Privacy Policy

Effective Date: 2026-05-12
Last Updated: 2026-05-12

This Privacy Policy explains how Nutraware AB ("Nutraware", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use our mobile application, website, and related services, collectively referred to as the "Service". This Privacy Policy is intended to describe our processing of personal data in accordance with applicable data protection laws, including the EU/UK GDPR where applicable, and relevant Apple and Google platform requirements.

1. Data Controller and Contact

Nutraware AB, Swedish company registration number 559484-9902, with registered address Årgångsgatan 1, 117 57 Stockholm, Sweden, is the controller of your personal data for the Service.

Contact: info@nutraware.com

If we appoint a Data Protection Officer, EU representative, UK representative, or other privacy contact where required by law, relevant contact details will be made available on our website.

2. Categories of Personal Data We Process

We may process the following categories of personal data:

Identification and account data – name, email address, authentication data, profile photo, language, region, account settings, and similar information.

Device and technical data – device model, operating system, app version, device identifiers, crash logs, diagnostics, IP address, and technical metadata.

Usage data – features used, in-app events, preferences, session metadata, interactions with the Service, and app performance data.

Health, fitness, nutrition, biometric, and wellness data (collectively, "Health Data") – nutrition data, activity data, fitness data, biometric data, goals, food logs, meal history, weight-related information, and similar data entered manually by you or accessed from Apple HealthKit, Apple Health, Google Health Connect, Google Fit where available, Samsung Health, or similar mobile health frameworks. Some of this data may constitute special category data under applicable data protection laws.
Images and media – photos and media that you upload or generate within the Service, such as meal images, and associated metadata.

Communications – support requests, feedback, survey responses, customer service messages, and other communications with us.

Marketing preferences – whether you have opted in to or opted out of marketing communications.

Location data – coarse or precise location data, if enabled and only where used for core functionality or where you have granted permission.

Payment and subscription data – subscription status, plan type, purchase confirmation, transaction identifiers, billing country, renewal status, and similar subscription-related information. Payments are processed by Apple or Google, and we do not store full payment card details.

AI interaction data – prompts, inputs, outputs, logs, feedback, and related metadata necessary to provide AI features, troubleshoot issues, monitor safety, improve reliability, and prevent misuse. Where feasible, such data is aggregated, anonymised, or de-identified.

3. Sources of Personal Data

We collect personal data from the following sources:

Directly from you – for example when you create an account, enter profile information, log meals, upload photos, use AI features, contact support, or provide feedback.

From your device or operating system – where you grant permission, including health, fitness, nutrition, activity, photo, camera, or similar device-based data.

From connected health frameworks – such as Apple HealthKit, Apple Health, Google Health Connect, Google Fit where available, Samsung Health, or similar services, only where you have authorised such connection.

From app stores and subscription platforms – such as Apple App Store and Google Play, including subscription status, purchase tokens, plan type, and renewal information.

From analytics, diagnostics, and crash reporting tools – configured as processors or service providers to help us operate, secure, and improve the Service.
From cookies and similar technologies – used on our website as described in Section 13.

4. Purposes and Legal Bases for Processing

We process personal data for the following purposes and legal bases under the GDPR and other applicable data protection laws:

Providing, operating, and securing the Service
We process account data, device data, usage data, subscription data, and related information to create and manage your account, provide app functionality, maintain the Service, and secure the Service.
Legal basis: performance of contract, legitimate interests, and legal obligation where applicable.

Personalising content and features
We process information such as profile data, preferences, usage data, nutrition data, and other user inputs to personalise your experience and provide relevant features.
Legal basis: performance of contract, consent where required, and legitimate interests where applicable.

Providing health, nutrition, and wellness functionality
We process health, fitness, nutrition, biometric, and wellness data to provide features such as nutrition tracking, activity insights, goals, meal analysis, and related functionality.
Legal basis: explicit consent for special category data, performance of contract where applicable, and consent where required by platform rules.

Providing AI features and insights
We process user inputs, meal images, logs, nutrition data, lifestyle data, and other information to generate AI-supported insights, suggestions, summaries, or recommendations.
Legal basis: performance of contract where required to provide requested features, explicit consent where special category data is processed, consent where required by law or platform rules, and legitimate interests for safety, troubleshooting, abuse prevention, and service improvement.

Customer support and communications
We process contact details, account data, support messages, and technical information to respond to support requests and communicate with you about the Service.
Legal basis: performance of contract and legitimate interests.

