Privacy Policy
1. Introduction & Data Controller
This Privacy Policy describes how personal data is collected, used, and processed by the NutriRecom mobile application (the "App"). This App is a research project conducted by researchers at the University of Oulu.
2. What Information We Collect
We collect information you provide directly to us when you create an account, build your profile, and use the App.
- Account Information: Your email address and a securely hashed password.
- User Profile Data: Age, gender, height, weight, and activity level.
- Health & Dietary: This includes information on your dietary restrictions, food allergies, health conditions (e.g., diabetes, hypertension), and your taste preferences.
- Usage and Feedback Data: Your interactions with the App, including your ratings and feedback on the recommendations you receive.
3. How and Why We Use Your Data (Purpose of Processing)
Your personal data is processed for two main purposes:
- To Provide the App's Service: We use your profile and other data to generate personalized AI-powered food recommendations and to operate, maintain, and improve the App's functionality.
- For Academic Research: We use the data to conduct our research study on the effectiveness of AI in nutritional guidance. For any academic publications or presentations, all data will be anonymized and aggregated.
4. Our Lawful Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Performance of a Contract: We process your basic Account Information (email) to fulfill our agreement with you (our Terms of Service) and provide the App's core functionality (e.g., login, password reset).
- Explicit Consent: We process all your User Profile Data and Sensitive Personal Data (health, diet, allergies) only based on your clear, explicit consent. You provide this consent via a mandatory checkbox in the App before you can use the service.
5. Data Sharing and Third-Party Processors
We do not sell your data. We only share it in the following, limited circumstances:
- Research Teams: Your data is accessible to the designated researchers for the purposes described above.
- AI Service Provider (Sub-processor): To generate your recommendations, we send your profile data to the Microsoft Azure AI Service. All data processing is secure, complies with GDPR, and is conducted under the university's data processing agreement with Microsoft.
6. Data Security
We take data security seriously. We implement technical and organizational measures to protect your data, including:
- Encryption in Transit: All communication between the App and our backend servers is encrypted using HTTPS/TLS.
- Hashing: Your password is not stored in plaintext; it is protected using strong (bcrypt) hashing and salting.
7. Data Retention and Deletion
We will store your personal data for the duration of the research project. You may request the deletion of your account and all associated personal data at any time by contacting us. Upon receiving such a request, we will delete your identifiable data.
8. Your Rights Under GDPR
As a user, you have the following rights regarding your personal data:
- Right to Access: You can request a copy of the data we hold about you.
- Right to Rectification: You can correct inaccurate data (most of which can be done in the App's "Edit Profile" section).
- Right to Erasure (Right to be Forgotten): You can request that we delete your personal data.
- Right to Withdraw Consent: You have the right to withdraw your consent for the processing of your sensitive data at any time. If you withdraw consent, we will no longer be able to provide the service to you, and your account and data will be deleted.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, such as the Finnish Data Protection Ombudsman.
9. Contact Us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact the research team directly: