Privacy Policy
Last updated: June 5, 2026
Effective date: 2026-05-01
Last updated: 2026-05-01
Operator: DevX Group LLC ("DevX Group", "we", "us")
Contact: privacy@devxgroup.io
App: Nutrify.AI (Apple App Store ID io.devxgroup.nutrifyai)
Source-of-truth Markdown lives in
PRIVACY_POLICY.mdin the Nutrify.AI repository. This is the per-app addendum to the shared DevX Group corporate privacy policy athttps://devxgroup.io/privacy. The hosted copy athttps://nutrilogical.co/privacyis generated from this file. If the two diverge, the hosted copy controls for users; the file controls for engineering. The corporate-wide sections (who we are, governance, cookie practices, your global rights) live on the parent page; this addendum covers what is specific to Nutrify.AI.
1. Plain-language summary
Nutrify.AI is a personal nutrition, exercise, sleep, and lab-data assistant. We collect what you tell us and what you log, store it in your account, send a bounded slice to third-party AI providers when you ask the AI for help, and use it to generate personalized recommendations only inside your account. We do not sell your data. We do not use your data to train third-party AI models. Every AI request is processed for that single response and not retained for training by our providers under their enterprise terms. You can delete everything from inside the app at any time.
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Account identifiers | Email, Apple/Google sign-in subject ID, Supabase user ID | You, when you sign up |
| Profile | Name, age, sex, height, weight, goals, dietary preferences, activity level | You, during onboarding & in Settings |
| Health logs | Meals (text + photos), workouts (sets, reps, weight, RPE, duration, extras), sleep (duration, quality, factors), supplements, body weight history | You, in the app |
| Lab results | PDF/image uploads of blood-work reports + structured analyte values extracted by AI OCR | You, when you upload |
| Personal Notes / Journal | Free-form text, biomarkers, symptoms, mood entries you type into the Journal | You |
| Subscription state | Active / inactive Pro tier, RevenueCat anonymous user ID | RevenueCat (our payments processor) |
| Diagnostic | Crash logs, error stack traces (no PII) | Sentry |
| Local-only signals | Streak counts, app preferences, cached AI responses | On-device only (SharedPreferences) |
We do NOT collect: precise location, contacts, browsing history outside the app, microphone audio (the speech-to-text feature converts voice to text on-device or via Apple SpeechFramework before any text leaves the device), Apple HealthKit data (not yet integrated), social-graph data.
3. How we use your data
| Purpose | Legal basis (GDPR) | Data used |
|---|---|---|
| Provide the core service: log + chart + summarize your health data | Contract performance | All health logs, profile |
| Generate personalized AI recommendations (chat replies, daily actions, meal plans, sleep insights, supplement advice, workout plans, lab summaries) | Contract performance | A bounded user-context slice + your prompt; sent to Gemini (Google) and, on quota failover, Anthropic Claude |
| Extract structured analyte values from uploaded lab PDFs/images | Contract performance | The uploaded file; sent to Gemini |
| Bill subscriptions | Contract performance | Apple/Google receipt (handled by Apple StoreKit + RevenueCat) |
| Detect, fix, and prevent crashes | Legitimate interest | Stack traces, device model, OS version |
| Comply with App Store, GDPR, CCPA, and applicable consumer-protection law | Legal obligation | Whatever the law requires |
We do NOT use your data for: advertising, behavioral profiling outside the app, model training (third-party or our own), sale to data brokers.
4. Third-party processors
We share data only with the processors strictly required to operate the app, each under a written data-processing agreement.
| Processor | Role | Region | Data sent |
|---|---|---|---|
| Supabase Inc. | Authentication, database, file storage | United States | Account + health data + lab files |
| Google LLC (Gemini API) | LLM inference, embeddings, OCR | United States | Per-request user-context slice + prompt |
| Anthropic, PBC (Claude API) | LLM inference fallback when Gemini is rate-limited | United States | Same per-request slice as Gemini |
| Apple Inc. | App Store sign-in, push notifications, StoreKit subscriptions | Region of user's Apple account | Apple-managed identifiers |
| Google LLC (Sign-in with Google) | OAuth sign-in | United States | Google account ID, email |
| RevenueCat Inc. | Subscription management abstraction | United States | Anonymous user ID, Apple/Google receipt |
| Functional Software, Inc. (Sentry) | Crash + error reporting | United States | Stack traces, device model, app version |
| DevX Group LLC | Operator (us) | United States | All of the above, scoped to your account |
Sub-processors of these vendors (e.g., AWS, GCP) operate under each vendor's published sub-processor list. We update this table whenever a primary vendor changes.
