Nuvvoo logo
Nuvvoo

Privacy Policy

Last updated: May 4, 2026

1. Who We Are

Nuvvoo is operated by Pryvus Inc., a company incorporated in the State of Wyoming, United States.

This Privacy Policy covers both the Nuvvoo website (nuvvoo.app) and the Nuvvoo mobile application for iOS.

For privacy-related inquiries, contact: [email protected]

2. Information We Collect

Account Information

  • User ID (generated automatically)
  • Name (optional), language, timezone, measurement preferences

Health & Nutrition Data

  • Meals: food descriptions, calories, macronutrients, meal components
  • Weight, height, sex, date of birth (all optional)
  • Activity level, calorie targets, dietary goals
  • Custom trackers: sleep, water, mood, exercise, and user-defined trackers
  • Dietary preferences: allergies, avoided foods, liked foods

Chat Messages

Text you send in chat is processed by AI and stored on our servers for your conversation history.

Chat history can be deleted per date or by deleting your account.

Device Information

  • Push notification token (for daily reminders)
  • Timezone (for scheduling and date handling)

Analytics & Crash Reports (mobile app)

The Nuvvoo iOS app uses Firebase Analytics and Firebase Crashlytics, provided by Google LLC, to understand how users interact with the app and to detect crashes. The data collected is:

  • Vendor identifier (IDFV) — an identifier scoped to your device and this app, which resets when you uninstall and reinstall the app
  • Usage data — screens viewed, features used, session duration, app version, OS version, device model, language, and region
  • Crash reports — stack traces, app state at the time of the crash, and OS version

This data is aggregated and not linked to your name, email, or any account-level information. We use it solely to improve the app and fix bugs. It is never used for advertising or to identify you personally.

You can disable analytics and crash reports at any time in Settings → Privacy → Analytics inside the app.

Website

  • Email address (if you join the early access list)
  • Analytics data via Google Analytics (aggregated, country-level)

Website Cookies & Tracking

Our website uses essential cookies for basic functionality and Google Analytics cookies (with your consent in the EU) for aggregated, anonymized usage statistics. You can manage cookie preferences via the cookie banner shown on first visit.

Cookies set on nuvvoo.app include _ga and _ga_<property-id> (Google Analytics, ~2 years) and _gcl_au (Google Ads conversion linker, ~90 days). These cookies do not contain your name or email and are used solely for aggregated analytics and advertising-attribution measurement.

3. How We Use Your Data

  • Provide meal logging, calorie tracking, and progress summaries
  • Process chat messages through AI to analyze food and generate responses
  • Send push notification reminders at your chosen time
  • Manage subscriptions and trial periods
  • Improve the service based on aggregated analytics

4. AI Data Processing

Chat messages are sent to third-party AI providers (OpenAI, Google) through OpenRouter for processing.

Data is processed to generate responses and returned to the app.

Your data is not used to train AI models. This is guaranteed by the API terms of our providers (OpenRouter, OpenAI, Google). AI providers do not retain your messages after processing.

You can revoke AI processing consent at any time in Settings. For full details, see our AI Disclosure.

5. Third-Party Services

We use the following third-party services to operate Nuvvoo:

  • OpenRouter (routes to OpenAI, Google): AI chat processing
  • RevenueCat: subscription and payment management
  • Apple Sign-In / Google Sign-In: authentication
  • Apple Push Notification service (APNs): push notifications
  • Firebase Analytics & Crashlytics (Google LLC, mobile app only): aggregated in-app usage analytics and crash reporting
  • Google Analytics (website only): aggregated usage analytics
  • Brevo (website only): email communication for early access

Apple App Tracking Transparency (ATT) and SKAdNetwork

Nuvvoo does not use the IDFA (Identifier for Advertisers) and does not show the App Tracking Transparency prompt. We do not track you across other apps or websites.

For aggregate, privacy-preserving measurement of advertising effectiveness, we use Apple’s SKAdNetwork, which does not involve user-level tracking and does not require your consent.

6. Data Sharing

We do not sell personal data.

We do not share food logs or health data for advertising purposes.

Data is shared only with the service providers listed above, solely to operate the service.

7. Data Storage & Security

  • Data at rest is encrypted using AES-256
  • Communications use TLS 1.3 with HTTPS
  • Authentication tokens are encrypted and stored in iOS Keychain on your device
  • JWT-based authentication with expiring tokens

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and the relevant data protection authorities within 72 hours of becoming aware, as required by GDPR Article 33.

8. Your Rights & Controls

  • Export: Download all your data from the app (meals, trackers, settings, saved foods)
  • Delete account: Permanently removes all data — meals, trackers, settings, chat history, tokens, and subscription records
  • Revoke AI consent: Disables AI chat features; manual logging still works
  • Disable analytics: Turn off Firebase Analytics and Crashlytics in Settings → Privacy → Analytics
  • Delete chat history: Clear conversation history for any date
  • Manage notifications: Enable/disable and set reminder time in Settings

EU / UK / Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR / UK GDPR / FADP), including:

  • The right to access, rectify, erase, restrict, or object to the processing of your personal data
  • The right to data portability
  • The right to withdraw consent at any time, where processing is based on consent (for example, AI processing or analytics) — without affecting the lawfulness of processing carried out before withdrawal
  • The right to lodge a complaint with your local data protection authority

To exercise these rights, contact [email protected]. We respond within 30 days.

Data Protection Officer / EU Representative

For users in the European Union, you may contact our designated EU representative at [email protected]. We will respond to all GDPR-related inquiries within 30 days.

California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • The right to know what personal information we collect, use, and share
  • The right to delete your personal information
  • The right to opt out of the sale or sharing of personal information (we do not sell or share your data, but you have this right by law)
  • The right to correct inaccurate personal information
  • The right to limit the use of sensitive personal information
  • The right to non-discrimination for exercising these rights

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

9. Data Retention

Your personal content is retained until you delete your account or request deletion — there is no automatic expiration.

Specific retention periods for system-level data:

  • Account data: until account deletion
  • Chat messages: until manually deleted by user, or until account deletion
  • Firebase Analytics events: 14 months (Google’s default retention)
  • Firebase Crashlytics: 90 days
  • Server access logs: 30 days

10. International Transfers

Your data may be processed in the United States or other countries where our service providers operate. Specifically:

  • Firebase Analytics & Crashlytics (Google LLC): processed on Google’s servers in the United States and the European Union, under Google’s Data Processing Addendum and EU Standard Contractual Clauses (SCCs)
  • OpenRouter, OpenAI, Google AI: chat messages processed primarily in the United States
  • RevenueCat, Apple, Brevo: processed in the United States and the European Union

For residents of the EU, EEA, UK and Switzerland, transfers outside the EU/EEA/UK are made under appropriate safeguards (Standard Contractual Clauses or equivalent legal mechanisms).

11. Children’s Privacy

Nuvvoo is not intended for children under 13. We do not knowingly collect personal information from children under 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date reflects the latest revision.

13. Contact

For privacy-related questions, contact:

[email protected]

Pryvus Inc.
Wyoming, United States