user is under 13, we will delete their data promptly. Users 13โ17 must have a parent or guardian review and agree to this Policy on their behalf.
9. Your Rights
Depending on your location, you may have the right to:
- Access โ request a copy of the personal data we hold about you.
- Correction โ ask us to fix inaccurate or incomplete data.
- Deletion โ delete your account and data via Settings โ Delete Account or by contacting us.
- Portability โ receive your data in a structured, machine-readable format.
- Objection / restriction โ object to certain processing or ask us to restrict it.
- Withdraw consent โ where processing is based on consent (e.g., health data, AI scans), withdraw it at any time without affecting prior processing.
To exercise any right, email aevumdynamics@gmail.com. We will verify your identity and respond within 30 days (or the period required by your local law). We will not discriminate against you for exercising your rights. If we deny a request, you may appeal by replying to our decision; where applicable law provides, you may also complain to your local data-protection or consumer-protection authority.
10. United States State Privacy Rights
California (CCPA/CPRA): you have the rights to know, delete, correct, and port your personal information, and to opt out of sale or sharing. We do not sell or share personal information as defined by the CCPA, and we do not use or disclose sensitive personal information for purposes requiring a right to limit. Submit requests to aevumdynamics@gmail.com.
Washington (My Health My Data Act) and similar state laws: food logs, weight, body-fat, and related data are "consumer health data." We collect and share such data only with your consent and only as described in this Policy; we do not sell consumer health data and would never do so without your separate, explicit authorization. You may withdraw consent and request deletion at any time as described in Section 9.
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have comparable rights, exercisable the same way.
11. Users in the EEA, UK, and Switzerland (GDPR)
Health-related data we process is "special category" data under the GDPR. We process it only with your explicit consent, given when you create an account and enter health information, and revocable at any time by deleting the data or your account. Our legal bases are set out in Section 3. Our servers are in the United States; transfers from the EEA/UK rely on your explicit consent and, where applicable, standard contractual clauses with our processors. You may lodge a complaint with your local supervisory authority.
12. International Transfers
Our servers are located in the United States. If you access the App from elsewhere, your data will be transferred to and processed in the US. We take steps to ensure your data receives an adequate level of protection wherever it is processed.
13. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes via in-app notice or email before they take effect. The effective date above reflects the latest revision. Continued use after the revised effective date constitutes acceptance; where a change requires fresh consent (e.g., a new use of health data), we will ask for it.
14. Contact Us
Questions, concerns, or requests regarding this Policy or your data: aevumdynamics@gmail.com