Privacy Policy
Version 1.0 · Published July 9, 2026
Table of Contents
- Who We Are
- Scope of This Privacy Policy
- What Personal Data We Collect
- Data Users Provide Directly
- Data Collected Automatically
- Meal Photos and AI Analysis
- Nutrition, Wellbeing, Habit, and Health-Adjacent Data
- Data from Apple Health, Google Health Connect, Wearables, or Integrations
- Payment and Subscription Data
- Device, Analytics, Diagnostics, and Crash Data
- Cookies, SDKs, Attribution, and Tracking Technologies
- How We Use Personal Data
- Legal Bases Under GDPR / UK GDPR
- Special Category or Sensitive Data Considerations
- AI Processing and Automated Insights
- Personalisation and Recommendations
- Push Notifications and Reminders
- Marketing Communications
- When We Share Personal Data
- Processors and Service Providers
- International Data Transfers
- Data Retention
- Security
- Children and Minimum Age
- User Rights Under GDPR, UK GDPR, and Swiss FADP
- How to Exercise Your Rights
- Account Deletion and Data Deletion
- App Store Purchases and Third-Party Platforms
- Third-Party Links and Services
- Changes to This Privacy Policy
- Contact Details
1. Who We Are
This Privacy Policy is issued by:
NXL GmbH Baarermattstrasse 8D 6340 Baar Switzerland Company registration number: [COMPANY REGISTRATION NUMBER — CH-UID]
NXL GmbH ("NXL", "we", "our", or "us") is the data controller responsible for personal data processed through the mobile application Spru (the "App") and related services (together, the "Services").
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights available to you.
2. Scope of This Privacy Policy
This Privacy Policy applies to:
- the Spru mobile application (iOS and Android);
- any associated websites operated by NXL (e.g. https://spru.app);
- customer support interactions related to the App; and
- any other service that links to this Privacy Policy.
This Privacy Policy does not apply to third-party websites, applications, or services that Spru may link to or integrate with, including Apple, Google, and other platforms, which are governed by their own privacy policies. See Section 29.
This Privacy Policy should be read together with our Terms & Conditions.
3. What Personal Data We Collect
The exact personal data we collect about you depends on:
- which features you choose to use;
- the permissions you grant on your device (e.g. camera, photo library, notifications, health data access);
- whether you connect optional integrations (e.g. Apple Health, Google Health Connect); and
- your device and operating system settings.
Categories of personal data we may collect include, without limitation:
- Account data: email address, authentication identifiers, account creation date
- Profile information: display name, age or age range, height, weight, gender, activity level
- Goals and preferences: nutrition goals, hydration goals, dietary preferences, allergies, food preferences
- Meal and nutrition data: meal photos, AI-inferred food items, portion size estimates, nutrition estimates (calories, macronutrients, micronutrients), meal history, manually logged meals
- Hydration and habit data: water intake logs, habit tracking activity, streaks, progress and engagement history
- Avatar/engagement data: avatar ("Spru") evolution state and progress
- Health-adjacent integration data: data received from Apple Health, Google Health Connect, or other connected wearables, where enabled (see Section 8)
- Subscription and payment-related data: subscription tier, purchase status, transaction identifiers (see Section 9)
- Device and technical data: device identifiers, device model, operating system version, app version, IP address, language and locale settings
- Usage and analytics data: in-app events, feature usage, session data, screen views
- Diagnostics data: crash logs and error reports [PLACEHOLDER — confirm crash reporting provider before publication; see Section 20]
- Notification data: push notification tokens, notification interaction data
- Support data: messages, attachments, and information you provide when contacting customer support
We do not require you to provide all of the above categories to use the core features of the App. Some data is required to create an account and use basic functionality; other data is collected only if you choose to enable specific features.
4. Data Users Provide Directly
You provide personal data directly to us when you:
- create an account (e.g. email address, authentication credentials);
- complete or edit your profile (e.g. age, height, weight, gender, goals, dietary preferences, allergies);
- log meals, water intake, or habits manually;
- upload or capture meal photos;
- interact with the Spru avatar or in-app features;
- subscribe to Premium or manage your subscription;
- contact customer support or provide feedback; and
- respond to in-app surveys or prompts, where offered.
