1. Who We Are
ROVI ("we", "us", "our") is a health, fitness, and nutrition tracking application operated by Vinh Ly. We act as the data controller for all personal data processed through the ROVI app.
If you have any questions about this Privacy Policy or how we handle your data, you can contact us at:
Email: support@rovi-app.com
We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have.
2. What This Policy Covers
This Privacy Policy applies to the ROVI mobile application (available on iOS and Android), including all features such as food tracking, activity logging, step counting, social feed, AI chatbot, recipe management, fridge tracking, and any related services.
3. Age Restriction and Parental Consent
ROVI is intended for users aged 13 and over. We do not knowingly collect personal data from anyone under the age of 13.
If you are between 13 and 15 years old, your parent or guardian must consent to your use of ROVI and agree to this Privacy Policy on your behalf.
For users aged 13 to 17: Your parent or guardian should review this Privacy Policy and our Terms of Service before you use ROVI. They should understand that ROVI collects health data including weight, height, menstrual cycle data (if enabled), daily activity and step counts, food and nutrition logs, and social activity and interactions with other users.
For parents and guardians: You are responsible for managing your child's use of ROVI. You can contact us at support@rovi-app.com to request access to your child's account data, request deletion of your child's account and all associated data, or withdraw consent for health data collection on their behalf.
If we become aware that we have collected personal data from a child under 13, we will take steps to delete that data as quickly as possible. If you believe we may have collected data from a child under 13, please contact us at support@rovi-app.com.
4. Data We Collect
We collect the following categories of personal data:
4.1 Account Information
- Email address
- Display name and username
- Profile photograph (if you upload one)
- Date of birth (if provided)
- Authentication credentials (managed by Firebase Authentication)
4.2 Health and Fitness Data
- Height, weight, and weight history
- Daily step counts (synced from Apple HealthKit or Google Health Connect)
- Activity and exercise logs (type, duration, calories burned, distance, GPS route data)
- Menstrual cycle tracking data (if you enable this feature). Please note: This data is particularly sensitive as it can reveal information about your reproductive health and pregnancy status. It is processed only with your explicit consent and can be deleted at any time.
- Workout details (exercises, sets, repetitions, weights)
Health platform integration: ROVI requests permission to read step count and workout data from Apple HealthKit (iOS) or Google Health Connect (Android). We sync daily step totals and summary data only — raw health platform data remains on your device. ROVI also writes menstrual cycle data to Apple HealthKit (iOS) or Google Health Connect (Android) to keep your health records synchronised across apps. This write access requires your explicit permission at the operating system level. You can revoke ROVI's access at any time via your device settings: on iOS, go to Settings > Health > Data Access & Devices > ROVI; on Android, go to Settings > Health Connect > App Permissions > ROVI.
4.3 Nutrition Data
- Food diary entries (food names, calories, macronutrients, meal type, serving sizes)
- Recipe details and meal plans
- Fridge inventory items
- Custom food entries and frequently used foods
4.4 Social Data
- Social feed posts and interactions (likes, comments)
- Friends list (followers and following)
- Leaderboard participation data
- Privacy preferences for social features
If you enable notifications for specific friends' activity, we store the list of their user identifiers (a "reaction notification watchlist") so we can deliver notifications when they interact with your content. This list is deleted when you delete your account.
Your leaderboard position (steps and calories burned) is visible to your friends for today and up to the past 365 days, where data is available. You can disable leaderboard visibility entirely in Settings > Privacy.
4.5 Conversations with the AI Chatbot
- Messages you send to the ROVI AI chatbot
- The chatbot's responses
- Any data referenced during conversations (such as your food logs, activity data, step counts, and health metrics), which is provided to the AI to generate personalised responses
4.6 Device and Technical Data
- Device type, operating system, and version
- Push notification tokens
- App crash reports and error logs (linked to your user identifier to help us debug issues specific to your account)
- Security events including failed login attempts, biometric authentication success or failure, account lockouts, session timeouts, and unusual login patterns
- Voice input audio (when using speech-to-text features) — processed by your device's speech recognition service (provided by Apple on iOS and Google on Android)
4.7 App Analytics Data
- Firebase Analytics collects app usage metrics including feature interactions, session data, and stability metrics when you opt in via Settings > Privacy & Data
- Security-related analytics events such as authentication attempts and session events
- This data is used to improve app stability and identify bugs. It does not include your health data, food logs, or conversation content.
4.8 Photos
- Profile photographs
- Activity photographs (taken during or after exercise)
- Photos of food, receipts, or fridge contents (when using camera-based features)
- Weight tracking photographs (optional progress photos taken with the in-app camera or imported from your photo library)
4.9 Location Data
- GPS route data recorded during tracked activities (walks, runs, cycles)
- Location data is collected while you are actively recording a GPS activity. With your permission, tracking continues in the background while a workout is in progress, so your route is recorded even if your screen is locked or the app is in the background. We do not track your location at any other time.
- Important: If you share GPS-tracked activities via the social feed, your route data (including start and end points) may be visible to other users on your friends list. You can hide specific activities or disable social sharing in your privacy settings.
4.10 Administrative and Operational Data
- Account deletion logs: When you delete your account, we record the deletion event (user identifier, timestamp, and completion status) for audit compliance and to confirm that the deletion was carried out successfully. These logs do not contain any of your personal health, nutrition, or social data.
- Community barcode scan cache: When a barcode is scanned by any user, the product information retrieved from Open Food Facts may be cached to improve lookup speed for future scans. This cache contains only product names and nutritional data — no personal information or user identifiers.
4.11 Data Linked to Your Identity (App Store Privacy Label)
The following data is collected and linked to your user identifier: health and fitness data (weight, steps, menstrual cycle, activities), nutrition data (food logs with macronutrients), AI chatbot conversations, app crash reports, and security event logs. This linkage is used solely to provide personalised features, troubleshoot issues, and improve app stability.
4.12 Marketing Waitlist (rovi-app.com)
If you join the waitlist on our marketing site at rovi-app.com, we collect a small amount of contact data separate from the in-app account system:
- Email address — to send you a 6-digit verification code and your beta invite
- Device platform (iOS or Android) — to route your invite to the correct beta channel (Apple TestFlight for iOS, Firebase App Distribution for Android)
- A salted SHA-256 hash of your IP address — for rate limiting only, to prevent abuse of the waitlist form. We do not store your raw IP address.
- A short-lived SHA-256 hash of a 6-digit verification code — stored for up to 10 minutes during the signup flow, then deleted. We do not store the code itself.
This data is collected only if you choose to submit the waitlist form. It is stored separately from any in-app account data and is not linked to your ROVI app account.
To complete the signup, your data is shared with:
- Apple (iOS submissions) via the App Store Connect API — see section 8.11
- Firebase App Distribution (Android submissions) — see section 8.1
- Resend to deliver the verification email — see section 8.12
- Cloudflare for bot-protection challenge — see section 8.13
Retention: waitlist data is kept until the app reaches general public release plus 30 days, then deleted. You can request earlier deletion at any time by emailing 27@vinh.ly.
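The two minimisation steps this section describes (a salted SHA-256 hash of the IP used only as a rate-limit key, and a verification code of which only a hash survives for at most 10 minutes) can be implemented as below. This is an added illustration, not the ROVI waitlist code; the salt value, the rate-limit threshold and window, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example. A real salt is a secret loaded from
# configuration: because the IPv4 space is small, an attacker who knows the
# salt could enumerate every address and undo the hash.
IP_SALT = b"example-salt-do-not-reuse"
CODE_TTL_SECONDS = 10 * 60            # policy: code hash lives at most 10 minutes
RATE_LIMIT_MAX = 5                    # assumed submissions per window
RATE_LIMIT_WINDOW_SECONDS = 60 * 60   # assumed window length


def hash_ip(ip: str, salt: bytes = IP_SALT) -> str:
    """Salted SHA-256 of the client IP; the raw address is never kept."""
    return hashlib.sha256(salt + ip.encode("utf-8")).hexdigest()


class WaitlistRateLimiter:
    """Fixed-window counter keyed only by the salted IP hash."""

    def __init__(self, max_hits=RATE_LIMIT_MAX, window=RATE_LIMIT_WINDOW_SECONDS):
        self.max_hits = max_hits
        self.window = window
        self._counts = {}  # ip_hash -> (window_start, hits)

    def allow(self, ip: str, now: float) -> bool:
        key = hash_ip(ip)
        start, hits = self._counts.get(key, (now, 0))
        if now - start >= self.window:      # window elapsed: start a fresh one
            start, hits = now, 0
        hits += 1
        self._counts[key] = (start, hits)
        return hits <= self.max_hits


def hash_code(code: str, email: str) -> str:
    """Hash of the 6-digit code bound to the email it was issued for, so a
    code issued for one address cannot be replayed against another."""
    return hashlib.sha256(f"{email.lower()}:{code}".encode("utf-8")).hexdigest()


class VerificationStore:
    """Keeps only (code_hash, expires_at) per email; never the code itself."""

    def __init__(self, ttl=CODE_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # email -> (code_hash, expires_at)

    def issue(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # cryptographically random
        self._pending[email.lower()] = (hash_code(code, email), now + self.ttl)
        return code  # handed to the mail sender only; it is not persisted

    def purge_expired(self, now: float) -> int:
        """Background cleanup so stale hashes do not outlive the 10-minute TTL."""
        expired = [e for e, (_, exp) in self._pending.items() if exp <= now]
        for e in expired:
            del self._pending[e]
        return len(expired)

    def verify(self, email: str, code: str, now: float) -> bool:
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        code_hash, expires_at = entry
        if now >= expires_at:              # expired: drop it and refuse
            del self._pending[key]
            return False
        ok = hmac.compare_digest(code_hash, hash_code(code, email))
        if ok:
            del self._pending[key]         # single use: hash deleted on success
        return ok

    def has_pending(self, email: str) -> bool:
        return email.lower() in self._pending


if __name__ == "__main__":
    limiter = WaitlistRateLimiter()
    print([limiter.allow("203.0.113.7", 0.0) for _ in range(6)])  # 5 allowed, 6th refused
    store = VerificationStore()
    code = store.issue("tester@example.com", 0.0)
    print(store.verify("tester@example.com", code, 300.0), store.has_pending("tester@example.com"))
```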
5. How We Collect Your Data
We collect data in the following ways:
- Directly from you: When you create an account, enter food logs, record activities, send messages to the chatbot, upload photos, or adjust your settings.
- From your device's health platform: Step counts and health metrics synced from Apple HealthKit (iOS) or Google Health Connect (Android), only with your explicit permission granted at the operating system level.
- Automatically: Crash reports, analytics events, security events, and push notification tokens are collected automatically when you use the app.
6. Why We Collect Your Data (Legal Bases)
Under UK GDPR, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
| --- | --- |
| Providing app functionality (food tracking, activity logging, step counting, social feed) | Performance of a contract (our Terms of Service) |
| AI chatbot responses tailored to your health data | Your explicit consent (you choose to use the chatbot and send messages) |
| Push notifications | Your consent (you can enable or disable these at any time) |
| Crash reporting and error logging | Our legitimate interest in maintaining app stability and fixing bugs. You can disable crash reporting in Settings > Privacy & Data. |
| Security monitoring (failed logins, suspicious activity) | Our legitimate interest in protecting your account |
| Social features (feed, leaderboard, likes) | Performance of a contract, combined with your privacy preference settings |
| App analytics | Your consent (opt-in via Settings > Privacy & Data; disabled by default) |
| Marketing waitlist signup (email + device platform) | Your explicit consent — you choose to submit the form on rovi-app.com |
| Rate limiting the waitlist form (salted IP hash) | Our legitimate interest in preventing abuse and spam |
6.1 Health Data — Special Category Processing (UK GDPR Article 9)
Health and fitness data (including weight, height, step counts, menstrual cycle data, activity logs, food logs, and workout details) is classified as "special category data" under UK GDPR Article 9. We process this data under Article 9(2)(a) — your explicit consent.
How you give consent: You actively choose to enter health data, enable health platform syncing (which requires explicit permission at the operating system level), or enable optional features like menstrual cycle tracking.
Withdrawing consent: You can withdraw consent at any time by disabling specific features in the app's settings, revoking HealthKit or Health Connect access via your device settings, or deleting your account entirely. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
Your right to refuse: You can use ROVI's non-health features (such as the social feed and chatbot for general conversation) without providing health data, though some features will have limited functionality.
7. How We Use Your Data
We use your personal data to:
- Provide and operate the ROVI app and all its features
- Track and display your health, fitness, and nutrition progress
- Generate personalised AI chatbot responses based on your health data
- Enable social features including the activity feed, leaderboard, and friend interactions
- Send push notifications about social interactions, achievements, and reminders (if you opt in)
- Monitor app stability through crash reporting and analytics
- Protect your account through security monitoring
- Improve the app and fix bugs
We do not use your data for:
- Advertising or ad targeting
- Selling to third parties
- Automated decision-making that produces legal effects concerning you
- Profiling for marketing purposes
8. Who We Share Your Data With
We do not sell your personal data to anyone. We share data with the following service providers, who process it on our behalf:
8.1 Google (Firebase)
- What: All app data including account information, health data, nutrition data, social data, photos, crash reports (linked to your user identifier), push notification tokens, and analytics events
- Why: Firebase is our backend infrastructure provider for data storage (Firestore), authentication, file storage (Firebase Storage), push notifications (Firebase Cloud Messaging), crash reporting (Firebase Crashlytics), and analytics (Firebase Analytics)
- Where: Data is stored on Google Cloud servers in the United States
- Analytics specifics: Firebase Analytics collects app usage events, feature interactions, security events, device information, and session metrics automatically. This data is used to improve app stability and identify bugs.
- Their privacy policy: https://firebase.google.com/support/privacy
8.2 Anthropic (AI Chatbot)
- What: When you use the ROVI chatbot, your messages and relevant health data (including your height, weight, goals, recent food logs, activity logs, step counts, and weekly progress) are sent to Anthropic's Claude AI service to generate responses
- Why: To provide personalised, context-aware health and nutrition guidance through the chatbot
- Where: Anthropic processes data in the United States
- Important: Anthropic does not use your messages to improve or train their AI models (per Anthropic's API Terms of Service). However, Anthropic may retain logs and usage analytics for a limited period. Your conversation content is processed and then deleted according to Anthropic's data retention policy. See https://www.anthropic.com/privacy for full details.
- Their privacy policy: https://www.anthropic.com/privacy
8.3 Anthropic Web Search (Automatic Restaurant Menu Lookup)
- What: When you mention a restaurant in the chatbot, ROVI may automatically search the web for that restaurant's menu using Anthropic's web search service. The search query includes the restaurant name and dish descriptions you mentioned.
- Data flow: Restaurant name and dish description are sent to Anthropic's web search, which returns menu results used by the AI to estimate nutrition.
- Your control: This search happens automatically when you use the chatbot and mention a restaurant. You can avoid triggering web searches by not mentioning specific restaurant names. You can also disable the chatbot feature entirely.
- Where: Processed by Anthropic in the United States
- Retention: Anthropic retains search queries according to their data retention policy. See https://www.anthropic.com/privacy for details.
8.4 Apple (Authentication)
- What: If you sign in with Apple, your email address and name are shared with Apple as part of the authentication flow
- Why: To verify your identity and create your account
- Their privacy policy: https://www.apple.com/legal/privacy/
8.5 Google (Authentication)
- What: If you sign in with Google, your email address, name, and profile photo are shared with Google as part of the authentication flow
- Why: To verify your identity and create your account
- Their privacy policy: https://policies.google.com/privacy
8.6 Open Food Facts (Food Database)
- What: When you search for foods or scan a barcode, the product name or barcode number is sent to Open Food Facts to retrieve nutritional information
- Why: To provide accurate calorie and macronutrient data for the foods you log
- Where: Open Food Facts servers (France and international mirrors)
- Data sent: Food product search queries and barcode numbers only — no personal information or account data is included in these requests
- Their privacy policy: https://world.openfoodfacts.org/privacy
8.7 CARTO (Map Tiles)
- What: When you view a GPS-tracked activity route on a map, map tile images are loaded from CARTO's servers. These requests include the geographic coordinates of the area being viewed.
- Why: To display maps for GPS-tracked activity routes
- Where: CARTO servers (international CDN)
- Your control: Map tiles are only loaded when you view a GPS-tracked activity. If you do not use GPS tracking, no map data is requested.
- Their privacy policy: https://carto.com/privacy
8.8 Apple and Google (Speech Recognition)
- What: When you use voice input features, your audio is processed by your device's speech recognition service — Apple Speech on iOS, or Google Speech Services on Android
- Why: To convert your voice into text for natural language commands
- Where: Audio may be processed on your device or on Apple's or Google's servers, depending on your device model and operating system version
- Your control: Voice input is entirely optional. You can use ROVI without ever enabling the microphone.
- Their privacy policies: https://www.apple.com/legal/privacy/ (Apple) and https://policies.google.com/privacy (Google)
8.9 Other Users (Social Features)
- What: If you participate in social features, other ROVI users may see your display name, profile photo, activity posts (including GPS route data if shared), step counts (on the leaderboard), and other content you choose to share
- Why: To enable the social and community features of the app
- Your control: You can control what is shared through your privacy settings within the app. You can hide specific activities, disable leaderboard participation, and control who can see your profile. Other users may screenshot or share content you post; ROVI is not responsible for how other users use content that is visible to them.
8.10 RevenueCat (Subscription Billing & Trial Management)
- What: Subscription state, entitlements, purchase history, trial status, anonymized device identifier.
- Why: To manage in-app subscriptions, deliver the 30-day free trial, and synchronise entitlements across your devices.
- Where: RevenueCat servers (United States). RevenueCat acts as our subscription processor; Apple handles the actual payment.
- Legal basis: Performance of contract — necessary to deliver the subscription you purchased.
- Transfer mechanism: Standard Contractual Clauses (SCCs) per RevenueCat's processor agreement.
- Retention: While your subscription is active and for the period RevenueCat retains under its own retention policy.
- Their privacy policy: revenuecat.com/privacy
8.11 Apple (TestFlight — Marketing Waitlist Only)
- What: If you submit the waitlist form on rovi-app.com and select iOS, your email address is sent to Apple via the App Store Connect API and added to our TestFlight External Testing group.
- Why: So Apple can email you a TestFlight invite to download the iOS beta build.
- Where: Apple servers (United States and Ireland)
- Legal basis: Your explicit consent (you choose to submit the waitlist form)
- Retention: Apple retains beta tester records according to its own policy until the tester is removed from the group or the beta cycle ends.
- Your control: You can request removal at any time by emailing 27@vinh.ly, or by leaving the beta from the TestFlight app on your iPhone.
- Their privacy policy: https://www.apple.com/legal/privacy/
(For Android waitlist signups, your email is added to a Firebase App Distribution tester group — Firebase is already covered in section 8.1.)
8.12 Resend (Marketing Waitlist Verification Emails Only)
- What: If you submit the waitlist form on rovi-app.com, your email address and the 6-digit verification code are sent to Resend Inc. to deliver the verification email to your inbox.
- Why: To prove email ownership before adding you to TestFlight or Firebase App Distribution, preventing fraudulent signups.
- Where: Resend servers in the European Union (Ireland — `eu-west-1` region)
- Legal basis: Your explicit consent (you choose to submit the waitlist form)
- Retention: Resend retains delivery metadata (timestamps, delivery status) for up to 30 days under their data retention policy. The email content itself is not retained beyond delivery.
- Their privacy policy: https://resend.com/legal/privacy-policy
8.13 Cloudflare (Bot-Protection Challenge — Marketing Waitlist Only)
- What: When you load the waitlist form on rovi-app.com, Cloudflare's Turnstile widget runs an invisible browser-fingerprinting check to confirm you are not an automated bot. Cloudflare processes browser characteristics, request headers, and a hashed IP for the duration of the challenge.
- Why: To stop bots from spamming the waitlist form with fake email addresses.
- Where: Cloudflare's global edge network (data may be processed in any of Cloudflare's data centres including the United States, Europe, and Asia)
- Legal basis: Our legitimate interest in protecting the service from automated abuse (UK GDPR Article 6(1)(f))
- Retention: Cloudflare retains challenge data according to its own retention policy (typically days, not months). No personal data crosses from Cloudflare back into our systems beyond a yes/no "is human" verdict.
- Their privacy policy: https://www.cloudflare.com/privacypolicy/
We may also share your data if required to do so by law, regulation, or legal process.
9. International Data Transfers
Your personal data is transferred to and processed in the United States by Google (Firebase) and Anthropic. The United States does not have an adequacy decision under UK GDPR.
To protect your data during these transfers, we rely on:
- Google: Standard Contractual Clauses (SCCs) as part of Google's Cloud Data Processing Addendum, combined with encryption of data at rest and in transit
- Anthropic: Standard Contractual Clauses (SCCs) as part of Anthropic's API Terms of Service
These mechanisms, combined with our encryption practices (see Section 12), provide a level of protection broadly equivalent to UK data protection law. We acknowledge that transfer to the United States involves some residual risk due to the absence of an adequacy decision, and we monitor developments in international data transfer law to ensure our safeguards remain appropriate.
10. How Long We Keep Your Data
We retain your personal data for as long as your account is active. Specifically:
| Data Type | Retention Period |
| --- | --- |
| Account and profile data | Until you delete your account |
| Health, fitness, and nutrition data | Until you delete your account |
| AI chatbot conversations | Deleted from our servers within 30 days of account deletion; Anthropic's retention of conversation logs depends on their data retention policy |
| Activity photos | Until you delete your account or the specific activity |
| Crash reports | Retained for 90 days by Google Firebase Crashlytics, after which they are automatically deleted. Reports are removed earlier if you delete your account. |
| Push notification logs | Deleted within 30 days of account deletion |
| Security event logs | Up to 90 days |
| Push notification tokens | Until you log out or delete your account |
| Backup copies | May persist for up to 30 additional days in automatic Google Cloud backups |
| Account deletion logs | Retained for up to 180 days for audit compliance, then automatically deleted |
| Community barcode scan cache | Retained indefinitely; contains only product data, no personal information |
| Analytics event data | Retained for 14 months in accordance with Firebase Analytics default settings, after which individual event data is automatically deleted |
| Aggregated analytics | Retained indefinitely in aggregated, non-identifiable form that cannot be linked back to you |
After account deletion: Within 30 days of account deletion, all personal data is removed from ROVI's primary databases through an automated process that removes data from all Firebase collections associated with your account. Google Cloud maintains automatic infrastructure backups which may persist for up to an additional 30 days before being purged. Aggregated usage statistics that cannot be linked to any individual may be retained indefinitely.
11. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: You can request a copy of all personal data we hold about you. You can export your data directly from the app via Settings > Privacy & Data > Export My Data.
- Right to rectification: You can correct any inaccurate data directly within the app, or contact us to request corrections.
- Right to erasure ("right to be forgotten"): You can delete your account and all associated data directly from the app via Settings > Account > Delete Account. This is immediate and irreversible.
- Right to restrict processing: You can request that we limit how we use your data.
- Right to data portability: You can export your data in a machine-readable format (JSON) via the app.
- Right to object: You can object to processing based on legitimate interests.
- Right to withdraw consent: You can withdraw consent at any time by disabling specific features, adjusting privacy settings, or deleting your account. For health data specifically, see Section 6.1.
In-app privacy controls: For your convenience, many privacy controls are available directly in the app: Settings > Privacy & Data for data export and health data consent; Settings > Account > Delete Account for permanent account deletion; Settings > Social > Privacy Settings to control activity visibility on the leaderboard and feed; and Settings > Notifications to manage push notification preferences.
To exercise any of these rights, you can use the in-app tools or contact us at support@rovi-app.com. We will respond to your request within one month, as required by UK GDPR. For complex requests, we may extend this by up to two additional months and will notify you of any extension.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
12. Data Security
We take the security of your personal data seriously. We implement the following measures:
- All data transmitted between the app and our servers is encrypted using TLS (Transport Layer Security)
- Data stored in Firebase is encrypted at rest using Google Cloud's default encryption
- Authentication credentials are managed by Firebase Authentication with industry-standard security practices
- Biometric authentication (Face ID, Touch ID, fingerprint) is available as an additional security layer
- Account lockout after repeated failed login attempts
- Suspicious activity detection and logging
- Push notification tokens are removed on logout
- All photos are stored in Firebase Storage with access controls that restrict access to authenticated users
Biometric data: Biometric authentication data (such as Face ID, Touch ID, or fingerprint templates) is processed entirely on your device using iOS and Android system APIs. Biometric templates are never sent to our servers or any external service. Only the success or failure result of authentication is recorded locally.
No system is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.
13. Cookies and Tracking
ROVI is a mobile application and does not use cookies. We use Firebase Analytics to collect basic usage data (such as security events, feature interactions, and app stability metrics). We do not use any advertising trackers, and we do not collect your device's Advertising Identifier (IDFA/GAID) for tracking purposes.
14. On-Device Processing
Some features of ROVI process data entirely on your device without sending it to any external service:
- Text recognition (OCR): Receipt scanning uses Google ML Kit's on-device text recognition. Your receipt images are processed locally and are never sent to any external server, including Google's servers. See https://policies.google.com/privacy for Google's ML Kit privacy practices.
- Image classification: Food detection uses on-device machine learning models provided by Google ML Kit. Images are processed on your device only.
- Health platform data: Data from Apple HealthKit or Google Health Connect is read locally on your device. Only summary data (such as daily step totals) is synced to our servers — raw health platform data is not transmitted.
- Biometric authentication: Face ID, Touch ID, and fingerprint data is processed entirely on your device. See Section 12 for details.
- Speech recognition: Voice input uses your device's built-in speech recognition service. Depending on your device and operating system version, audio may be processed on-device or sent to Apple (iOS) or Google (Android) for processing. See Section 8.8 for details.
15. Third-Party Links
ROVI may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing them with any personal data.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this document. If we make significant changes that affect how we process your personal data, we will notify you through the app.
We encourage you to review this Privacy Policy periodically.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: support@rovi-app.com
We aim to respond to all enquiries within one month. For complex requests, we may extend this period by up to two additional months and will inform you of any extension.