Privacy Policy

Last updated: June 7, 2026

01

Introduction

Welcome to Nutio (“we”, “our”, “us”). Nutio is a food-centric social platform that combines visual meal sharing with AI-powered nutrition analysis. By using Nutio, you agree to the collection and use of information described in this policy.


02

Information We Collect

  • Account information: name, email address, username, password (hashed with bcrypt), bio, profile photo
  • Content you create: food photos, captions, dietary preference tags (e.g. vegan, halal, keto)
  • Dietary profile: your dietary style (e.g. halal, vegan, keto), allergen restrictions (e.g. nut-free, gluten-free), and cuisine interests — used to personalise your experience and power allergen safety alerts
  • Usage data: posts you like, save, comment on, repost, or follow; your notification history (who interacted with your content and when)
  • AI nutrition analysis data: food images you submit for analysis, and the resulting nutrition results (food name, confidence score, calories, protein, carbs, fat, fiber, micronutrients) stored against your account
  • Social graph data: accounts you follow or block — stored to personalise your feed and enforce content boundaries
  • Report data: if you submit a report, we store the report reason, optional details, and the content you flagged. This information is shared with our internal review team
  • Push notification tokens: if you opt in to push notifications, we collect your device's Firebase Cloud Messaging (FCM) token and platform (iOS or Android) to deliver notifications to your device
  • Device and technical data: technical metadata such as IP address, device type, OS, and app version — used for security, fraud prevention, and rate-limiting. This data is not persistently linked to your account profile

03

How We Use Your Information

  • To provide and improve the Nutio social feed and features (posts, likes, comments, replies, follows, saves, reposts)
  • To run AI-powered nutrition analysis on food images you submit
  • To display allergen and dietary safety alerts when a scanned food may conflict with your restrictions
  • To personalise your feed based on who you follow
  • To allow other users to discover your posts via search (caption full-text search, username prefix search)
  • To maintain your nutrition analysis history
  • To send push notifications about social activity (likes, comments, follows, reposts) — only if you have opted in
  • To review reports of content that may violate our community guidelines
  • We never sell your personal data to third parties
  • We do not use third-party advertising or behavioural analytics platforms

04

AI Nutrition Analysis

When you submit a food image for nutrition analysis, it is forwarded to LogMeal, a third-party food recognition API. The image and the resulting nutrition data (food name, confidence score, calories, macros, micronutrients) are stored in our database and linked to your account. You can view your analysis history at any time. Analysis is rate-limited to 10 requests per hour per user. LogMeal may retain submitted images under their own data retention policy — please refer to LogMeal's Privacy Policy for details.


05

Dietary Safety Alerts

When you scan food for nutrition analysis, Nutio may compare the detected ingredients and allergen data against your dietary restrictions to surface a safety alert (e.g. “This food may contain nuts”). This processing happens server-side using your stored dietary profile and the allergen data returned by LogMeal. Dietary safety alerts are informational only and should not be used as a substitute for reading product labels or consulting a medical professional.


06

Food Photos, Public Content, and Privacy Controls

All posts on Nutio are public — your food photos, captions, and dietary tags are visible to all users. Do not post content that includes personally identifiable information you do not wish to be publicly visible.

You have privacy controls over certain activity: your liked posts and saved posts can be set to private in your profile settings. When set to private, other users cannot browse your liked or saved collections, though the like and save counts on individual posts remain visible.


07

Push Notifications

If you grant notification permission, your device's Firebase Cloud Messaging (FCM) token is sent to our servers and to Google's Firebase infrastructure to enable push delivery. The token is tied to your account and your device platform (iOS or Android). We use it solely to deliver social notifications (likes, comments, follows, reposts).

You can withdraw notification consent at any time in your device's system settings (Settings → Notifications → Nutio). When you delete your account, your FCM tokens are permanently removed from our servers.


08

Data Storage and Security

Your data is stored in a PostgreSQL database. Media files (food photos, profile pictures, nutrition analysis images) are stored on S3-compatible cloud storage (Cloudflare R2). Passwords are hashed using bcrypt with a minimum of 12 salt rounds. All data is transmitted over HTTPS (TLS 1.2+). Authentication OTP codes are hashed before storage and expire within 15 minutes. We never expose your API keys or server-side credentials to the client.


09

Data Retention and Deletion

You may delete your account at any time from the app settings. Account deletion applies a soft delete to your user record and cascades removal of your posts, comments, likes, saves, follows, blocks, notifications, device tokens, and nutrition analyses. Soft-deleted data is retained for up to 30 days to allow recovery in case of accidental deletion, after which it is permanently purged.

You may request a full hard delete of your data (immediate, skipping the 30-day window) for GDPR compliance by contacting nutio.privacy@gmail.com. You may also request a portable export of your personal data under GDPR Article 20.


10

Cookies and Tokens

Nutio uses JWT-based authentication. Access tokens expire after 15 minutes and refresh tokens expire after 30 days. Refresh tokens are stored as httpOnly cookies so that client-side scripts cannot read them. We do not use advertising cookies. We do not use any third-party behavioural tracking or analytics cookies (no Mixpanel, Amplitude, Segment, or equivalent).


11

Third-Party Services

  • LogMeal (food recognition AI): Receives food images for ingredient recognition and nutritional analysis. See LogMeal's Privacy Policy at logmeal.com/privacy.
  • Cloudflare R2 (media storage): Stores food photos, profile pictures, and nutrition scan images. Served via Cloudflare's CDN.
  • Firebase / Google (push notifications): Receives device tokens and notification payloads to deliver push notifications to iOS and Android devices. See Google's Privacy Policy at policies.google.com/privacy.
  • SMTP email provider: We send transactional emails (OTP verification, password reset, internal moderation alerts) via an SMTP provider. Email content is processed in transit but not stored by the provider.

12

Content Moderation and Reports

Nutio operates a community reporting system. When you submit a report on a post, comment, or user, we store: the report reason (e.g. spam, harassment, inappropriate content), any optional details you provide, and identifiers for the reporter and the reported content. This information is shared with our internal moderation team via email for review.

Reported content may be hidden from public view pending review. Our moderation team may remove content or suspend accounts that violate our community guidelines. Report data is retained for as long as necessary to resolve the moderation case.


13

Children's Privacy

Nutio is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us at nutio.privacy@gmail.com and we will promptly delete the account and associated data.


14

Your Rights

You have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request that inaccurate data be corrected
  • Deletion: request deletion of your account and associated data
  • Portability: request a machine-readable export of your personal data (GDPR Article 20)
  • Objection: object to processing of your data for specific purposes

To exercise any of these rights, contact us at nutio.privacy@gmail.com.


15

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via push notification or email before they take effect. Continued use of Nutio after changes constitutes acceptance of the updated policy. The “Last updated” date at the top of this page reflects the most recent revision.


16

Contact

For privacy-related questions: nutio.privacy@gmail.com
