Privacy Policy for Health+ AI

Wellness Disclaimer

Health+ AI is a general wellness and nutrition tracking app. It is not a medical device and does not provide medical advice, diagnosis, or treatment. The in-app AI assistant "AIRA" offers general lifestyle and nutrition information only and is not a substitute for a qualified healthcare professional. For any health concerns, please consult a doctor. In case of a medical emergency, call your local emergency number. The full disclaimer is part of our Terms of Use.

Controller (Art. 4(7) GDPR)

Dr. Alper Beser, Dr.-Golm-Str. 24, 27232 Sulingen, Germany
Email: HealthPlusAI.app<at>gmail.com
No Data Protection Officer has been appointed; please direct privacy inquiries to the email above.

Health+ AI (hereafter also referred to as "app" or "Service") is a freemium AI-powered health, nutrition and weight-management app. It enables you to log meals (by photo, voice or text), receive AI-generated nutrition estimates, chat with an AI assistant called "AIRA" for health and nutrition guidance, and track your progress against goals. The app is offered by the service provider (hereafter also referred to as "we") with a free tier and optional auto-renewing subscriptions for premium features.

This page informs visitors regarding our policies on the collection, use, and disclosure of personal data when anyone uses our Service. If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us (HealthPlusAI.app<at>gmail.com).

If you choose to use our Service, we will process your personal data only as described in this Privacy Policy and in accordance with applicable law (GDPR, TTDSG, BDSG). The personal data we collect is used to provide and improve the Service. We will not use or share your personal data with anyone except as described in this Privacy Policy.

The terms used in this Privacy Policy have the same meanings as in our Terms of Use unless otherwise defined here.

Important Health Disclaimer

Health+ AI is not a medical device. The information, calorie/macronutrient estimates, AI-generated suggestions and chat replies provided by the app are for general informational and lifestyle purposes only and do not constitute medical, dietary, diagnostic or therapeutic advice. AI outputs may be inaccurate, incomplete or unsuitable for your individual situation. Always consult a qualified physician, dietitian or other healthcare professional before making decisions that affect your health, including changes to diet, exercise, medication, or treatment.

What is Personal Data?

"Personal data" means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). In the context of Health+ AI this includes, in particular:

Health data and special-category data: Information you enter about your body (weight, height, body fat, etc.), information read from Apple HealthKit, and food/nutrition entries are considered "health data" under the GDPR (Art. 9). They are subject to enhanced protection; we only process them on the legal bases set out below, in particular your explicit consent (Art. 9(2)(a) GDPR) and your express request for the AI service (Art. 9(2)(h) is not relied upon, since we are not a healthcare provider).

No Account Registration / Anonymous Use

Health+ AI does not require you to create an account with name, email or password. On first launch the app signs you in anonymously to Firebase Authentication. Firebase generates a random, pseudonymous user identifier ("anonymous UID") that ties together your settings, purchases and attribution data on our backend. We cannot link this UID to your real-world identity unless you voluntarily provide additional information (e.g. by emailing us for support).

Consents & Settings

For non-essential analytics and attribution technologies that store or access information on your device (e.g. IDFV, installation IDs), and for the transfer of Apple Search Ads attribution data, we obtain your prior consent in the app (Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG; on iOS additionally via App Tracking Transparency where applicable). You can withdraw consent at any time inside the app under "Settings → Analytics & Optimization". Withdrawal does not affect the lawfulness of processing prior to withdrawal and does not impair essential app functions.

Access to Apple HealthKit, the microphone, the photo library, the camera, and local notifications requires your permission via the standard iOS system prompts. You can revoke each of these permissions at any time in the iOS Settings app under "Privacy & Security". Disabling a permission may limit the functions that depend on it.