Security, fraud prevention, and enforcement
We process technical data, usage data, device data, logs, and related information to detect misuse, prevent fraud, protect users, enforce our Terms, and maintain security.
Legal basis: legitimate interests, legal obligation, and establishment, exercise, or defence of legal claims where applicable.

Analytics and product improvement
We process usage data, diagnostics, aggregated data, and de-identified data to understand how the Service is used, improve functionality, resolve errors, and develop new features.
Legal basis: legitimate interests and consent where required.

Marketing communications
We may process your contact details and marketing preferences to send newsletters, product updates, offers, or similar communications where permitted.
Legal basis: consent, or legitimate interests with opt-out where permitted by applicable law.

Legal compliance
We process personal data where necessary to comply with legal obligations, regulatory requirements, tax or accounting obligations, lawful requests, or court orders.
Legal basis: legal obligation and legitimate interests.

5. Health Data

Access to Health Data is voluntary and requires your explicit permission through system prompts, device settings, or similar permission mechanisms. We only access the specific Health Data categories that you choose to permit. You may grant, deny, change, or revoke permissions at any time through your device settings or connected health framework settings.

Health Data is used only to provide app functionality, such as nutrition tracking, activity analytics, meal insights, goals, and related wellness features.

We do not sell, rent, or use Health Data for advertising or targeted marketing. We do not share Health Data with third parties for advertising purposes. Health Data is not used for credit, insurance, employment, eligibility, or similar decision-making purposes.
Health Data is not combined with other data for advertising purposes. We comply with applicable Apple HealthKit terms and Google Play policies for health and sensitive data.

6. AI Transparency and Safeguards

Some features of the Service use artificial intelligence or machine learning to analyse user inputs, meal images, nutrition data, lifestyle data, activity data, or other information and generate insights, suggestions, summaries, or recommendations.

Where required, we disclose when a feature uses AI and provide appropriate information about the nature, purpose, and limitations of AI-generated outputs.

AI-generated outputs may be inaccurate, incomplete, outdated, biased, or misleading. They are not a substitute for professional medical, nutritional, psychological, fitness, or other expert advice.

We may use technical and organisational measures, including testing, monitoring, quality review, and human review where appropriate, to improve reliability, reduce harmful outputs, address bias, and prevent misuse.

We do not engage in automated decision-making that has legal or similarly significant effects on you within the meaning of Article 22 of the GDPR.

7. Disclosure of Personal Data

We may disclose personal data to the following categories of recipients:

Service providers and processors – including hosting providers, database providers, analytics providers, crash reporting providers, customer support tools, email delivery providers, subscription management tools, payment/subscription verification tools, and AI infrastructure providers. Such providers may only process personal data according to our instructions and are subject to appropriate contractual obligations, including data processing agreements and confidentiality obligations where required.

App stores and platform providers – such as Apple and Google, where necessary for subscription management, in-app purchases, account verification, platform compliance, or app functionality.
Professional advisers – such as legal, accounting, tax, insurance, or compliance advisers where necessary.

Authorities and legal recipients – where required by law, court order, regulatory request, legal process, or to protect our rights, users, systems, or the public.

Corporate transactions – in connection with a merger, acquisition, financing, reorganisation, sale of assets, or similar transaction, subject to appropriate safeguards and notice where required.

We do not sell personal data, and we do not share Health Data with third parties for advertising or marketing.

8. International Transfers

Where we transfer personal data outside the EU/EEA or the United Kingdom, we use appropriate safeguards where required by law. Such safeguards may include Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, adequacy decisions, supplementary technical and organisational measures, and transfer risk assessments where appropriate.

9. Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, or as required or permitted by law. Retention periods depend on the type of data, the purpose of processing, account status, legal obligations, limitation periods, security needs, and whether you request deletion.

Account data is retained while your account is active and may be retained for up to three years after last activity or account closure, unless earlier deletion is requested or longer retention is required or permitted by law.

Health Data is retained while your account is active or until you delete it, revoke consent, disconnect a health integration, or request deletion, unless retention is required or permitted by law.

Subscription and transaction records may be retained as necessary for accounting, tax, audit, fraud prevention, and legal compliance.

Support communications may be retained as necessary to provide support, resolve issues, document communications, and handle disputes.
Security logs and technical data are retained for a limited period unless needed for fraud prevention, abuse prevention, security investigations, legal claims, or compliance.

Aggregated, anonymised, or de-identified data may be retained for longer where it can no longer reasonably be linked to you.

