Vitto AI Privacy Policy

How we protect and handle your data within the Vitto AI application.

Effective Date: February 27, 2026

Last Updated: February 27, 2026

1. Introduction and Scope

TL;DR: We prioritize the protection of your biometric and personal data. This document details the information we collect, how it powers our artificial intelligence, and the legal rights you hold regarding your digital footprint.

Welcome to Vitto AI ("Company," "we," "our," or "us"). We provide a mobile application (the "App") that utilizes advanced artificial intelligence to assist users in tracking their nutritional intake and achieving wellness goals. We recognize that health and dietary data are profoundly sensitive. We are absolutely committed to protecting your personal information and your fundamental right to privacy. This Privacy Policy governs our data collection, processing, and disclosure practices when you utilize our App and associated services.

2. Information We Collect

TL;DR: We collect data you actively provide (such as your height, weight, and food photographs) and technical data collected automatically (such as your device type and IP address) to ensure the application functions correctly.

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("Personal Information").

2.1. Information You Provide Directly:

  • Identity and Account Data: During account creation via our authentication provider, we collect your email address, name, password, and profile identifiers.
  • Health and Biometric Data: To calculate your Basal Metabolic Rate and provide personalized algorithmic recommendations, we collect self-reported physical attributes, including your height, weight, age, biological sex, activity level, dietary goals, and known food allergies.
  • User-Generated Content: We collect your granular dietary logs, which include text descriptions of meals, timestamps, and photographs of food submitted explicitly for artificial intelligence analysis.

2.2. Information Collected Automatically:

  • Device and Usage Data: We automatically collect diagnostic and technical data, including your specific device model, operating system (iOS or Android), IP address, unique device identifiers, feature utilization metrics, and crash logs. This data is essential to monitor service stability, deploy updates, and detect fraudulent activity.

2.3. Information from Third-Party Health APIs:

If you explicitly grant us permission through your device settings, we may connect with platform health ecosystems such as Apple HealthKit or Google Health Connect.

  • Apple HealthKit: We may request read and write access to specific data points, such as active energy burned, step count, and weight history. We guarantee that we do not use HealthKit data for advertising purposes, nor do we sell it to data brokers.
  • Google Health Connect: We may request access to health and fitness data types. Our acquisition and use of information received from Health Connect adheres strictly to the Health Connect Permissions Policy, including the rigorous Limited Use requirements.

3. Processing Purposes and Legal Bases

TL;DR: We process your health data based on your explicit consent to provide the core service. We process technical data to maintain application security and fulfill our contract with you.

We process your Personal Information for the following purposes, relying on specific, codified legal grounds under applicable international laws (including the GDPR and UK GDPR):

| Processing Purpose | Data Categories Utilized | Legal Basis for Processing |
| --- | --- | --- |
| Core Service Delivery: Analyzing food photographs, calculating caloric estimates, and syncing with health platforms. | Biometric Data, User-Generated Content, Account Data | Explicit Consent (Art. 9) & Performance of Contract (Art. 6) |
| Authentication & Support: Managing user sessions and responding to customer service inquiries. | Account Data, Communications | Performance of Contract |
| Security & Operations: Detecting fraudulent account access and analyzing crash reports to maintain stability. | Device Data, IP Address | Legitimate Interest |
| Algorithmic Improvement: Utilizing anonymized usage metrics to refine the application interface (excluding AI model training). | Usage Data | Legitimate Interest |

4. Artificial Intelligence Processing and Third-Party Disclosures

TL;DR: Your food photographs and text descriptions are transmitted securely to our algorithmic partners to calculate calories. Under our enterprise contracts, they are strictly prohibited from utilizing your private data to train their public artificial intelligence models. We never sell your data.

To provide automated, highly accurate meal analysis, the application integrates securely with third-party artificial intelligence providers, including OpenAI and/or Google Gemini.

  • Data Transmission for Inference: When you prompt the algorithmic analysis, the text description or photograph of your meal is transmitted via secure, encrypted application programming interfaces to our algorithmic partners solely for computational processing (inference).
  • Zero Retention for Model Training: We utilize highly restrictive Enterprise API agreements with our artificial intelligence providers. Under the explicit terms of these agreements, your submitted images, text, and biometric data are not utilized by the providers to train, fine-tune, or improve their foundational public artificial intelligence models.
  • Service Providers and Infrastructure: We share necessary data with secure cloud hosting and authentication providers (e.g., Google Firebase) solely to operate the platform infrastructure. These entities act as data processors and are bound by stringent Data Processing Agreements ensuring total confidentiality.
  • Absolute Prohibition on Data Sales: We do not sell your personal information, biometric data, or Health API data to data brokers, advertising networks, or any other third parties under any circumstances.

