This Privacy Policy explains how Nutrea ("Nutrea", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website and mobile application (together, the "Services"). Nutrea acts as the data controller under the EU General Data Protection Regulation (GDPR). Where processing is based on consent, you may withdraw it at any time (this will not affect the lawfulness of processing before withdrawal).

1) Scope

• the website https://www.foodways.be (the "Site");
• the Nutrea iOS/Android App;
• related communications (support emails, push notifications, in-app messages).

2) Key definitions

"Personal data" means any information relating to an identified or identifiable natural person.

"Special category data / health data" includes, for example, dietary habits, meal photos, weight, body metrics, intolerances, and goals. We only process such data with your explicit consent (GDPR Art. 9(2)(a)).

"Cookies/SDKs" are trackers placed on your browser or device (see Section 9).

3) What data we collect

3.1 Data you provide to us

• Identity & contact: first name, last name, email, phone (optional).
• Account: hashed password, language, time zone.
• Nutrition profile (optional; requires explicit consent): age, height, weight, targets, dietary preferences/restrictions, logged foods, meal photos, notes.
• Support & surveys: content of messages, form responses, reviews.

3.2 Data collected automatically

• Usage/technical data: IP address, device identifiers, OS/app version, pages/screens viewed, session durations, clickstream, crash reports, diagnostics, and similar logs.
• Cookies/SDK data: see Section 9.

3.3 Data from third parties (when you choose to use them)

• Single Sign-On (e.g., Sign in with Apple/Google).
• Payments (e.g., App Store/Play billing providers). We do not store full card numbers.

4) Purposes and legal bases

Purpose	Examples	Legal basis
Provide and operate the Services	Create/maintain your account; personalize content; core app features	Contract (Art. 6(1)(b))
Nutrition features involving health data	Storing/viewing weight, goals, meal photos, recommendations	Explicit consent (Art. 9(2)(a))
Customer support & communications	Responding to requests; service notifications	Contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))
Security, fraud prevention, abuse	Access controls; monitoring suspicious activity	Legitimate interests (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c))
Analytics & product improvement	Aggregated usage metrics, crash diagnostics	Legitimate interests (Art. 6(1)(f)); where required, consent
Marketing (emails, in-app, push)	News, offers, features	Consent (Art. 6(1)(a)) or legitimate interests with opt-out, per e-privacy rules
Comply with laws	Tax/audit, user rights requests	Legal obligation (Art. 6(1)(c))
Business changes	M&A, reorganization	Legitimate interests (Art. 6(1)(f))

You may withdraw consent at any time in the App settings or by contacting us (see Section 17).

5) How we share personal data

We do not sell your personal data. We share it only with:

• Service providers (processors) working on our behalf and under contract, such as: Hosting & cloud ([e.g., AWS in EU]), analytics ([e.g., Firebase Analytics]), crash reporting ([e.g., Firebase Crashlytics/Sentry]), email delivery ([e.g., MailerSend/SendGrid]), customer support ([e.g., Help Scout/Intercom]), authentication ([e.g., Apple/Google sign-in]).
• Business transferees in case of merger, acquisition, or asset transfer.
• Authorities where required by law or to protect rights, safety, or prevent fraud.
• With your direction/consent, for example when you share content externally.

Processors are bound by data processing agreements, confidentiality, and security obligations.

6) International transfers

We primarily store data in the EEA. If personal data is transferred outside the EEA to a country without an adequacy decision, we use Standard Contractual Clauses (SCCs) and, where appropriate, supplementary measures; if a US recipient participates in the EU-US Data Privacy Framework, we may rely on that certification.

7) Your rights

Subject to conditions and exemptions under the GDPR, you have the right to access, rectify, erase, restrict, object, data portability, and to withdraw consent at any time.

To exercise your rights, contact us (see Section 17). You also have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA).

8) Cookies and mobile SDKs

We use cookies (on the Site) and SDKs (in the App) to make the Services work, remember preferences, measure usage, improve features, and (with consent) deliver or measure marketing.

Types: Strictly necessary; Preferences/functional; Analytics; Marketing (only with consent).

On the Site, you can manage cookies via our [Cookie Banner/Preferences Center] and your browser settings. In the App, you can manage consent in Settings > Privacy.

9) Retention

• Account & identity data: for your account lifetime and up to 24 months after closure/inactivity.
• Health/nutrition logs & photos (consent-based): until you delete them or your account, otherwise up to 36 months after last activity for your convenience.
• Analytics & diagnostics logs: 3–12 months.
• Marketing preferences & suppression lists: until you opt out + a minimal period to honor the opt-out.
• Invoices/transactional records: as required by applicable tax/accounting law.

10) Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, least-privilege, monitoring, and staff confidentiality commitments. No system is 100% secure; we continuously improve our safeguards.

11) Children's privacy

Our Services are not intended for children below the age at which they can lawfully consent to online services. Where consent is the legal basis, parental consent is required below that age. In Belgium, the age of digital consent is 13 for information society services.

If you believe a child has provided personal data without appropriate consent, contact us and we will take steps to delete such data.

12) Features and device permissions

Some features may request device permissions (e.g., camera or photos to log meals; notifications for reminders). You can change permissions in your device settings. Certain features may not work without the relevant permission.

13) Automated decision-making

We do not engage in automated decision-making that produces legal or similarly significant effects. We may use limited profiling (e.g., tailoring nutrition insights) to improve your experience; you can disable such features where based on consent.

14) Third-party links

The Services may link to third-party sites or services. We are not responsible for their privacy practices. Review their policies before providing data.

15) Changes to this Policy

We may update this Policy from time to time. We will post the updated version on this page and, if changes are material, notify you via email or in-app notice before they take effect. The "Last updated" date shows the latest revision.

16) Contact

Questions about this Policy or about your data?

Email: contact@foodways.be

Postal address: Elif Ergun, Avenue des pagodes, 430, 1020 Brussels, Belgium

Supervisory authority: APD/GBA, Rue de la Presse 35, 1000 Brussels, contact@apd-gba.be