Privacy Policy
Effective Date: February 1, 2026
At nom, we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("App") and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.
1. Information We Collect
We collect information that you provide directly to us, information generated through your use of the Service, and information from third-party sources.
1.1 Account Information
When you create an account using Apple Sign In or Google Sign-In through Firebase Authentication, we collect:
- Your name and profile photo (if you choose to share them with us)
- Email address (including Apple's private relay email address, if applicable)
- Unique Apple or Google user identifier
- Firebase user identifier (UID)
- Authentication tokens needed to maintain your session
1.2 User-Generated Content
- Recipes: AI-generated and manually created recipes, including titles, ingredients, cooking instructions, serving sizes, preparation times, and recipe photos
- Meal Logs: Food diary entries tracking your meals and snacks, including nutritional information (calories, macronutrients, vitamins, minerals)
- Photos and Images: Food photos, pantry items, meal photos, and images you upload or capture using your device camera
- Grocery Lists: Shopping list items, quantities, and categories
- Dietary Preferences: Dietary restrictions (vegetarian, vegan, gluten-free, etc.), allergies, cuisine preferences, health and fitness goals
- AI Chat History: Conversations with our AI chef assistant, including your questions, requests, and the AI's responses (including text transcripts of voice conversations)
- Voice Interactions: Audio you provide when using voice features, which is streamed to generate responses and transcriptions. We store the resulting transcripts and chat messages, not raw audio recordings
1.3 Social Interactions and Public Content
- Posts, comments, and replies on shared recipes
- Likes and reactions to content
- Social connections (followers and users you follow)
- Profile information you choose to make public
- Content moderation reports and safety-related actions
1.4 Automatically Collected Information
- Usage Data: App interactions, features used, screens viewed, session duration, and frequency of use
- Device Information: Device model, operating system version, app version, device identifiers, mobile network information
- Performance Data: Crash reports, error logs, performance metrics, and diagnostic information
- Log Data: Timestamps, API requests, response times, and technical logs
- Analytics Identifiers: App instance identifiers and related event data used to understand feature usage and improve the Service. We do not collect advertising identifiers
1.5 Information We Do NOT Collect
We do not collect:
- Precise geolocation data (GPS coordinates)
- Biometric data (Face ID, fingerprints) - these remain on your device for authentication
- Contacts or address book information
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 To Provide and Improve the Service
- Create and manage your account
- Generate AI-powered recipes based on your requests
- Track your meals and calculate nutritional information
- Match recipe ingredients to our nutrition database
- Store and organize your recipes, meal logs, and grocery lists
- Process and analyze food photos you upload
- Enable voice interactions and transcribe your voice input
- Enable recipe discovery and search functionality
2.2 To Personalize Your Experience
- Recommend recipes based on your preferences, dietary restrictions, and history
- Customize the AI chat responses to your cooking style and needs
- Suggest meals and ingredients based on your past activity
- Show relevant content in your Explore feed
2.3 To Improve Our AI and Algorithms
- Internal Model Training: We use anonymized and aggregated user data to improve our internal systems, including nutrition matching (food database embeddings), recipe recommendations, and prompt engineering for better AI-generated recipes
- Quality Improvement: Analyze recipe generation quality and user satisfaction
- Important: We use OpenAI to process chat, images, and voice interactions to generate responses. We do not permit OpenAI to use your data to train their models. OpenAI may retain data for a limited period for abuse monitoring, consistent with their policies
2.4 To Enable Social Features
- Allow you to share recipes publicly or with followers
- Enable following, commenting, and liking functionality
- Display your public profile and posts to other users
- Facilitate connections within the nom community
2.5 To Communicate with You
- Send important service updates and announcements
- Provide customer support and respond to your inquiries
- Send push notifications about activity on your account (if enabled)
- Notify you about new features or changes to our Service
2.6 To Ensure Safety and Security
- Moderate user-generated content and enforce community guidelines
- Detect and prevent spam, abuse, and fraudulent activity
- Investigate and address violations of our Terms of Service
- Protect the rights and safety of our users
2.7 To Analyze and Improve Performance
- Monitor app performance and identify technical issues
- Debug errors and crashes
- Understand how users interact with features
- Conduct internal research and analytics to improve the Service
2.8 Data Usage
- We do not display advertisements, and we do not sell or share your data for advertising purposes
2.9 Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, our legal basis for collecting and using your information depends on the specific data and context:
- Contract: Processing necessary to provide the Service you've requested (account creation, recipe generation, meal tracking)
- Legitimate Interest: Improving our Service, ensuring security, and personalizing your experience
- Consent: When required by law, such as for marketing communications or certain data sharing practices (you can withdraw consent at any time)
- Legal Obligation: When required to comply with legal obligations
3. How We Share Your Information
We share your information in the following circumstances:
3.1 Third-Party Service Providers
We work with trusted third-party service providers who help us operate and improve the Service. These providers have access to your information only to perform specific tasks on our behalf and are obligated to protect your information:
AI and Machine Learning Services
- OpenAI: We share your chat conversations, recipe requests, food photos, and voice interactions with OpenAI to generate responses, analyze images, and transcribe audio. OpenAI does not use your data to train their models and may retain data for a limited period for abuse monitoring, consistent with their policies. See OpenAI's Privacy Policy
- Luma AI: We may send recipe descriptions to Luma AI to generate AI-created recipe images
Infrastructure and Hosting
- Google Cloud Platform (GCP): We use GCP for cloud storage (recipe photos, user images), database hosting (PostgreSQL), backend services (Cloud Run), and server logs. Google may access your data as necessary to provide infrastructure services. See Google Cloud Privacy Notice
- Firebase (Google): We use Firebase Authentication for sign-in, Firebase Analytics for usage analytics, and Firebase Crashlytics for crash reporting. Firebase processes identifiers and event data needed to provide these services. See Firebase Privacy and Security
Authentication Providers
- Apple: If you use Apple Sign In, Apple processes your sign-in data under their privacy policy
- Google: If you use Google Sign-In, Google processes your sign-in data under their privacy policy
3.2 Public Content and Social Features
When you use our social features, certain information becomes public or visible to other users:
- Public Recipes: Recipes you share publicly can be viewed, saved, and commented on by all nom users
- Profile Information: Your display name, profile photo, and bio (if provided) are visible to other users
- Social Interactions: Your comments, likes, and posts are visible to users who can see the associated content
- Follower Lists: Your followers and the users you follow may be visible to other users
Important: Once you share content publicly, other users may save, screenshot, or share it outside of nom. Think carefully before sharing personal or sensitive information publicly.
3.3 Legal Requirements and Safety
We may disclose your information if required to do so by law or if we believe such action is necessary to:
- Comply with legal obligations, court orders, or government requests
- Enforce our Terms of Service and other agreements
- Protect the rights, property, or safety of nom, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Respond to claims of illegal content or violations of third-party rights
3.4 Business Transfers
If nom is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the app before your information becomes subject to a different privacy policy.
3.5 With Your Consent
We may share your information for other purposes with your explicit consent.
3.6 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. For example, we might share statistics about recipe popularity or aggregate nutrition trends.
3.7 We Do Not Sell Your Personal Information
We do not sell your personal information to third parties. We do not share your personal information with third parties for their own marketing purposes. We do not currently display targeted advertising, and we have no plans to do so.
4. Data Security
We take the security of your personal information seriously and implement technical, administrative, and physical safeguards to protect your data:
4.1 Security Measures
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols
- Encryption at Rest: Sensitive data stored in our databases and cloud storage is encrypted
- Authentication: Secure authentication via Firebase Authentication with Apple Sign In or Google Sign-In
- Access Controls: Strict access controls limit employee and contractor access to personal information on a need-to-know basis
- Cloud Security: We leverage Google Cloud Platform's enterprise-grade security infrastructure
- Regular Security Updates: We keep our systems updated with the latest security patches
- Monitoring: We monitor our systems for potential security vulnerabilities and unauthorized access
4.2 Limitations of Security
While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and device security.
