Back to home

Privacy Policy

Last updated: July 6, 2026

Moveno ("we", "us", "our") respects your privacy. This privacy policy explains what personal data we collect, why we collect it, and how we protect it.

In short

  • We only collect the data we need to provide the service (email, food photos, nutrition logs, dietary preferences, and — only if you opt in — Apple Health or Health Connect data).
  • Core data is stored within the European Union (Frankfurt, Germany). Meal photos are sent to US-based AI providers for food recognition under EU Standard Contractual Clauses and additional safeguards (Section 7).
  • Moveno uses AI (Google Gemini, Anthropic Claude) to identify food from photos and propose calories and macronutrients. The AI's output is always a suggestion you can confirm or edit — Moveno is not a medical device. See Sections 4.1 and 4.2.
  • We process health-related data (dietary preferences, weight, food logs, and optional Apple Health / Health Connect data) only under your explicit consent, and we never share it with advertising partners.
  • We never sell your data to third parties.
  • Food photos are used solely for nutrition analysis and are never used for AI model training.
  • You can permanently delete all your data at any time through the app, and request a portable export by email.
  • We use AES-256 encryption and PostgreSQL Row Level Security to protect your information.

1. Who are we?

Moveno is an AI nutrition and fitness app that combines food and nutrition tracking, training and workouts, health-app integration, and community groups. It uses AI photo recognition and a comprehensive nutrition database, is available across the European Union, and ships in English and Dutch. Moveno is operated from the Netherlands.

Controller: Moveno is a sole proprietorship ("eenmanszaak") under Dutch law, registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 91344751. Correspondence address: Postbus 32007, 6370JA Landgraaf, the Netherlands.

Contact details:

1.1 Age requirement and children's data

Moveno is intended for users aged 18 and over. We do not knowingly process personal data of users under the age of 18.

Where users from EU/EEA Member States other than the Netherlands access Moveno, the GDPR Article 8 digital-consent age (between 13 and 16 depending on the Member State; 16 in the Netherlands under Article 5 of the Dutch UAVG) applies in addition. If we become aware that we have inadvertently collected data from a person below the applicable digital-consent age without verified parental consent, we will delete that data without undue delay. If you believe a minor has created an account, please contact privacy@moveno.co.

1.2 Privacy contact and Data Protection Officer

We have not appointed a formal Data Protection Officer (DPO) under Article 37 GDPR at this stage, as Moveno's processing volume currently falls below the "large-scale" threshold in WP29 Guidelines WP243. Privacy questions, rights requests, and concerns can be addressed to our privacy contact at privacy@moveno.co. We will re-evaluate the DPO requirement as our user base grows and update this policy accordingly.


2. What data do we collect?

We collect the following categories of data when you use Moveno:

  • Account data: email address, display name, hashed password, login sessions
  • Profile data: height, weight, age, sex, activity level, nutrition goals
  • Health-related data (see Section 3): dietary preferences, allergen filters, weight entries over time, food logs, meal photos
  • Workout and training data (only if you log workouts, see Section 3.2): the workouts you log, including for each set the weight used, the number of repetitions, your effort rating, an optional mood note, and optional session notes; and a daily training-load summary that combines your workouts with the rest of your activity
  • Apple Health / Health Connect data (optional, only with your explicit per-scope permission, see Section 3.1):
    • Read scopes: weight (READ_WEIGHT), height (READ_HEIGHT), body fat percentage (READ_BODY_FAT), basal metabolic rate (READ_BASAL_METABOLIC_RATE), biological sex, date of birth, today's active calories burned (READ_ACTIVE_CALORIES_BURNED), today's step count (READ_STEPS), completed exercise sessions (READ_EXERCISE), and nutrition entries written by other apps (READ_NUTRITION).
    • Write scopes: meal nutrition — calories, protein, carbohydrates, fat, fibre (WRITE_NUTRITION) — your weight entries (WRITE_WEIGHT), and your completed Moveno workouts (WRITE_EXERCISE), so other apps you trust can read Moveno data alongside your activity.
    • On iOS the equivalent HealthKit identifiers are HKQuantityTypeIdentifierBodyMass, HKQuantityTypeIdentifierHeight, HKQuantityTypeIdentifierBodyFatPercentage, HKQuantityTypeIdentifierBasalEnergyBurned, HKCharacteristicTypeIdentifierBiologicalSex, HKCharacteristicTypeIdentifierDateOfBirth, HKQuantityTypeIdentifierActiveEnergyBurned, HKQuantityTypeIdentifierStepCount, HKWorkoutType, HKQuantityTypeIdentifierDietaryEnergyConsumed and the dietary macro identifiers.
  • Scanning data: barcode scans, AI food recognition results, user corrections
  • Usage data: app interactions, error reports, device type and operating system
  • Location data: approximate country, derived from low-accuracy GPS (foreground only), used to personalise the nutrition database
  • Consent records: the cookie and marketing choices you have made, with timestamps
  • Payment data: processed by Apple or Google; we never store full payment details, only subscription status
  • Support requests: if you contact our support team — in the app, on our website while signed in, or as a guest on our website — we process the category, subject and message you send, plus any screenshots you choose to attach. If you contact us as a guest (without a Moveno account), we also process the name and email address you provide so that we can reply to you.

