Effective Date: October 25, 2025
Last Updated: October 25, 2025
This Privacy & Consumer-Health-Data Policy (“Policy”) explains how Incision, Inc. (“Company,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards information when you use Superfood AI on mobile, web, and related sites (the “App” or “Service”). It applies globally and is designed to align with major privacy frameworks (e.g., EU/UK GDPR, California CPRA, and Washington’s My Health My Data Act (“MHMDA”)).
Relationship to Terms. Capitalized terms not defined here have the meaning in our Terms & Conditions. “Model Providers” means external AI inference or analytics providers engaged by Incision to deliver the Service. We may change Model Providers over time. Details about current Model Providers, the categories of data shared, purposes, and retention are described in this Policy and in our Subprocessors List.
We collect information that you provide, information collected automatically, and information derived through processing.
Data you provide includes:
Account and contact information such as name, email, and your password, which we store only in hashed form.
Images and prompts such as food photos you upload and any notes you add.
Nutrition logs, including entries, tags, serving sizes, and custom foods.
Support content such as messages to support, feedback, and survey responses.
Data collected automatically includes:
Device and technical details such as device identifiers, operating system or browser, IP address, language, and time zone.
Usage and diagnostics such as app interactions, performance events, and crash logs.
Approximate location derived from IP (country/region only).
Data we derive includes:
Estimated nutrition metrics such as calories, macronutrients, fiber, glycemic load, and other attributes produced from your images and logs via our Model Providers.
Some of the above may constitute Consumer Health Data (CHD) or special category data. Where required, we obtain separate, opt-in consent before collecting or sharing CHD (see Section 8).
We use data to:
Provide and operate the Service, including account creation, scans, logs, and syncing. (Legal bases: contract; legitimate interests.)
Perform AI inference through Model Providers to generate nutrition estimates from your uploads. (Legal bases: contract; consent where required, e.g., CHD.)
Improve and secure the Service, including analytics, debugging, fraud prevention, and rate-limit enforcement. (Legal bases: legitimate interests; legal compliance.)
Communicate with you about the Service, including transactional notices and product updates. (Legal bases: contract; consent where required.)
Conduct research and development using de-identified or aggregated data. (Legal bases: legitimate interests; consent where required.)
Comply with law and enforce our Terms. (Legal bases: legal obligation; legitimate interests.)
We do not use your images or logs to train third-party foundation models unless we present an opt-in and you agree.
To deliver the Service, we share limited data with vendors under written agreements and access controls.
Model Providers (AI inference).
We currently use OpenAI, L.L.C. (United States) to process uploaded images and prompts/metadata in order to return nutrition estimates. Where a Model Provider offers controls, we instruct them not to use your content to train their models. The Subprocessors List provides the current roster and links to provider policies.
Backend and infrastructure (Firebase / Google Cloud).
We use Google Firebase and Google Cloud Platform for authentication, databases (Firestore or Realtime Database), storage (including images), Cloud Functions, Crashlytics, push notifications, and analytics (Google Analytics for Firebase). Data is encrypted in transit and at rest using provider defaults; access is role-based and logged.
Additional recipients may include:
Analytics and diagnostics services (primarily through Firebase/Crashlytics).
Regulators or law enforcement where required by law or to protect rights, safety, and security.
Parties to a corporate transaction (e.g., merger, acquisition) with appropriate safeguards.
We do not sell your Personal Data for money. Where “share” or “sell” have specific legal meanings (e.g., CPRA), we honor your rights and provide required controls.
On the web, we use cookies/SDKs for authentication, security, and analytics. Where required, we display a consent banner and honor your choices. You can manage cookies via browser settings, though some features may not function without them.
We keep data only as long as necessary for the purposes described above or as required by law.
Account data (name, email). Retained for the life of your account and deleted within 90 days after account closure.
Images you upload. By default deleted after processing; if you enable backups/history, retained for up to 30 days (or as shown in-app) and then permanently deleted.
Nutrition logs and derived metrics. Retained for the life of your account and deleted within 90 days after account closure.
Crash and diagnostic logs. Retained for up to 30 days and then aggregated or anonymized.
