Privacy Policy
Last updated: May 2026
This privacy policy describes how NomNom ("we") collects, uses, shares and protects your personal data when you use our mobile application and our website trynomnom.com. We are committed to complying with the General Data Protection Regulation (GDPR) and the French Data Protection Act.
1. Data controller
The controller of your data is the publisher of NomNom, whose full details appear in the Legal Notice.
For any question regarding your personal data, you can contact us at: support@trynomnom.com.
2. Data we collect
We only collect data necessary to operate the service. No data is collected without your knowledge.
Account data
- Email address and password (stored hashed and salted — we never see it in clear text)
- Unique identifier (UUID v7) generated by our server
- Preferred language (fr / en)
- Dietary profile, optional: goals, restrictions, preferences (only if you choose to provide them)
- If you use "Sign in with Google": your Google email address and public name, transmitted by Google after your consent
Content you create
- Meal photographs you upload
- AI analysis results: nutritional score, estimated values (calories, protein, carbs, fat), positives, areas for improvement, tags (meal type, detected ingredients)
- Meal history, statistics, streaks, optional weight tracking
- Conversations with the AI coach (Premium Coach plan)
Subscription data
- Subscription status (free / Premium / Premium Coach), purchased product, period dates
- RevenueCat identifier, which is your internal UUID
- No payment card data is collected or stored by NomNom. Payments are handled exclusively by Apple App Store or Google Play.
Technical data
- Server logs: IP address, user-agent, timestamp, endpoint called — strictly necessary for security, debugging, and abuse prevention
- Session cookies (authentication, language preference) — no advertising or tracking cookies
3. Purposes and legal bases
Each processing activity is based on a legal ground compliant with Article 6 of the GDPR.
| Purpose | Data involved | Legal basis |
|---|---|---|
| Account creation and management | Email, hashed password, UUID, language | Performance of the contract |
| AI nutritional analysis of your photos | Photos, dietary profile | Performance of the contract |
| History, statistics, personalized insights | Analysis results, history | Performance of the contract |
| Conversational AI coach (Premium Coach) | Conversations, dietary context | Performance of the contract |
| Premium subscription management | Subscription status, RevenueCat identifier | Performance of the contract |
| Security, fraud and abuse prevention | Server logs, IP, user-agent | Legitimate interest |
| Responding to support requests | Email, content of the request | Legitimate interest |
| Compliance with legal obligations (accounting, authorities' requests) | Data as required | Legal obligation |
4. Sharing with third parties
We never sell your data. We share it only with the technical subprocessors strictly necessary to provide the service, listed below.
| Subprocessor | Role | Data transmitted | Location |
|---|---|---|---|
| Contabo GmbH | Application and database hosting | All account and usage data | Germany (EU) |
| OVHcloud | Photo storage (S3) | Meal photos | France (EU) |
| OVHcloud AI Endpoints | AI inference (vision + text) | Meal photos, history excerpts required for advice | France (EU) |
| Apple Distribution International Ltd | iOS distribution, in-app payments | Payment data (handled by Apple) | Ireland (EU) |
| Google Ireland Ltd | Android distribution, in-app payments | Payment data (handled by Google) | Ireland (EU) |
| RevenueCat, Inc. | Technical subscription management (entitlements) | UUID, purchase events, subscription status, device model, OS | United States |
| Google LLC (Sign-In) | Google authentication, if you use it | Google email, public name, OAuth token | United States |
| Google LLC (Google Fonts) | Web font delivery on the website | IP address, user-agent | United States |
5. Transfers outside the European Union
Most of our subprocessors are located in the European Union. Three providers are based in the United States:
- RevenueCat, Inc. for subscription entitlement management
- Google LLC if you use "Sign in with Google" (optional)
- Google LLC for serving Google Fonts on the website
These transfers are framed by the European Commission's Standard Contractual Clauses (decision 2021/914) and, where applicable, by these companies' certification under the EU-US Data Privacy Framework, in accordance with Articles 45 and 46 of the GDPR.
6. Retention periods
- Account data: kept as long as your account is active
- Photographs: kept until you manually delete them or delete your account. No copy is retained by our AI subprocessors: images are not used to retrain the models
- Analysis history: kept as long as your account is active
- Server logs: 30 days, then automatically deleted
- After account deletion: your personal data is erased within a maximum of 30 days. Technical logs containing your IP may persist until expiry of their 30-day retention period. Data retained for legal obligations (e.g. billing) is archived separately for the legally required duration
7. Security
We implement the following measures to protect your data:
- TLS 1.2+ encryption of all communications (HTTPS)
- Passwords hashed with a modern algorithm (bcrypt) and salted
- Authentication via short-lived JSON Web Tokens (JWT), with refresh token rotation
- Server access restricted by SSH key, logged
- Image storage bucket private, accessible only through signed URLs
- Regular database backups
In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you without undue delay, in accordance with Article 33 of the GDPR.
8. Minors' data
NomNom is reserved for users aged 16 or older. We do not knowingly collect data from minors under 16. If you become aware that a minor under 16 has provided us with data, please contact us at support@trynomnom.com and we will delete it promptly.
9. Third-party SDKs and absence of ad tracking
We aim to be transparent about the third-party libraries integrated into our applications.
Integrated in the mobile app
- RevenueCat: subscription management (see table above)
- Google Sign-In: Google authentication, only if you choose this option
- Local-only libraries (encrypted storage, image cache, local notifications, camera access) — no data is transmitted to any third party through these libraries
Not used
We do not use any of the following SDKs:
- No Firebase (no Analytics, no Crashlytics, no Cloud Messaging, no Performance)
- No Sentry, Bugsnag or other third-party crash reporting
- No Mixpanel, Amplitude, PostHog, Segment or other product analytics
- No Meta SDK, TikTok SDK, AppsFlyer, Adjust or other marketing / attribution SDK
- No remote push notifications (notifications are scheduled locally by the app)
Cookies on the website
The trynomnom.com website only uses strictly necessary cookies (session, language preference). No advertising or tracking cookies are set, and therefore no consent banner is required.
10. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access: obtain a copy of your personal data
- Right to rectification: correct inaccurate data
- Right to erasure ("right to be forgotten"): request deletion of your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to restriction of processing
- Right to object to processing based on legitimate interest
- Right to set instructions regarding what happens to your data after your death
You may exercise these rights:
- Directly in the app, from the "My account" screen (account deletion, profile editing)
- By email to support@trynomnom.com — we commit to respond within one month
For the detailed account deletion procedure and the list of data deleted or retained, see our dedicated page: Account Deletion.
If you consider that your rights have not been respected, you may lodge a complaint with the CNIL (French data protection authority): www.cnil.fr — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.
11. Automated decisions
The nutritional analysis of your photos relies on an artificial intelligence model. The results produced (score, advice, estimated nutritional values) are indicative and do not produce a legal effect concerning you. They do not constitute medical or dietary advice.
12. Changes to this policy
We may amend this policy to reflect changes in the service, regulation or our subprocessors. Any substantial change will be notified to you by email or via an in-app notification at least 30 days before it takes effect. The last update date appears at the top of this page.
13. Contact
For any question relating to this policy or to your personal data:
- Email: support@trynomnom.com
- Postal address: see Legal Notice