GUSTO

Privacy Policy · Gusto

Last updated: 13 May 2026 Data Controller: Gusto (Ben — contact: privacy@swipegusto.com) Document version: 1.0 (V1 launch draft) Italian version: Versione italiana


1. Who we are and why this policy exists

Gusto is an iOS app that helps you build a personalized weekly diet based on tastes, goals, and context. To provide this service we process some personal data. This policy, drafted in accordance with EU Regulation 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 ("Privacy Code"), explains what data we collect, why, for how long we keep it, and what rights you can exercise.

This policy applies to the Gusto iOS app and to the website swipegusto.com.

2. Categories of data we process

2.1 Data you provide

Data Collected when Purpose
Email address Account registration (Sign in with Apple) Authentication, service communications
Display name Onboarding UI personalization
Anthropometric data (weight, height, age, sex, activity level, estimated body-fat %, lean mass, BMR, TDEE) Onboarding and periodic updates Caloric needs computation, diet plan generation
Goal (lose/maintain/gain weight) Onboarding Caloric target adjustment
Food preferences (eating style, allergies, intolerances, disliked ingredients, max cooking time, servings, snack slots) Onboarding and Preferences edits Dish filtering, personalized ranking
Declared health conditions (e.g. diabetes, hypertension, hypercholesterolemia) Optional, from Preferences Food safety filters
Body photos for body composition estimation Onboarding and re-estimation every 56 days (optional) Estimation of body fat % and lean mass
Off-plan ("sgarro") records described via voice or text When you record an off-plan event Caloric/macro estimation and plan adaptation
Fridge photos When you use "analyze fridge" Dish suggestions based on available ingredients
Dish feedback (like/dislike, pairings, substitutions, skips) App usage Learning your preferences
Shopping list, pinned dishes, pantry App usage Core features

2.2 Data collected automatically

Data Source Purpose
Meal consumption events (eaten/substituted/skipped/sgarro) "Today" tab Adherence tracking, plan recomputation
Daily hydration (ml of water) Hydration card Hydration tracking
Weight (periodic read) Apple Health (HealthKit, with your consent) Weekly TDEE adaptation
Calories consumed / water written to HealthKit HealthKit write audit log Traceability for diagnostics and GDPR
Subscriptions and free trials StoreKit / App Store PRO delivery
Impressions and clicks on sponsored content Sponsored cards Advertiser reporting

2.3 Special categories (Art. 9 GDPR)

Data relating to weight, body composition, eating habits and declared health conditions may qualify as health data and therefore as special categories under Art. 9 GDPR. We process this data only on the basis of your explicit consent (Art. 9.2(a) GDPR), which we request during onboarding for each sensitive category. You can withdraw it at any time from "Profile → Settings → Privacy" or by deleting your account.

3. Body photos · how they really work

Body photos taken during onboarding or for re-estimation receive special, privacy-by-design treatment:

  1. The photo stays on your device. It is saved inside the Gusto sandbox (Documents/body-photos/) and never uploaded to any storage server of ours.
  2. Ephemeral transmission for analysis only. The photo is sent, in base64 format, once, to a serverless function (Supabase Edge Function analyze-body) hosted in the EU (eu-west-1). The function passes it to the vision model (Anthropic Claude Sonnet) to estimate body composition.
  3. No server-side persistence. Our function does not write the photo to Storage, does not log it, does not archive it. Anthropic does not use the input for training their models (see DPA with Anthropic, Art. 6.1).
  4. We only save the numbers. The body_estimation_events table contains only numeric results (body-fat %, lean mass, weight at the time of estimation, optional textual notes from the model). Never the photo, never a photo hash, never a storage path.
  5. You control deletion. You can remove photos from the Gusto sandbox via "Profile → Storage → Remove local photos", or by uninstalling the app.

If in the future we decided to introduce cloud storage of photos (currently excluded), we would notify you with a separate explicit consent before enabling it on your account.

4. Purposes and legal bases

Purpose Legal basis Data category
Authentication and account management Performance of a contract (Art. 6.1(b) GDPR) Email, identifiers
Personalized diet plan generation Explicit consent (Art. 9.2(a)) for health data + Contract (Art. 6.1(b)) Anthropometrics, health conditions, preferences
Body photo vision analysis Explicit consent (Art. 9.2(a)) Photo (in-transit only) and numeric results
Cross-user taste learning (matrix factorization, archetype clustering) Legitimate interest (Art. 6.1(f)) balanced with anonymization on deletion Feedback, impressions, consumption events (anonymized post-delete)
PRO subscription delivery Performance of a contract Subscription events
Contextual advertising (free users) Consent (cookies/IDFA) + Legitimate interest for aggregate impressions Impressions, clicks
Security, anti-fraud, diagnostics Legitimate interest Technical logs
Legal compliance Legal obligation (Art. 6.1(c)) Billing (handled by Apple for IAP)

You have the right to object to processing based on legitimate interest: write to privacy@swipegusto.com.

5. Retention periods

Category Retention
Active account (profile, plans, pantry) For the lifetime of the account
Behavioral events (feedback, impressions, consumption, sgarro) 24 months while account is active; upon deletion, they are anonymized (field user_id → NULL) and retained for model training, with no further link to your identity
Body estimation events 36 months from the date of measurement
HealthKit write logs 12 months (security audit)
Subscription events 10 years (accounting and tax obligations)
Body photos (on device) Until you delete them, or until you uninstall the app
Technical diagnostic logs 30 rolling days

Anonymization follows the anonymize_on_delete trigger (see tables meal_consumed_events, sgarro_events, feedback_events, impressions, duel_responses). The user_id is set to NULL, and the record loses any ability to be re-identified.

6. Who we share data with

To deliver the service, we rely on the following providers (data processors under Art. 28 GDPR):

Provider Service Location Extra-EU transfer
Supabase, Inc. PostgreSQL database, authentication, Edge Functions, Storage EU (eu-west-1) No
Anthropic, PBC AI inference (vision, plan generation, sgarro analysis) USA Yes, covered by EU Standard Contractual Clauses (SCCs) 2021/914 and Anthropic DPA
Apple Inc. Authentication (Sign in with Apple), HealthKit, IAP/StoreKit, push notifications (APNs) Global Yes, covered by Apple SCCs and DPA
GitHub, Inc. (Microsoft) Hosting of legal pages, CI/CD USA Yes, covered by SCCs
Google Ireland Ltd. (AdMob) Contextual advertising (free users only) EU/USA Yes, covered by SCCs

We do not sell your data to third parties. We do not share your identifying personal data with advertisers. AdMob receives only pseudonymous identifiers (IDFA, if granted) and generic context.

7. Extra-EU transfers

When data is transferred outside the EU (e.g. AI inference to Anthropic USA), the transfer is covered by Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, where applicable, by supplementary measures (e.g. encryption in transit, DPAs, data minimization).

8. Your rights

Under Articles 15–22 GDPR you can exercise at any time:

Right Meaning How to exercise it
Access (Art. 15) Know what data we hold and get a copy Profile → Export my data (JSON) or email privacy@swipegusto.com
Rectification (Art. 16) Correct inaccurate data Directly in the app from "Preferences"
Erasure (Art. 17) "Right to be forgotten" Profile → Delete account (hard delete on L1 data, anonymization on L2 data)
Restriction (Art. 18) Suspend processing Email privacy@swipegusto.com
Portability (Art. 20) Receive data in a structured, reusable format Profile → Export my data (JSON)
Object (Art. 21) Object to processing based on legitimate interest Email privacy@swipegusto.com
Withdraw consent For consent-based processing Profile → Privacy or account deletion
Complain to the Supervisory Authority Italian Data Protection Authority garanteprivacy.it

We reply within 30 days (extendable up to 90 in complex cases, with notice).

9. Security

We adopt appropriate technical and organizational measures (Art. 32 GDPR):

In the event of a data breach posing a risk to your rights, we will notify you without undue delay (Art. 34 GDPR) and inform the Authority within 72 hours (Art. 33 GDPR).

10. Minors

Gusto is not intended for users under 16 years of age. We do not knowingly collect data from minors. If you become aware that a minor under 16 has registered an account, write to privacy@swipegusto.com and we will delete it.

11. Cookies and similar technologies (app)

The app does not use cookies. For free users, AdMob may use Apple's advertising identifier (IDFA) only if you grant consent via the ATT prompt (App Tracking Transparency). If you do not grant it, you will see non-personalized advertising.

12. Changes to this policy

When we update this policy, we change the "Last updated" date at the top. For substantial changes, we will notify you in-app before they take effect. Previous versions are archived in GitHub gusto-website history.

13. Contact