Information Collection and Use — Overview

To deliver the app's core functions we process the categories of personal data listed above. Specifically:

Links to the privacy policies of the third-party service providers we use:

AI Processing — Google Vertex AI / Gemini (Firebase AI Logic)

Health+ AI uses Google's generative AI services accessed through "Firebase AI Logic" (also known as Firebase AI) to power three features:

What data is transmitted to Google for AI processing:

Where this data is processed: Google's infrastructure, which may include servers in the United States and other countries. We access these services through Firebase AI Logic with the Vertex AI Gemini API backend. Google acts as our data processor (Art. 28 GDPR) under Google's Data Processing Addendum for Firebase / Google Cloud customers. According to Google, prompts and responses sent through Firebase AI Logic are not used to train Google's foundation models and are retained only as needed for abuse-prevention monitoring in line with Google's documented policies.

What we do not store: We do not retain the prompt content (your meal photos, voice transcripts, chat messages or health snapshots) on our own backend. The meal photo you submit for analysis is sent to Google transiently for the analysis call and is not persisted on our servers; the corresponding meal record (name, nutrients, etc.) is stored locally on your device in our Realm database.

Legal bases (GDPR):

Risks to be aware of: AI outputs can be wrong. Do not submit content you do not want transmitted to Google. Do not submit content of third parties without their consent. Health+ AI is not a medical device — see "Important Health Disclaimer" above.

Apple HealthKit

If you grant the permission, Health+ AI reads selected health and fitness data from Apple HealthKit on your device in order to (a) display it to you, (b) calculate calorie burn, daily targets and progress and (c) include a snapshot in the context sent to the AI assistant. With your further permission, the app writes back nutritional intake (calories, protein, fat, carbohydrates) and body weight to HealthKit so it appears in Apple's Health app.

HealthKit data we may read: step count, walking/running distance, active and resting energy burned, heart rate and resting heart rate, sleep analysis, body weight, body-fat percentage, workout sessions (running, walking, cycling, strength training, yoga, swimming, hiking, dance, elliptical, HIIT, pilates, rowing, stair stepping and similar).

HealthKit data we may write: calories consumed, protein, fat, carbohydrates, body weight.

Important — onward transmission to AI: A subset of the HealthKit data we read (in particular daily and recent-average values for steps, energy, sleep and heart rate) is included in the prompt context that we send to Google's Vertex AI / Gemini when you use the AI chat or meal-related AI features. This onward transmission of HealthKit-derived data is necessary to provide a personalised response. By granting HealthKit permission and using the AI features you are giving your explicit consent for this transmission (Art. 9(2)(a) GDPR). You can revoke HealthKit access at any time in iOS Settings → Health → Data Access & Devices → Health+ AI. We do not sell or use HealthKit data for advertising, and we do not share it with parties other than Google for the purposes described above.

Caching: HealthKit values are cached locally on your device in UserDefaults (current day) and Realm (recent dates, kept for up to 90 days) to avoid repeatedly querying HealthKit for the same values. This cache never leaves your device unless it is sent as part of an AI prompt context as described above.

Voice / Microphone & Apple Speech Recognition

For voice-based meal logging and for editing meals by voice, the app records audio via the microphone and submits it to Apple's Speech Recognition framework (SFSpeechRecognizer). We use this framework in online mode (requiresOnDeviceRecognition = false), which means the audio is transmitted to Apple's servers for transcription. Apple is an independent data controller for this processing. Apple's documented terms apply (see link above). We do not retain the audio on our own servers; we receive only the text transcript, which is then either sent to Google's Vertex AI for meal analysis or shown to you for editing.

Microphone access requires your permission (iOS will prompt you). You can revoke it at any time in iOS Settings → Privacy & Security → Microphone, and Speech Recognition access in iOS Settings → Privacy & Security → Speech Recognition.

Photos & Meal Images

To log a meal by photo, you select an image from your photo library (or you may capture one with the camera). The selected image is compressed to a maximum of 800 pixels (longest side) at JPEG quality 0.7 and transmitted to Google's Vertex AI / Gemini for analysis. We do not retain the image on our backend after the analysis call.

The image (or, for voice-logged meals, an AI-generated illustration) is stored locally on your device in the app's Documents directory (folder mealImages) so you can view it later. These local files do not leave your device, except for an iCloud backup of your device if you have one enabled (an iCloud backup is governed by Apple's privacy policy).