4.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email or in-app notification within a reasonable timeframe
- Provide information about what data was affected and steps you can take to protect yourself
- Notify appropriate regulatory authorities as required by law
- Take immediate steps to remediate the breach and prevent future occurrences
5. Your Privacy Rights and Choices
Depending on your location, you have certain rights regarding your personal information. This section describes your rights and how to exercise them.
5.1 Rights Available to All Users
- Access: Request a copy of the personal information we hold about you
- Correction: Update or correct inaccurate or incomplete information in your account settings or by contacting us
- Deletion: Request deletion of your account and associated personal data (some data may be retained as described in Section 6)
- Data Portability: Request a copy of your data in a portable, machine-readable format (JSON)
- Opt-Out of Communications: Unsubscribe from marketing emails or disable push notifications in your device settings
5.2 Additional Rights for GDPR Users (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict Processing: Request restriction of processing in certain circumstances
- Right to Withdraw Consent: Withdraw consent for processing based on consent (without affecting prior processing)
- Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe we have violated your privacy rights
5.3 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information (with certain exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (note: we do not sell or share your personal information)
- Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information (health/nutrition data) to purposes necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
5.4 Additional Rights for Other U.S. State Residents
Residents of Virginia, Colorado, Connecticut, Utah, Montana, Oregon, Texas, Indiana, Kentucky, and Rhode Island have similar rights under their respective state privacy laws, including rights to access, correct, delete, and opt out of certain data processing.
5.5 Control Over AI Training
If you do not want your data used to improve our internal AI systems (nutrition matching, recipe recommendations), you can opt out by contacting us at support@nom-ai.app. Note that this will not affect the core functionality of the app (recipe generation, meal tracking), but may result in less personalized recommendations.
5.6 How to Exercise Your Rights
To exercise any of these rights, please contact us at support@nom-ai.app with:
- Your name and email address associated with your account
- A description of your request
- Verification information (we may ask you to verify your identity before processing your request)
We will respond to your request within the timeframe required by applicable law (typically 30-45 days). There is no fee for reasonable requests, but we may charge a fee for excessive, repetitive, or manifestly unfounded requests.
You may also designate an authorized agent to make requests on your behalf. The authorized agent must provide proof of authorization.
6. Data Retention
We retain your personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
6.1 Retention While Your Account is Active
While your account is active, we retain:
- Account Information: Retained for the lifetime of your account
- Recipes and Meal Logs: Retained until you delete them or close your account
- Chat History: Retained until you delete conversations or close your account
- Photos: Retained in cloud storage until you delete them or close your account
- Usage and Log Data: Typically retained for 12-24 months for analytics and debugging
6.2 Retention After Account Deletion
When you delete your account:
- Personal Information: Deleted from active systems within 30 days
- Backups: May persist in backup systems for up to 90 days before permanent deletion
- Public Content: Recipes you shared publicly may remain visible to users who saved them, but will be disassociated from your account and marked as from a "deleted user"
- Anonymized Data: We may retain anonymized, aggregated data that cannot identify you for analytics and research purposes
- Legal Retention: We may retain certain information if required by law or for legitimate business purposes (e.g., to resolve disputes, enforce agreements, comply with legal obligations)
6.3 Third-Party Retention
Data shared with third-party service providers (like OpenAI) is subject to their retention policies:
- OpenAI: Retains API data (chat conversations, images, voice interactions) for a limited period for abuse monitoring, consistent with their policies
- Google Cloud Platform: Data stored in GCP is deleted when we delete it, subject to their backup and retention policies
- Firebase: Analytics and crash data are retained based on Firebase configuration and policies
7. Children's Privacy (COPPA Compliance)
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13.
7.1 Age Restriction
You must be at least 13 years old to use nom. If you are under 18, you should review this Privacy Policy with your parent or guardian.
7.2 No Intentional Collection from Children
We do not knowingly collect, use, or disclose personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without proper parental consent, we will take steps to delete that information as quickly as possible.
7.3 Parental Rights
If you are a parent or guardian and believe that your child under 13 has provided personal information to us, please contact us immediately at support@nom-ai.app. We will:
- Verify the request and your parental relationship
- Provide you with information about what data we collected (if any)
- Delete the child's account and all associated personal information promptly
7.4 Additional Protections for Minors (13-17)
While users aged 13-17 may use the Service, we encourage parents and guardians to supervise their use. Minors should be cautious about sharing personal information publicly through social features.
8. International Data Transfers
nom is operated in the United States, and our servers and service providers are primarily located in the United States.
8.1 Cross-Border Data Transfers
If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country.
8.2 European Economic Area, UK, and Switzerland
For users in the EEA, UK, or Switzerland, we rely on the following legal mechanisms for international data transfers:
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with our service providers to ensure adequate protection of your data
- Adequacy Decisions: We may transfer data to countries deemed to provide adequate protection by the European Commission
- Necessary for Contract Performance: Some transfers are necessary to provide the Service you requested
8.3 Data Protection Officer
We do not currently have a dedicated EU representative or Data Protection Officer. For questions about data transfers or privacy concerns, please contact us at support@nom-ai.app.
8.4 Your Consent
By using the Service, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
9. Cookies and Tracking Technologies
The nom mobile app does not use traditional web cookies. However, we do use similar technologies to collect information and improve your experience:
9.1 Mobile App Technologies
- Local Storage: We store preferences, session data, and cached content on your device using AsyncStorage (React Native) to improve app performance and maintain your session
- Device Identifiers: We may collect device identifiers such as app instance IDs for analytics and service provision purposes. We do not collect advertising identifiers
- Authentication Tokens: We use JWT tokens stored securely on your device to maintain your logged-in session
9.2 Analytics and Performance
We use internal logging as well as Firebase Analytics and Firebase Crashlytics to monitor app performance, track errors, and understand usage patterns. We do not use ad networks or third-party tracking for targeted advertising, and we do not collect advertising identifiers.
9.3 Your Choices
You can control certain tracking by:
- Limiting ad tracking in your iOS device settings (Settings > Privacy > Tracking)
- Disabling push notifications in your device settings
- Clearing app data or uninstalling the app (this will delete all locally stored information)
10. Automated Decision-Making and AI
10.1 AI-Powered Features
nom uses artificial intelligence and automated systems for the following purposes:
- Recipe Generation: AI generates recipes based on your prompts and preferences
- Nutrition Matching: Automated algorithms match recipe ingredients to our nutrition database using semantic similarity
- Photo Analysis: AI analyzes food photos to identify ingredients and suggest recipes
- Content Recommendations: Automated systems suggest recipes based on your preferences and history
- Content Moderation: Automated tools may flag potentially inappropriate content for human review
10.2 Human Oversight
We do not make solely automated decisions that have significant legal or similarly significant effects on you. Important decisions involving content moderation or account suspension include human review.
10.3 Your Right to Object
If you are in the EEA or UK, you have the right to object to automated decision-making. You can contact us to request human review of any automated decision.
11. Third-Party Links and Services
The Service may contain links to third-party websites, services, or content (for example, recipe URLs you import, Instagram links, or external websites).
We are not responsible for the privacy practices of these third-party services. This Privacy Policy applies only to information collected by nom. We encourage you to read the privacy policies of any third-party services you visit.
12. Health Information and HIPAA
nom is NOT a HIPAA-covered entity. The nutrition and meal tracking information you provide is not subject to the Health Insurance Portability and Accountability Act (HIPAA).
While we treat your health-related information (nutrition logs, dietary preferences, health goals) as sensitive personal information and protect it accordingly, nom is a wellness and recipe app, not a medical service. The Service is not intended to diagnose, treat, cure, or prevent any disease.