Sign in with Apple / Google (optional). If you choose to create your account or log in using Sign in with Apple or Google Sign-In, that provider returns a limited set of profile fields to us — your email address and your name — which we use only to create and identify your Moveno account. With Sign in with Apple you can choose to hide your email, in which case Apple provides a private relay address instead. We do not receive your password or any other data held by Apple or Google.

If you signed up for the waitlist before launch, we collected only your email address to notify you when Moveno became available.


3. Health data (GDPR Article 9)

Moveno processes data that qualifies as special category (health) data under GDPR Article 9 — specifically: dietary preferences, allergen filters, weight entries, food logs, profile data such as height and nutrition goals, workout and training data (if you log workouts, see Section 3.2), and (if you connect a hub) Apple Health / Health Connect data.

  • Legal basis: Article 9(2)(a) — your explicit consent, given through a dedicated, unticked checkbox during onboarding that is separate from acceptance of our Terms of Service. You can review and withdraw this consent at any time (see "Withdrawal" below).
  • Withdrawal: you can withdraw consent for health-data processing at any time without deleting your account, via Profile → Preferences → Privacy → Withdraw health-data consent, or by deleting your account in-app. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Non-disclosure: we do NOT share health-related data with advertising partners (TikTok, Meta, Google Analytics) or with any third party for marketing purposes.
  • Storage: health data is stored within our EU infrastructure. Meal photos are an exception: they are sent to AI providers (Google, Anthropic) for the sole purpose of food recognition, under EU Standard Contractual Clauses (see Section 7).

3.1 Apple Health and Health Connect integration (optional)

If you choose to connect Moveno with Apple Health (iOS) or Health Connect (Android), the following applies in addition to Section 3:

