Effective: May 8, 2026 · Last updated: May 8, 2026

Privacy Policy

This policy describes what data NutriAI Pro (https://ai-nutri.net and Telegram bot @botnutraibot) collects, why, how we store it, and how you can manage it. Aligned with GDPR (Art. 13-22) and Russian Federal Law 152-FZ.

1. Data Controller

Data controller: NutriAI Pro (individual entrepreneur — registration in progress). Email: [email protected]. Telegram: @botnutraibot.

2. What We Collect

Category	Fields	Purpose
Identifiers	telegramId, name from Telegram, language	Auth, addressing you
Contact (optional)	email	Recovery, retention pings (consented)
Anthropometrics	age, gender, weight, height	Daily kcal target (Mifflin-St Jeor)
Goals	weight goal, activity level, target weight	AI personalisation
Special category (health)	allergies, chronic conditions, pregnancy, diet notes	Safety warnings in AI analysis
Activity	food logs (name + macros), weight history, analytics events	History, progress, product analytics
Payments	amount, provider, transaction status	Subscription billing
Technical	IP via Cloudflare, User-Agent, timestamps	Security, anti-abuse, debugging

💡 Food photos are NOT stored. The image is forwarded to AI for real-time analysis and discarded after the result is received. Only the result (dish name, macros, AI text) is saved.

3. Legal Basis

Consent (GDPR Art. 6(1)(a), 152-FZ Art. 6 p.1) — you provide it at first Mini App launch via a checkbox. Special category (health) requires explicit consent (GDPR Art. 9, 152-FZ Art. 10).
Contract performance (Art. 6(1)(b)) — processing payments per your chosen plan.
Legitimate interest (Art. 6(1)(f)) — security, anti-abuse, error monitoring.

4. Cross-Border Transfer

⚠ Important: Food photos and context (goals, allergies, conditions) are sent to Google Gemini API (servers in the US/EU). This is a cross-border transfer under GDPR Art. 44-49 and 152-FZ Art. 12. The transfer is pseudonymised to Google (UUID, not your name). By accepting this Policy you consent to this transfer.

Third-party recipients:

Google LLC (US, EU) — Gemini API for image analysis
Anthropic PBC (US) — text AI chat (Premium tier only)
Cloudflare Inc. (US + edge) — DDoS protection, static caching (no access to food log content)

5. Retention

Data	Period
Profile, food logs, weight history	Until account deletion or 3 years of inactivity
Health data (allergies, conditions)	Until consent withdrawal or account deletion
Payments	5 years (accounting requirement)
Analytics events	90 days (auto-TTL)
AI request logs (no photo content)	60 days (auto-TTL)
IP in server logs	30 days

6. Your Rights

Access (GDPR Art. 15) — export your data as JSON via GET /api/user/data-export or button in Profile
Rectification (Art. 16) — update any field in Profile
Erasure / Right to be forgotten (Art. 17) — button "Delete my account" in Profile or DELETE /api/user/me. Removal within 7 business days. Payment records kept 5 years (accounting law).
Withdraw consent at any time
Restriction of processing (Art. 18)
Objection (Art. 21)
Complaint — to your national DPA (UK ICO, French CNIL etc.) or Russian Roskomnadzor

7. What We Don't Do

Don't sell data to third parties
Don't profile for ad targeting
Don't share with employers, insurers, banks
No automated decisions with legal effects (only recommendations)

8. Data Security

TLS 1.2+ via Cloudflare
Bcrypt for passwords (email-flow users)
JWT with 30-day TTL (scheduled to drop to 24h within 30 days)
Hosting servers physically in Russia (per 152-FZ Art. 18)
Standard injection/XSS/CSRF/rate-limit protections

9. Children

Service not intended for users under 14. If you notice data of a minor processed without parental consent, contact us — we remove within 24 hours.

10. Policy Changes

Material changes announced 14 days in advance via Mini App and bot. Version date in header reflects current state.

11. Contact

Email: [email protected] (reply within 30 days)
Telegram: @botnutraibot → /privacy
Complaints: your national Data Protection Authority