Privacy Policy

Last updated: April 15, 2026

Moveno ("we", "us", "our") respects your privacy. This privacy policy explains what personal data we collect, why we collect it, and how we protect it.

In short

  • We only collect the data we need to provide the service (email, food photos, nutrition logs, dietary preferences).
  • Core data is stored within the European Union (Frankfurt, Germany). Meal photos are sent to US-based AI providers for food recognition under EU Standard Contractual Clauses.
  • We process health-related data (dietary preferences, weight, food logs) under your explicit consent, and we never share it with advertising partners.
  • We never sell your data to third parties.
  • Food photos are used solely for nutrition analysis and are not shared for any other purpose.
  • You can export or permanently delete all your data at any time through the app.
  • We use AES-256 encryption and Row Level Security to protect your information.

1. Who are we?

Moveno is a Dutch app for tracking calories and nutrition using AI photo recognition and a comprehensive nutrition database. Moveno is operated from the Netherlands.

Contact details:


2. What data do we collect?

We collect the following categories of data when you use Moveno:

  • Account data: email address, display name, hashed password, login sessions
  • Profile data: height, weight, age, sex, activity level, nutrition goals
  • Health-related data (see Section 3): dietary preferences, allergen filters, weight entries over time, food logs, meal photos
  • Scanning data: barcode scans, AI food recognition results, user corrections
  • Usage data: app interactions, error reports, device type and operating system
  • Location data: approximate country, derived from low-accuracy GPS (foreground only), used to personalise the nutrition database
  • Consent records: the cookie and marketing choices you have made, with timestamps
  • Payment data: processed by Apple or Google; we never store full payment details, only subscription status

If you signed up for the waitlist before launch, we collected only your email address to notify you when Moveno became available.


3. Health data (GDPR Article 9)

Moveno processes data that qualifies as special category (health) data under GDPR Article 9 — specifically: dietary preferences, allergen filters, weight entries, food logs, and profile data such as height and nutrition goals.

  • Legal basis: Article 9(2)(a) — your explicit consent, given during onboarding.
  • Withdrawal: you can withdraw consent at any time by deleting your account in-app.
  • Non-disclosure: we do NOT share health-related data with advertising partners (TikTok, Meta, Google Analytics) or with any third party for marketing purposes.
  • Storage: health data is stored within our EU infrastructure. Meal photos are an exception: they are sent to AI providers (Google, Anthropic) for the sole purpose of food recognition, under EU Standard Contractual Clauses (see Section 7).

4. Why do we process your data?

| Purpose | Legal basis (GDPR) |
|---------|-------------------|
| Sending waitlist emails | Consent (Art. 6(1)(a)) |
| Creating and managing accounts | Performance of contract (Art. 6(1)(b)) |
| Calculating nutrition values | Performance of contract (Art. 6(1)(b)) |
| Processing health-related data | Explicit consent (Art. 9(2)(a)) |
| Measuring advertising effectiveness | Consent (Art. 6(1)(a)) |
| Improving the app and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Meeting legal obligations | Legal obligation (Art. 6(1)(c)) |


5. How long do we keep your data?

| Data type | Retention |
|---|---|
| Account data | As long as your account is active |
| Meals and daily summaries | 24 months |
| Meal photos | 18 months |
| Orphan meal photos (uploaded but never saved to a meal) | 24 hours |
| Weight entries | Indefinite (under your control via the app) |
| Translation cache (anonymised) | 7 months |
| Analytics data (anonymised/aggregated) | Up to 26 months |
| Waitlist emails | Up to 6 months after launch or until you unsubscribe |

When you delete your account, your data is removed via our self-service deletion flow. Anonymised or legally required data may persist within the durations listed above.


6. Where is your data stored?

Your core data is stored within the European Union (Frankfurt, Germany). We use a combination of named external partners and EU-based infrastructure providers.

Named external partners:

| Partner | Purpose | Location |
|---------|---------|----------|
| Google (Gemini) | AI food photo recognition | USA |
| Anthropic (via OpenRouter) | AI fallback for food recognition and content generation | USA |
| TikTok | Advertising attribution | USA |
| Meta | Advertising attribution (Facebook/Instagram) | USA |
| Google Analytics 4 | Website traffic analytics | EU/USA |
| PostHog (EU) | Product analytics | EU (Frankfurt) |
| MailBlue (ActiveCampaign EU) | Waitlist and transactional email | EU |
| Apple / Google Play | Subscription billing and entitlement | USA |
| RevenueCat | Subscription status mirroring | USA |

EU-based infrastructure providers:

In addition, we rely on EU-based providers for database and authentication, image storage, website hosting, transactional email, and error monitoring. These providers process data under GDPR-compliant Data Processing Agreements within EU data centres.


