Privacy Policy

Effective Date: December 2, 2025 | Last Updated: December 6, 2025

Introduction

This Privacy Policy ("Policy") explains how FeedAI ("we," "us," "our," or "Company") collects, uses, discloses, and protects your personal information when you use our mobile application and related services (collectively, the "Services"). This Policy applies to all users of the Services.

BY USING FEEDAI, YOU EXPRESSLY CONSENT TO THE COLLECTION AND USE OF INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY. If you do not agree with this Policy, you must not access or use the Services.

1. Age Restrictions

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (via Google Sign-In authentication)
• Google Account profile information (name and profile picture, if provided by Google and authorized by you)
• Unique user identifier (internally generated for account management)
• Account metadata including creation date and last login timestamp

2.2 Food Logging Data

When you use the food logging features, we collect:

• Food log entries including meal descriptions, timestamps, and meal types (breakfast, lunch, dinner, snack)
• Nutritional data including calories, protein, carbohydrates, fats, fiber, and net carbohydrates
• Meal photographs that you capture or upload through the application
• AI-generated nutritional estimates produced by analyzing your meal photos using third-party AI services (see Section 4)
• Manual entries and edits you make to food logs

2.3 Water Intake Data

When you use water tracking features, we collect:

• Water consumption logs including volume (in milliliters or ounces) and timestamps
• Hydration goals if you configure them in the application settings

2.4 Device and Technical Information

We automatically collect certain technical information:

• Device identifiers including device model, manufacturer, and unique device ID
• Operating system information including OS version and system language
• Application version and build number
• Push notification tokens (only if you enable push notifications)
• IP address and general location information (city/region level, not precise GPS coordinates)
• Usage data including features accessed, session duration, and interaction patterns
• Error logs and crash reports to diagnose technical issues and improve application stability

2.5 Behavior Analytics

We collect detailed analytics data to improve the app experience:

• Navigation Events: Screen views, tab selections, navigation patterns
• Engagement Events: Button clicks, camera usage, photo captures, voice input usage
• Conversion Events: Meal logging activity, water tracking, analysis completions
• System Events: App opens, backgrounding, login/logout activities
• Error Events: API errors, analysis failures (for debugging)
• Device Context: App version, device model, OS version, timezone
• Session Data: Session identifiers to understand user journeys

This analytics data is:

• Used solely for product improvement and understanding user behavior
• Analyzed in aggregate to identify usage patterns and feature effectiveness
• Retained for service improvement purposes
• NOT sold to third parties
• NOT used for advertising purposes

2.6 Location Information (Optional)

Location data collection is entirely optional:

• Approximate location (city or region level) may be collected when you log meals if you grant location permissions in your device settings
• We do NOT collect precise GPS coordinates or track your real-time location
• You can disable location access at any time through your device settings without affecting core functionality

2.7 Information from Third-Party Integrations

If you choose to connect third-party services via Model Context Protocol (MCP) integration:

• Authorization tokens to enable data sharing with connected services
• Connection metadata including which services you've authorized and when

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Consent: You provide explicit consent when you create an account and use the Services
• Contract Performance: Processing is necessary to provide the Services you requested
• Legitimate Interests: We process data to improve the Services, prevent fraud, and ensure security, provided such processing does not override your fundamental rights

You have the right to withdraw consent at any time by deleting your account, though this will not affect the lawfulness of processing based on consent before withdrawal.

4. How We Use Your Information

4.1 Service Delivery and Core Functionality

We use your information to:

• Create, maintain, and authenticate your user account
• Process and store food logs and meal photographs
• Generate AI-powered nutritional estimates from meal photos using third-party artificial intelligence services (OpenAI GPT-4o Vision and Anthropic Claude)
• Track water intake and display hydration data
• Store and retrieve your nutrition history
• Synchronize data across your devices (if you use multiple devices)

4.2 MCP Integration (Optional)

If you explicitly authorize Model Context Protocol (MCP) connections:

• To enable third-party AI assistants (such as ChatGPT or Claude) to access your food and nutrition data
• To provide authenticated API access to your nutrition information for connected services

IMPORTANT: MCP integration is entirely optional. You control which services can access your data and can revoke authorization at any time through the application settings. Once data is shared with a third-party service via MCP, that service's privacy policy governs their use of your data.

4.3 Service Improvement and Analytics

We use aggregated and anonymized data to:

• Improve AI nutritional estimation accuracy
• Identify and fix technical issues, bugs, and crashes
• Understand usage patterns to enhance user experience
• Develop new features and functionality
• Behavior Analytics: Understand how users interact with the app (screen flows, feature adoption, conversion rates)
• Funnel Analysis: Track user journeys to identify and fix friction points
• Error Monitoring: Detect and fix bugs, performance issues
• A/B Testing: Test feature variations to improve user experience (when applicable)

4.4 Communications

We may use your email address to:

• Send critical service notifications (account security, policy updates, service disruptions)
• Respond to your support inquiries
• Send push notifications if you enable them (meal logging reminders, hydration reminders)

You can disable push notifications in your device settings at any time. You cannot opt out of critical service communications related to your account security or legal notifications.

5. How We Share Your Information

WE DO NOT SELL YOUR PERSONAL INFORMATION.

We share your information only in the following limited circumstances:

5.1 Service Providers (Data Processors)

We engage third-party service providers to perform functions on our behalf. These providers have access to your personal information only to perform specific tasks and are contractually obligated to protect your information:

• Google Cloud Platform: Provides cloud infrastructure, database hosting (Cloud SQL PostgreSQL), and object storage (Cloud Storage) for meal photographs. Google processes data in accordance with their Data Processing Amendment.
• OpenAI: Processes meal photographs via GPT-4o Vision API to generate nutritional estimates. According to OpenAI's API policies, data submitted via API is not used to train their models. See OpenAI API Data Usage Policy.
• Anthropic: Provides Claude AI services for Model Context Protocol (MCP) integration and AI-powered nutritional analysis. See Anthropic Privacy Policy.
• Apple Inc.: Delivers push notifications via Apple Push Notification Service (APNs) to iOS devices. See Apple Privacy Policy.

5.2 User-Authorized Third-Party Services (MCP)

If you explicitly authorize MCP integrations, your food logs and nutritional data will be shared with the services you connect (e.g., ChatGPT, Claude, or other MCP-compatible applications). You have full control over these connections and can revoke access at any time.

Once data is transmitted to a third-party service you authorize, that service's privacy policy and terms govern their use, storage, and protection of your data. We are not responsible for the privacy practices of third-party services you connect.

5.3 Legal Compliance and Protection

We may disclose your information if required to do so by law or in response to:

• Valid legal process (subpoena, court order, search warrant)
• Government or regulatory requests
• Requests from law enforcement agencies
• Investigations of potential violations of our Terms of Service
• Situations involving potential threats to physical safety
• Protection of our legal rights, property, or safety, or that of our users or the public

5.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding involving FeedAI, your personal information may be transferred to a successor entity. You will be notified via email and/or prominent notice in the application of any such change in ownership or control of your personal information.

5.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. Such data is not considered personal information and may be used for research, analytics, marketing, or other business purposes without restriction.

6. Data Retention

We retain your personal information for as long as necessary to provide the Services and fulfill the purposes described in this Policy:

• Account information: Retained for the duration of your active account, plus 30 days after account deletion to allow for recovery requests
• Food logs and meal photographs: Retained for the duration of your active account, plus 30 days after account deletion
• Water intake logs: Retained for the duration of your active account, plus 30 days after account deletion
• Usage and analytics data: Retained for up to 24 months, or until aggregated and anonymized
• Crash reports and diagnostic logs: Retained for up to 12 months for troubleshooting purposes

After the retention period expires, we will permanently delete your personal information from our active databases and backups, except where we are required to retain information to comply with legal obligations (e.g., tax records, legal disputes).