5. Data Collected Automatically
When you use the App, certain data is collected automatically, including:
- device identifiers and device/OS information;
- IP address and approximate location derived from it;
- app usage data (features used, screens viewed, session duration, interaction events);
- analytics events generated by our analytics tooling (see Section 20);
- diagnostic and crash data; and
- notification tokens used to deliver push notifications.
The exact data collected automatically depends on your device settings (e.g. whether you have restricted tracking, location, or advertising identifiers at the operating system level) and any privacy choices you make within the App.
6. Meal Photos and AI Analysis
Spru allows you to capture or upload photos of meals so that our AI-powered systems can attempt to identify food items, estimate portion sizes, and estimate nutritional content.
In relation to meal photos, we want you to understand that:
- meal photos you capture or upload are processed by AI systems, including third-party AI providers acting as our processors (see Section 20);
- AI-generated food identification, portion estimates, and nutrition estimates are estimates only and may be inaccurate, incomplete, or unreliable;
- you should review and, where necessary, correct AI-generated results before relying on them;
- meal photos may be retained to provide your meal history and to allow you to review past entries, subject to the retention periods in Section 22; and
- see Section 15 for how meal photo data may or may not be used to improve our AI systems.
7. Nutrition, Wellbeing, Habit, and Health-Adjacent Data
Spru helps you track nutrition, hydration, habits, and general wellbeing. Data you provide or that is generated through your use of these features (nutrition estimates, hydration logs, habit streaks, goals, dietary preferences, and allergy information) is health-adjacent data.
We treat this data with particular care because, depending on your jurisdiction, some of it may qualify as special category or sensitive personal data (see Section 14).
Spru is not a medical device, and it does not provide medical advice, diagnosis, or treatment. Nutrition and wellbeing information provided through the App is for general informational and educational purposes only. You should consult a qualified physician, registered dietitian, or other healthcare professional before making decisions that affect your health, particularly if you have a medical condition, allergy, or are pregnant, breastfeeding, or otherwise in a vulnerable health situation.
8. Data from Apple Health, Google Health Connect, Wearables, or Integrations
Spru currently supports optional, user-enabled integrations with:
- Apple Health (HealthKit), on iOS devices; and
- Google Health Connect, on Android devices.
[PLACEHOLDER — confirm the exact data types read from and/or written to Apple Health / Google Health Connect (e.g. steps, weight, water intake, active energy, nutrition) before publication, and update this section and the relevant App Store / Google Play disclosures accordingly.]
Where you enable one of these integrations:
- you will be asked to grant permission at the operating system level for each specific data type;
- you may revoke this permission at any time through your device's system settings;
- data obtained through these integrations is used to provide and personalise the Services (e.g. combining hydration or activity data with in-app tracking); and
- we do not control, and are not responsible for, how Apple or Google collect or process data within their respective health platforms — see their own privacy policies for details.
We may support additional wearable or third-party health platform integrations in the future. Any new integration will be reflected in an updated version of this Privacy Policy and, where required, will be subject to your consent before activation.
9. Payment and Subscription Data
Spru offers a free tier and a Premium subscription tier.
Subscriptions purchased through the App are billed by Apple App Store or Google Play, as applicable. When you subscribe:
- Apple or Google processes your payment method and full payment card details; NXL does not receive or store your full card number, CVV, or bank account details;
- we receive limited transaction data from our subscription management provider (see Section 20), such as subscription status, product identifier, purchase/renewal dates, and anonymised or truncated transaction identifiers, to manage entitlements (i.e. to know which features you have access to); and
- refunds, billing disputes, and payment method changes are handled by Apple or Google in accordance with their respective policies — see Section 28.
10. Device, Analytics, Diagnostics, and Crash Data
We and our service providers collect technical and analytics data to operate, secure, and improve the App, including:
- device model, operating system and version, app version, language, and locale;
- IP address and approximate location derived from it;
- unique device or install identifiers;
- in-app analytics events (e.g. feature usage, screens viewed, taps, session length); and
- crash logs and diagnostic/error reports [PLACEHOLDER — confirm crash reporting provider; not currently confirmed as integrated based on our technical review — see Section 20].
This data helps us identify and fix bugs, understand feature usage, and improve app performance and stability.
11. Cookies, SDKs, Attribution, and Tracking Technologies
In-app tracking technologies. The App uses software development kits (SDKs) from the service providers listed in Section 20 (e.g. analytics, crash reporting, subscription management) to collect device and usage data as described above.
Advertising and attribution SDKs. [PLACEHOLDER — no mobile attribution SDK (e.g. AppsFlyer, Adjust) was identified in our technical review as of the date of this draft. If an attribution or advertising SDK is added, this section must be updated before publication, and platform-level tracking consent (e.g. Apple App Tracking Transparency) must be implemented.]
Website cookies. If NXL operates a marketing or account website at https://spru.app or a related domain, that website may use cookies or similar tracking technologies. [PLACEHOLDER — insert or link a separate Cookie Policy / cookie banner disclosure if the website uses non-essential cookies, in accordance with ePrivacy and GDPR consent requirements.]
Where required by applicable law (e.g. ePrivacy Directive implementations, GDPR), we will obtain your consent before activating non-essential tracking technologies, and will provide a mechanism to withdraw consent at any time.
12. How We Use Personal Data
We use personal data to:
- create, maintain, and secure your account;
- provide core App functionality (meal logging, AI meal analysis, hydration tracking, habit tracking, goals, streaks, avatar progression);
- generate nutrition estimates and personalised insights and recommendations;
- process and manage Premium subscriptions and entitlements;
- send push notifications and reminders you have opted into;
- provide customer support and respond to inquiries;
- monitor, maintain, and improve the performance, security, and reliability of the Services;
- detect, investigate, and prevent fraud, abuse, and security incidents;
- comply with legal obligations; and
- with your consent where required, send marketing communications (see Section 18).
We do not use personal data for purposes incompatible with those described in this Privacy Policy without providing further notice and, where required, obtaining your consent.
13. Legal Bases Under GDPR / UK GDPR
Where the GDPR or UK GDPR applies to our processing of your personal data, we rely on the following legal bases, as applicable to the specific processing activity:
- Performance of a contract (Art. 6(1)(b) GDPR): to create your account, provide the Services you request, and manage your subscription.
- Consent (Art. 6(1)(a) GDPR): for processing that requires opt-in consent, such as optional health integrations, certain analytics or tracking technologies, marketing communications, and any use of data for AI model improvement that requires consent under Section 15.
- Legitimate interests (Art. 6(1)(f) GDPR): for product analytics, security, fraud prevention, and service improvement, balanced against your rights and interests. [PLACEHOLDER — a formal legitimate interests assessment (LIA) should be completed and referenced here before publication.]
- Legal obligation (Art. 6(1)(c) GDPR): to comply with tax, accounting, consumer protection, or other applicable legal requirements.
Where we process special category data under Article 9 GDPR, we rely on explicit consent (Art. 9(2)(a) GDPR) or another applicable Article 9 exception, as described in Section 14.
14. Special Category or Sensitive Data Considerations
Some data processed by Spru — including health-adjacent nutrition data, allergy information, and data obtained from Apple Health or Google Health Connect — may constitute special category data under Article 9 GDPR / UK GDPR, or sensitive personal data under the Swiss FADP, depending on the jurisdiction and the specific data involved.
Where this is the case:
- we will only process such data on the basis of your explicit consent, or another valid legal basis recognised under applicable law;
- you may withdraw consent at any time, which will stop future processing of that data (without affecting the lawfulness of processing before withdrawal), as described in Section 26; and
- we apply additional technical and organisational safeguards to this category of data, as described in Section 23.
Allergy and dietary restriction information you provide is used solely to power in-app features (e.g. filtering or flagging) and is not used for any purpose beyond providing and improving the Services, except as otherwise described in this Privacy Policy.
15. AI Processing and Automated Insights
Spru uses artificial intelligence and machine learning systems, including third-party AI providers, to power features such as meal photo recognition, nutrition estimation, and personalised insights.