7. International data transfers

Some of the named partners above are located in the United States. Transfers rely on the following safeguards under GDPR Chapter V:

| Partner | Country | Transfer mechanism |
|---|---|---|
| Google (Gemini) | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses |
| Anthropic (via OpenRouter) | USA | EU Standard Contractual Clauses (SCCs) |
| TikTok | USA | EU Standard Contractual Clauses (SCCs) |
| Meta | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses |
| Apple | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses |
| Google (Play / Analytics) | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses |
| RevenueCat | USA | EU Standard Contractual Clauses (SCCs) |

These safeguards are designed to ensure that personal data transferred to the United States receives a level of protection essentially equivalent to EU law, following the Schrems II ruling. You can request a copy of the applicable Standard Contractual Clauses by contacting privacy@moveno.co.


8. Advertising partners

We work with TikTok and Meta to promote Moveno to potential users. Our data exchange with advertising partners is limited:

  • Outbound (from us to them): a SHA-256 hashed version of your email or phone number (one-way hash, cannot be reversed by the partner), the type of event (e.g. sign-up, subscription), and a unique event ID used to deduplicate browser and server events within 48 hours. Used only for ad attribution.
  • Inbound (from them to us): aggregate ad performance metrics — impressions, clicks, demographics at group level (never individual-level).

We do NOT:

  • Sell your personal data.
  • Share your health data, food logs, weight, or dietary preferences with advertisers.
  • Use your data for ad targeting on other platforms.
  • Transfer your data to data brokers.

You can withdraw marketing consent at any time via Cookie Settings. Doing so has no effect on your ability to use Moveno.


9. Do we share your data?

We never sell your data to third parties. We only share data with:

  • Service providers who process data on our behalf (see Sections 6 and 7)
  • Advertising partners as strictly described in Section 8
  • Authorities if legally required

10. Your rights

Under the GDPR (General Data Protection Regulation), you have the right to:

  • Access — see what data we hold about you
  • Rectification — have incorrect data corrected
  • Erasure — have your data deleted ("right to be forgotten")
  • Restriction — restrict the processing of your data
  • Portability — receive your data in a readable format
  • Object — object to the processing of your data
  • Withdraw consent — withdraw previously given consent

Contact us at privacy@moveno.co to exercise any of these rights. We will respond within 30 days.


11. Cookies

Our website uses cookies in three categories:

11.1 Necessary cookies (always active)

These cookies are required for basic website functionality and cannot be disabled.

| Cookie | Purpose | Duration |
|--------|---------|----------|
| Supabase auth session | Admin dashboard login | Session |
| NEXT_LOCALE | Remember language preference | 1 year |
| moveno-consent | Store your cookie preferences | 1 year |

11.2 Analytics cookies (optional)

Help us understand how visitors use the website so we can improve the user experience.

  • PostHog (EU-hosted, Frankfurt) — product analytics and user behavior
  • Google Analytics 4 — website traffic and conversion tracking

11.3 Marketing cookies (optional)

Used for ad attribution and retargeting on social media.

  • Meta Pixel — Facebook/Instagram ad attribution and retargeting
  • TikTok Pixel — browser-side TikTok ad attribution and retargeting
  • TikTok Events API (server-side) — complements the browser pixel by sending conversion events from our servers directly to TikTok. We send: a SHA-256 hashed version of your email or phone number (one-way hash), the event type (e.g. sign-up), and a unique event ID used to deduplicate browser and server events within 48 hours. Data is transferred to TikTok in the United States under EU Standard Contractual Clauses. You can disable both the browser pixel and the server-side events by setting "Marketing" to off in Cookie Settings — this does not affect your ability to use Moveno.

11.4 How to manage your cookie preferences

On your first visit to our website, a cookie banner will appear allowing you to choose which categories of cookies you want to allow. You can:

  • Accept all — allow all cookies
  • Reject all — allow only necessary cookies
  • Manage preferences — choose per category which cookies you allow

Analytics and marketing cookies are only placed after you have given your consent. You can change your preferences at any time via the "Cookie settings" link in the website footer.


12. Security

We take appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Access control on a "need-to-know" basis
  • Regular security audits

13. Changes to this policy

We may update this privacy policy from time to time. In case of substantial changes, we will inform you via email or the app. The "Last updated" date at the top indicates the most recent version.


14. Complaints

If you have a complaint about the processing of your personal data, you can contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):


15. Contact

Questions about this privacy policy? Contact us at: