Legal

Privacy Policy

Last updated: 16 May 2026 · Effective date: 23 April 2026

This Privacy Policy explains how Arovya ("we", "us", "the app") handles your information. We've written it in plain English. If anything is unclear, contact us at the address at the bottom of this page.

1. The short version

    Your supplements, adherence, scan history, name, goals and diet preferences are stored only on your device. We do not have a copy as part of normal app operation.
Barcodes you scan are sent to Open Food Facts so we can look up product information.
Photos you take for AI label scanning are sent to our processing service (Cloudflare and OpenAI) to extract ingredients and nutrition.
When AI label scanning successfully identifies a food product, we retain the front-of-package photo and the extracted product data (ingredients, nutrition, brand, category, allergens). This lets us recognise the same product faster when other users scan it and reduces the cost of running the service.
Anonymous scan data is tied to a hashed device identifier — not to your name, email, or any direct identifying information.
Anonymous analytics and crash reports help us understand which features are used and fix bugs. They are configured not to include personal information.
Subscription state is handled by Apple and RevenueCat using anonymous identifiers.
We do not sell your data, share it for advertising, or use it for any purpose unrelated to running the app.

  

2. Who we are

Arovya is an indie app developed by Anand Basavaraj Muddi, based in the United Kingdom. We are the data controller for any information you provide.

Correspondence address:

Anand Muddi
Unit 166188
PO Box 7169
Poole, BH15 9EL
United Kingdom

For privacy questions, contact: support@arovya.uk

3. What stays only on your device

The following information is stored exclusively in your device's local storage (UserDefaults). It is not intentionally sent to us or to any third party as part of normal app operation:

Your name (if you enter one during onboarding)
Your health goals (e.g. energy, sleep, immunity)
Your dietary preferences (e.g. vegetarian, vegan, dairy-free)
Your supplement list (what you take, dose, timing)
Your daily adherence data (which supplements you've marked as taken)
Your scan history (past products you've scanned and their results)
Your purchase tracking marks (whether you bought a scanned product or not)
Your settings and preferences within the app

If you delete the app, this information is removed with it.

4. What is sent off your device, and why

4.1 Barcode lookups (Open Food Facts)

When you scan a barcode, we send the barcode number to Open Food Facts (openfoodfacts.org) to retrieve product information. Open Food Facts is a free, open product database. We send only the barcode — no information about you. See Open Food Facts' privacy policy at openfoodfacts.org/privacy.

4.2 AI label scanning (Cloudflare and OpenAI)

When a product isn't in Open Food Facts and you choose to scan the label with AI, the photos you take are sent through our Cloudflare Worker (a security and rate-limiting proxy we operate) to OpenAI for ingredient and nutrition extraction.

What we send:

The photos you took (up to three: front of package, ingredients list, and optionally nutrition panel)
A device identifier (see Section 4.4)
The app version
The static AI prompt

What we do not intentionally send:

Your name, supplements, adherence, goals, diet, or scan history
Anything about other products you've scanned

OpenAI processes the photos to extract text and structured data, then returns the result. We use OpenAI's API service. Under OpenAI's API data handling terms, data submitted via the API is not used to train OpenAI's models by default. After extraction, only the front-of-package photo is retained (see Section 4.3); ingredients and nutrition photos are used for extraction only and are not kept. For current details on OpenAI's data handling, review their privacy and API documentation.

4.3 Product image storage (Cloudflare R2)

When AI label scanning successfully identifies a food product, we retain the front-of-package photo you took. The image is stored in Cloudflare R2 (Western Europe region) alongside the extracted product data described in Section 4.4, so that when other users scan the same product in future, we can recognise it faster and avoid re-processing the same label. This optimises the service for all users and reduces the cost of running Arovya.

We store only one image per successful scan — the front-of-package photo. Photos of the ingredients list and nutrition panel are not retained after processing. The stored image is not linked to your name, identity, or account; it sits alongside the anonymised data described in Section 4.4.

4.4 Anonymous scan results (Cloudflare D1)

After a successful AI label scan, we save the extracted result to our database, paired with a hashed device identifier. This helps us recognise commonly-scanned products faster in future and improve coverage in regions where Open Food Facts has gaps.

What's stored:

The extracted product information (product name, ingredients, nutrition values)
Brand (if visible on the label)
Category (a short descriptor such as "snack", "cereal", "drink")
Allergens (if listed on the label)
Serving size (if listed on the label)
A reference to the stored front-of-package image (see Section 4.3)
The barcode (where present)
A SHA-256 hash of a randomly-generated device UUID, salted with a secret value
An approximate country code (from your network connection — country only, not city, not address)
The app version
Timestamp

What's not intentionally stored:

Your name
Your supplements or adherence data
Your scan history (only the single scan being processed)
The ingredients or nutrition photos
Your IP address
Your raw device identifier

The device identifier is a random UUID generated on first install and stored only on your device. We do not intend to collect or store the raw value — only a salted hash of it. This lets us count how many distinct devices use the service for rate-limiting and abuse prevention, without being able to identify any individual.

If a previously-scanned product looks wrong, you can report it as such from within the app; this clears the cached entry and triggers a fresh AI scan. The new result replaces the previous record under the same barcode. Free users have a monthly limit on these corrections (3 per month) to prevent abuse; Pro subscribers have unlimited corrections. Corrections are processed using the same flow described in Section 4.2 and produce a new entry as described in this section.