You should understand that:
- meal photos and related inputs may be processed by AI systems, including third-party AI providers acting as our processors (see Section 20);
- AI systems may infer food items, portion sizes, nutritional values, and other attributes from the data you provide;
- AI outputs are estimates and may be inaccurate, incomplete, or change over time as our models and methods are updated;
- automated insights and recommendations generated by the App are informational only and do not constitute medical, dietary, or health advice, and are not a substitute for professional consultation; and
- you remain responsible for reviewing AI-generated outputs and for the decisions you make based on them.
Use of data for AI model training and improvement.
We may use de-identified or aggregated data derived from user content and usage data to evaluate, maintain, and improve our AI systems and the accuracy of our nutrition estimates. Where we do so:
- we apply de-identification or aggregation techniques intended to prevent the data from being reasonably linked back to you; and
- we do not use your raw, identifiable meal photos or personal data to train general-purpose or third-party AI models outside the scope of providing and improving the Services described in this Privacy Policy.
[PLACEHOLDER — confirm final de-identification/aggregation methodology and retention approach with engineering and legal before publication, and confirm whether any AI provider's terms permit them to independently use submitted data for their own model training (see provider DPAs in the Implementation Checklist).]
16. Personalisation and Recommendations
We use the personal data described in this Privacy Policy — such as your goals, dietary preferences, meal history, hydration logs, and habit activity — to personalise your experience, including:
- tailoring nutrition and hydration recommendations;
- adjusting insights and progress summaries; and
- evolving the in-app avatar based on your engagement.
Personalisation is based on your in-app activity and the information you choose to provide. You may be able to limit personalisation by not enabling certain optional features or by adjusting your preferences in the App, where such controls are available. [PLACEHOLDER — confirm which personalisation controls are exposed to users in-app.]
17. Push Notifications and Reminders
With your permission, we send push notifications, including meal logging reminders, hydration reminders, streak and progress updates, and other engagement or informational notifications.
- You will be asked to grant notification permission at the operating system level before receiving push notifications.
- You may disable push notifications at any time through your device's system settings, or through in-app notification preferences where available.
- Notification delivery relies on platform push services (Apple Push Notification service, Firebase Cloud Messaging/Google) and our notification delivery provider (see Section 20).
18. Marketing Communications
Where we send marketing communications (e.g. product updates, promotional offers, or newsletters) by email or push notification, we will do so only in accordance with applicable law, which may require your prior opt-in consent.
You may opt out of marketing communications at any time by:
- following the unsubscribe instructions included in the communication;
- adjusting your notification or communication preferences in the App, where available; or
- contacting us using the details in Section 31.
Opting out of marketing communications does not affect transactional or service-related communications (e.g. account, security, or billing notices), which we may still need to send you.
19. When We Share Personal Data
We do not sell your personal data. We may share personal data in the following circumstances:
- With service providers and processors who perform services on our behalf (e.g. hosting, analytics, AI processing, subscription management, notification delivery) — see Section 20;
- With Apple and Google as necessary to process App Store / Google Play purchases and to support platform integrations you enable (e.g. Health Connect, HealthKit);
- For legal reasons, where we believe disclosure is necessary to comply with applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of NXL, our users, or others;
- In connection with a business transaction, such as a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and, where required, notice to affected users; and
- With your consent, for any other purpose we disclose to you at the time of collection.
20. Processors and Service Providers
We work with the following categories of service providers to operate the App. Providers marked [Confirmed] were identified in our technical review of the Spru codebase and infrastructure as of the date of this draft; providers marked [Placeholder] require confirmation before publication.
