Last updated: 23 April 2026 · Version 2.1
Summary: Leileat processes your data to provide nutrition tracking services and personalised recommendations. Some data (weight, height, goals, foods consumed) qualifies as health data under Article 9 GDPR and is processed exclusively based on your explicit consent. We do not sell your data and do not use it for profiled advertising.
The data controller for the processing of personal data under EU Regulation 2016/679 (GDPR) and, for users resident in Switzerland, the Swiss Federal Act on Data Protection (FADP), is:
To exercise your rights, request clarification, or file complaints, you may write to privacy@leileat.com.
When providing the Service we collect and process the following categories of personal data:
The data listed in point 2.2 (weight, height, goals, calorie intake, nutritional composition of meals, etc.) may qualify as "health data" within the meaning of Art. 4(15) and Art. 9 GDPR.
Processing of such data is carried out exclusively on the basis of Your explicit consent (Art. 9(2)(a) GDPR), collected at first app launch and revocable at any time from the profile settings or by writing to privacy@leileat.com.
Such data is never used for behavioural marketing, advertising profiling, or shared with advertisers. Ads that may be shown in the free version are non-personalised and are not based on any health data of the user.
Leileat does not directly process payment data: this is handled exclusively by Apple and Google under their respective privacy policies.
| Purpose | Data categories | Legal basis |
|---|---|---|
| Service provision (registration, login, nutrition tracking) | 2.1, 2.4 | Contract performance — Art. 6(1)(b) GDPR |
| Personalisation of nutrition recommendations and health calculations | 2.2, 2.3 | Explicit consent — Art. 9(2)(a) GDPR |
| AI analysis of food photos | 2.4 (photos) | Contract performance + Consent — Art. 6(1)(b) and 9(2)(a) GDPR |
| Premium subscription management | 2.1, 2.6 | Contract performance — Art. 6(1)(b) GDPR |
| Security and fraud prevention | 2.5 | Legitimate interest — Art. 6(1)(f) GDPR |
| Error diagnostics and product improvement (aggregated) | 2.5 | Legitimate interest — Art. 6(1)(f) GDPR |
| Non-personalised ads (free version) | 2.5 (limited) | Legitimate interest — Art. 6(1)(f) GDPR |
| Personalised ads (if you provide consent) | 2.5 | Consent — Art. 6(1)(a) GDPR |
| Legal and tax obligations | 2.1, 2.6 | Legal obligation — Art. 6(1)(c) GDPR |
To provide the Service we rely on the following providers, appointed as processors under Art. 28 GDPR:
We use the following Firebase modules:
Data processed: account identifiers, user content, technical data. Primary servers: European Union, with possible transfers to the United States.
Privacy policy: policies.google.com/privacy
We use OpenAI APIs (multimodal AI model: vision + language) for food recognition from photos and for meal plan generation.
Data processed: food photos, query text. OpenAI states that it does not use API data to train its models and retains it for a maximum of 30 days for abuse monitoring purposes.
Privacy policy: openai.com/policies/privacy-policy
Non-EU transfers: United States, on the basis of the European Commission's Standard Contractual Clauses (SCC).
Management of in-app subscriptions and cross-device synchronisation of premium status. Does not process payment data.
Data processed: pseudonymous user ID, subscription status, purchase store.
Privacy policy: revenuecat.com/privacy
Advertising system integrated in the free version. Formats used:
By default, non-personalised ads are shown (not based on profiling). Personalised ads, based on an advertising identifier, are shown only if the user provides specific consent via the consent banner (Google User Messaging Platform) and the Apple App Tracking Transparency prompt.
The nutritional and health data entered in the App is never transmitted to Google nor used for advertising profiling. Premium plan users do not see any ads.
Network domains used by AdMob/Google Ads: googleads.g.doubleclick.net, pagead2.googlesyndication.com, googleadservices.com, doubleclick.net.
Privacy policy: policies.google.com/technologies/partner-sites
Optional authentication method. Apple may provide us with your name and a "private" relay email (@privaterelay.appleid.com) if you choose to mask it.
Privacy policy: apple.com/legal/privacy
Optional authentication method.
Privacy policy: policies.google.com/privacy
In-app purchases take place exclusively through the Apple and Google platforms, subject to their respective privacy policies.
Public database of nutritional information. Only text search queries are sent (e.g. "apple"). No personal data is shared.
Collaborative food product database, used for barcode lookup. No personal data is shared.
Privacy policy: world.openfoodfacts.org/privacy
EU → Switzerland transfer (location of the Controller): Switzerland is recognised by the European Commission as a third country with an adequate level of protection (Adequacy Decision 2000/518/EC, renewed in 2024). The transfer of personal data from the EU to Switzerland is therefore lawful under Art. 45 GDPR without the need for additional contractual clauses. For users resident in Switzerland, the Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023) applies directly — see the dedicated page /en/gdpr.
EU/CH → United States transfer: some providers (OpenAI, Google, RevenueCat, Apple) have their headquarters or infrastructure in the United States. Such transfers are made on the basis of:
| Category | Retention period |
|---|---|
| Account and profile data | For the entire duration of the account; deleted within 30 days of the deletion request |
| Historical nutrition data | For the entire duration of the account |
| Photos sent to the AI | Not retained on our servers after processing; OpenAI retains them for up to 30 days for abuse monitoring |
| Technical and diagnostic logs | Maximum 90 days |
| Tax data relating to purchases | 10 years (Art. 958f CO — Swiss Code of Obligations) |
| Encrypted backups | Up to 30 days after deletion of the original data |
Under Articles 15–22 GDPR you have the right to:
To exercise these rights, write to privacy@leileat.com. We will respond within 30 days, extendable by a further 60 days in complex cases.
The Service is not intended for persons under 16 years of age (Art. 8 GDPR). We do not knowingly collect personal data from minors.
If you are a parent or guardian and believe that a minor in your care has provided us with data, contact us at privacy@leileat.com: we will delete the data immediately.
The nutrition recommendations and meal plans generated by the app are based on AI-powered algorithms (our provider's multimodal AI model). Such processing produces estimates for informational purposes and does not constitute a diagnosis, medical treatment, or dietary prescription. The user always retains control over dietary decisions and may object to automated decisions under Art. 22 GDPR.
The mobile app does not use HTTP cookies in the traditional web sense. SDKs are used that may employ technical installation identifiers (Firebase Installation ID) and, subject to consent, advertising identifiers (IDFA/GAID).
For more details, see the Cookie Policy.
We may update this Privacy Policy to reflect regulatory, operational, or service changes. Changes will be published on this page with the date of the last update. For material changes we will inform you via in-app notification or email.