Photo Library access requires your permission. You can revoke it at any time in iOS Settings → Privacy & Security → Photos.

Meal Image Generation

For voice-logged meals, the app may generate an illustrative image to visually represent your meal entry. We try in order:

Generated images are stored locally on your device only.

Firebase Authentication, Firestore & Cloud Backend

We use Firebase Authentication to sign you in anonymously and we use Cloud Firestore as our backend database. The following data may be stored in Firestore under your anonymous UID:

What is NOT stored in Firestore: your meals, your photos, your chat history, your HealthKit data, your name, age, weight, height or any other profile or health attribute. These remain on your device only (in the Realm database) and are transmitted only to Google's AI services as described in "AI Processing".

Legal bases: Performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR) for the anonymous account, sessions and purchase records; legitimate interests (Art. 6(1)(f) GDPR) for fraud and abuse prevention; your consent (Art. 6(1)(a) GDPR, § 25 TTDSG) for attribution, IDFV storage and the AppStance forwarding.

Recipient / role: Google LLC / Google Ireland Ltd. as our processor under Google's Data Processing Addendum.

Analytics (Firebase Analytics) & Crashlytics

With your consent we use Firebase Analytics to record app events (such as the type of AI call you made, e.g. ai_meal_analysis_call, ai_voice_meal_call, ai_voice_meal_image_call) along with technical metadata (device model, iOS version, app version, language, country/region at App Store storefront level, pseudonymous app instance identifier). Data is processed by Google as our processor under Firebase Data Processing Terms.

With your consent we also use Firebase Crashlytics to receive non-fatal error reports and crash dumps from your device, including device model, OS version, app version, locale, anonymised stack traces and the time of the crash. We do not attach your name, email or anonymous UID to Crashlytics reports.

Opt-out: Open the app and go to Settings → Analytics & Optimization, then turn analytics off. From that moment on, no new analytics or crash data is collected, attribution data already stored in Firestore is deleted, and no further events are forwarded to AppStance. The original-transaction identifier may be retained to process Apple's App Store Server Notifications for refunds.

Retention: analytics events up to 14 months (configurable; Firebase default); Crashlytics non-fatal reports typically up to 90 days.

Firebase Remote Config & Firebase App Check

Firebase Remote Config delivers feature flags and configuration values (e.g. which Gemini model version to use) to the app. It transmits the installation ID, app version, device type and the country/region of your App Store storefront in order to deliver the correct configuration. No personal data is profiled. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in operating the app efficiently.

Firebase App Check protects our backend by verifying that requests come from genuine app installations. It transmits device-attestation tokens to Google. No personal data is profiled. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in securing our services and preventing abuse.

Marketing Attribution & AppStance (Sub-Processor)

We measure how new users discover our app, primarily to evaluate and optimize our spending on Apple Search Ads. For this purpose, with your consent, we collect:

This data is stored in Firebase Firestore (Google as processor) and forwarded server-side by a Cloud Function to AppStance.com, a service provider specialised in Apple Search Ads campaign optimization. AppStance acts as our sub-processor (Art. 28 GDPR), is bound by a data processing agreement, and is contractually prohibited from using the data for its own purposes, from selling it, or from combining it with data from other apps or websites to track you across services. AppStance does not place third-party advertising cookies or SDKs inside Health+ AI.

This is not "tracking" within the meaning of Apple's App Tracking Transparency, because we do not combine your data with data from other companies' apps or websites for cross-app/web advertising or measurement, and because Apple Search Ads attribution is provided by Apple as a first-party measurement framework.

Legal basis (GDPR / TTDSG): your consent (Art. 6(1)(a) GDPR; § 25 TTDSG). If you withdraw your consent in Settings → Analytics & Optimization, attribution and identifier data is deleted from our backend and no further events are forwarded to AppStance. Retention: as long as your anonymous account exists, otherwise as described above.

