Privacy Policy
Last updated: July 2026
1. Who is the data controller
The controller responsible for processing your personal data is:
Name: IntOut
Contact email: support@intout.app
2. What data we collect and why
2.1 Registration data
- Email and password: to create and manage your account. Your password is stored encrypted and is never accessible in plain text, not even to us.
- Date of birth: to verify that you are over 14 years old and to personalize your experience. IntOut does not allow users who indicate being under 14 to complete registration.
2.2 Health data (special category)
- Food intolerances and severity level: for example, gluten intolerance (severe) or lactose intolerance (moderate). This data is considered health data under the General Data Protection Regulation (GDPR) and receives special protection.
- Scan history: the foods you have analyzed and the results obtained (safe, caution, avoid).
- Symptom diary: the wellbeing status you voluntarily log and the foods consumed each day.
We use this data exclusively to personalize food analysis according to your specific intolerance profile and to show you a history of your previous scans. We do not use it for any other purpose.
2.3 Usage data
Basic technical information about how you use the app (errors, number of scans) to improve the service. This information is anonymous and aggregated.
2.4 Payment data
IntOut does not directly store your credit card data. Payments are handled by the Apple App Store, Google Play Store, and RevenueCat, each with its own privacy policy.
3. Legal basis for processing
| Type of data | Legal basis |
|---|---|
| Email and account | Performance of a contract (art. 6.1.b GDPR) |
| Date of birth | Performance of a contract (art. 6.1.b GDPR) |
| Intolerances and health data | Explicit consent (art. 9.2.a GDPR) |
| Scan history | Performance of a contract (art. 6.1.b GDPR) |
| Symptom diary | Consent (art. 6.1.a GDPR) |
| Anonymous usage data | Legitimate interest (art. 6.1.f GDPR) |
Health data (intolerances) is only processed with your explicit consent, which you grant during registration. You can withdraw this consent at any time by deleting your account.
4. Who we share your data with
We share your data only with the following trusted providers, necessary for the app to function:
Supabase (database and authentication)
- Purpose: stores your profile, intolerances, scan history, and diary.
- Servers: Europe (Frankfurt, Germany). GDPR-compliant.
- Policy: supabase.com/privacy
OpenAI (AI-powered photo and label analysis)
- Purpose: when you take a photo of a food item or label, the image is sent to OpenAI's servers for analysis. Your intolerance profile is sent along with the image to personalize the result.
- Servers: United States. The transfer is carried out under appropriate safeguards (EU Standard Contractual Clauses).
- Important: OpenAI does not use data sent through the API to train its models.
- Policy: openai.com/privacy
Google (AI-powered restaurant menu analysis — Gemini)
- Purpose: when you scan a restaurant menu, the photo is sent to Google's servers (Gemini model) to identify dishes and allergens, along with your intolerance profile to personalize the result.
- Servers: United States / global Google Cloud infrastructure. Transfer under appropriate safeguards (EU Standard Contractual Clauses).
- Policy: policies.google.com/privacy
RevenueCat (subscription management)
- Purpose: manages the status of your premium subscription.
- Servers: United States. Transfer under appropriate safeguards.
- Policy: revenuecat.com/privacy
Open Food Facts and Barmanager (public product and menu databases)
Purpose: when you scan a barcode or a restaurant's QR menu, we query the public Open Food Facts or Barmanager database to retrieve ingredients or dishes. These queries do not include any personal data of yours — only the barcode or restaurant identifier. Comparison with your intolerance profile always happens on your own device or on our servers; your profile is never sent to these services.
We never sell your data to third parties. Never. Under no circumstances.
5. International data transfers
Some of our providers (OpenAI, Google, RevenueCat) operate from the United States. These transfers are carried out solely under the guarantees required by GDPR (Standard Contractual Clauses approved by the European Commission) and only with the data strictly necessary to provide the service.
6. How long we keep your data
- While your account is active: we keep all your data to provide you the full service.
- After deleting your account: we immediately erase all your personal data (scan history, diary, profile, and account), within a maximum of 30 days in the case of technical backups.
- Anonymous usage data: retained indefinitely, as it is not linked to any identifiable person.
7. Your rights
As a user in the European Union, you have the following rights over your data:
- Access: you can request a copy of all the data we hold about you.
- Rectification: you can correct any incorrect data directly from the app (Profile section) or by contacting us.
- Erasure: you can delete your account and all your data at any time from the app (Profile → Delete account).
- Portability: you can request your data in a machine-readable format.
- Objection: you can object to processing based on legitimate interest.
- Withdrawal of consent: you can withdraw your consent for the processing of health data at any time, which will result in the deletion of your account.
- Complaint: you have the right to file a complaint with the Spanish Data Protection Agency (aepd.es).
To exercise any of these rights, write to us at: support@intout.app
8. Minors
IntOut is not directed at children under 14 years of age. The app verifies your date of birth during registration and does not allow anyone who indicates being under 14 to continue. If, despite this verification, we become aware that we have collected data from a child under 14, we will delete that data immediately.
9. Security of your data
- Passwords are stored using encryption (hashing). No one, including our team, can see your password.
- All data is transmitted encrypted via HTTPS/TLS.
- Database access is restricted through Row Level Security: no user can access another user's data.
- Health data is handled with the highest level of technical and organizational protection available.
10. Important notice about using the app
IntOut is an informational and guidance tool. The results it provides do not constitute or replace the advice, diagnosis, or recommendation of a medical professional, dietitian, or nutritionist.
Food analyses performed by artificial intelligence may not be 100% accurate. Always consult a healthcare professional if you have questions about your diet or health.
11. Changes to this policy
If we make significant changes to this privacy policy, we will notify you through the app or by email at least 15 days in advance. Continued use of the app after such notice implies acceptance of the changes.
12. Contact
For any questions, inquiries, or to exercise your rights:
- Email: support@intout.app
- Subject line: Privacy — [your inquiry]
We respond within a maximum of 30 days.
This privacy policy has been drafted in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights.