Privacy Policy

We collect the minimum data needed to operate the service: Account data • Email address (required for account creation via AWS Cognito) • First and last name (optional, set in your profile) • Avatar photo (optional, uploaded by you) Usage data • Nutrition label photos and food photos you upload — stored in AWS S3 • Analysis records linked to your account — stored in AWS DynamoDB • Journal entries you create: food notes, personal grades, and any photos you attach — stored in AWS S3 and DynamoDB Quiz data • Quiz responses are stored only in your browser's localStorage. We do not send quiz answers to our servers. Payment data • Paddle processes all payments as our Merchant of Record. We receive only a customer ID and subscription status — we never see or store your card details. Analytics and error data • PostHog collects anonymised product usage events (pages visited, features used) to help us improve the product. • Sentry captures error reports that may include your email address in error context.

We use the data we collect to: • Provide and improve the Svelio service • Authenticate your account and manage your subscription • Process and display nutrition analysis results to you • Store your journal entries and make them available to you • Send transactional emails (account confirmation, password reset, billing receipts) • Monitor and fix errors and performance issues • Understand which features are most useful and where to invest next We do not sell your data. We do not use your uploaded photos or journal entries for advertising, model training, or any purpose beyond delivering the service to you.

Svelio uses the following third-party services to operate: AWS (Amazon Web Services) Storage and database infrastructure. Your uploaded files are stored in AWS S3 (us-east-2 region). Your profile and analysis records are stored in AWS DynamoDB. Authentication is handled by AWS Cognito, which stores your email and name. Paddle Payment processing (Merchant of Record). Paddle handles all card data, tax collection, and compliance. We receive only subscription status and customer identifiers. Paddle's privacy policy: paddle.com/privacy. PostHog Product analytics. We use PostHog to understand how the product is used — page views, feature clicks, and similar anonymised events. PostHog's privacy policy: posthog.com/privacy. Sentry Error monitoring. Sentry captures unhandled errors to help us diagnose bugs. Error reports may include your email address if you are logged in at the time of the error. Sentry's privacy policy: sentry.io/privacy. No other third parties receive your personal data as part of normal service operation.

We use a minimal set of cookies: • Session cookie — an httpOnly cookie used to maintain your authenticated session. It contains no personal data, only a session reference. • Refresh cookie — an httpOnly cookie used to renew your session without requiring you to sign in again. We do not use advertising cookies or third-party tracking cookies. PostHog may set a first-party analytics cookie to distinguish unique sessions.

Your data is retained for as long as your account is active. If you delete your account, we will delete your profile, uploaded files, and journal entries within 30 days, except where we are required by law to retain records for longer. Stripe retains billing records for their own legal and compliance purposes. Error logs in Sentry are retained for 90 days.

Depending on your location, you may have the right to: • Access the personal data we hold about you • Correct inaccurate data • Request deletion of your data (right to erasure) • Export your data in a portable format • Object to or restrict certain processing • Lodge a complaint with a supervisory authority (EU/UK users: your national data protection authority) To exercise any of these rights, contact us at hello@svelio.io. We will respond within 30 days.

Questions about this Privacy Policy or how we handle your data? Email us at hello@svelio.io. Montebay Innovations LLC — svelio.io