When personal data is no longer needed, we delete it, anonymise it, or otherwise process it in accordance with applicable law.

10. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction. Such measures may include encryption in transit and at rest where applicable, access controls, least-privilege access, authentication controls, monitoring, vulnerability management, backup routines, and internal security procedures.

Access to Health Data and other sensitive data is restricted to authorised personnel and systems with a need to access such data.

No system is completely secure. However, we continuously work to improve our safeguards. In the event of a personal data breach, we will notify affected users and relevant authorities where required by law.

11. Your Rights under EU/UK GDPR

Depending on your location and applicable law, you may have the right to:

a) request access to your personal data;
b) request correction of inaccurate or incomplete personal data;
c) request deletion of your personal data;
d) request restriction of processing;
e) object to certain processing;
f) request data portability;
g) withdraw consent at any time where processing is based on consent; and
h) lodge a complaint with a supervisory authority.

Where processing is based on consent, withdrawal of consent does not affect the lawfulness of processing carried out before the consent was withdrawn.

For Sweden, the supervisory authority is Integritetsskyddsmyndigheten, IMY.

You may exercise your rights by contacting: info@nutraware.com.

12. California and U.S. State Privacy Rights

Where applicable, residents of California and certain other U.S. states may have rights to know/access, correct, delete, and receive personal information in a portable format, as well as the right to opt out of "sale" or "sharing" of personal information and to limit the use of sensitive personal information.

Nutraware does not sell personal information and does not share personal information for cross-context behavioural advertising. Nutraware does not use Health Data for advertising or targeted marketing.

These rights apply only where the relevant law applies to Nutraware and to your personal data. You may submit privacy requests by contacting: info@nutraware.com. We will not discriminate against you for exercising your privacy rights.

13. Cookies and Tracking

We use cookies and similar technologies on our website for essential functionality, analytics, performance, security, and user experience. Where required, non-essential cookies are used only with your consent. You can manage cookie preferences through our cookie banner or your browser settings.

In the mobile app, cookies are limited, but software development kits, device identifiers, or similar technologies may perform similar functions. Such technologies are used with appropriate disclosures, permissions, and controls where required.

14. Account Deletion

You can delete your account directly in the app. You may also request account deletion by contacting: info@nutraware.com.

Upon verification, we will delete your account and associated personal data, including Health Data, unless retention is required or permitted by law, for example for fraud prevention, security, accounting, tax, audit, legal compliance, or dispute resolution purposes. Where we retain limited information after account deletion, we retain only what is necessary and for no longer than required for the relevant purpose.

15. Children's Privacy

The Service is not directed to individuals under 18 years of age.
We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate authorisation, we will take reasonable steps to delete such data. Parents or guardians may contact us at info@nutraware.com to request deletion of personal data inadvertently collected from a child.

16. Third-Party Links and Services

The Service may contain links to or integrations with third-party websites, tools, platforms, or services. Such third parties process personal data according to their own privacy policies and terms. We are not responsible for the privacy practices, security, content, or terms of third-party services.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide notice through the Service, on our website, by email, or by other appropriate means before the changes take effect where required by law. Where required by law, we will request your consent before applying changes to processing activities that require consent. The updated Privacy Policy will state the effective date and the date of the latest update.

Please also review our Terms & Conditions, which govern your use of the Service.

18. Contact

Nutraware AB
Swedish company registration number: 559484-9902
Årgångsgatan 1
117 57 Stockholm
Sweden
Privacy contact: info@nutraware.com

Notice at Collection for California Residents – Summary

This section applies only where California privacy law applies to Nutraware and to your personal information.

Categories collected: identifiers, account data, commercial information, subscription information, internet or electronic network activity, device data, in-app activity, geolocation data if enabled, inferences for personalisation, images and media, communications, and Health Data with consent.
Purposes: to provide, operate, personalise, secure, analyse, and improve the Service; provide support; manage subscriptions; prevent fraud and misuse; comply with law; and communicate with users.

Disclosures: service providers and processors, app stores and platform providers, professional advisers, legal recipients, and parties involved in corporate transactions where applicable.

Sale or sharing: Nutraware does not sell personal information and does not share personal information for cross-context behavioural advertising.

Sensitive personal information: Health Data and similar sensitive data is used only for permitted purposes, such as providing requested Service functionality, security, legal compliance, and user-authorised features.

Retention: personal information is retained as described in Section 9.

Rights: see Section 12.