  • Lawful basis: GDPR Article 9(2)(a) — your explicit consent, given through the operating system's permission dialog for each data scope individually. Every grant is logged in our consent audit trail with a timestamp, the platform (healthkit or health_connect) and the number of scopes you granted — not the scope identifiers themselves, so the audit record stays data-minimised.
  • Granular scopes: you can grant or deny each data type individually (for example, allow weight reads but deny step reads). At any time you can revoke any scope without losing access to the rest of the app.
  • Data we may read (only with your permission): weight, height, body fat percentage, basal metabolic rate, biological sex, date of birth, today's active calories burned, today's step count, completed exercise sessions, and nutrition entries written by other apps. Each scope is read only to support a specific feature: weight/height/sex/date of birth to auto-fill your profile during onboarding, body fat and basal metabolic rate to refine your calorie target, active calories and steps to drive your dynamic daily goal (see "Adjust goal for activity" in the app), exercise sessions to attribute active calories to specific workouts, and nutrition entries written by other apps to avoid double-counting.
  • Data we may write (only with separate write permission): meal nutrition (calories, protein, carbohydrates, fat, fibre), your weight entries, and — if you use the workout feature — a summary of each completed Moveno workout (type, duration and an estimated energy figure, via WRITE_EXERCISE), so other apps you trust — for example Apple Watch, Strava, Whoop, Garmin Connect, Fitbit or Samsung Health — can read Moveno's data alongside your activity. Each write type is a separate, off-by-default permission that you grant individually — turning one on never turns the others on.
  • On-device hub: Apple Health (iOS) and Health Connect (Android) are operating-system features that live on your device. We do not have direct access to the hub itself — we can only read or write the specific data types you have granted, and we do not control which other apps you allow to read from or write to the hub.
  • No new international transfer: Apple Health and Health Connect are on-device features of iOS and Android — the data lives on your device, not on Apple's or Google's servers. When you grant Moveno permission, we read the specific data types you allowed and store them on our EU servers (Frankfurt, Germany). The integration itself does not create any new transfer of your health data outside the European Union. Meal photos — which you choose to upload separately and which existed before this integration — continue to be sent to US-based AI providers for food recognition under the safeguards described in Section 7; that path is unchanged.
  • What we store server-side: weight readings imported from the hub are saved in your Moveno account as standard weight entries and follow the same retention as manual entries (Section 5). Today's active calories and step counts are stored in your daily nutrition summary so we can calculate your dynamic calorie goal. We do not persistently store every individual step event or workout session.
  • What we do NOT do: we do not sell, share, transfer or otherwise disclose Apple Health or Health Connect data to advertising partners, data brokers, AI providers (training or inference) or any third party for marketing purposes. Apple Health and Health Connect values are never included in prompts or payloads sent to our AI providers (Google Gemini, Anthropic) — those providers only ever receive meal photos for food recognition (inference only, never training), never your weight, body fat, calorie burn, steps, exercise sessions, biological sex or date of birth. Our error-monitoring redaction chain strips health values before any event leaves our backend.
  • Apple and Google store-policy commitments (HealthKit & Health Connect): We do NOT use Apple Health or Health Connect data for advertising or any data-mining purposes other than improving your health, fitness or nutrition tracking inside Moveno. We do NOT disclose Apple Health or Health Connect data to any third party without your explicit permission, and any disclosure that does occur is only for the purpose of providing or improving Moveno's app functionality. We do NOT sell Apple Health or Health Connect data. We do NOT share Apple Health or Health Connect data with data brokers. We do NOT use Apple Health or Health Connect data to identify you beyond the functionality of Moveno itself, and we do NOT combine it with advertising or marketing identifiers.
  • Revoking permission at any time:
    • iOS: Settings → Privacy & Security → Health → Moveno — toggle individual permissions off, or remove Moveno entirely.
    • Android (Health Connect): the Health Connect app → Permissions → Moveno — toggle individual permissions off, or remove Moveno entirely.
    • In the Moveno app: Profile → Preferences → Integrations → Disconnect — withdraws all granted scopes at once and writes a consent-withdrawal record to our audit trail.
  • Effect of revoking: Moveno immediately stops reading new data from the hub and stops writing new data to the hub. Previously imported data remains in your Moveno account until you delete it (see Section 10 for your rights). Samples Moveno has already written to Apple Health / Health Connect remain in the hub until you delete them there — we deliberately do not retroactively remove your hub data on revocation, because that data is yours and you may want to keep it.
  • Account deletion: when you delete your Moveno account (Section 5), all server-side data including hub mapping records is removed via the self-service deletion flow. Data stored inside Apple Health / Health Connect itself is NOT removed by Moveno account deletion — those hubs remain under your control and you can delete entries directly there.
  • Not a medical device: Moveno is a nutrition and wellness application. It does not provide medical advice, diagnosis or treatment, and these integration features are not intended for clinical use. If you have a medical condition, consult a qualified healthcare professional.
  • Right to withdraw: You have the right to withdraw your consent for the Apple Health / Health Connect integration at any time using the steps above, without affecting the lawfulness of processing carried out before withdrawal.

3.2 Workout and training data (optional)

If you use Moveno's workout features, the following applies in addition to Section 3:

  • What we store. When you log a workout, we store the workout itself and, for each set, the weight you used, the number of repetitions, your effort rating, an optional mood note, and optional session notes. We also keep a daily training-load summary that combines your workouts with the rest of your activity. This is special category (health) data under GDPR Article 9, stored within our EU infrastructure and kept under the same retention as your other training and nutrition history (24 months, see Section 5). Your workout data is isolated to your account and is never visible to other users unless you choose to share a completed workout to a group (see Section 9).
  • AI workout generation and the workout coach. If you ask Moveno to generate a workout, or use the in-app coach to suggest a safe alternative exercise, we send a short fitness questionnaire to our AI providers. This questionnaire is pseudonymised before it leaves your device — it is never sent with your name or any identifier that points back to you. The AI returns the structure of a workout only (which exercises, how many sets and repetitions, rest and effort guidance); Moveno never prescribes how much weight to lift — that always stays your decision. The same AI providers we already use for food recognition (Google and Anthropic, reached through our AI gateway, OpenRouter) process this questionnaire for inference only, never to train their models, and do not keep it under the terms that apply to us. See Sections 4.1 and 4.2.
  • Medical pre-screening (PAR-Q+ / injuries). Before AI workout generation, you may answer a short medical pre-screening (based on the established PAR-Q+ / ACSM questionnaire) and flag any injuries. These answers are special category (health) data processed under your explicit consent (a dedicated exercise health consent). They are pseudonymised in transit, removed from our error logs, and — importantly — not kept after your workout is generated: they are used to compute a safer plan and then discarded. We only record an acknowledgement that you gave this consent, with no health details attached to that record.
  • Under-fuelling support nudge. If your pattern of eating sits well below what your activity suggests you need over several days, Moveno may show you a gentle, supportive reminder. This is a health inference derived on your device from data you have already logged. We do not store it as a "risk" label, we do not log the underlying numbers, and the nudge is opt-in and dismissible. It is softened for users whose goal is weight loss, and includes a safeguard that signposts professional help where appropriate. This nudge is not a medical diagnosis, and it is not an automated decision with any legal or similarly significant effect (Article 22 GDPR) — it is informational and supportive only.
  • Not a medical device. Moveno's workout features are for general fitness and wellness. They do not provide medical advice, diagnosis or treatment, and are not intended for clinical use. The scientific basis of our calculations is explained in plain language inside the app. If you have an injury, a medical condition, are pregnant, or are otherwise under clinical care, consult a qualified healthcare or fitness professional before following any plan.
  • Right to withdraw. You can withdraw your exercise health consent at any time without deleting your account; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. Why do we process your data?

| Purpose | Legal basis (GDPR) | |---------|-------------------| | Sending waitlist emails | Consent (Art. 6(1)(a)) | | Creating and managing accounts | Performance of contract (Art. 6(1)(b)) | | Calculating nutrition values | Performance of contract (Art. 6(1)(b)) | | Processing health-related data | Explicit consent (Art. 9(2)(a)) | | Storing your workout and training data | Performance of contract (Art. 6(1)(b)) and explicit consent (Art. 9(2)(a)) | | AI medical pre-screening (PAR-Q+ / injuries) for workout generation | Explicit consent (Art. 9(2)(a)) | | Writing your nutrition, weight and completed-workout data to Apple Health / Health Connect (where you grant write permission) | Explicit consent (Art. 9(2)(a)) | | Measuring advertising effectiveness | Consent (Art. 6(1)(a)) | | Product analytics (PostHog, Google Analytics) | Consent (Art. 6(1)(a)) — only after you opt in via Cookie Settings | | Handling your support requests (help center + tickets) | Performance of contract (Art. 6(1)(b)) for account-holders; pre-contractual steps and legitimate interest in answering your request (Art. 6(1)(b)/(f)) for guest requests | | Improving the app, fixing bugs, and protecting service integrity | Legitimate interest (Art. 6(1)(f)) — our interest in maintaining a stable, secure, and continuously improving product, balanced against your interests through data minimisation, pseudonymisation in logs, and the absence of profiling | | Error monitoring and abuse prevention (Sentry, rate limiting) | Legitimate interest (Art. 6(1)(f)) and legal obligation to ensure security of processing (Art. 32) | | Meeting legal obligations | Legal obligation (Art. 6(1)(c)) |

4.1 Automated decision-making (GDPR Article 22)

Moveno uses automated processing in four places. We disclose them here under Article 13(2)(f) of the GDPR so you understand the logic, significance, and consequences.

1. AI food recognition (Google Gemini 2.5 Flash; Anthropic Claude as fallback). When you take a photo, an AI model identifies the foods, estimates portion sizes, and proposes calories and macronutrients. The result is a suggestion: you review and confirm each item before it is saved to your log, and you can edit quantities, swap items, or remove the entry entirely. Because the decision to log a meal is yours, this processing is not "solely automated" within the meaning of Article 22(1). The AI can be wrong (wrong food, wrong portion); you are the safeguard.

2. Onboarding calorie goal (Mifflin-St Jeor formula). At onboarding we calculate a daily calorie target from your age, height, weight, biological sex, and activity level using the published Mifflin-St Jeor equation. You can override this number at any time in Profile → Goals. Because you can adjust it manually, this is not a decision made solely by automated means.

3. Dynamic daily calorie target (active-calories adjustment). If you connect Apple Health or Health Connect and the "Adjust goal for activity" setting is on (default), today's active calories are added to today's baseline goal. We apply a hard cap of +1,500 kcal per day as a safety limit against sensor errors; the baseline goal is never reduced by this feature, and you can switch the adjustment off at any time in Profile → Preferences.

4. AI workout generation and the under-fuelling support nudge (workout features). If you use the workout features, an AI model can propose the structure of a workout from your fitness questionnaire (see Section 3.2), and Moveno can show a supportive under-fuelling reminder derived on your device. Both are suggestions: you choose whether to start a generated workout (and Moveno never tells you how much weight to lift), and the under-fuelling nudge is opt-in, dismissible, and informational only. Neither produces a legal or similarly significant effect, so neither is a decision made solely by automated means within the meaning of Article 22(1).

Significance and envisaged consequences. Moveno is a wellness application, not a medical device. The numbers we surface inform your day-to-day eating choices; they do not produce any legal effect and they are not used to deny you access to any feature, price, or service. If you have an eating disorder, a metabolic condition, are pregnant or breastfeeding, or are otherwise under clinical care, please consult a qualified healthcare professional before relying on Moveno's targets.

Your rights. You have the right to obtain human review of any of the above, to contest the outcome, and to express your point of view. Contact privacy@moveno.co.

4.2 Use of AI systems (EU AI Act Article 50)

When you take a meal photo, Moveno sends the image to an artificial-intelligence system (Google Gemini 2.5 Flash by default; Anthropic Claude as fallback) that identifies the food and estimates its nutritional content. The image-recognition result is generated by an AI model and is shown to you as a suggestion you can edit or reject before saving. The app itself displays a notice at the camera screen confirming this so you are informed at the point of interaction.

If you use the workout features, the AI workout generator and the in-app workout coach send a pseudonymised fitness questionnaire — including any injury flags (see Section 3.2) — to the same AI providers (Google and Anthropic, via our OpenRouter gateway) we already use for food recognition. The questionnaire carries no name or identifier, is processed for inference only and never used for model training, and is not retained by those providers under the terms that apply to us. The AI returns workout structure only: Moveno never prescribes a weight, and the output passes a medical-screening gate plus an automatic safety check before it reaches you. You decide whether to start the suggested workout.

Some text on the Moveno website blog is drafted with AI assistance and reviewed by a human editor before publication.

Moveno's AI use is classified as limited risk under Regulation (EU) 2024/1689 (the EU AI Act). It is not a high-risk AI system under Annex III, and it is not intended for medical diagnosis or treatment (see Section 3.1, "Not a medical device").


