Privacy Policy
Last updated: 31 March 2026
1. Introduction
This Privacy Policy explains how Apeka Group Limited (registered in England and Wales, company no: 17105369) collects, uses, stores, and protects your personal data through the Arori mobile application ("App").
By using the App, you agree to the practices described in this policy. If you do not agree, please do not use the App.
2. Data We Collect
2.1 Data You Provide
- Account information: Email address, password (stored in hashed form). If you use Sign in with Apple or Google OAuth, your name and email as shared by the identity provider
- Profile information: First name, last name, username, profile photo, date of birth, gender
- Health data (GDPR Article 9 — special category): Height, weight, activity level, nutrition goals, daily calorie target, health conditions (e.g. diabetes, hypertension), food allergies, physical injuries/limitations, personal challenges (e.g. emotional eating)
- Nutrition data: Food photos, meal logs (food name, calories, protein, fat, carbs, portion), water intake, barcode scan history, favourite products
- Lifestyle data: Household size, monthly food budget, budget currency, eating-out frequency, whether cooking for self or family
- User content: AI chat history, community posts, comments, likes, community food database contributions
- Bug reports: User-submitted bug report title, description, and screenshots
2.2 Automatically Collected Data
- Device information: Device model, operating system, app version
- Usage data: In-app interactions, feature usage frequency, usage streaks, food search history
- Notification data: Expo push token (device identifier), timezone (for notification scheduling), notification preferences
- Location data: If you grant permission, approximate location (low accuracy ~100m) and country code (ISO 3166-1). Location is requested once at first app launch and used for food database selection. If denied, your country is detected from device locale settings
2.3 Camera Access
The App requests camera access for food photography, barcode scanning, and nutrition label reading features. Camera data is only used when you actively take a photo — there is no continuous access. If you deny camera permission, these features will be unavailable but other App features will continue to work.
2.4 Social Features
When you use the App's community features, the following data becomes visible to other users:
- Your username and profile photo
- Your posts and food photos
- Your follower count and following list
Your email address, health data, location information, and other personal details are not shared with other users.
3. How We Use Your Data
We use the collected data for the following purposes:
- Providing nutrition tracking and calorie calculation services
- AI-powered food analysis and personalised recommendations
- Calorie-aware recipe suggestions from our AI chef
- AI nutrition coach chat and weekly meal/fitness plan generation
- Account creation and management
- Providing community and social features (posts, comments, follows)
- Sending meal reminder notifications and social interaction notifications
- Using location data for appropriate food database selection
- Managing subscription and payment processes
- App performance improvement and bug fixing
- Providing user support
- Meeting legal obligations
Your data is never sold to or shared with third parties for advertising purposes.
4. Artificial Intelligence and Data Processing
Arori uses Google Gemini 2.5 Flash AI model for nutrition analysis. Our AI data processing works as follows:
- Food photos: Your photos are sent to the Google Gemini API for nutritional analysis. Google retains this data for 55 days for abuse monitoring purposes, after which it is permanently deleted. This data is not used for model training.
- AI chat and nutrition coach: Your chat history and profile information (weight, height, goal, activity level, daily calorie target, preferred language) are sent to the Gemini API to provide personalised nutrition advice. Chat history is stored in our database.
- AI chef recipe suggestions: Your food photos, calorie deficit, target calories, and nutrition goal are sent to the Gemini API to generate recipe suggestions.
- Barcode/label scanning: Product images are analysed by AI to extract nutritional information.
- Weekly plan generation: Your profile data and preferences are used to generate personalised weekly nutrition/fitness plans.
AI processing results are saved in association with your account, but raw images are not stored on our servers. Chat history is retained until your account is deleted.
