Privacy policy
How we protect your privacy and handle your data
Last updated: April 22, 2026
Key Points
- We never store your food photos - processed in memory only
- Your data is encrypted using industry-standard security
- Access, export, or delete all your data at any time
- We never sell your personal information
- EU and California residents have additional protections
1. Our commitment to privacy
At Nourli, we are committed to protecting your privacy and maintaining the security of your personal information. This Privacy Policy explains how we collect, use, and protect your data when you use our service.
2. Data controller
The data controller responsible for your personal data is:
MB Marerisoft
Registration No. 307611399
VAT No. LT100019941819
Vilnius, Lithuania
Email: privacy@nourli.health
The supervisory authority for data protection in Lithuania is the State Data Protection Inspectorate (Valstybine duomenu apsaugos inspekcija, VDAI). You have the right to lodge a complaint with the VDAI or with the supervisory authority in your country of residence.
3. Zero photo retention policy
We do not store your food photos.
When you upload or take a photo of your food:
- Photos are processed in memory only for AI analysis
- Images are immediately deleted after analysis is complete
- No photos are saved to our servers or databases
- Only the extracted nutrition data is stored in your account
4. Information we collect
Account information
- Email address (for account creation and communication)
- Profile information (age, height, weight, activity level - provided when setting nutrition goals)
- Nutrition goals and preferences
Usage data
- Food entries and nutrition data you manually input or that we extract from photos
- App usage analytics (anonymous and aggregated)
- Device information and IP address
5. How we use your information
- To provide and improve our AI-powered nutrition analysis
- To track your progress and provide personalized recommendations
- To communicate with you about your account and our service
- To provide customer support
- To improve our service through anonymous analytics
6. Data security
We implement industry-standard security measures to protect your data:
- End-to-end encryption for all data transmission
- Secure cloud infrastructure with regular security audits
- Access controls and authentication protocols
- Regular security updates and monitoring
7. Your rights
You have the right to:
- Access your personal data
- Correct or update your information
- Delete your account and all associated data
- Export your nutrition data
- Opt out of marketing communications
8. Data retention
- Account profile and nutrition data: Retained until you delete your account. Upon deletion, erased within 48 hours (maximum 30 days)
- Food photographs: Never stored. Processed in memory only
- Payment records: Retained for 10 years following the last transaction, as required by Lithuanian tax law
- Server logs: Rotated automatically by our hosting provider. Nourli does not store IP addresses in its database
- Error reports (Sentry): Retained for 90 days, then deleted
- Product analytics events: Raw event rows retained for 25 months, then automatically dropped. See Section 9 for detail
- Aggregated, de-identified analytics: May be retained indefinitely for product improvement
9. Product analytics
Nourli records first-party product-usage events to measure how the app is used, find bugs, and prioritise improvements. This processing is separate from the health data you enter (covered in Section 4) and never contains raw health values.
Legal basis
Article 6(1)(f) GDPR — legitimate interest in product improvement, service reliability, and security. A written Legitimate Interest Assessment is on file and available to supervisory authorities on request.
Event categories we collect
- Onboarding: welcome viewed, consent gate, goals-wizard step progression, first activation
- AI food pipeline: capture started, analysis succeeded or failed (with latency bucket and error category), analysis edited, meal logged
- Paywall and subscription: paywall shown or dismissed, subscribe tapped, subscription activated or cancelled
- Withdrawal flow: page viewed, request blocked (with reason), request outcome
- Feature usage: water, weight, and activity logged; fasting started, completed, or broken; Coach opened and messaged; streak milestones
Each event carries a pseudonymous account identifier, an anonymous device identifier, a session identifier, your platform (web, iOS, or Android), and the app version.
What we never collect in analytics
- Raw calorie, macronutrient, weight, or measurement values — only categorical buckets (for example “1500–2000 kcal” or a trend flag) are ever transmitted
- Food photos, photo bytes, or image hashes
- Coach message text or AI response text
- Your email address, name, or any free-text input
- Precise GPS or location
- Your IP address (not persisted on our side)
Retention
Raw events are retained for 25 months, then automatically dropped by scheduled database maintenance. Aggregate statistics derived from those events (funnel rates, cohort counts) may be retained indefinitely.
Recipients
None. Product analytics are first-party only. We do not use Mixpanel, PostHog, Amplitude, Segment, or any equivalent third-party analytics service. Events are stored in our Supabase database (listed as a processor in Section 12). See our Cookies notice for the Vercel Analytics and Sentry sub-processor details that also rely on this legal basis.
Your right to object
Because this processing relies on legitimate interest, you may object at any time. In the app, open Settings → Privacy → Help improve Nourli and switch it off. Turning the toggle off stops all product analytics. Error reporting (Sentry crash reports) continues under the same legitimate-interest basis because it is necessary to keep the service working; it carries no health values either.
10. For European users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).
Legal basis for processing
- Contract: To provide our nutrition tracking service as agreed in our Terms of Service
- Legitimate Interest: To improve our service, prevent fraud, and ensure security
- Consent: For optional marketing communications (you may withdraw consent at any time)
- Explicit Consent (Article 9): For processing health-related data (see below)
Health-related data (GDPR Article 9)
Nourli processes health-related personal data, including your height, weight, body measurements, age, activity level, nutrition goals, food intake records, and intermittent-fasting data. This data qualifies as a "special category of personal data" under Article 9 of the General Data Protection Regulation (Regulation (EU) 2016/679).
The legal basis for processing this data is your explicit consent under Article 9(2)(a) GDPR. You provide this consent during account registration, prior to submitting any health-related information.
You may withdraw your consent at any time by deleting your account via nourli.health/delete-account or by emailing privacy@nourli.health. Withdrawal does not affect the lawfulness of processing before withdrawal, but will result in your account being closed and your health-related data being erased within 30 days. Without this consent, Nourli cannot provide its core nutrition-tracking service.
International data transfers
Your data is transferred to and processed by US-based services: OpenAI (AI analysis), Supabase (data storage), RevenueCat (subscriptions), Sentry (error monitoring), and Vercel (hosting). We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
Automated decision-making
Nourli uses AI to estimate nutritional values from food photos and to generate personalized nutrition recommendations. These are estimates and general wellness suggestions, not medical decisions. No access to the service is restricted based on automated processing. You may contact us at privacy@nourli.health with questions about how AI is used.
Your additional rights
- Right to data portability (receive your data in a structured format)
- Right to restrict processing
- Right to object to processing based on legitimate interests
- Right to not be subject to solely automated decisions with legal or significant effects
- Right to lodge a complaint with your local data protection authority
11. For California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights.
Categories of personal information collected
- Identifiers (email address, IP address, device ID)
- Personal information (name, physical characteristics for nutrition calculations)
- Internet activity (app usage, browsing history within the app)
- Geolocation data (timezone only, for accurate date tracking)
We do not sell your personal information
Nourli does not sell, rent, or share your personal information with third parties for their direct marketing purposes. We do not participate in data broker activities.
Your California privacy rights
- Right to know what personal information is collected
- Right to delete your personal information
- Right to opt-out of sale or sharing (we do not sell your data)
- Right to non-discrimination for exercising your rights
- Right to correct inaccurate personal information
How to exercise your rights
To submit a request, email us at privacy@nourli.health. We will respond within 45 days. You may also delete your account directly in the app under Settings.
12. Third-party services
Nourli is the data controller for your personal data. The following services process data on our behalf or as part of service delivery:
OpenAI (AI provider)
Powers our AI food analysis and nutrition coach.
- Food analysis: Food photos and text descriptions are sent to OpenAI for nutritional estimation. Photos are not stored by Nourli and are discarded after analysis.
- Nutrition coach: Your nutrition logs, goals, dietary preferences, and chat messages are sent to provide personalized coaching responses.
- Data use: API data is not used for model training. No email addresses, IP addresses, or user identifiers are sent to OpenAI. Transfers to OpenAI (United States) are governed by Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
Supabase (data processor)
Stores all account data, nutrition logs, and handles authentication on our behalf. Data is encrypted at rest and in transit.
RevenueCat (data processor)
Manages subscription state using your account identifier. No health or nutrition data is shared with RevenueCat.
Stripe (payment processor, via RevenueCat)
Processes web payments through RevenueCat. Nourli never receives or stores payment card details.
Sentry (data processor)
Receives error reports for app stability monitoring. Sentry does not collect email addresses or IP addresses. Health data (weight, calorie, and food fields) is excluded from error reports. Only anonymized user identifiers, error stack traces, and device information are transmitted for debugging. Reports are retained for 90 days, then deleted.
Vercel (hosting provider)
Hosts the web application and collects anonymous page view and performance metrics. No cookies are set and no personal data is collected by Vercel Analytics.
13. Children's data
Nourli is intended for users aged 18 and older, as stated in our Terms of Service. We do not knowingly collect personal data from users under 18. If we become aware that a user is under 18, we will close the account and erase associated personal data within 30 days.
If you are a parent or guardian and believe your child has created an account, please contact privacy@nourli.health.
14. Updates to this policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the updated policy on this page
- Sending you an email notification
- Displaying a notice in the app
Changes are effective immediately upon posting.
Questions about your privacy?
We're committed to transparency and protecting your privacy
Contact privacy team: privacy@nourli.health