5. How long do we keep your data?

| Data type | Retention | |---|---| | Account data | As long as your account is active | | Meals and daily summaries | 24 months | | Workout and training data (logged workouts, sets, daily training-load summary) | 24 months | | AI workout-generation medical pre-screening answers (PAR-Q+ / injuries) | Not kept — used to generate your workout, then discarded | | Under-fuelling support nudge | Not kept — derived on your device and discarded; never stored as a label | | Meal photos | 18 months | | Orphan meal photos (uploaded but never saved to a meal) | 24 hours | | Weight entries (manual) | Indefinite (under your control via the app) | | Imported weight from Apple Health / Health Connect | Same as manual weight entries (indefinite, under your control) | | Today's imported active calories and step count (stored in daily summary) | Same as daily summaries (24 months) | | Apple Health / Health Connect connection mapping (which scopes you granted, on which platform) | Until you disconnect or delete your account | | Sentry error events (scrubbed) | 90 days | | Consent records (including health_data and exercise_health consent grants and withdrawals) | 5 years from the date of the record (GDPR audit-trail obligation) | | Translation cache (anonymised) | 7 months | | Analytics data (anonymised/aggregated) | Up to 26 months | | Support tickets and messages (including guest tickets) | 24 months after the ticket is closed | | Support attachments (screenshots) | 30 days after the ticket is closed | | Waitlist emails | Up to 6 months after launch or until you unsubscribe |

When you delete your account, your data is removed via our self-service deletion flow. Anonymised or legally required data may persist within the durations listed above.


6. Where is your data stored?

Your core data is stored within the European Union (Frankfurt, Germany). We use a combination of named external partners and EU-based infrastructure providers.

Named external partners:

| Partner | Purpose | Location | |---------|---------|----------| | Google LLC (Gemini API) | AI food photo recognition; AI workout generation | USA | | Anthropic (via OpenRouter) | AI fallback for food recognition and content generation; AI workout generation | USA | | TikTok | Advertising attribution | USA | | Meta | Advertising attribution (Facebook/Instagram) | USA | | Google LLC (Analytics 4) | Website traffic analytics | USA | | PostHog (EU) | Product analytics | EU (Frankfurt) | | MailBlue (ActiveCampaign EU) | Waitlist and transactional email | EU | | Apple | In-app subscription billing | USA | | Google Play (subscription billing) | In-app subscription billing | EU contracting via Google Commerce Limited (Ireland); group entities in USA | | RevenueCat | Subscription status mirroring | USA |

EU-based infrastructure providers:

In addition, we rely on EU-based providers for database and authentication, image storage, website hosting, transactional email, and error monitoring. These providers process data under GDPR-compliant Data Processing Agreements within EU data centres.


7. International data transfers

Some of the named partners above are located in the United States. Transfers rely on the following safeguards under GDPR Chapter V:

| Partner | Country | Transfer mechanism | |---|---|---| | Google LLC (Gemini, Analytics 4) | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses | | Anthropic (via OpenRouter) | USA | EU Standard Contractual Clauses (SCCs); Anthropic is additionally self-certified under the EU-US Data Privacy Framework | | TikTok | USA | EU Standard Contractual Clauses (SCCs) | | Meta | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses | | Apple | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses | | Google Play | IE (contracting via Google Commerce Limited) / USA (group) | Intra-EEA contract with EU contracting entity; SCCs for any onward US transfer | | RevenueCat | USA | EU Standard Contractual Clauses (SCCs) |

Where you use Sign in with Apple or Google Sign-In, the limited profile data those providers return (your email address and name, see Section 2) is transferred from Apple or Google in the United States under the same safeguards shown above for Apple and Google — EU-US Data Privacy Framework and/or Standard Contractual Clauses.

These safeguards are designed to ensure that personal data transferred to the United States receives a level of protection essentially equivalent to EU law, following the Schrems II ruling.

Supplementary measures for US transfers. Following Schrems II (CJEU C-311/18) and EDPB Recommendations 01/2020 (v2.0), we apply the following supplementary measures to all transfers to US-based partners listed above, in addition to the contractual safeguards (SCCs / DPF):

