Privacy Policy

This Privacy Policy describes our policies and procedures on the collection, use, and disclosure of your information when you use the Service, and tells you about your privacy rights and how the law protects you.

Interpretation and Definitions

Definitions

• Account: While FODMAPai does not require traditional account creation, this may refer to your device-specific app configuration and stored data.
• Application: The software program provided by the Company, named FODMAPai.
• Company: Refers to LinTech AS (referred to as "the Company", "we", "us", or "our").
• Country: Norway.
• Data Controller: For GDPR purposes, refers to the Company as the legal person which determines the purposes and means of processing Personal Data.
• Device: Any device that can access the Service, such as iPhone, iPad, or iPod touch.
• Health Data: Sensitive personal information related to your digestive health, including food intake logs, symptom records, bowel movement data, stress levels, medication logs, and other health-related information you enter into the Application.
• Personal Data: Any information that relates to an identified or identifiable individual.
• Service: Refers to the Application.
• Third-Party AI Service: External artificial intelligence services used by the Application, primarily accessed via OpenRouter, for food analysis, image recognition, and health-related insights.
• You: The individual accessing or using the Service.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

FODMAPai is designed with a privacy-first approach. We do not require account creation or personal identification information to use the core app.

Information you provide directly:

• Contact information: Only if you contact support (e.g. email).
• Health profile data: Age, weight, dietary restrictions, and similar fields you choose to enter — stored locally on your device (and optionally synced via iCloud if you enable it).

We do not require:

• Email (unless you contact support)
• Physical address
• Phone number
• Payment card data processed by us — payments are handled by Apple In-App Purchase (StoreKit)
• Social media login to use the app

Health Data (stored locally)

FODMAPai stores Health Data on your device using Apple's SwiftData framework (and may sync via iCloud if enabled):

• Food intake: Names, descriptions, photos, portions, meal times, FODMAP-related assessments, ingredients
• Symptom logs: Types, severity, timing, duration, notes
• Bowel movement records: Bristol Stool Scale type, timing, frequency
• Stress level data: Levels, timing
• Medication logs: Names, dosages, timing, notes
• Health profile: Age, sex, weight, dietary restrictions, trigger foods

Usage data and diagnostics (third-party SDKs)

The app integrates Google Firebase and Meta (Facebook) SDK, which collect usage and diagnostic data when you use the app, including:

• App and feature usage patterns, screens, and events we log in code (e.g. scans, logging, chat, recipes)
• Device and technical information (e.g. device model, OS version, app version)
• Crash and stability data via Firebase Crashlytics
• App events and advertising measurement data via the Meta SDK, consistent with Apple's App Tracking Transparency (ATT) rules and your choices

This data is transmitted to Google and Meta as described in Sharing of your personal data below — it is not limited to your device only.

Camera and photo library access

FODMAPai may request access to:

• Scan food images for FODMAP analysis
• Scan restaurant menus
• Attach photos to food entries

How we handle photos:

• Photos are stored locally on your device as part of your diary.
• If you use AI features, photos (or derived content) may be sent to OpenRouter for processing.
• With Zero Data Retention (ZDR) enabled by default for OpenRouter, we configure requests to limit retention of your content; see OpenRouter's policy for details.
• You can delete photos in the app; you can deny camera/photo access where the OS allows, and still use manual logging where applicable.

Information shared with third-party AI services (OpenRouter)

When you use AI-powered features, the following may be transmitted to OpenRouter (and providers it routes to):

• Food descriptions and names
• Food photographs (for image analysis)
• Restaurant menu images
• Chat messages and queries
• Context such as summaries derived from your logs, when a feature sends that context

Analytics, advertising measurement, and crash reporting

We use:

• Google Firebase — Analytics: Product analytics (events, parameters, usage patterns).
• Google Firebase — Crashlytics: Crash reports and diagnostics.
• Meta (Facebook) SDK: App events and advertising measurement / attribution, subject to ATT and device settings.

Cookies: The native iOS app does not use website cookies. SDKs may use device identifiers and similar technologies as described in Google's and Meta's policies and subject to Apple's controls.

