NutriNori: AI-powered nutrition

Last updated: May 1, 2026

Privacy Policy

This policy explains in detail what data NutriNori collects, why, how it's protected and what your rights are. Estimated read: 4 minutes.

1. Who we are

NutriNori is a mobile and web AI-powered nutrition assistance app. The publisher is the data controller within the meaning of the GDPR (EU 2016/679).

2. Data we collect

You provide directly

  • Email and password (or Google ID via OAuth)
  • Name or first name
  • Profile picture (optional, via Google or uploaded)
  • Nutritional data: weight, height, age, biological sex, activity level, goal, allergies/diets
  • Logged meals (text, photo, scanned barcode), favorite meals, weight tracking over time
  • Conversations with Nori AI assistant

Collected automatically

  • Device identifier (anti-fraud referral)
  • IP address (rate limiting & security)
  • Operating system, app version
  • Push notification token (if enabled)
  • Activity logs (logins, errors) — kept 30 days

We do NOT collect

  • Precise geolocation
  • Contact book
  • SMS, calls, microphone outside explicit use
  • Sensitive health data other than what you enter voluntarily

3. What we use this data for

  • Nutritional calculation: estimate your calorie needs (BMR/TDEE), target macros, track your progress.
  • Food recognition: photos and barcodes are analyzed by our AI partner to identify food and nutritional values. Images are not retained by the AI provider beyond the request.
  • Nori assistant: answer your nutrition questions. Conversations are stored by us and sent to the AI model for generation.
  • Account & authentication: log you in securely, manage your subscription.
  • Notifications: meal reminders (if enabled), goal alerts, subscription info.
  • Security: detect fraud attempts, multiple accounts, promo code abuse.

4. Legal basis (GDPR)

  • Contract performance: processing necessary to provide the service you subscribed to.
  • Consent: push notifications, profile picture, Google OAuth. You can withdraw consent at any time.
  • Legitimate interest: platform security, fraud prevention, service improvement.
  • Legal obligation: keeping invoices for accounting (10 years).

5. Security: how your data is protected

Protecting your data is our priority. Here are the technical measures in place:

Encryption at rest

Email, name and photo are encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag). Weight, height, age, BMI and macros are encrypted the same way. Email lookup uses an indexed HMAC-SHA256 fingerprint of the address, which cannot be reversed to recover the email.

Encryption in transit

HTTPS (TLS 1.2+) enforced on all app ↔ server communications. HSTS header to prevent downgrades.

Passwords

Hashed via bcrypt with automatic salt. No one can read your passwords in clear text. Reset via 6-digit code expiring in 15 minutes, max 5 attempts.

Auth & sessions

JWT tokens signed HS256, limited duration. Strict rate limiting on login / signup / forgot password. Google OAuth managed by Emergent.

App security

Restricted CORS, hardened HTTP headers (X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy), immutable audit log, strict Pydantic validation.

Hosting

Emergent cloud infrastructure (EU), isolated Kubernetes containers. MongoDB on private network. Daily encrypted backups.

In case of breach

If a breach occurs despite these protections, we commit to notifying you within 72 hours in accordance with Article 33 of the GDPR and to reporting the incident to the CNIL.

6. Sub-processors &amp; data sharing

We use a limited number of carefully selected sub-processors:

  • Google (Gemini AI) — food photo analysis + Nori assistant. Ephemeral retention, no training on your data.
  • Google OAuth — login via Google account.
  • RevenueCat — technical management of Pro subscriptions (US, GDPR-compliant via SCC).
  • Apple App Store / Google Play — payments and billing.
  • Resend — transactional emails (welcome, password reset).
  • Emergent — hosting, MongoDB, OAuth.

We never sell your data to advertisers or data brokers.

7. Data retention

  • Account data: as long as your account is active.
  • Meals, photos, scans, Nori conversations: as long as your account is active.
  • Technical logs: 30 days.
  • Invoices and receipts: 10 years (accounting obligation).
  • After account deletion: immediate erasure of everything except invoices.

8. Your rights (GDPR)

  • Access: get a copy of all your data (JSON export on request).
  • Rectification: edit your info from Profile → Edit.
  • Erasure: delete your account from Profile → Security → Delete my account. Immediate effect.
  • Portability: receive your data in JSON on request at support@nutrinori.com.
  • Objection: refuse certain processing (notifications, AI profiling).
  • Restriction: request freezing of certain data.
  • Complaint: you can file with the CNIL at cnil.fr if your rights are not respected.

9. Minors

NutriNori is forbidden to users under 13. Users between 13 and 16 must have parental consent. If you are a legal guardian and notice a minor under 13 using the app, contact us: we will immediately delete the account.

10. Cookies and local storage

The mobile app does not use cookies in the web sense, but it stores the following locally on your device (AsyncStorage / SecureStore):

  • Authentication token (encrypted on iOS via Keychain, on Android via Keystore)
  • Preferences (language, theme, notifications)
  • Optimized image cache

This data is automatically erased when you log out or uninstall the app.

11. Push notifications

If you allow notifications, we send local meal reminders (scheduled on your device, not via a third-party server for daily reminders). You can disable notifications at any time from Profile → Notifications or your device system settings.

12. Transfers outside the EU

Some sub-processors (Google, RevenueCat) may process your data in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses (SCC) and the Data Privacy Framework (DPF) for certified providers.

13. Changes to this policy

We may modify this policy to reflect new features or legal obligations. In case of substantial change, you will be notified in-app and by email before it takes effect. The last update date is at the top of this page.

14. Contact

For any question, GDPR rights request or incident report:

support@nutrinori.com

Response time: 30 days maximum (often within 72h).

Your data belongs to you. Always.