  • Encryption in transit: all communications use TLS 1.2 or higher.
  • Encryption at rest: data stored with US partners is encrypted at rest by the partner; data we store ourselves uses AES-256 at rest plus PostgreSQL Row Level Security.
  • Data minimisation: we transmit only what is strictly required for the stated purpose — for example, only meal photo bytes (no identifiers) to Gemini/Anthropic, and only one-way SHA-256 hashes of email/phone to advertising partners.
  • No special-category data to advertisers: health-related data (weight, dietary preferences, food logs, Apple Health / Health Connect data) is never transferred to TikTok, Meta or Google for advertising purposes.
  • Pseudonymisation in error monitoring: events sent to our error-monitoring provider strip user emails, IP addresses, geo-location and free-text content via a documented 10-stage redaction pipeline.
  • Contractual transparency: our SCC-based agreements with US partners include the obligation to notify us of any government access requests to the extent legally permitted, and to challenge overbroad requests.
  • No transfer of meal photos for AI training: meal photos sent to Gemini / Anthropic are processed for food recognition only (inference) and are excluded from model training under the applicable enterprise terms.
  • Pseudonymised workout questionnaire, same AI providers: the AI workout generator and workout coach send only a pseudonymised fitness questionnaire (no name, no identifier) to the same providers used for food recognition — Google and Anthropic, via the OpenRouter gateway. No other AI provider receives this data. It is processed for inference only, excluded from model training under the applicable terms, and the medical pre-screening answers are not retained by Moveno after your workout is generated.

You can request a copy of the applicable Standard Contractual Clauses by contacting privacy@moveno.co.


8. Advertising partners

We work with TikTok and Meta to promote Moveno to potential users. Our data exchange with advertising partners is limited:

  • Outbound (from us to them): a SHA-256 hashed version of your email or phone number (one-way hash, cannot be reversed by the partner), the type of event (e.g. sign-up, subscription), and a unique event ID used to deduplicate browser and server events within 48 hours. Used only for ad attribution.
  • Inbound (from them to us): aggregate ad performance metrics — impressions, clicks, demographics at group level (never individual-level).

We do NOT:

  • Sell your personal data.
  • Share your health data, food logs, weight, or dietary preferences with advertisers.
  • Use your data for ad targeting on other platforms.
  • Transfer your data to data brokers.

You can withdraw marketing consent at any time via Cookie Settings. Doing so has no effect on your ability to use Moveno.


9. Do we share your data?

We never sell your data to third parties. We only share data with:

  • Service providers who process data on our behalf (see Sections 6 and 7)
  • Advertising partners as strictly described in Section 8
  • Authorities if legally required

For the avoidance of doubt regarding Apple Health and Health Connect data specifically: we do not share or sell Apple Health or Health Connect data with any third party, and we use it solely to operate the calorie-tracking, weight-tracking, and dynamic-calorie-goal features described in Section 3.1.

Sharing a workout to a group. If you choose to share a completed workout to one of your groups, the group only ever sees activity-level information — your name, the workout's name, how long it lasted, when you finished, and any reactions. The group never sees the exercises you did, the weights or repetitions, your training volume, or any calorie figure. Sharing a workout is opt-in each time, and the detailed workout data stays private to your account.


10. Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Access (Art. 15) — obtain confirmation of whether we process your data and receive a copy.
  • Rectification (Art. 16) — have inaccurate data corrected without undue delay.
  • Erasure / "right to be forgotten" (Art. 17) — have your data deleted. Self-service erasure is available in-app under Profile → Account → Delete account.
  • Restriction (Art. 18) — restrict processing while a dispute is resolved.
  • Data portability (Art. 20) — receive the personal data you provided to us in a structured, commonly used, machine-readable format (JSON), and have it transmitted to another controller where technically feasible. Portability is currently delivered on request via privacy@moveno.co within the statutory timeline below; a self-service export is on our roadmap.
  • Object (Art. 21) — object to processing based on legitimate interests (Art. 6(1)(f)). You have an absolute right to object to processing for direct marketing at any time, including profiling related to direct marketing.
  • Withdraw consent (Art. 7(3)) — withdraw any consent previously given, at any time, without affecting the lawfulness of processing before withdrawal.
  • Not be subject to solely automated decisions producing legal or similarly significant effects (Art. 22) — see Section 4.1 on automated decision-making.

