Privacy Policy · Gusto
Last updated: 13 May 2026 Data Controller: Gusto (Ben — contact: privacy@swipegusto.com) Document version: 1.0 (V1 launch draft) Italian version: Versione italiana
1. Who we are and why this policy exists
Gusto is an iOS app that helps you build a personalized weekly diet based on tastes, goals, and context. To provide this service we process some personal data. This policy, drafted in accordance with EU Regulation 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 ("Privacy Code"), explains what data we collect, why, for how long we keep it, and what rights you can exercise.
This policy applies to the Gusto iOS app and to the website swipegusto.com.
2. Categories of data we process
2.1 Data you provide
| Data | Collected when | Purpose |
|---|---|---|
| Email address | Account registration (Sign in with Apple) | Authentication, service communications |
| Display name | Onboarding | UI personalization |
| Anthropometric data (weight, height, age, sex, activity level, estimated body-fat %, lean mass, BMR, TDEE) | Onboarding and periodic updates | Caloric needs computation, diet plan generation |
| Goal (lose/maintain/gain weight) | Onboarding | Caloric target adjustment |
| Food preferences (eating style, allergies, intolerances, disliked ingredients, max cooking time, servings, snack slots) | Onboarding and Preferences edits | Dish filtering, personalized ranking |
| Declared health conditions (e.g. diabetes, hypertension, hypercholesterolemia) | Optional, from Preferences | Food safety filters |
| Body photos for body composition estimation | Onboarding and re-estimation every 56 days (optional) | Estimation of body fat % and lean mass |
| Off-plan ("sgarro") records described via voice or text | When you record an off-plan event | Caloric/macro estimation and plan adaptation |
| Fridge photos | When you use "analyze fridge" | Dish suggestions based on available ingredients |
| Dish feedback (like/dislike, pairings, substitutions, skips) | App usage | Learning your preferences |
| Shopping list, pinned dishes, pantry | App usage | Core features |
2.2 Data collected automatically
| Data | Source | Purpose |
|---|---|---|
| Meal consumption events (eaten/substituted/skipped/sgarro) | "Today" tab | Adherence tracking, plan recomputation |
| Daily hydration (ml of water) | Hydration card | Hydration tracking |
| Weight (periodic read) | Apple Health (HealthKit, with your consent) | Weekly TDEE adaptation |
| Calories consumed / water written to HealthKit | HealthKit write audit log | Traceability for diagnostics and GDPR |
| Subscriptions and free trials | StoreKit / App Store | PRO delivery |
| Impressions and clicks on sponsored content | Sponsored cards | Advertiser reporting |
2.3 Special categories (Art. 9 GDPR)
Data relating to weight, body composition, eating habits and declared health conditions may qualify as health data and therefore as special categories under Art. 9 GDPR. We process this data only on the basis of your explicit consent (Art. 9.2(a) GDPR), which we request during onboarding for each sensitive category. You can withdraw it at any time from "Profile → Settings → Privacy" or by deleting your account.
3. Body photos · how they really work
Body photos taken during onboarding or for re-estimation receive special, privacy-by-design treatment:
- The photo stays on your device. It is saved inside the Gusto sandbox (
Documents/body-photos/) and never uploaded to any storage server of ours. - Ephemeral transmission for analysis only. The photo is sent, in base64 format, once, to a serverless function (Supabase Edge Function
analyze-body) hosted in the EU (eu-west-1). The function passes it to the vision model (Anthropic Claude Sonnet) to estimate body composition. - No server-side persistence. Our function does not write the photo to Storage, does not log it, does not archive it. Anthropic does not use the input for training their models (see DPA with Anthropic, Art. 6.1).
- We only save the numbers. The
body_estimation_eventstable contains only numeric results (body-fat %, lean mass, weight at the time of estimation, optional textual notes from the model). Never the photo, never a photo hash, never a storage path. - You control deletion. You can remove photos from the Gusto sandbox via "Profile → Storage → Remove local photos", or by uninstalling the app.
If in the future we decided to introduce cloud storage of photos (currently excluded), we would notify you with a separate explicit consent before enabling it on your account.
4. Purposes and legal bases
| Purpose | Legal basis | Data category |
|---|---|---|
| Authentication and account management | Performance of a contract (Art. 6.1(b) GDPR) | Email, identifiers |
| Personalized diet plan generation | Explicit consent (Art. 9.2(a)) for health data + Contract (Art. 6.1(b)) | Anthropometrics, health conditions, preferences |
| Body photo vision analysis | Explicit consent (Art. 9.2(a)) | Photo (in-transit only) and numeric results |
| Cross-user taste learning (matrix factorization, archetype clustering) | Legitimate interest (Art. 6.1(f)) balanced with anonymization on deletion | Feedback, impressions, consumption events (anonymized post-delete) |
| PRO subscription delivery | Performance of a contract | Subscription events |
| Contextual advertising (free users) | Consent (cookies/IDFA) + Legitimate interest for aggregate impressions | Impressions, clicks |
| Security, anti-fraud, diagnostics | Legitimate interest | Technical logs |
| Legal compliance | Legal obligation (Art. 6.1(c)) | Billing (handled by Apple for IAP) |
You have the right to object to processing based on legitimate interest: write to privacy@swipegusto.com.
