Your privacy matters. This policy explains what Nodesto collects, why, and the controls you have over your information.
1. Introduction
Nodesto Inc. ("Nodesto," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and services (collectively, the "Services").
By using our Services, you consent to the data practices described in this policy. If you do not agree with our practices, please do not use our Services.
2. Information we collect
2.1 Information you provide
We collect information you directly provide to us, including:
- Account information: name, email address, username, password, profile photo
- Profile information: dietary preferences, favorite cuisines, food allergies, bio
- User content: reviews, ratings, photos, lists, comments, and other content you post
- Communication data: messages, feedback, support requests
2.2 Information collected automatically
When you use our Services, we automatically collect:
- Device information: device type, operating system, unique device identifiers
- Usage data: pages visited, features used, time spent, clicks, interactions
- Behavioral signals: dwell time, engagement patterns, and saved/skipped content used to personalize your feed and recommendations
- Location data: GPS data, IP address, and location inferred from nearby restaurants you search or check into (with your permission)
- Log data: access times, error logs, referring URLs
- Diagnostic data: crash reports, stack traces, and device state captured at the time of a crash. To help us reproduce and fix the issue, a crash report may be tagged with identifiers — such as your account ID — that link the crash to the affected account. Diagnostic data is used only to investigate stability and quality issues; it is not used for advertising, profiling, or sold.
2.3 Information from third parties
We may receive limited information about you from third parties, including:
- Identity providers you choose to sign in with (e.g., Apple, Google)
- Public restaurant data sources used to populate places, hours, and menu information
If you sign in with Apple and choose Hide My Email, Apple supplies a private-relay address ending in @privaterelay.appleid.com that forwards messages to your real e-mail. We store and contact you at the private-relay address; you can manage or revoke forwarding at any time at appleid.apple.com.
2.4 Sensitive personal information
Some of the information you provide is treated as sensitive personal information under laws such as the California Privacy Rights Act (CPRA). We collect this only to deliver features you have asked for, and never use it for advertising, profiling for advertising, or sale.
| Category | Examples | Why we collect it |
|---|---|---|
| Health-adjacent data | Food logs, weight entries, workouts, calorie scan history, dietary preferences, food allergies | Powers the calorie scan, daily targets, and personalized recommendations you opt in to |
| Precise location | GPS coordinates when you search nearby or check into a restaurant | Map display and "near me" search; collected only with system-level permission you can revoke at any time |
| Account credentials | Password hash, sign-in tokens | Authentication; never displayed back to you in plaintext |
You can ask us to limit our use of sensitive personal information to what is strictly necessary to provide the Services. See Section 7.
2.5 HealthKit data (iOS)
If you grant Nodesto access to Apple HealthKit, any HealthKit information we read remains on your device. We do not transmit, store, or share HealthKit data with our servers or any third party. Apple's HealthKit framework guidelines forbid this, and we comply.
3. How we use your information
We use the information we collect to:
| Purpose | Legal basis |
|---|---|
| Provide and maintain our Services | Contract performance |
| Personalize your experience and recommendations | Legitimate interest |
| Process transactions and send related information | Contract performance |
| Send promotional communications (with consent) | Consent |
| Respond to your comments and questions | Legitimate interest |
| Analyze usage patterns to improve our Services | Legitimate interest |
| Detect and prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal compliance |
3.1 Automated decisions and profiling
To personalize your feed, search results, and recommendations, we use automated processing — including machine-learning models — that builds a "taste profile" from the dishes, places, captions, and creators you engage with. This processing does not produce legal effects or similarly significant consequences for you. You can ask us about the logic involved, request that we stop using these signals to personalize your experience, or delete the profile entirely by contacting support@nodesto.com.
6. Data security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit and at rest
- Secure server infrastructure
- Regular security audits and testing
- Employee access controls and training
- Incident response procedures
No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.
6.1 Breach notification
If we confirm a personal-data breach that creates a meaningful risk to your rights — for example, unauthorized access to account credentials or sensitive personal information — we will notify affected users without undue delay, and in any case within 72 hours of confirming the breach, in line with the GDPR (Art. 33–34) and applicable U.S. state breach-notification laws. Notification will describe what happened, what information was involved, what we are doing in response, and steps you can take to protect yourself.
7. Your rights
Depending on where you live, you have rights over the personal information we hold about you. The rights below are available to all users; additional region-specific rights are described in the subsections that follow.
7.1 Rights available to everyone
- Access: request a copy of the personal information we hold about you
- Correction: update or correct inaccurate information directly in the app or via support
- Deletion: delete your account and associated personal information from inside the app at any time (see how to delete your account)
- Portability: receive your data in a structured, commonly used, machine-readable format (JSON)
- Opt-out of marketing: unsubscribe from any promotional e-mail at any time
7.2 California residents (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know: request disclosure of the specific pieces of personal information we have collected about you, the categories collected, the sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it
- Right to delete: request deletion of personal information we have collected, subject to legal exceptions
- Right to correct: request correction of inaccurate personal information
- Right to limit use of sensitive personal information: direct us to use sensitive personal information (food/calorie/weight logs, precise location, credentials) only for purposes strictly necessary to provide the Services you have requested
- Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising — see Section 4.6 — so there is nothing to opt out of, but you may still exercise this right by contacting us
- Right to non-discrimination: we will not deny you services, charge you different prices, or provide a different level of quality because you exercised any of these rights
The categories of personal information we have collected in the preceding 12 months, mapped to CCPA categories under Cal. Civ. Code §1798.140(v), are:
| CCPA category | What we collect |
|---|---|
| Identifiers | Name, e-mail, username, device identifiers |
| Commercial information | In-app purchase history (handled by the app platform) |
| Internet or network activity | App usage, feature interactions, log data |
| Geolocation data | Precise GPS when you opt in; IP-derived approximate location |
| Sensory data | Photos you upload, including calorie scan photos |
| Inferences | Taste profile, dietary signals, recommended dishes and places |
| Sensitive personal information | Health-adjacent data, precise location, account credentials — see Section 2.4 |
You may designate an authorized agent to make a request on your behalf, in line with Cal. Code Regs. tit. 11 §7063. We may require the agent to provide signed permission and may verify your identity directly.