If you have medical conditions or dietary restrictions, please consult with a qualified healthcare provider before making dietary changes.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 How We Notify You
When we make changes, we will:
- Update the "Effective Date" at the top of this policy
- Post the updated policy on our website and in the app
- For material changes, provide prominent notice in the app or via email
13.2 Your Acceptance
Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, please stop using the Service and delete your account.
13.3 Prior Versions
You can request previous versions of this Privacy Policy by contacting us at support@nom-ai.app.
14. California Privacy Rights (CCPA/CPRA)
This section provides additional information for California residents as required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
14.1 Categories of Personal Information We Collect
In the past 12 months, we have collected the following categories of personal information (as defined by CCPA):
- Identifiers: Name, email address, unique Apple or Google ID, Firebase UID, device identifiers
- Customer Records: Account information, authentication data
- Commercial Information: Saved recipes, grocery lists
- Internet/Network Activity: App usage data, browsing behavior within the app, log files, device information
- Geolocation Data: None - we do not collect precise geolocation
- Audio/Visual Information: Food photos, recipe images you upload, and voice interactions if you use voice features
- Sensitive Personal Information: Health and nutrition data (meal logs, dietary restrictions, nutritional intake), account credentials (authentication tokens)
14.2 Sources of Personal Information
We collect personal information from the following sources:
- Directly from you (account creation, recipe creation, meal logging, chat conversations)
- Automatically through your use of the Service (usage data, device information)
- From third-party authentication providers (Apple Sign In or Google Sign-In via Firebase Authentication)
14.3 Business/Commercial Purposes for Collection
We use personal information for the following business and commercial purposes:
- Providing and maintaining the Service
- Personalizing your experience and recommendations
- Improving our AI algorithms and features
- Enabling social features and user interactions
- Communicating with you about the Service
- Ensuring safety, security, and integrity
- Debugging and technical support
- Internal research and analytics
14.4 Categories of Third Parties We Share With
We share personal information with the following categories of third parties:
- AI and machine learning service providers (OpenAI, Luma AI)
- Cloud infrastructure providers (Google Cloud Platform, Firebase)
- Authentication providers (Apple, Google)
- Other users (for public content you choose to share)
14.5 Sale and Sharing of Personal Information
We do not "sell" or "share" your personal information as those terms are defined under CCPA. We do not:
- Sell personal information to third parties for monetary consideration
- Share personal information with third parties for cross-context behavioral advertising
- Use your personal information for targeted advertising
14.6 Retention Period
We retain each category of personal information as described in Section 6 (Data Retention).
14.7 Sensitive Personal Information
We collect and use sensitive personal information (health/nutrition data, account credentials) only for purposes permitted by CCPA, specifically to provide the Service you requested. We do not use or disclose sensitive personal information for purposes of inferring characteristics about you.
14.8 How to Exercise Your California Rights
California residents can exercise their rights by:
- Emailing us at support@nom-ai.app
- Including "California Privacy Request" in the subject line
- Providing your name, email address, and description of your request
We will respond within 45 days. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.
14.9 Shine the Light Law
California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
14.10 Do Not Track Signals
We do not currently respond to "Do Not Track" (DNT) signals from web browsers, as we are a mobile-first application. However, we do not track users across third-party websites or apps.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@nom-ai.app
Subject Line for Privacy Requests: "Privacy Request" or "California Privacy Request" (for California residents)
We will respond to your inquiry within a reasonable timeframe, typically within 30-45 days depending on the nature of your request and applicable law.
16. Effective Date and Updates
Current Effective Date: February 1, 2026
Last Updated: February 1, 2026
This Privacy Policy was last updated on the date listed above. Please check back periodically for updates.
Summary: nom collects personal information to provide AI-powered recipe generation, meal tracking, voice features, and social features. We share data with AI providers (OpenAI, Luma AI), Firebase services (auth, analytics, crash reporting), and cloud infrastructure (Google Cloud Platform) to deliver the Service. We do not sell your data or use it for advertising. You have rights to access, correct, delete, and export your data. For questions, contact support@nom-ai.app.