In-App Purchases & Subscriptions (StoreKit 2)

Health+ AI offers auto-renewing premium subscriptions sold via the Apple App Store (in-app purchase). Payment is processed by Apple. We do not receive or store your payment-card details, your Apple ID or your real name. We process the App Store transaction receipt and anonymous transaction metadata (product identifier, transaction identifier, purchase and expiration date, currency and amount, free-trial state) in order to unlock premium features and to detect renewals, cancellations and refunds.

Subscription state is stored on your device in UserDefaults and listened to via StoreKit 2 Transaction.updates. Purchase events are also recorded in our Firestore backend as part of the attribution flow described above.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR); for the forwarding of purchase events to AppStance: your consent (Art. 6(1)(a) GDPR, § 25 TTDSG).

Refund Handling

When you request a refund through Apple, Apple may notify our backend. In response, we share aggregated, pseudonymous consumption data with Apple (such as account age, total play time, total purchases, total refunds, account status [active / inactive], delivery status and platform) so that Apple can decide on your refund request and so that we can detect abusive refund patterns. Apple processes this data as an independent controller under its own privacy terms.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in preventing fraudulent refunds; performance of a contract (Art. 6(1)(b) GDPR).

Notifications

With your permission the app may show local reminders and notifications (e.g. to log a meal or check in on your goals) using iOS local notification scheduling. Health+ AI does not use remote push notifications or Firebase Cloud Messaging. No notification content is transmitted to our servers. You can disable notifications at any time in iOS Settings → Notifications → Health+ AI.

Local Storage on Your Device (Realm, UserDefaults, Files)

The bulk of your personal data — including your name/nickname, gender, age, height, weight, target weight, goals, activity level, meals, chat messages, AI-generated meal images and cached HealthKit values — is stored only on your device in our local Realm database, in UserDefaults and in the app's Documents directory. This local data does not leave your device except when explicitly transmitted to Google for AI processing as described above.

Local data is automatically removed when you delete the app from your device. If your device performs an iCloud backup, local app data may be included in that backup; iCloud backups are governed by Apple's privacy policy.

Log Data

When you use our service, in the event of an error, we may collect data and information through third-party products (in particular Firebase Crashlytics) on your device, called "Log Data". This Log Data may include information such as the device IP address, device name, operating system version, app configuration when using our service, the time and date of your use, and other statistics related to usage. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in technical security, stability and debugging. Access to or storage of information on your device that is not strictly necessary occurs only with your prior consent (§ 25 TTDSG).

Processing Overview (Summary Table)

Apple Speech Recognition
Purpose: convert speech to text (voice meal logging, voice corrections).
Data: microphone audio, device/OS data, IP address.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR); your explicit consent for related health-data inputs (Art. 9(2)(a) GDPR).
Recipient / role: Apple Inc. — independent controller under Apple's policies.
Retention: not retained by us.

Google Vertex AI / Gemini (Firebase AI Logic)
Purpose: meal analysis, AI chat with "AIRA", meal image generation.
Data: meal photos, voice transcripts, chat messages, profile data, HealthKit snapshot, meal history, image description.
Legal basis: performance of a contract (Art. 6(1)(b)); for health/special-category data: your explicit consent (Art. 9(2)(a)); legitimate interests (Art. 6(1)(f)) for operation and security.
Recipient / role: Google as our processor under the Firebase Data Processing Addendum. Per Google, content is not used for model training.
Retention: not retained by us; Google retains transiently as per its policies.

Apple HealthKit
Purpose: read fitness/health data and write back nutrition and weight entries.
Data: see "Apple HealthKit" section above.
Legal basis: explicit consent (Art. 6(1)(a) / Art. 9(2)(a) GDPR) via the iOS HealthKit permission prompts and your activation of the relevant feature.
Recipient / role: data is read/written on-device. Subsets are forwarded to Google as part of AI prompts (see above).
Retention: cached on-device for up to 90 days; HealthKit itself is managed by Apple.