Use of Your Personal Data

We use your data to:

• Provide and maintain the Service (store logs, symptom data locally)
• Process AI analysis when you use those features
• Display trends, insights, and correlations
• Generate charts and in-app analytics views
• Sync data across devices via iCloud (if enabled)
• Manage device-level settings and preferences
• Run Firebase analytics and Crashlytics
• Run Meta app events and advertising measurement (where permitted)
• Contact you for support (only if you email us)
• Respond to your requests
• Comply with legal obligations

We will not:

• Send marketing emails without appropriate legal basis and, where required, your consent
• Use push notifications for third-party advertising in violation of platform rules
• Sell your diary contents to data brokers

Sharing of Your Personal Data

We may share or enable processing of data as follows.

Third-party AI service providers (OpenRouter)

• When: You use AI features.
• What: Text, images, prompts, and context sent for processing.
• Why: To perform analysis and return results.
• Retention: ZDR enabled by default where supported; otherwise subject to OpenRouter's policy.

Google (Firebase — Analytics and Crashlytics)

• What: Usage events, parameters attached to events, app instance / device-related identifiers, crash logs and diagnostics.
• Why: Analytics and crash reporting.
• Further information: Google Firebase Privacy and Security

Meta (Facebook SDK)

• What: Standard and custom app events (e.g. trial/subscription-related events, engagement events such as food logged, scans, AI usage, paywall), and data used for advertising measurement and attribution in line with ATT.
• Why: Advertising measurement, campaign optimization, and related analytics.
• Further information: Meta Privacy Policy

Product lookup services (e.g. barcode / nutrition databases)

• What: Barcode or product identifiers and public product/nutrition information.
• Why: Identifying packaged foods for logging.

Apple

• StoreKit: Apple processes payments; we receive subscription status, not your full payment card details.
• iCloud (optional): If enabled, data is processed under Apple's iCloud terms.
• HealthKit (optional): If you authorize, we read Health data on demand for features such as BioScope; we do not persist that Health data in our app database for that integration (fetched for display/correlation as described in-app).

For business transfers

If the Company is involved in a merger, acquisition, or asset sale, we will provide notice where required; the successor must honor this policy or notify you of changes.

With law enforcement

If required by law, court order, or valid regulation — only the minimum necessary.

With your explicit consent

Where applicable law requires consent for additional sharing, we may share for those purposes; you may withdraw consent where the law allows.

What we do not do

• We do not sell your health diary as a commercial "data set" to unrelated third parties.
• We do not send diary content to OpenRouter until you use a feature that transmits it.

Retention of Your Personal Data

• Local device storage: Data remains until you delete it or uninstall the app (copies may remain in iCloud until removed there if sync was enabled).
• Firebase / Meta: Retained according to Google and Meta policies; you can limit tracking via iOS Settings and ATT where applicable.
• OpenRouter (ZDR on): Processed for the request; minimal or no retention as described under ZDR / provider terms.
• Support communications: Up to approximately two years from last contact unless you request earlier deletion.
• Legal obligations: We may retain information if required by law, for the minimum period necessary.
• Deleted data: When you delete data in the app, it is removed from the device; iCloud copies may require separate deletion. Recovery may not be possible after deletion.

Transfer of Your Personal Data

• Local storage: Primary diary data stays on your device.
• Third-party AI services: When you use AI features, data may be processed in the United States or other regions where OpenRouter and its providers operate. Transmission uses HTTPS/TLS.
• Firebase / Meta: Data may be processed globally per provider policies.
• iCloud (optional): Apple's infrastructure and terms apply.
• International transfers: If you are in the EEA/UK, we take steps consistent with applicable law (e.g. appropriate safeguards as required).

Security of Your Information

Technical measures

• Local data protected by iOS Data Protection
• HTTPS/TLS for network communications
• API keys and secrets stored using secure iOS practices (e.g. Keychain where applicable)

Organizational measures: Limited access; incident response procedures.

Limitations: No transmission or storage is 100% secure; you should use a device passcode and current iOS updates.

Support / security contact: support@fodmapai.com

Collection and Use of Food Images

The Application collects photos of food and menus that you voluntarily capture.

