Privacy Policy & Terms of Service
Last updated: December 2025
Introduction
Welcome to ARFID Wellness Tracker. We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Data Controller
The data controller for ARFID Wellness Tracker is:
Dr. Odet Aszkenasy
Email: aszkenasy@gmail.com
For privacy-related inquiries, data subject access requests, or to exercise your GDPR rights, please email us at the address above with the subject line "Privacy Request" or "Data Protection".
We aim to respond to all privacy requests within 30 days as required by GDPR.
1. What Data We Collect
Account Information
- Email address
- Encrypted password
- Account creation date
Food Tracking Data
- Photos of food items
- AI-generated nutritional analysis data
- Meal times and dates
- Manual notes about foods
Child Profile Information (Optional)
- Child names
- Birth dates
- Physical measurements (height, weight, BMI)
Consent Records
- Cookie consent acceptance
- Medical disclaimer acknowledgment
- GDPR consent acceptance
- Timestamps and IP addresses for consent records
Usage Data
- Device type and browser information
- Pages visited within the application
- Features used
2. How We Use Your Data
We process your personal data for the following purposes:
- Service Provision: To provide nutritional tracking, analysis, and reporting features
- AI Analysis: To analyze food photos using AI and generate nutritional estimates
- Growth Tracking: To calculate and display growth charts and BMI percentiles based on WHO standards
- Account Management: To manage your account, authenticate access, and provide support
- Legal Compliance: To maintain consent records and comply with legal obligations
- Service Improvement: To improve our features, fix bugs, and enhance user experience
Legal Basis: We process your data based on your consent (GDPR Article 6(1)(a)) and for the performance of our service contract with you (GDPR Article 6(1)(b)).
3. Data Storage & Security
Where We Store Your Data
All data is stored on secure servers within the European Union (EU) using Supabase infrastructure. Data does not leave the EU unless you explicitly request data export.
Security Measures
- Encryption: All data is encrypted both in transit (TLS/SSL) and at rest
- Access Control: Row Level Security (RLS) ensures only you can access your data
- Authentication: Industry-standard secure authentication protocols
- Password Protection: Passwords are hashed and never stored in plain text
- Regular Backups: Automated backups with disaster recovery procedures
4. Data Sharing
We do NOT sell, rent, or share your personal data with third parties for marketing purposes.
We may share data with the following service providers under strict data processing agreements:
- Supabase: For database hosting and authentication (EU-based)
- Google Gemini AI: For food image analysis (data is processed and not retained by Google)
- Vercel/Hosting Provider: For application hosting and delivery
All service providers are GDPR-compliant and process data only as instructed by us.
5. Your Rights Under GDPR
You have the following rights regarding your personal data:
- ✓ Right to Access: Request a copy of all personal data we hold about you
- ✓ Right to Rectification: Correct any inaccurate or incomplete data
- ✓ Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data
- ✓ Right to Data Portability: Export your data in JSON or CSV format
- ✓ Right to Restriction: Limit how we process your data
- ✓ Right to Object: Object to certain types of processing
- ✓ Right to Withdraw Consent: Withdraw consent at any time by deleting your account
To exercise any of these rights, please use the data export feature in Settings or contact our support team.
6. Data Retention
We retain your data according to the following schedule:
- Active accounts: Data is retained for as long as your account is active
- Inactive accounts: If you do not log in for 7 consecutive years, we may contact you before deleting your account
- Account deletion: When you request account deletion, all personal data is permanently deleted within 30 days
- Backups: Backups containing your data are automatically purged within 90 days of account deletion
- Consent records: Records of your consent (for GDPR compliance) are retained for 7 years after account deletion as required by law
- Statistical data: Anonymized statistical data (with no personally identifiable information) may be retained indefinitely for service improvement
Right to erasure: You can request immediate deletion of all your data at any time using the "Delete Account" feature in your Settings.
7. Data Breach Notification
We take data security seriously and have implemented robust measures to protect your information. However, in the unlikely event of a data breach that poses a risk to your rights and freedoms:
- Regulatory notification: We will notify the relevant data protection authority (ICO in the UK) within 72 hours of becoming aware of the breach
- User notification: If the breach is likely to result in a high risk to you, we will notify you without undue delay via email
- Information provided: We will explain the nature of the breach, the likely consequences, and the measures we have taken or propose to take
- Support: We will provide guidance on steps you can take to protect yourself (e.g., changing passwords)
Our security measures: We use industry-standard encryption, secure authentication (Supabase Auth), Row Level Security (RLS) policies to ensure users can only access their own data, and regular security updates. Your password is never stored in plain text.
8. Cookies & Tracking
We use only essential cookies required for the application to function:
- Authentication cookies: To keep you logged in securely
- Session cookies: To remember your preferences during your visit
- Consent cookies: To record your cookie and privacy preferences
We do NOT use:
- Advertising or tracking cookies
- Third-party analytics (e.g., Google Analytics)
- Social media tracking pixels
9. Children's Privacy & Parental Consent
This application is designed for use by parents and caregivers. Users must be 18 years or older to create an account.
Parental Consent Required (GDPR Compliance)
When you create a child profile, you must explicitly consent to the processing of your child's personal data, including health-related information (special category data under GDPR Article 9). This consent is:
- Specific: You understand exactly what data is collected and how it's used
- Informed: You have read and understand this privacy policy
- Freely given: You can choose not to create a child profile
- Unambiguous: You must actively check a consent box to proceed
- Withdrawable: You can withdraw consent at any time by deleting the child's profile
What data we collect about children:
- Name (first name only, no surname required)
- Date of birth (for age-appropriate recommendations)
- Sex (for growth chart calculations)
- Height and weight measurements
- Food intake records and nutritional data
- Food milestone achievements
Your responsibilities as a parent/guardian:
- You confirm you are the legal parent or guardian of any child whose data you input
- You are responsible for keeping your account secure (as it contains your children's data)
- You should not share your account credentials with anyone
- You can delete a child's profile at any time, which permanently removes all their data
Record keeping: We keep a secure record of your parental consent (including timestamp and IP address) for legal compliance and audit purposes. This consent record is retained for 7 years as required by GDPR.
10. Terms of Service
Acceptable Use
You agree to use this service only for lawful purposes and in accordance with its intended use as a nutritional tracking tool. You must not use the service to harm others, violate laws, or abuse the platform.
Disclaimer of Medical Advice
This application provides nutritional tracking and information for educational purposes only. It does NOT provide medical advice, diagnosis, or treatment. Always consult with qualified healthcare professionals for medical concerns.
This tool is for tracking purposes only and is not medical advice. Nutritional analyses are estimates based on AI image recognition and food databases. Results may not reflect actual nutritional content and should be used for general awareness only. Do not rely on this information for medical or therapeutic decisions. Always consult a healthcare professional, dietitian, or feeding therapist for dietary concerns, especially regarding ARFID management.
Accuracy of Information
Nutritional estimates are based on AI analysis and food databases. We strive for accuracy but cannot guarantee the precision of all nutritional data. Use this information as a general guide only.
Limitation of Liability
We provide this service "as is" without warranties of any kind. We are not liable for any decisions made based on information from this application. Health and dietary decisions should always involve professional medical guidance.
Service Modifications
We reserve the right to modify, suspend, or discontinue the service at any time with reasonable notice. We will provide options to export your data before any service discontinuation.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice in the application. Your continued use of the service after changes indicates your acceptance of the updated policy.
Questions or Concerns?
If you have any questions about this Privacy Policy, your data, or how to exercise your rights, please contact us through the application's support section.
You also have the right to lodge a complaint with your local data protection authority if you believe your data protection rights have been violated.