Firebase Authentication, Firestore, Crashlytics, Analytics, Remote Config, App Check
Purpose: anonymous account, attribution storage, purchase tracking, crash & stability monitoring, feature flags, abuse prevention.
Data: anonymous UID, IDFV (with consent), install timestamp, session metrics, purchase events, Apple Search Ads attribution, app instance identifier, device/OS/app metadata, crash dumps.
Legal basis: consent for analytics/attribution/IDFV (Art. 6(1)(a), § 25 TTDSG); performance of contract / legitimate interests for the anonymous account, security and stability (Art. 6(1)(b)/(f)).
Recipient / role: Google as processor under Firebase Data Processing Terms.
Retention: as described per service above.

AppStance (Apple Search Ads optimization)
Purpose: optimisation of our Apple Search Ads campaigns.
Data: anonymous UID, IDFV, install timestamp, purchase / trial / renewal events, Apple Search Ads attribution.
Legal basis: consent (Art. 6(1)(a) GDPR; § 25 TTDSG).
Recipient / role: AppStance — sub-processor under data processing agreement; no own purposes; no cross-app/web tracking.
Retention: as long as your anonymous account exists; deleted on opt-out (subject to AppStance's own retention).

Refund handling (Apple)
Purpose: response to Apple refund requests.
Data shared with Apple: account age, usage duration, total purchases, total refunds, user status, delivery status, platform.
Legal basis: legitimate interests (Art. 6(1)(f)); performance of contract (Art. 6(1)(b)).
Recipient / role: Apple — independent controller.

Support contact (email)
Purpose: respond to support inquiries.
Data: your email address, message content, metadata.
Legal basis: pre-contractual / contractual (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)).
Retention: 6 months after ticket closure, unless legal obligations require longer.

Legal Bases for Processing

We process your personal information based on the following legal grounds under GDPR Article 6 and, where applicable, Article 9:

Where we rely on legitimate interests, we have conducted a balancing test (Legitimate Interests Assessment). A summary can be provided upon request.

Service Providers / Recipients of Data

We may employ third-party companies and individuals (see links above) to:

Depending on the service, providers act either as processors (Art. 28 GDPR) under our instructions or as independent controllers under their own responsibility. Where a provider acts as our processor, we have entered into data processing agreements and require appropriate technical and organisational security measures. Where a provider acts as an independent controller (e.g. Apple for Speech Recognition, HealthKit and Search Ads), processing is governed by that provider's own privacy notices.

Data Transfers Outside the EEA

Your personal data may be transferred to and processed in countries outside the EEA, in particular the United States. This concerns in particular data sent to Google (Firebase / Vertex AI / Gemini), Apple (Speech Recognition, Search Ads, refund handling) and AppStance (campaign optimization).

Where the recipient participates in the EU–US Data Privacy Framework (DPF), transfers rely on the European Commission's adequacy decision under Art. 45 GDPR. Otherwise, we use the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) together with supplementary measures (in particular TLS encryption in transit and access controls). Despite these measures, transfers to third countries may carry a residual risk of access by government authorities under the laws of that country.

Data Retention

We retain personal data only for as long as necessary for the purposes described above or as required by law. Unless stated otherwise:

Backups may retain technical copies for a limited period; these are automatically overwritten and are not used for active processing.

Account Deletion & Local Data Removal

You may delete your anonymous Firebase account at any time from inside the app under "Settings → Account & Data". Deletion removes your Firebase Authentication record and signs you out. Subject to operational and backup cycles, we will also delete your Firestore user document and associated purchase / attribution records on request (please write to HealthPlusAI.app<at>gmail.com and quote your IDFV or original-transaction identifier so we can locate the records). The original-transaction identifier may be retained, in pseudonymous form, where this is necessary to process Apple's App Store Server Notifications and to prevent abusive refunds.

Important: Local data stored by the app on your device (Realm database, cached HealthKit values, meal images, settings) is not deleted automatically by the in-app "delete account" action. To remove all local data, please uninstall the app from your device. Uninstalling removes the local Realm database, the locally stored meal images and the app's UserDefaults.