5. Retention periods
| Category | Retention |
|---|---|
| Active account (profile, plans, pantry) | For the lifetime of the account |
| Behavioral events (feedback, impressions, consumption, sgarro) | 24 months while account is active; upon deletion, they are anonymized (field user_id → NULL) and retained for model training, with no further link to your identity |
| Body estimation events | 36 months from the date of measurement |
| HealthKit write logs | 12 months (security audit) |
| Subscription events | 10 years (accounting and tax obligations) |
| Body photos (on device) | Until you delete them, or until you uninstall the app |
| Technical diagnostic logs | 30 rolling days |
Anonymization follows the anonymize_on_delete trigger (see tables meal_consumed_events, sgarro_events, feedback_events, impressions, duel_responses). The user_id is set to NULL, and the record loses any ability to be re-identified.
6. Who we share data with
To deliver the service, we rely on the following providers (data processors under Art. 28 GDPR):
| Provider | Service | Location | Extra-EU transfer |
|---|---|---|---|
| Supabase, Inc. | PostgreSQL database, authentication, Edge Functions, Storage | EU (eu-west-1) | No |
| Anthropic, PBC | AI inference (vision, plan generation, sgarro analysis) | USA | Yes, covered by EU Standard Contractual Clauses (SCCs) 2021/914 and Anthropic DPA |
| Apple Inc. | Authentication (Sign in with Apple), HealthKit, IAP/StoreKit, push notifications (APNs) | Global | Yes, covered by Apple SCCs and DPA |
| GitHub, Inc. (Microsoft) | Hosting of legal pages, CI/CD | USA | Yes, covered by SCCs |
| Google Ireland Ltd. (AdMob) | Contextual advertising (free users only) | EU/USA | Yes, covered by SCCs |
We do not sell your data to third parties. We do not share your identifying personal data with advertisers. AdMob receives only pseudonymous identifiers (IDFA, if granted) and generic context.
7. Extra-EU transfers
When data is transferred outside the EU (e.g. AI inference to Anthropic USA), the transfer is covered by Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, where applicable, by supplementary measures (e.g. encryption in transit, DPAs, data minimization).
8. Your rights
Under Articles 15–22 GDPR you can exercise at any time:
| Right | Meaning | How to exercise it |
|---|---|---|
| Access (Art. 15) | Know what data we hold and get a copy | Profile → Export my data (JSON) or email privacy@swipegusto.com |
| Rectification (Art. 16) | Correct inaccurate data | Directly in the app from "Preferences" |
| Erasure (Art. 17) | "Right to be forgotten" | Profile → Delete account (hard delete on L1 data, anonymization on L2 data) |
| Restriction (Art. 18) | Suspend processing | Email privacy@swipegusto.com |
| Portability (Art. 20) | Receive data in a structured, reusable format | Profile → Export my data (JSON) |
| Object (Art. 21) | Object to processing based on legitimate interest | Email privacy@swipegusto.com |
| Withdraw consent | For consent-based processing | Profile → Privacy or account deletion |
| Complain to the Supervisory Authority | Italian Data Protection Authority | garanteprivacy.it |
We reply within 30 days (extendable up to 90 in complex cases, with notice).
9. Security
We adopt appropriate technical and organizational measures (Art. 32 GDPR):
- Encryption in transit: TLS 1.3 on all communications with our servers.
- Encryption at rest: AES-256 on the database side (Supabase) and disk encryption on the device side (iOS Data Protection).
- PostgreSQL Row Level Security: each user can read only their own data (
auth.uid() = user_idpolicy). - Service-role bypass only for internal authenticated workers operating on aggregate or anonymized data.
- Sign in with Apple: no password management on the Gusto side.
- Minimization: we collect only strictly necessary data (e.g. no photos on the server, no precise geolocation, no address book).
- Audit logs for sensitive writes (HealthKit, profile changes, subscriptions).
- Backups managed by Supabase with 7-day retention (Pro plan).
In the event of a data breach posing a risk to your rights, we will notify you without undue delay (Art. 34 GDPR) and inform the Authority within 72 hours (Art. 33 GDPR).
10. Minors
Gusto is not intended for users under 16 years of age. We do not knowingly collect data from minors. If you become aware that a minor under 16 has registered an account, write to privacy@swipegusto.com and we will delete it.
11. Cookies and similar technologies (app)
The app does not use cookies. For free users, AdMob may use Apple's advertising identifier (IDFA) only if you grant consent via the ATT prompt (App Tracking Transparency). If you do not grant it, you will see non-personalized advertising.
12. Changes to this policy
When we update this policy, we change the "Last updated" date at the top. For substantial changes, we will notify you in-app before they take effect. Previous versions are archived in GitHub gusto-website history.
13. Contact
- Data controller: Gusto · Ben
- Privacy email: privacy@swipegusto.com
- Support email: support@swipegusto.com
- Address: to be indicated at first operational launch / DPO not mandatory (no large-scale systematic monitoring)
- Supervisory authority: Italian Data Protection Authority — garanteprivacy.it