
Privacy and your calorie app: why it matters where your data is stored


You download a calorie app. You start tracking your food. You take photos of your meals. You sign in with your email address.

Then what? Your nutrition data goes somewhere. To a server. Somewhere in the world. Where exactly? You probably never think about it. But it matters. Because where your data is stored determines who can access it and which privacy laws apply.

Why is nutrition data considered sensitive?

Nutrition data seems harmless at first glance. Carbohydrates, protein, calories. But together, these data points tell a story. About your eating patterns. About your health. About potential medical conditions or dietary restrictions.

Within the European Union, this type of information falls under health data. The GDPR (General Data Protection Regulation) classifies health data as a special category of personal data under Article 9 [1]. That means: extra protection, stricter processing rules, and higher fines for violations.

But that protection only applies when your data is stored on European servers.

What is GDPR and what does it mean for you?

The GDPR is European legislation that has been in effect since 2018. The core principle: your data belongs to you, not to the company collecting it.

Specifically, you have the following rights:

  • Right of access. You can request to see what data a company holds about you.
  • Right to erasure. You can have your account deleted, including all your data.
  • Right to data portability. You can request your data in a transferable format.
  • Consent required. Companies cannot sell your data without your explicit consent.
  • Breach notification. In case of a data breach, the company must inform you within 72 hours.

These rights sound obvious. But they only fully apply under European law. If your nutrition data sits on American servers, different rules apply.

Not every calorie app processes your data in the same location. This overview shows where the major apps store your data and which privacy laws apply.

App            Server location            Privacy law   Owner
MyFitnessPal   United States              US law        Francisco Partners (US)
CalAI          United States              US law        Cal AI Inc. (US)
YAZIO          Germany (EU)               GDPR          YAZIO GmbH (Germany)
Mijn Eetmeter  Netherlands (EU)           GDPR          Voedingscentrum (NL)
Moveno         Frankfurt, Germany (EU)    GDPR          Moveno (NL)

The difference is clear: apps with EU servers fall under GDPR. Apps with US servers fall under American law, which offers less comprehensive privacy protection.

What are the risks of data storage outside the EU?

When your nutrition data is stored on American servers, there are two key risks.

1. Government access without your knowledge

Under FISA Section 702, US intelligence agencies can request data from American tech companies without the company being required to inform you [3]. This programme targets communications of non-US persons outside the United States, but in practice also affects data of EU citizens stored with American services.

Is this likely for your food diary? No. But it is legally possible. Under the GDPR, this could not happen without judicial oversight.

2. Policy changes during ownership transfers

Companies change hands. Policies change with them. MyFitnessPal is a telling example.

The MyFitnessPal ownership timeline:

  • 2015. Under Armour acquires MyFitnessPal for 475 million dollars.
  • 2018. A data breach exposes 150 million user accounts. Usernames, email addresses, and hashed passwords are stolen [4]. In 2019, the stolen data appears for sale on the dark web.
  • 2020. Under Armour sells MyFitnessPal to Francisco Partners, an American private equity firm, for 345 million dollars [5].

Three owners in five years. Each ownership change brings a new privacy policy and new decisions about how your data is handled.

Is there an agreement between the EU and the US on data transfers?

Yes. In July 2023, the European Commission approved the EU-US Data Privacy Framework (DPF) [6]. This framework establishes that certified American companies provide an "adequate" level of data protection.

But there are important caveats:

  • Voluntary certification. Companies must actively enroll. Not every American company is certified.
  • Legal uncertainty. The two predecessors of this framework (Safe Harbor and Privacy Shield) were both struck down by the European Court of Justice. Privacy organisations have also challenged the current framework.
  • Limited scope. The framework places restrictions on US intelligence agencies but does not abolish FISA Section 702.

The framework is a step in the right direction. But it does not provide the same level of protection as keeping your data within the EU.

What can you check before choosing a calorie app?

Before you start using a calorie app, there are three questions worth asking.

1. Where are the servers located?

Check the app's privacy policy. Look for terms like "data processing location", "server location", or "data storage". European servers mean GDPR protection.

2. Who owns the company?

A European company is bound by GDPR. An American company falls under US law, unless it has voluntarily certified under the EU-US Data Privacy Framework.

3. What happens when you delete your account?

Under GDPR, a company must fully erase your data when you request it. Not all apps outside the EU offer that guarantee.

How does Moveno handle your privacy?

At Moveno, we store your nutrition data in Frankfurt, Germany. That is a deliberate choice. Your data falls entirely under the GDPR.

In practice, this means:

  • European servers. Your data does not leave the EU.
  • No data sales. We do not sell your nutrition data to third parties.
  • Right to access and deletion. You can always request what data we hold and have everything erased.
  • Transparent privacy policy. We communicate clearly about how your data is processed.

This does not make us unique in Europe. YAZIO and Mijn Eetmeter offer similar protection. But it does set us apart from most AI-powered calorie apps that run on American servers.

Frequently asked questions

Does nutrition data really count as health data under GDPR?

Yes. The GDPR classifies data about a person's health, including dietary patterns and nutrition information, as special category personal data under Article 9 [1]. This means companies must take additional precautions when processing this type of data.

Is MyFitnessPal safe to use?

MyFitnessPal is a functional app with a large food database. However, your data is stored on US servers and the company experienced a major data breach in 2018 that affected 150 million accounts [4]. Whether you are comfortable with that is a personal decision.

What is the EU-US Data Privacy Framework?

It is a 2023 agreement between the EU and the US that sets rules for transferring personal data to certified American companies [6]. It offers more protection than before, but is not yet as legally robust as direct GDPR protection within the EU.

Can I have my data deleted from a calorie app?

Under GDPR, you have the right to have all your data erased (the "right to be forgotten"). This applies to companies that fall under GDPR, such as apps with European servers. For American apps, it depends on their privacy policy and the state where they are incorporated.

Why does Moveno store data in Germany rather than the Netherlands?

Frankfurt is one of Europe's largest data centre hubs. It offers excellent infrastructure, redundancy, and connectivity. Germany also has one of the strictest interpretations of GDPR in the EU, through the Bundesdatenschutzgesetz (BDSG).

Summary

Your nutrition data belongs to you. Where it is stored determines which laws protect you. European servers mean GDPR protection with strong rights to access, deletion, and transparency. American servers mean fewer legal safeguards.

This is not a reason to panic. It is a reason to choose consciously. When you pick your next calorie app, ask yourself: where is my data stored? Our nutrition app guide compares the top apps on features, accuracy, and privacy.

Want a calorie app that keeps your nutrition data in Europe? At Moveno, we store everything in Frankfurt, fully under the GDPR. Join the waitlist and get early access.

Sources

  1. European Union. Regulation (EU) 2016/679, Article 9: Processing of special categories of personal data.
  2. European Commission. General Data Protection Regulation (GDPR): Rights of the data subject.
  3. U.S. Department of Justice. Foreign Intelligence Surveillance Act (FISA).
  4. Engadget (2018). Under Armour data breach affects 150 million MyFitnessPal users.
  5. PR Newswire (2020). Under Armour Completes Sale Of The MyFitnessPal Platform To Francisco Partners.
  6. European Commission (2023). Adequacy decision for safe and trusted EU-US data flows (EU-US Data Privacy Framework).