How to exercise your rights. Send an email to privacy@moveno.co from the email address associated with your account, stating which right you wish to exercise. For requests where we have reasonable doubt about your identity, we may ask for additional information to confirm it (Art. 12(6)) — for example a confirmation code sent to your account email. Requests are handled free of charge unless they are manifestly unfounded or excessive (Art. 12(5)).

Response timeline. We respond without undue delay and in any event within one month of receipt of your request (Art. 12(3)). Where the request is complex or we receive a high volume of requests, we may extend the period by a further two months; in that case we will inform you of the extension and the reasons within the first month.


11. Cookies

Our website uses cookies in three categories:

11.1 Necessary cookies (always active)

These cookies are required for basic website functionality and cannot be disabled.

| Cookie | Purpose | Duration | |--------|---------|----------| | Supabase auth session | Admin dashboard login | Session | | NEXT_LOCALE | Remember language preference | 1 year | | moveno-consent | Store your cookie preferences | 1 year |

11.2 Analytics cookies (optional)

Help us understand how visitors use the website so we can improve the user experience.

  • PostHog (EU-hosted, Frankfurt) — product analytics and user behaviour. Uses first-party cookies. When you revoke analytics consent, PostHog is opted out (opt_out_capturing) and existing identifiers are reset (GDPR Art. 7(3)) so subsequent activity is no longer tied to your prior profile.
  • Google Analytics 4 — website traffic and conversion tracking. Data is transferred to the US under EU-US Data Privacy Framework + Standard Contractual Clauses (see Section 7).

11.3 Marketing cookies (optional)

Used for ad attribution and retargeting on social media.

  • Meta Pixel — Facebook/Instagram ad attribution and retargeting
  • TikTok Pixel — browser-side TikTok ad attribution and retargeting
  • TikTok Events API (server-side) — complements the browser pixel by sending conversion events from our servers directly to TikTok. We send: a SHA-256 hashed version of your email or phone number (one-way hash), the event type (e.g. sign-up), and a unique event ID used to deduplicate browser and server events within 48 hours. Data is transferred to TikTok in the United States under EU Standard Contractual Clauses. You can disable both the browser pixel and the server-side events by setting "Marketing" to off in Cookie Settings — this does not affect your ability to use Moveno.

11.4 How to manage your cookie preferences

On your first visit to our website, a cookie banner will appear allowing you to choose which categories of cookies you want to allow. You can:

  • Accept all — allow all cookies
  • Reject all — allow only necessary cookies
  • Manage preferences — choose per category which cookies you allow

Analytics and marketing cookies are only placed after you have given your consent. You can change your preferences at any time via the "Cookie settings" link in the website footer.


12. Security

We take appropriate technical and organisational measures to protect your data, including:

  • AES-256 encryption of data at rest and TLS 1.2+ encryption in transit
  • PostgreSQL Row-Level Security enforcing per-user data isolation
  • Mandatory multi-factor authentication (MFA) for all admin and support staff
  • Pseudonymisation of user identifiers in application logs (SHA-256 hashed prefixes)
  • A multi-layer credential and health-value redaction chain applied to all error monitoring before events leave our backend
  • Network segmentation between EU-hosted database, edge functions, and object storage
  • Regular security audits, dependency scanning, and a documented vulnerability response process

12.1 Personal data breaches

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in line with Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms — for example, a breach affecting health data, authentication credentials, or payment status — we will also notify affected users without undue delay via email and an in-app notice, including the nature of the breach, the categories of data involved, the likely consequences, and the measures we have taken, in line with Article 34 GDPR.


13. Changes to this policy

We may update this privacy policy from time to time. In case of substantial changes, we will inform you via email or the app. The "Last updated" date at the top indicates the most recent version.


14. Complaints

You have the right to lodge a complaint with a data protection supervisory authority (GDPR Art. 77). You may complain in particular with the supervisory authority of:

  • the EU/EEA Member State of your habitual residence,
  • your place of work, or
  • the place of the alleged infringement.

For users in the Netherlands, the competent authority is the Autoriteit Persoonsgegevens:

A directory of all EU/EEA supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en.

Lodging a complaint with a supervisory authority is without prejudice to any other administrative or judicial remedy you may have.


15. Contact

Questions about this privacy policy? Contact us at: