Privacy Policy
Last updated: April 5, 2026
1. Information We Collect
Nutosa collects minimal information necessary to provide our services:
- Account data: If you register, we store your name, email, and hashed password. Social login stores your provider ID and avatar URL.
- Usage data: Pages visited, search queries, and interactions with the site (via Google Analytics with consent).
- Technical data: IP address, browser type, and device information for security and rate limiting.
- AI Chat data: Questions asked to the AI nutrition assistant are processed but not permanently stored or linked to your identity.
- Food log data: If you use the food logging feature, your meal entries are stored in your account.
- Uploaded images: Body transformation images are processed by our AI provider and stored temporarily.
2. How We Use Your Information
We use collected information to:
- Provide nutrition search, food logging, and AI-powered meal planning
- Process AI assistant queries and body transformation requests
- Manage your account, subscriptions, and points balance
- Analyze usage patterns to improve the user experience
- Maintain the security and integrity of our website
3. Cookies
We use essential cookies for site functionality (session management, authentication) and analytics cookies (Google Analytics) to understand how visitors use our site. You can manage cookie preferences through the consent banner or your browser settings.
4. Third-Party Services
We may share data with the following categories of third-party services:
- Analytics: Google Analytics (anonymous usage data)
- AI Processing: OpenRouter (meal planning queries), fal.ai (image transformation)
- Payment Processing: Stripe (donation processing — we do not store card details)
- Advertising: Google AdSense (see Section 5 below for full details)
- Authentication: Google OAuth (if you choose social login)
Each service operates under its own privacy policy, linked above.
5. Advertising & Google AdSense
We use Google AdSense to display advertisements on our website. Google AdSense uses cookies and similar technologies to serve ads based on your prior visits to this and other websites. Specifically:
- DoubleClick Cookie: Google's DoubleClick cookie enables it and its partners to serve ads based on your visits to this site and/or other sites on the Internet.
- Personalized Ads: Google may use information about your visits to this and other websites to provide relevant advertisements about goods and services that may interest you.
- Third-Party Vendors: Third-party vendors, including Google, use cookies to serve ads based on your prior website visits.
Your Choices:
- You may opt out of personalized advertising by visiting Google Ad Settings.
- You may opt out of third-party vendor cookies for personalized advertising by visiting the Network Advertising Initiative opt-out page.
- You may also visit aboutads.info to opt out of interest-based advertising by participating companies.
For more information about how Google uses data when you use our site, please visit "How Google uses data when you use our partners' sites or apps."
6. Data Security
We implement industry-standard security measures including HTTPS encryption, secure session management, bcrypt password hashing, CSRF protection, and rate limiting. Uploaded images are stored securely and accessible only to the account owner.
7. Data Retention
Account data is retained as long as your account is active. Food log entries and meal plans are retained until you delete them. AI chat queries are not permanently stored. Rate-limiting data is automatically deleted after 24 hours. Analytics data is retained for 26 months in aggregate form.
8. Your Rights
You have the right to:
- Access any personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Export your food log and meal plan data
- Opt out of analytics tracking via cookie settings
- Disable cookies through your browser settings
9. Children's Privacy
Our services are not directed to children under 13 years of age. We do not knowingly collect personal information from children.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request what personal information we collect, use, and disclose.
- Right to Delete: You can request deletion of personal information we hold about you.
- Right to Opt-Out: You can opt out of the sale of personal information. Note: we do not sell your personal information. You can also opt out of personalized advertising via Google Ad Settings.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at [email protected]. We will respond within 45 days.
11. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right of Access: You can request a copy of your personal data.
- Right to Rectification: You can request correction of inaccurate data.
- Right to Erasure: You can request deletion of your personal data.
- Right to Restrict Processing: You can request limitation of how we process your data.
- Right to Data Portability: You can request your data in a machine-readable format.
- Right to Object: You can object to processing based on legitimate interests, including advertising profiling.
Legal Basis for Processing: We process data based on (a) your consent (analytics cookies, advertising cookies), (b) contractual necessity (account services, meal planning), and (c) legitimate interests (site security and improvement).
Advertising Consent: Advertising cookies are denied by default until you provide consent via our cookie banner. You can withdraw consent at any time by clearing your browser cookies.
Data Retention: Analytics data is retained for 26 months. Advertising cookie data is retained per Google's policies. AI queries are not permanently stored. Rate-limiting data is deleted after 24 hours. Account data is retained until a deletion request is made.
To exercise your rights, email [email protected]. We will respond within 30 days. If unsatisfied, you have the right to lodge a complaint with your local data protection authority.
12. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of our services after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this privacy policy, please email us at [email protected].