7.3 EU / EEA / UK residents (GDPR / UK GDPR)
If you are in the European Union, the European Economic Area, or the United Kingdom, you have the following additional rights under the GDPR and the UK GDPR:
- Restriction of processing: ask us to limit how we process your data while a request is being reviewed
- Objection: object to processing based on legitimate interests, including profiling, at any time
- Withdraw consent: withdraw any consent you have given, without affecting the lawfulness of processing before withdrawal
- Lodge a complaint: file a complaint with your local supervisory authority — for EU residents, a list is maintained at edpb.europa.eu; for the UK, the Information Commissioner's Office at ico.org.uk
Nodesto Inc. is based in the United States and currently does not have an establishment in the EU. We respond to data-subject requests from EU/UK residents on the same terms described below.
7.4 How to exercise your rights
To exercise any of these rights, e-mail support@nodesto.com from the address associated with your account, or write to us at the address in Section 12. Please tell us which right you are exercising and include enough information for us to verify your identity. We do not require you to create an account to make a request.
| Region | Response window |
|---|---|
| European Union, EEA, United Kingdom (GDPR Art. 12) | Within 30 days; extendable by up to 2 additional months for complex requests, with notice |
| California (CCPA §1798.130) | Within 45 days; extendable once by 45 additional days, with notice |
| Other U.S. states with a comprehensive privacy law (e.g., VA, CO, CT, TX, OR, MT, DE, NJ, NH, IA, TN, IN, MD, MN) | Within 45 days; extendable once by 45 additional days, with notice |
| Everywhere else | Within 30 days, where applicable law allows |
For portability requests specifically, we deliver your data as a single JSON file in a structured, commonly used, machine-readable format. There is no charge for a first request in a 12-month period; we may charge a reasonable fee for repeated or excessive requests, or refuse to act, as permitted by law.
8. Data retention
We retain your information for as long as necessary to:
- Provide our Services to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Support business operations
When you request account deletion, your account is first deactivated and your content is hidden from other users. After a 7-day grace period — during which you can sign back in to cancel the request — your account and all associated personal information are permanently deleted. This includes your profile, username, posts, photos, comments, ratings, lists, taste profile, calorie history, saved bookmarks, follow connections, notifications, and uploaded media.
The following information may persist after deletion, for the reasons listed:
| What | Why | How long |
|---|---|---|
| Messages you sent to other users | The recipient retains their own copy of conversations they were part of; we cannot unilaterally delete data held in another user's account. | Until the recipient deletes it |
| System backups and server logs | Our infrastructure providers maintain rolling backups and execution logs for reliability and incident response. Your data is removed from these as the backup window rotates. | Up to 30 days |
| Aggregate, de-identified analytics | Counts and metrics that no longer identify you personally (e.g., total posts created in a given month). | Indefinite, in aggregated form only |
| Legal-hold or safety records | If your account was the subject of a court order, regulatory request, law-enforcement preservation request, or a confirmed abuse / safety report, we retain only the records strictly necessary to meet that obligation or to enforce our Terms. | For the duration of the obligation |
9. Minimum age and children's privacy
Nodesto is intended for users 16 years and older globally. We do not knowingly create accounts for, or collect personal information from, anyone under 16. During signup, we ask for your date of birth and decline to create an account if the date you provide indicates you are under 16.
This 16-and-over floor is set above the thresholds required by the U.S. Children's Online Privacy Protection Act (COPPA, under 13) and the EU GDPR Article 8 digital-consent age (13 to 16, depending on member state). If you believe a child under 16 has provided personal information to us, please e-mail support@nodesto.com and we will delete the account and any associated data.
10. International data transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
When we transfer data internationally, we implement appropriate safeguards such as Standard Contractual Clauses to protect your information.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending you an email notification (for significant changes)
We encourage you to review this policy periodically.
12. Contact us
If you have questions or concerns about this Privacy Policy or our data practices, or if you want to exercise any of the rights described in Section 7, please contact us:
For data-protection inquiries from the EU, EEA, or UK, please use the same e-mail address. Nodesto does not currently maintain an establishment in the European Union; processing of EU/UK personal data is occasional in scope under GDPR Article 27(2). If this changes, we will appoint and identify an Article 27 representative here.
You also have the right to lodge a complaint with your local data-protection authority — for EU residents, your national supervisory authority; for UK residents, the Information Commissioner's Office; for California residents, the California Privacy Protection Agency.