Privacy Policy — Nouri
Effective date: [fill in the date you publish this page]
Last updated: [same date]
Nouri AI FZ-LLC ("Nouri", "we", "us", "our") operates the Nouri mobile application and the services available at https://nouri-ai.com (the "Service"). This Privacy Policy describes what personal information we collect when you use Nouri, how we use it, with whom we share it, and the choices you have. We take your privacy seriously; reading this document in full takes about five minutes.
1. Who we are and how to contact us
- Company: Nouri AI FZ-LLC [update with your exact legal entity]
- Registered office: Dubai, United Arab Emirates [update]
- Email for privacy questions, access requests, and complaints: privacy@nouri-ai.com
If you would prefer to reach us about a specific privacy concern, use the email above with the word "PRIVACY" in the subject line — we route those separately.
2. Information we collect
2.1 Information you provide directly
When you create an account and use Nouri, you give us:
- Account identifiers. Your name (first and last), email address, and the authentication credentials associated with your Google account or Apple ID if you sign in with one of those providers. If you choose Apple's "Hide My Email", we receive only the relayed email address Apple generates for you and never see your real one.
- Profile and health data. Date of birth, biological sex, height, current weight, goal weight, activity level, dietary preferences, food allergies and restrictions, and any weight log entries you add over time. This data is needed to generate your nutrition plan and weekly reports.
- Food logs. Every meal you record — whether typed, photographed, or scanned via barcode — including the macro and calorie values we compute for it and any notes you attach.
- Photos. When you use the camera-based meal logger we upload your photo to our servers so it can be analysed.
- Subscription data. Your purchase token from Google Play (Android) or the original transaction identifier and signed renewal info from the Apple App Store (iOS). We never see, store, or process your card details — Google and Apple do all payment handling. We also keep the SKU you purchased and the subscription status derived from the store's server-to-server notifications.
- Support correspondence. If you email us or respond to an in-app prompt, we keep the text of that message.
2.2 Information we collect automatically
- Device and app telemetry. App version, OS version, device model, approximate region (derived from IP, not precise location), crash reports, performance traces, and aggregate feature-usage metrics. Collected via Firebase Analytics and Firebase Crashlytics.
- Session and authentication data. Secure tokens that keep you signed in and that protect your account from unauthorised access.
2.3 Information we do not collect
- We do not access your precise GPS location.
- We do not read your contacts, SMS messages, or other apps' data.
- We do not record audio. The microphone permission is not requested.
- We do not collect camera data in the background; only when you actively use the camera-based meal logger.
- We do not use third-party ad networks and do not serve advertising of any kind.
3. How we use your information
We use what we collect to:
- Build and maintain your personalised nutrition plan.
- Analyse the meals you log and return calorie and macro estimates.
- Generate your daily summary and weekly reports.
- Process and verify your subscription.
- Send you essential service communications (e.g. account security, subscription renewals, major policy changes).
- Investigate crashes and fix bugs.
- Improve the product in aggregate — always using de-identified or aggregated data when improving models or measuring usage patterns.
We do not sell your personal information to anyone. We do not use your food logs, photos, or profile data to train public AI models.
4. Who we share your information with
Nouri relies on a small number of specialist vendors to deliver the service. We share the minimum data each of them needs to do their job.
| Vendor | Purpose | What is shared |
|---|---|---|
| Google (Firebase) | Analytics and crash reporting (Android & iOS). Authentication uses Firebase when you sign in with Google. Push notifications are not delivered in v1.0. | Account identifiers, device telemetry, crash logs |
| Google (Play Billing) | Android subscription purchase and verification | Purchase token, SKU, subscription status |
| Apple (App Store / Sign in with Apple) | iOS subscription purchase, server-to-server renewal notifications, and Sign in with Apple | Original transaction id, signed renewal info, SKU, subscription status. For Sign in with Apple: a stable user identifier and either your email or Apple's relayed alias if you chose "Hide My Email". |
| OpenAI | Photo and text analysis for meal logging [adjust if you change model provider] | The photo or description you submit to the logger. Photos are transmitted, analysed, and deleted from the OpenAI pipeline within 30 days per their API terms. |
| Railway [or your hosting provider] | Backend hosting | All data stored server-side |
We do not share your data with any party beyond the list above except: (a) when you explicitly instruct us to; (b) when legally compelled (subpoena, court order, equivalent); or (c) during a corporate transition (merger, acquisition, asset sale), in which case the acquiring entity will honour this policy or give you an opportunity to delete your data first.