| Provider | Purpose | Status |
|---|---|---|
| Firebase (Google) | Authentication, and potentially other Firebase services | [Confirmed] |
| PostHog | Product analytics (mobile and backend events) | [Confirmed] |
| RevenueCat | Subscription and entitlement management | [Confirmed] |
| Google Generative AI (Gemini) | AI meal photo recognition and nutrition estimation | [Confirmed] |
| Expo (Expo Notifications) | Push notification delivery, relayed via Apple APNs / Google FCM | [Confirmed] |
| Google Cloud Platform | Application hosting, databases, file storage (Cloud Run, Cloud SQL, Cloud Storage) | [Confirmed] |
| Apple (HealthKit) | Optional health data integration (iOS) | [Confirmed] |
| Google (Health Connect) | Optional health data integration (Android) | [Confirmed] |
| Sentry | Crash and error reporting | [Placeholder — not currently identified as integrated; confirm before publication] |
| AppsFlyer / Adjust | Marketing attribution | [Placeholder — not currently identified as integrated; confirm before publication] |
| OpenAI / Anthropic | AI processing | [Placeholder — not currently identified as integrated; remove if not used] |
| [Additional providers] | [Purpose] | [Placeholder] |
All processors are required, under data processing agreements, to process personal data only on our documented instructions, to implement appropriate technical and organisational security measures, and to assist us in complying with applicable data protection law.
[PLACEHOLDER — attach or reference the executed Data Processing Agreement (DPA) for each confirmed provider before publication; see the Implementation Checklist.]
21. International Data Transfers
NXL is based in Switzerland. Depending on the service providers we use, your personal data may be processed in Switzerland, the European Economic Area (EEA), the United Kingdom, the United States, or other countries.
Where personal data is transferred outside Switzerland, the EEA, or the UK to a country that has not been recognised as providing an adequate level of data protection, we rely on appropriate safeguards, which may include:
- adequacy decisions issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC), the European Commission, or the UK government, as applicable;
- the EU Standard Contractual Clauses (SCCs), and, where relevant, the Swiss Addendum to the SCCs;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs; and
- additional contractual, technical, and organisational safeguards with our processors.
[PLACEHOLDER — confirm the specific transfer mechanism relied on for each processor listed in Section 20, including hosting region configuration for Google Cloud Platform, before publication.]
22. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
Indicative retention periods (to be confirmed and finalised before publication):
- Account data: retained for the life of your account and deleted or anonymised within [X] [days/months] after account deletion, subject to Section 27
- Meal photos: retained for [X days/months] unless you save or reference them in your meal history, or until account deletion
- Nutrition, hydration, and habit logs: retained for the life of your account, or [X years] after your last activity if the account becomes inactive
- Analytics data: retained for [X months]
- Crash and diagnostic data: retained for [X months]
- Support messages: retained for [X years]
- Payment/subscription records: retained for [X years], as required for accounting, tax, and legal compliance purposes
- Marketing consent records: retained for [X years] after withdrawal of consent, to demonstrate compliance
[PLACEHOLDER — a formal retention schedule must be finalised with input from engineering, finance, and legal before publication; see the Implementation Checklist.]
23. Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or destruction, including [PLACEHOLDER — confirm and list actual measures, which may include: encryption in transit (TLS), encryption at rest, access controls and role-based permissions, authentication safeguards, and regular security review practices].
No method of transmission or storage is completely secure. While we take reasonable steps to protect your personal data, we cannot guarantee absolute security.
If we become aware of a data breach affecting your personal data, we will notify you and/or the relevant supervisory authority where required by applicable law (including the Swiss FADP, GDPR, and UK GDPR).
24. Children and Minimum Age
Spru is not directed at children, and we do not knowingly collect personal data from children under the age of [PLACEHOLDER — confirm minimum age, e.g. 16, consistent with applicable law in relevant jurisdictions, noting that GDPR permits member states to set the age of consent for information society services between 13 and 16].
If you believe a child has provided personal data to us without appropriate parental or guardian consent, please contact us using the details in Section 31 so that we can investigate and, where appropriate, delete the data.
[PLACEHOLDER — confirm final minimum age policy and any age-verification mechanism with legal counsel; this must be consistent with the Terms & Conditions eligibility clause.]
25. User Rights Under GDPR, UK GDPR, and Swiss FADP
Depending on your location, you may have some or all of the following rights in relation to your personal data:
- Right of access: to obtain confirmation of, and access to, the personal data we hold about you.
- Right to rectification: to request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): to request deletion of your personal data, subject to applicable exceptions.
