Privacy Policy

Last updated: April 17, 2026 · Effective: April 17, 2026

01 · Introduction

Who we are and what this covers

FitHamAI is an AI-powered calorie counting app operated by Mateusz Kaczmarczyk ("we", "us", "our") — a private individual based in Poland, acting as the sole data controller. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the FitHamAI mobile app and our website at fitham.ai.

FitHamAI is operated by Mateusz Kaczmarczyk as a private individual. There is no company entity — correspondence and GDPR requests should be addressed to the email listed in the Contact section.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the Google Play Developer Policy, and applicable data protection laws. By using FitHamAI, you agree to the practices described here.

If you do not agree with this policy, please do not use the app. You can contact us at any time at privacy@fitham.ai with questions or concerns.

02 · Information we collect

What data we handle

We collect only the data required to operate the service. Specifically:

  • Account information: email address and display name, received from Google when you sign in with Google Sign-In.
  • Meal photos: images you take of your food. Photos are sent to our AI provider for analysis and are not stored on our servers. Only the extracted nutritional values (calories, macros, identified items) are saved to your account.
  • Nutrition & activity data: logged meals, water intake, weight entries, goals, and daily totals you record in the app.
  • Usage data: scan counts, subscription tier, feature usage, referral activity, and anonymized device identifier used for rate limiting.
  • Diagnostic data: anonymized crash reports and performance metrics collected via Sentry to detect and fix bugs.
  • Payment information: handled entirely by Google Play. We receive only the subscription status and billing events — we never see your card details.

We do not collect location data, contacts, browsing history, or any data from other apps on your device.

03 · How we use your information

The purposes we process data for

Your data is used strictly to operate and improve the service:

  • AI meal analysis: meal photos are sent to Google Gemini to identify food items and estimate nutritional values.
  • Personalization: your logged data powers your dashboard, goal tracking, meal-plan suggestions, and AI voice coach responses.
  • Daily tracking: to show your calorie and macro progress across the day, week, and month.
  • Service improvement: aggregated, anonymized usage statistics help us understand which features matter and where bugs occur.
  • Subscription management: we send transactional receipts and renewal notices when required.
  • Referral program: when you share your unique referral code, we track redemptions so we can grant the reward to both parties.

We do not sell your data, and we do not use it for behavioral advertising. Ads shown to free-tier users are served contextually by Google AdMob without cross-app tracking.

04 · Legal basis (GDPR)

Why we're allowed to process your data

Under GDPR, we rely on the following legal bases:

  • Contract performance (Art. 6(1)(b)): to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): for anonymized analytics, bug tracking, fraud prevention, and rate limiting.
  • Consent (Art. 6(1)(a)): for any optional processing, such as push notifications — which you can withdraw at any time in app settings or device settings.
  • Legal obligation (Art. 6(1)(c)): for tax records and compliance with subscription billing regulations.

05 · Third-party services

Who we share data with

We use a small set of carefully chosen service providers. Each is bound by a data processing agreement and may only process your data on our instructions:

  • Google Sign-In: authenticates your account using your Google email. Google's own privacy policy applies to the sign-in flow.
  • Google Gemini AI: processes meal photos to extract nutritional data. Photos are sent over encrypted connections and are not retained by Google beyond the analysis request.
  • Google AdMob: serves ads to free-tier users. AdMob may use a resettable advertising ID to prevent the same ad repeating — no personal data is shared.
  • Google Play Billing: handles all subscription payments. We never see or store your card details.
  • Sentry: receives anonymized crash reports and error stack traces to help us fix bugs.
  • Railway: hosts our backend servers and database in the European Union.

We do not share, sell, rent, or trade your personal information with any other parties.

06 · Data storage & security

How we protect your data

  • Location: account data is stored on Railway servers in the European Union. Aggregated metrics may be processed elsewhere by the providers listed above, each under GDPR-compliant data transfer agreements.
  • Encryption at rest: AES-256 for stored data on our database servers.
  • Encryption in transit: TLS 1.3 for all communications between your device, our servers, and third-party services.
  • Meal photos: processed in real time by Gemini AI, never written to our own storage.
  • Access control: only authorized engineers can access production systems, with audit logging on every access.
  • Retention: we keep your account data until you delete your account. Diagnostic logs are retained for 90 days and then permanently deleted.

If we ever discover a data breach affecting your personal information, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR.

07 · Your rights (GDPR)

What you can ask us to do

If you are in the European Economic Area, the UK, or Switzerland, you have the following rights over your personal data:

  • Right of access: request a copy of all personal data we hold about you.
  • Right to rectification: ask us to correct any inaccurate or outdated information.
  • Right to erasure ("right to be forgotten"): delete your account and all associated data directly from the app (Profile → Delete account), or email privacy@fitham.ai.
  • Right to data portability: export your data in a structured, machine-readable format. FitHamAI PRO+ users can export logs as CSV or PDF directly from the app. Other users may request an export by email.
  • Right to object: opt out of any processing based on legitimate interest. We do not send marketing emails, so there is nothing to unsubscribe from.
  • Right to restrict processing: ask us to pause processing your data while a concern is investigated.
  • Right to withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of earlier processing.
  • Right to lodge a complaint: contact your national data protection authority if you believe your rights have been infringed.

To exercise any of these rights, email privacy@fitham.ai. We respond within 30 days as required by GDPR. There is no fee for reasonable requests.

08 · Children's privacy

Age requirement

FitHamAI is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please email privacy@fitham.ai and we will promptly delete the account and any associated data.

09 · Cookies (website only)

How the website uses cookies

Our website at fitham.ai uses a minimal set of cookies, strictly limited to:

  • Essential cookies: to remember your language selection and ensure the site works correctly.
  • Analytics (anonymized): Google Analytics to count page visits and measure performance, only after you accept the cookie banner. No personal data is stored.

We do not use tracking cookies, third-party advertising cookies, or cross-site trackers. The mobile app itself does not use cookies.

10 · Changes to this policy

How we notify you of updates

We may update this Privacy Policy to reflect changes in the service, the law, or our practices. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify active users via an in-app notice before the change takes effect, typically 30 days in advance for significant changes.
  • Preserve earlier versions so you can compare what changed.

Continued use of FitHamAI after the updated policy takes effect means you accept the revised policy. If you do not agree, you can delete your account at any time.

Contact us about privacy

For privacy inquiries, GDPR data requests, or any questions about how we handle your information, reach out and we'll respond within 30 days.

Email: privacy@fitham.ai
Website: fitham.ai
Support: support@fitham.ai
Privacy & GDPR: privacy@fitham.ai
Legal: contact@fitham.ai
Hello: hello@fitham.ai

© 2026 Mateusz Kaczmarczyk. All rights reserved.