5. Your Global Privacy Rights

TL;DR: You possess the fundamental right to access, correct, or permanently delete your data at any time. California residents hold specific rights to limit the processing of their sensitive health information.

Depending on your geographic jurisdiction, you possess specific, legally enforceable rights regarding your Personal Information:

  • Right to Access and Portability: You may request a comprehensive, machine-readable copy of the personal data we hold concerning your account.
  • Right to Correction: You may correct inaccurate biometric, health, or profile data directly within the application's account settings interface.
  • Right to Deletion (Erasure): You may request the permanent, irreversible deletion of your account and all associated data. Upon verifying a valid deletion request, we will expunge your profile, health data, and food logs from our active databases within thirty (30) days.
  • Right to Limit Use of Sensitive Personal Information (California CPRA): California residents hold the statutory right to direct us to limit the use or disclosure of their sensitive personal information, which explicitly includes health data, to only that which is strictly necessary to perform the services reasonably expected by an average consumer.
  • Withdrawal of Consent: You may withdraw your consent for us to process your health data at any time by deleting your account or severing the API connection to Apple HealthKit or Google Health Connect within your device settings.

To exercise any of these fundamental rights, please utilize the automated in-app account management tools or submit a formal request to [email protected].

6. Washington State My Health My Data Act Disclosures

TL;DR: If you reside in Washington State, you possess unique statutory rights regarding health inferences drawn by our algorithms. Please review our dedicated Washington Health Data Policy for complete details.

For consumers residing in, or whose data is collected within, the State of Washington, the application collects Consumer Health Data as defined by the Washington My Health My Data Act. Because our artificial intelligence algorithms may draw inferences regarding your dietary habits, restrictions, and nutritional intake based on your user-generated food logs, these algorithmic inferences constitute regulated Consumer Health Data under Washington law.

We absolutely do not sell Consumer Health Data. For an exhaustive detailing of our collection, processing, and disclosure of Consumer Health Data, and precise instructions on how to exercise your rights under the legislation, please review our separate, dedicated Washington Health Data Privacy Policy.

7. Data Security Architecture and Retention Schedules

TL;DR: We employ cryptographic security measures to protect your information. We retain your data only for the duration that your account remains active.

We implement robust administrative, technical, and physical security measures to protect your personal information against unauthorized access, alteration, or destruction. This includes enforcing data encryption in transit utilizing Transport Layer Security (TLS) and encrypting data at rest within our infrastructure utilizing advanced Firebase security rules.

We retain your personal data only for as long as your account remains active or as strictly necessary to provide the Services and fulfill our legal obligations. If you initiate an account deletion request, your primary records are expunged within thirty days. Any residual encrypted data residing in secure, offline disaster-recovery backups will be routinely overwritten and permanently destroyed within ninety (90) days of the deletion event.

8. Children's Privacy Protections

TL;DR: The application is strictly prohibited for children under the age of 13 (or 16 in Europe). We will immediately delete any data collected from a minor upon discovery.

The application is not intended for, nor directed at, children. We do not knowingly collect, solicit, or process personal information from children under the age of 13 within the United States, or under 16 within the European Economic Area and the United Kingdom. If we receive actual knowledge that we have inadvertently collected personal data from a child without verified, explicit parental consent, we will take immediate technical steps to permanently expunge that information from our servers.

9. International Data Transfers

TL;DR: Your data is processed and stored on secure servers located within the United States. We utilize legally recognized frameworks to protect data transferred from international jurisdictions.

Our infrastructure operates globally, and your data is hosted on secure servers located within the United States. If you access the application from the European Economic Area, the United Kingdom, or other regions possessing stringent laws governing data collection and use, please note that you are transferring your data to the United States. We rely on legally recognized transfer mechanisms, including the execution of Standard Contractual Clauses and adherence to the principles of the EU-U.S. Data Privacy Framework (where applicable), to ensure your personal information receives an adequate and lawful level of protection.

10. Contacting Our Privacy Office

If you have inquiries, concerns regarding our data practices, or wish to formally exercise your data rights, please contact our Data Protection Officer at:

Email: [email protected]