- Right to restriction of processing: to request that we limit how we use your personal data in certain circumstances.
- Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller, where technically feasible.
- Right to object: to object to processing based on legitimate interests, and to object to direct marketing at any time.
- Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: with a supervisory authority, including:
- the Swiss Federal Data Protection and Information Commissioner (FDPIC), if you are in Switzerland;
- your local supervisory authority, if you are in the EEA; or
- the UK Information Commissioner's Office (ICO), if you are in the United Kingdom.
These rights are subject to applicable legal limitations and exceptions under the Swiss FADP, GDPR, and UK GDPR, as relevant to your location.
26. How to Exercise Your Rights
To exercise any of the rights described in Section 25, you may:
- use in-app self-service tools where available (e.g. profile editing, account deletion); or
- contact us at the details in Section 31.
We may need to verify your identity before fulfilling your request. We will respond within the timeframe required by applicable law [PLACEHOLDER — confirm target response time, e.g. within one month under GDPR, extendable in certain circumstances].
27. Account Deletion and Data Deletion
You may delete your account at any time [PLACEHOLDER — confirm whether account deletion is available in-app, and describe the exact flow, e.g. Settings → Account → Delete Account].
When you delete your account:
- your profile, meal history, hydration and habit logs, goals, and avatar progress will be deleted or anonymised, subject to the retention periods in Section 22;
- some data may be retained for a limited period where necessary to comply with legal obligations (e.g. financial records for tax purposes) or to resolve disputes; and
- data already shared with processors will be deleted from their systems in accordance with our agreements with them, subject to their own deletion timelines.
[PLACEHOLDER — confirm exact deletion mechanics, backup purge timelines, and whether deletion is immediate or scheduled, with engineering before publication.]
28. App Store Purchases and Third-Party Platforms
Premium subscriptions are purchased and billed through the Apple App Store or Google Play, depending on your device.
- Apple and Google act as the merchant of record for in-app purchases made through their respective platforms and process your payment information under their own privacy policies.
- NXL does not receive or store your full payment card details.
- Refunds, billing disputes, and subscription management (e.g. cancellation) for App Store or Google Play purchases are handled directly by Apple or Google in accordance with their respective policies.
- We receive limited transaction and entitlement data from Apple/Google (via our subscription management provider) to activate and manage your Premium access.
29. Third-Party Links and Services
The App may contain links to, or integrations with, third-party websites, platforms, or services (e.g. Apple, Google, and other integrations you choose to enable). This Privacy Policy does not apply to those third-party services, which are governed by their own privacy policies and terms. We encourage you to review the privacy practices of any third-party service before providing personal data to it.
30. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law.
- If we make material changes, we will provide notice through the App, by email, or by other reasonable means before the changes take effect, and, where required by law, we will obtain your consent.
- The "Last updated" date at the top of this Privacy Policy indicates when it was last revised.
- Your continued use of the App after a revised Privacy Policy takes effect constitutes acknowledgement of the update, subject to any additional consent requirements under applicable law.
Prior versions of this Privacy Policy will be retained in os/legal/agreements/ for reference (e.g. this document as privacy_policy_v1.md).
31. Contact Details
If you have questions about this Privacy Policy or how we handle personal data, please contact:
NXL GmbH Baarermattstrasse 8D 6340 Baar Switzerland
Email: privacy@spru.app Website: https://spru.app
Additional details:
- Company registration number: [PLACEHOLDER — CH-UID / commercial register number]
- Data Protection Officer: [PLACEHOLDER — name and contact details, if appointed; if not legally required and not appointed, state "Not applicable"]
- EU representative (Art. 27 GDPR): [PLACEHOLDER — required if NXL offers goods/services to, or monitors, individuals in the EU; name and contact details, or confirmation that an assessment concluded none is required]
- UK representative (Art. 27 UK GDPR): [PLACEHOLDER — required if NXL offers goods/services to, or monitors, individuals in the UK; name and contact details, or confirmation that an assessment concluded none is required]
You also have the right to lodge a complaint with your local data protection supervisory authority — see Section 25.
Spru