5. Third-Party Service Providers
We work with the following third-party providers to deliver our services:
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database, authentication, file storage | supabase.com/privacy |
| Google Gemini | AI nutrition analysis, image processing | ai.google.dev/terms |
| Railway | Backend API hosting | railway.com/legal/privacy |
| RevenueCat | Subscription and payment management | revenuecat.com/privacy |
| Resend | Transactional emails (OTP, notifications) | resend.com/legal/privacy |
| Expo | Mobile app build, updates, and push notification delivery | expo.dev/privacy |
| Notion | Bug report tracking (internal tracking of user-submitted reports) | notion.so/privacy |
| PostHog | App analytics, user experience improvement, session replay | posthog.com/privacy |
| OpenFoodFacts | Food database search (barcode and product information) | openfoodfacts.org/terms |
| Spoonacular | Food database search (nutritional values) | spoonacular.com/terms |
| FatSecret | Food database search (calorie and macro information) | fatsecret.com/privacy |
| Edamam | Food database search (nutrition analysis) | edamam.com/privacy |
| USDA FoodData Central | Food database search (official US nutrition data) | fdc.nal.usda.gov |
Food Search Services: When you perform a food search, your search query is sent to the food database providers listed above. No personal information (email, name, etc.) is shared with these providers; only the search query text is transmitted.
AI Usage Tracking: To maintain service quality and ensure fair usage, we track monthly usage statistics of AI features (nutrition analysis, recipe suggestions, chat, etc.). This data includes token consumption amounts and function call counts, and is stored at the account level only.
Search Logs: To improve our food search service, your search queries and the number of returned results may be temporarily logged. This data is used for aggregate statistics and is not used for individual identification.
These providers only access data necessary for service delivery and are subject to their own privacy policies. No directly identifying personal information (email, full name) is shared with any provider; only data strictly necessary for service delivery is transferred.
6. Data Storage and Security
Your data is stored on Supabase infrastructure hosted in the EU/UK region (eu-west-2, London). We implement the following security measures:
- Passwords are stored using hash algorithms (never in plain text)
- All data transmission is protected by TLS/SSL encryption
- Database access is restricted with Row Level Security (RLS) policies
- JWT (JSON Web Token) based authentication is used
- API access is limited by authorisation controls
No system is 100% secure. In the event of a security breach, we will notify you within the legally required timeframe.
7. Data Retention
- Account and profile data: Retained for as long as your account is active.
- Meal and nutrition logs: Retained for as long as your account is active.
- AI chat history: Retained for as long as your account is active; used to provide personalised recommendations.
- Search history: Retained for as long as your account is active.
- Social content: Posts, comments, and likes are retained for as long as your account is active.
- Account deletion: When you request account deletion, your account enters a 30-day grace period. During this period, you can cancel the deletion by simply logging back in. After 30 days, all personal data (profile, meals, chat history, posts, comments, likes, follower relationships, scan history, weekly plans, stored files) is permanently deleted. Deletion also covers third-party service data: RevenueCat subscription data, PostHog analytics data, and Notion bug report pages.
- AI processing data: Data sent to the Google Gemini API is retained by Google for 55 days for abuse monitoring, then deleted.
- Error logs: Anonymised error logs may be retained by our infrastructure providers for a limited period.
8. Your Rights
Under UK GDPR, EU GDPR, and KVKK (Turkish Data Protection Law), you have the following rights:
- Right of access: You may request a copy of data held about you.
- Right to rectification: You may request correction of inaccurate or incomplete data.
- Right to erasure (Right to be forgotten): You may request deletion of your personal data.
- Data portability: You may receive your data in a structured, machine-readable format.
- Right to object: You may object to certain data processing activities.
- Withdrawal of consent: You may withdraw previously given consent at any time.
To exercise your rights, please email privacy@arori.app. We will respond to your request within 30 days.
In-app data rights:
- Download My Data: You can download all your personal data in JSON format by tapping "Download My Data" on the Profile → Delete Account screen.
- Delete Account: You can request account deletion from the same screen. You have a 30-day grace period to cancel by logging back in.
9. KVKK Disclosure (Turkish Data Protection)
In compliance with Turkish Law No. 6698 on the Protection of Personal Data ("KVKK"), we provide the following information for our users in Turkey:
Data Controller
Apeka Group Limited (registered in England and Wales, company no: 17105369) processes your personal data as the data controller.
Purposes of Processing
- Providing App functionality and account management
- AI-powered nutrition analysis and personalised recommendations
- Managing subscription and payment processes
- Handling user support requests
- Meeting legal obligations
Categories of Personal Data Processed
- Identity data: Name, date of birth, gender
- Contact data: Email address
- Health data: Height, weight, nutrition goals (with your explicit consent)
- Visual data: Profile photo, food photos
- Usage data: App interactions, food logs
Data Transfers
Your personal data may be transferred to our service providers abroad (listed in Section 5 of this policy) for the purpose of service delivery. These transfers are carried out in accordance with Article 9 of the KVKK, with adequate protective measures and undertakings in place.
Legal Basis
- Performance of a contract (KVKK Art. 5/2-c)
- Legitimate interest (KVKK Art. 5/2-f)
- Explicit consent — for health data (KVKK Art. 6/2)
Your Rights Under KVKK
Under Article 11 of the KVKK, you have the right to:
- Learn whether your personal data is being processed
- Request information about processing if your data has been processed
- Learn the purpose of processing and whether it is used in accordance with its purpose
- Know the third parties to whom your data is transferred domestically or abroad
- Request correction if your data is incomplete or inaccurate
- Request deletion or destruction under the conditions set forth in Article 7 of the KVKK
- Request notification of correction, deletion, or destruction to third parties to whom your data has been transferred
- Object to any result arising against you through the analysis of processed data exclusively by automated systems
- Claim compensation for damages arising from unlawful processing of your data
You may submit your requests to privacy@arori.app. Requests will be resolved free of charge within 30 days at the latest.
10. Analytics and Tracking
The Arori mobile application does not use cookies. Our website (arori.app) does not use cookies or third-party tracking tools.
10.1 App Analytics
The Arori mobile app uses PostHog analytics to improve user experience. Data collected through PostHog includes:
- Screen views: Which screens are visited
- Feature usage: Frequency of use for features such as AI analysis, recipe suggestions, and calorie tracking
- Device information: Device type, OS version, app version
- Location (country level): Country derived from IP address only (exact address or coordinates are NOT collected)
- Session duration: Total time spent in the app
10.2 Session Replay
PostHog session replay may be used to analyse user experience. Under this feature:
- Text input fields (passwords, emails, etc.) are automatically masked and not recorded
- Food images may be visible (required for analysis quality)
- Recordings are used solely for UX improvement purposes
10.3 Data Not Collected
The following data is never collected through PostHog:
- Content of your food photographs
- Your health conditions or medical information
- Your AI chat history
- Your exact address or GPS coordinates
- Advertising identifiers (IDFA/GAID)
10.4 Data Location
PostHog analytics data is hosted in the European Union (Frankfurt, Germany). Data is not transferred to the United States.
10.5 Opt-Out
You can disable analytics data collection at any time:
- In-app: Go to Settings → Privacy → Analytics Management to disable tracking
- When analytics is disabled, no usage data is sent to PostHog
- To request deletion of previously collected data, contact privacy@arori.app
Analytics is disabled by default; your consent is requested on first use.
11. Children's Privacy
Arori is not intended for children under the age of 13. We do not knowingly collect personal data from individuals under 13. If we become aware that a child under 13 has provided data, we will promptly delete it.
If you believe your child has provided data to Arori, please contact us at privacy@arori.app.
12. International Data Transfers
Our primary databases are hosted in the EU/UK region (London). However, our third-party service providers (Google Gemini, Railway, etc.) may process data in other regions. In such cases, we ensure data is transferred under appropriate security measures and contractual safeguards.
13. Policy Changes
We may update this Privacy Policy from time to time. When significant changes are made, we will notify you through the App or via email. The current policy is always available on this page.
14. Contact Us
Data Controller: Apeka Group Limited
Country: Registered in England and Wales
Company No: 17105369
Privacy requests: privacy@arori.app
General support: support@arori.app
General enquiries: info@arori.app