5. Where your data is stored
Primary storage is Supabase US-East. Processing for AI inference happens on the AI vendor's infrastructure (Google US, Anthropic US). Crash diagnostics live on Sentry US. By using Nutrify.AI you consent to international transfer of your data, including, where applicable, transfer outside the European Economic Area, the United Kingdom, or other jurisdictions, under the EU Standard Contractual Clauses or equivalent legal mechanism.
6. How long we keep your data
| Data | Retention |
|---|---|
| Account + all health logs + journal entries + lab files | Until you delete your account; deletion is hard-delete (cascade) and irreversible after a 14-day grace window |
| AI inference logs at our vendors | Per vendor terms (Google: ≤ 24 hours abuse-monitoring buffer; Anthropic: ≤ 30 days under enterprise terms; neither uses your data to train models) |
| Backups | Supabase point-in-time recovery up to 7 days for paid plans; we do not retain longer-form backups |
| Crash diagnostics | 90 days at Sentry, then auto-deleted |
| Subscription receipts | 7 years (tax/audit obligation) |
7. Your rights
Regardless of jurisdiction, you can:
- Export your data: email privacy@devxgroup.io from the address on your account and we return a JSON archive of every table within 30 days.
- Correct your data: edit any log directly in the app; the underlying row updates immediately
- Delete your data: Settings → Account → "Delete Account". This hard-deletes your row in
auth.usersand cascade-deletes every child table including journal entries, lab files, and chat history within minutes (and triggers vendor-side deletion within their published windows) - Object / restrict / portability (GDPR / UK GDPR): email privacy@devxgroup.io
- Opt out of sale (CCPA, CPRA): we do not sell. There is nothing to opt out of.
- Children's data: Nutrify.AI is not directed to children under 17. We do not knowingly collect data from anyone under 17. If you believe a child has provided data, email us and we will delete it.
If you live in the EEA, UK, or Switzerland, you may also lodge a complaint with your national data-protection authority.
8. Security
In transit: TLS 1.2+ on every API call. Authentication: Supabase Auth + Apple/Google OAuth + Sign-in-with-Apple. Authorization: Postgres row-level security: every read/write is scoped to your auth.uid(); this is enforced in the database, not the application. Storage: Apple-managed iCloud-encrypted on device; Supabase-managed encryption at rest in the cloud (AES-256). API secrets: never embedded in the app binary; all AI keys live server-side in Supabase Edge Function environment variables.
We are a small team. We will not promise SOC 2 today; we will tell you the truth: we follow the same practices SOC 2 demands (least-privilege access, encrypted at rest and in transit, audit logs, password rotation, deny-by-default RLS) but we are not externally audited yet.
9. Health-data disclaimer
Nutrify.AI is not a medical device. The advice, summaries, and recommendations the app produces are general wellness information, not medical diagnosis or treatment. Always consult a licensed clinician before changing your diet, exercise, supplementation, or medication.
10. Children and parental control
The app is rated 17+ on the App Store given the unrestricted scope of AI conversations on health topics. We do not market to children and do not collect data from anyone under 17.
11. Changes to this policy
If we materially change how we collect or use data, we will (a) update this Markdown file, (b) update the hosted copy, (c) bump the "Last updated" date, and (d) on your next app launch, surface a non-dismissable banner explaining the change before you can continue. Non-material clarifications (typo fixes, layout changes) update silently.
12. Contact
privacy@devxgroup.io. Typical response within 5 business days.DevX Group LLC, PO Box 5010, PMB 76, Rancho Santa Fe, CA 92067