• How images are used: Analysis (including via AI), FODMAP estimates, ingredient insights, attachment to diary entries.
• Where stored: On your device; temporarily sent to OpenRouter when you use AI analysis. We do not operate our own servers storing your images.
• Retention: On device until you delete; OpenRouter processing subject to ZDR / provider policy.
• Control: You may restrict camera/photos in iOS Settings; you may delete images in the app.

GDPR Privacy (EEA / UK)

Legal bases may include: contract (providing the app), legitimate interests (security, product improvement, analytics, crash reporting, fraud prevention), consent where required (e.g. certain tracking via ATT or optional features).

Your rights may include: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable.

Exercising rights

• In-app: Access, edit, delete, and export data where the app provides these features.
• Email: aksel.lindberg@lintech.no with subject "GDPR Data Rights Request" — include the specific right, reasonable identity verification details, and what data your request concerns.

Response time: We aim to respond within 30 days; complex cases may extend up to 60 days with notice.

Complaints: You may lodge a complaint with your local supervisory authority. EU authorities: EDPB members.

CCPA Privacy (California Residents)

Categories of personal information we may collect include identifiers, usage/internet activity, sensory information (photos you provide), health-related information you enter, and inferences — as described in this policy.

Sharing / "sale": We do not sell personal information for money in the traditional sense. Advertising measurement through Meta may constitute "sharing" under California law; you may limit certain tracking via ATT and device settings.

Your rights may include: right to know, delete, correct, opt out of sale/sharing (where applicable), and non-discrimination.

To exercise rights: Email aksel.lindberg@lintech.no with subject "CCPA Rights Request". We may verify your identity. We aim to respond within 45 days (up to 90 if reasonably necessary).

Authorized agents: You may use an authorized agent where permitted by law; we may require proof of authorization.

Children's Privacy

FODMAPai is intended for users 13 and older. We do not knowingly collect personal information from children under 13. If you believe we have, contact support@fodmapai.com and we will take steps to delete it. Parents or guardians may request deletion of a minor's data where applicable.

Links to Other Websites and Services

The Service may reference or link to third parties, including:

We are not responsible for third-party sites' practices; read their policies before using them.

International Users

The Company is LinTech AS, Norway. Providers may process data outside your country (e.g. US, EU). We use technical measures such as TLS and select providers with appropriate agreements where required.

Data Retention and Deletion (Summary)

• Device: Delete entries or all data in app settings where available; uninstall removes local app data (iCloud may retain copies until removed).
• Firebase / Meta: Governed by provider tools and your device privacy choices.
• OpenRouter: ZDR default limits retention for AI requests.
• Support email: Request deletion at support@fodmapai.com.

Changes to This Privacy Policy

We may update this policy from time to time. We will update the Last updated date and, for material changes, provide notice as appropriate (e.g. in-app or on this page). Continued use after changes may constitute acceptance where permitted by law.

Your Privacy Choices and Controls

• iOS Settings - Privacy & Security - Tracking: Controls ATT for cross-app tracking where applicable.
• Firebase / Meta: Limited by Apple's frameworks and provider policies; see device settings.
• AI features: You choose when content is sent to OpenRouter.
• ZDR: Keep enabled (default) for stronger privacy for OpenRouter requests.
• Export / delete: Use in-app data management features where available.

Summary of Key Privacy Points

What we do

• Store diary and health inputs primarily on your device
• Use HTTPS for network requests
• Use OpenRouter with ZDR on by default where supported
• Use Firebase for analytics and crash reporting
• Use Meta SDK for app events and advertising measurement (subject to ATT)
• Let you export/delete local data where the app provides it

What we don't do

• Require social login for core features
• Process your payment card — Apple does
• Sell your diary as a commodity to unrelated data brokers

Third parties: Google (Firebase), Meta, OpenRouter, optional Apple iCloud, barcode/product APIs, and Apple for purchases — as described in this policy.

Contact Us

What to include in a rights request

• Your name
• Nature of request (access, deletion, correction, export, etc.)
• Information to verify your identity
• Specific data or time period concerned

Typical response times

• General inquiries: within approximately 7 business days where feasible
• GDPR requests: within 30 days (may extend as permitted by law)
• CCPA requests: within 45 days (may extend as permitted by law)

Regulatory authorities

• EEA: Your local Data Protection Authority — EDPB list
• California: California Attorney General — Privacy