Support tickets. Retained for up to 3 years and then anonymized.
Aggregated or de-identified data. May be retained indefinitely in non-identifiable form.
We implement administrative, technical, and physical safeguards proportional to risk, including encryption in transit and at rest, least-privilege access, multi-factor authentication for staff accounts, and continuous logging/monitoring. No system is perfectly secure.
Incidents and notifications. We maintain an incident-response program and will notify you and/or regulators of a breach as required by law.
In jurisdictions with CHD or sensitive-data rules (such as Washington MHMDA or EU/UK GDPR special categories), we obtain separate, opt-in consent before collecting or sharing CHD.
You may withdraw consent at any time in Settings, without affecting prior lawful processing.
We do not use geofencing advertising around healthcare locations.
Where required, we provide additional deletion rights specific to CHD (see Section 10).
We are headquartered in the United States. When transferring Personal Data internationally, we rely on legally recognized transfer mechanisms (for example, Standard Contractual Clauses with supplementary measures) where required. Additional details are available on request.
Your rights depend on where you live, and we will honor all applicable rights without discrimination.
EU/UK GDPR rights may include:
Access to your data; rectification of inaccuracies; erasure; restriction of processing; portability; and objection to certain processing.
The right to lodge a complaint with a supervisory authority.
How to exercise: use the in-app request flow or email privacy@[your-domain].com.
California (CPRA) rights may include:
Right to know/access, delete, and correct; right to opt out of “sale/share”; right to limit use of sensitive personal information.
How to exercise: use our webform or call our toll-free number [Number].
Washington (MHMDA) rights may include:
Separate consent for collection and sharing of CHD; right to withdraw consent; right to request separate deletion of CHD; right to appeal a decision.
How to exercise: use in-app controls or email privacy@[your-domain].com.
Verification and timelines. We verify requests (e.g., email plus one-time code) and respond within legally required timeframes. If we cannot verify your request, we will explain why.
Global Privacy Control (GPC). Where applicable on the web, we honor GPC signals for “sale/share” opt-outs.
The Service is not directed to children under 13, and we do not knowingly collect their Personal Data. If you believe a child provided data, contact us so we can delete it.
We use AI to generate estimates from images. Outputs are advisory/educational and are not used to make decisions that produce legal or similarly significant effects without human involvement. You may request high-level information about how inputs generally influence outputs.
We disclose information to:
Model Providers such as OpenAI, L.L.C. so they can process uploaded images and related prompts/metadata to produce nutrition analysis.
Backend and infrastructure providers such as Google Firebase and Google Cloud for hosting, storage, authentication, analytics, crash reporting, messaging, and related operations.
Regulators and law enforcement as required by law or to protect rights, safety, and security.
Corporate transaction partners (e.g., in a merger or acquisition) with appropriate safeguards.
For the most up-to-date list of vendors and details (role, data types, purpose, region, links to policies), see our Subprocessors List.
We do not sell Personal Data for money. Where “share” includes cross-context behavioral advertising under CPRA, we do not engage in such sharing for CHD. We provide opt-out controls for other data types where applicable.
Primary storage is provided by Google Firebase/Google Cloud in regions we select for performance and compliance. Backups follow the same controls. Exact regions may be listed in our Subprocessors List or provided upon request.
We may update this Policy from time to time. When changes are material, we will provide notice in-app or by email with reasonable advance notice where required. Your continued use after the effective date constitutes acceptance.
Privacy Office / Data Protection Officer
Incision, Inc.
548 Market St PMB 57188
Email: superfoodai.contact@gmail.com
Phone: (254) 256-4060
EU/UK residents may also contact their local data protection authority.
Categories collected may include: identifiers (name, email, device IDs, IP), images you upload, derived nutrition metrics, usage and diagnostics, and approximate location.
Purposes include: providing the Service, AI inference through Model Providers, security/fraud prevention, analytics, communications, and legal compliance.
Selling/Sharing: we do not sell Personal Data for money; we do not share CHD for cross-context behavioral advertising; where applicable, we provide opt-out controls and honor GPC.
Retention: see Section 6 for our retention practices.
Sensitive data: collected and processed only with required consents; additional rights apply as described above.