Data Breach Notification

In the event of a personal-data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay (Art. 34 GDPR). If you suspect a data breach, please contact us at HealthPlusAI.app<at>gmail.com.

GDPR Data Protection Rights

We would like to make sure you are fully aware of all of your data protection rights according to the GDPR. Every user is entitled to the following rights:

The right to access (Article 15): You have the right to request copies of your personal data.

The right to rectification (Article 16): You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.

The right to erasure ("right to be forgotten") (Article 17): You have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing (Article 18): You have the right to request that we restrict the processing of your personal data, under certain conditions.

The right to object to processing (Article 21): You have the right to object to our processing of your personal data, in particular when processing is based on legitimate interests or for direct marketing.

The right to data portability (Article 20): You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, and to have those data transmitted to another controller, under certain conditions.

The right to withdraw consent (Article 7(3)): You may withdraw any consent you have given at any time, with effect for the future, in the app under "Settings → Analytics & Optimization", in iOS Settings, or by emailing us.

To exercise any of these rights: Please contact us at HealthPlusAI.app<at>gmail.com. We have one month to respond to you from receipt of your request (extendable by two further months for complex or multiple requests). In some cases, we may need to verify your identity before processing your request, although because we operate on anonymous accounts we will not request more information than is strictly necessary.

You also have the right to lodge a complaint with a supervisory authority if you believe that your data protection rights have been violated. Our competent authority is: Die Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, Germany, Phone: +49 511 120-4500, Email: poststelle@lfd.niedersachsen.de.

Security

We value your trust in providing us your personal data, and we strive to use commercially acceptable means of protecting it. But please remember that no method of transmission over the internet, or method of electronic storage, is 100 % secure and reliable, and we cannot guarantee absolute security.

We implement technical and organisational measures including TLS encryption in transit, Firebase App Check attestation, access controls based on the principle of least privilege, logging and monitoring, regular deletion schedules, and data processing agreements with our processors. Sensitive content (in particular health-related inputs) is not stored on our backend.

Provision of Data

Providing meal inputs (photo, voice or text) and profile information is necessary to use the core features of the app. Granting analytics, attribution and HealthKit consents is optional; if you withhold or withdraw consent, the related features remain disabled, and the core meal-logging features continue to work (although personalised AI output will be less accurate without context).

Source of Data

We collect personal data directly from you and from your device during app use (via the app and integrated SDKs), and from Apple via the AdServices framework (Apple Search Ads attribution). We do not obtain personal data from third-party data brokers.

Automated Decision-Making

We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. AI outputs (meal estimates, chat replies, suggested goals) are informational only and are not used to make individual decisions with legal effect; they are not a substitute for medical advice.

Children's Privacy

This Service is not intended for or directed to children under the age of 16. In the EEA, we apply the GDPR Article 8 threshold of 16 years; outside the EEA, the same minimum age applies as a matter of our own product policy. The app is rated 16+ on the App Store. We do not knowingly collect personal data from children under 16. If we discover that a child under 16 has provided us with personal data, we will promptly delete it. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us so that we can take appropriate action.

Links to Other Sites

This Service may contain links to other sites. If you click on a third-party link, you will be directed to that site. These external sites are not operated by us, so we strongly advise you to review the privacy policies of these websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Language

If we provide this policy in multiple languages, the German version prevails for users in Germany and the EEA.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. You are advised to review this page periodically for any changes. For material changes, we will provide advance notice in-app or by email at least 7 days before the new policy takes effect.
This policy is effective as of 17 May 2026.

Imprint

Dr. Alper Beser
Dr.-Golm-Str. 24
27232 Sulingen, Germany

Email: HealthPlusAI.app<at>gmail.com
Inquiries are typically answered within 24–48 hours.

For the full imprint, please visit: Imprint

Contact Us

If you have any questions or suggestions about this Privacy Policy, contact us at HealthPlusAI.app<at>gmail.com.