7. Your Privacy Rights

7.1 Access and Data Portability

You have the right to:

• Access your personal information stored in FeedAI
• Export your data in a structured, machine-readable format (JSON)
• Request a copy of your data by contacting privacy@feedai.app

You can access and export your food logs, water logs, and account information directly through the application settings.

7.2 Correction and Deletion

You have the right to:

• Correct inaccurate or incomplete personal information
• Edit food logs and meal entries directly in the application
• Delete individual food logs or meal photographs
• Delete your entire account and all associated data using the "Delete Account" option in settings

When you delete your account, we will permanently delete your personal information within 30 days, except where retention is required by law.

7.3 Opt-Out and Restrictions

You have the right to:

• Disable push notifications through your device settings
• Disable location tracking through your device settings
• Revoke MCP connections and third-party data sharing through application settings
• Object to processing based on legitimate interests (contact privacy@feedai.app)

7.4 GDPR Rights (EEA, UK, Switzerland Users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR:

• Right to Access (Art. 15): Request confirmation of processing and a copy of your data
• Right to Rectification (Art. 16): Correct inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
• Right to Data Portability (Art. 20): Receive your data in a portable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of prior processing)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise GDPR rights, contact privacy@feedai.app. We will respond within 30 days.

7.5 CCPA/CPRA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of "sale" or "sharing" of personal information (note: we do not sell your data)
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use: Limit use of sensitive personal information (health data)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

We do not sell or share your personal information for cross-context behavioral advertising.

To exercise CCPA/CPRA rights, contact privacy@feedai.app or use the in-app "Delete Account" feature. We will respond within 45 days.

8. Data Security

We implement commercially reasonable technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction:

• Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
• Encryption at Rest: Data stored in our databases (Cloud SQL PostgreSQL) and object storage (Cloud Storage) uses AES-256 encryption
• Authentication Security: OAuth 2.1 protocol with secure token storage and refresh mechanisms
• Access Controls: Role-based access controls limit employee access to personal data on a need-to-know basis
• Infrastructure Security: Services hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and other security certifications
• Secure Development Practices: Regular security audits, vulnerability scanning, and secure coding practices

IMPORTANT: No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. You acknowledge and accept the inherent security risks of transmitting data over the Internet.

8.1 Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify affected users via email within 72 hours of discovering the breach (as required by GDPR)
• Notify applicable regulatory authorities as required by law
• Provide information about the nature of the breach, affected data, and steps you can take to protect yourself

9. International Data Transfers

FeedAI is based in the United States. Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to countries that do not provide an equivalent level of data protection. We rely on the following safeguards for international transfers:

• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with service providers
• Adequacy Decisions: We transfer data to countries recognized by the EU Commission as providing adequate protection

By using the Services, you consent to the transfer of your information to the United States and other countries for processing and storage.

10. Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services (including those connected via MCP integration). This Privacy Policy does not apply to third-party services.

We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party services before providing them with your personal information.

Third-party services that may access your data include:

• Google Sign-In: Google Privacy Policy
• OpenAI (GPT-4o Vision): OpenAI Privacy Policy
• Anthropic (Claude): Anthropic Privacy Policy
• ChatGPT (if connected via MCP): OpenAI Privacy Policy

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes to this Policy:

• We will update the "Last Updated" date at the top of this Policy
• We will notify you via email at the address associated with your account
• We will display a prominent notice in the application for at least 30 days
• For material changes that expand our use of personal information, we will obtain your consent where required by law

Your continued use of the Services after the effective date of the revised Policy constitutes acceptance of the changes. If you do not agree with the revised Policy, you must stop using the Services and delete your account.

We encourage you to review this Policy periodically.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

• Privacy Inquiries: privacy@feedai.app
• Data Protection Officer: dpo@feedai.app
• Security Issues: security@feedai.app
• General Support: support@feedai.app

We will respond to your inquiry within 30 days (or as required by applicable law).

12.1 EEA/UK Data Protection Authority

If you are located in the EEA or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

• EU Data Protection Authorities: List of EU DPAs
• UK Information Commissioner's Office: ico.org.uk

---

Version: 2.1 | Document ID: FEEDAI-PP-2025-001