5. International data transfers
Nouri operates globally. Your data may be stored or processed in the United States, the European Union, the United Arab Emirates, or India depending on where our vendors run. Where required by law (e.g. GDPR in the EU), we rely on Standard Contractual Clauses or equivalent safeguards with our processors.
6. How long we keep your data
| Data | Retention |
|---|---|
| Active account profile, food logs, weight history | Kept while your account is active |
| Deleted account | Permanently purged within 30 days of your deletion request |
| Crash and analytics logs | 90 days (Firebase default) |
| Purchase receipts | 7 years (accounting and tax obligation) |
| Support correspondence | 3 years after last interaction |
You can request deletion at any time; see Section 8.
7. Security
We protect your data with:
- HTTPS for all network traffic between the app and our servers.
- Encrypted storage of authentication tokens on your device (Android EncryptedSharedPreferences / iOS Keychain).
- Principle-of-least-privilege access controls on the backend; only a small engineering team reaches production data, and access is logged.
- Google Play App Signing for release integrity.
No internet service is perfectly secure. In the unlikely event of a data breach that materially affects you, we will notify you by email within 72 hours of confirming the breach.
8. Your rights
Depending on where you live you have some or all of the following rights. We honour all of them for every user worldwide, regardless of local law.
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your account and all associated data. You can trigger this from inside the app (Settings → Delete account) or by emailing privacy@nouri-ai.com.
- Portability — request your data in a structured, machine-readable format (JSON).
- Withdraw consent — where we rely on consent (e.g. optional analytics), you can withdraw it at any time in Settings.
- Complain — you can complain to your local data protection authority. In the UAE this is the UAE Data Office; in the EU it is your national supervisory authority; in India it is the Data Protection Board of India under the DPDP Act.
We respond to rights requests within 30 days. We do not charge a fee except for manifestly unfounded or repeated requests.
9. Children
Nouri is not intended for use by anyone under 13 years old. We do not knowingly collect personal data from children under 13. If you believe a child has given us personal data, email privacy@nouri-ai.com and we will delete it promptly.
In jurisdictions where the minimum age is higher than 13 (for example, the EU sets it at 16 in some member states), we apply the local minimum.
10. Changes to this policy
We update this policy when our practices change. Material changes will be announced in-app and by email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent version.
11. How to contact us
- Privacy email: privacy@nouri-ai.com
- General support: support@nouri-ai.com
- Postal address: [fill in a postal address, required in EU/UK]
Jurisdiction-specific supplements
11.1 European Economic Area and United Kingdom (GDPR / UK GDPR)
- Legal bases we rely on: performance of a contract (delivering the service you paid for), legitimate interests (security, product improvement), your consent (optional analytics), and legal obligations (accounting, lawful-request responses).
- Data Protection Officer: [either name a DPO or remove this line; solo-operator apps are not legally required to appoint one].
- Representative in the EU: [appoint an Article 27 representative if you target EU users at scale — not required for UAE + India + USA only].
11.2 California (CCPA / CPRA)
- Categories of personal information collected: identifiers (name, email), account info, internet activity (app usage), geolocation (approximate only), and health/fitness data.
- "Sale" of personal information: we do not sell. We do not share for cross-context behavioural advertising.
- Right to limit use of sensitive personal information: California residents can request that we limit use of sensitive data (e.g. precise weight history) to the minimum necessary to deliver the service. Email us to invoke.
11.3 India (DPDP Act 2023)
- Consent Manager: Nouri acts directly; we do not route consent through a third-party Consent Manager at this time.
- Grievance Officer: [name someone — the Act requires a named contact. For solo-founder stage this can be you]. Email: grievance@nouri-ai.com.
11.4 United Arab Emirates (PDPL)
- Nouri complies with UAE Federal Decree-Law No. 45 of 2021 (PDPL). UAE users can contact the UAE Data Office for regulatory complaints.
End of policy.