4.5 Rate limiting (Cloudflare KV)

To prevent abuse of the AI scanning service, our Cloudflare Worker tracks scan counts using the same hashed device identifier. Counts are kept for short rolling windows (10 minutes, 1 hour, 1 day) and then automatically expire.

4.6 Analytics (Mixpanel, EU server)

We use Mixpanel to understand which features are used. Events are tied to an anonymous Mixpanel-generated identifier, not to your name or any account.

Events we track:

screen_viewed (with a screen name like "scan_home")
scan_started, scan_completed (with score and data source)
upgrade_screen_viewed, upgrade_completed
purchase_marked_bought, purchase_marked_didnt_buy, purchase_decision_cleared — fired when you mark a scanned product as bought, not bought, or clear that status. We record only the score range (low / medium / high) — no product names, brands, or barcodes.
correction_initiated, correction_completed, correction_failed, correction_limit_reached — fired when you report a scanned product as wrong and trigger a fresh AI scan. We record only the original data source ("OFF" / "Cache" / "AI"), the score range, and (for failures) a categorical reason such as "non_food" or "network_error". No product names, brands, or barcodes are included.

We do not intentionally attach your name, supplement list, adherence data, goals, or diet to any analytics event. Mixpanel is hosted on its EU server (api-eu.mixpanel.com) for GDPR compliance.

4.7 Crash reporting (Sentry)

We use Sentry to receive crash reports so we can fix bugs. Sentry crashes contain device model, operating system version, and a stack trace. We have explicitly disabled the collection of personal identifying information (sendDefaultPii = false) — Sentry is configured not to collect your IP address, cookies, or user identifiers.

4.8 Anonymous app usage analytics (TelemetryDeck)

We use TelemetryDeck (privacy-first analytics, hosted in the EU) to understand how Arovya is used in aggregate. TelemetryDeck collects anonymous device and usage information including device type, operating system version, country (approximate, derived from network), language preference, and counts of in-app events (such as scans started, tabs viewed, and Pro features explored).

Events we track include: app launches, onboarding progress, tab navigation, scan flow stages, paywall views, Pro purchase events, and supplement-related interactions (such as adding, removing, or toggling supplements). Where parameters are attached to events, they use anonymous identifiers (e.g., supplement IDs) or bucketed values (e.g., score ranges) — never your name, scan content, or other personally identifying information.

TelemetryDeck does not assign persistent user identifiers. The data is anonymous and cannot be linked back to individual users. You can read TelemetryDeck's privacy policy at telemetrydeck.com/privacy.

4.9 Subscriptions (Apple and RevenueCat)

When you subscribe to Arovya Pro:

Apple processes your payment via the App Store. We do not see your payment details.
RevenueCat helps us verify your subscription status across devices. RevenueCat receives an anonymous identifier ($RCAnonymousID), not your name, email, or Apple ID.

5. What we never collect

We do not collect:

Your email address
Your phone number
Your real name (unless you optionally enter one for personalised greetings, in which case it stays on your device)
Your contacts, calendar, location (beyond approximate country from your network), photos beyond those you take for scanning, or microphone
Your health records or any data from Apple Health
Your browsing history
Identifiers that can be used to track you across other apps (no IDFA, no fingerprinting)

6. How long we keep things

What	Where	How long
Your data on your device	Your iPhone	Until you delete the app
AI scan results in our database	Cloudflare D1	Retained for as long as reasonably necessary to improve product recognition and operate the service. Wrong-product corrections replace previous records under the same barcode.
Product front-of-package images	Cloudflare R2	Retained for as long as reasonably necessary to improve product recognition; we may remove or replace images as coverage improves
Rate-limit counters	Cloudflare KV	Auto-expire after 10 min / 1 hour / 1 day
Mixpanel events	Mixpanel (EU)	Per Mixpanel default retention (currently up to 5 years)
Sentry crashes	Sentry (EU)	Per Sentry default retention (currently 90 days)
TelemetryDeck events	TelemetryDeck (EU)	Per TelemetryDeck default retention
Subscription receipts	RevenueCat / Apple	Per Apple and RevenueCat policy

7. Your rights under UK GDPR

Because almost all your personal information stays on your device, most data-subject requests are handled by you simply using the app:

Access: Open the app to see your data.
Deletion: Delete the app to erase everything stored locally.
Correction: Edit any field directly in the app.
Portability: Currently we don't provide an export. Email us if you'd like one.

For the small amount of data on our servers (anonymous scan results and product images), we do not hold information that directly identifies you. If you would like us to attempt to locate and delete records associated with your specific device, you can contact support@arovya.uk and provide your device identifier from the app; we will make reasonable efforts to locate matching records and remove them.

Legal basis for processing. Where we process your personal data, we rely on the following legal bases under UK GDPR: legitimate interests for operational data such as rate limiting, abuse prevention, crash diagnostics, and anonymised product records used to improve the service; contract performance for subscription management; and consent where required by applicable law.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you believe your privacy rights have been infringed.

8. Children

Arovya is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have received personal information directly from a child under 13, we will take reasonable steps to delete it. If you are a parent or guardian and believe a child has provided information to us, please contact support@arovya.uk.

9. International transfers

Some of our service providers process data outside the UK and EU:

OpenAI (United States) — processes AI scan photos for extraction
Cloudflare — global edge network; our scan logs and product images are stored in the Western Europe region (WEUR)
Mixpanel (EU server) — analytics
Sentry (EU server) — crash reports
TelemetryDeck (EU server) — anonymous analytics
RevenueCat (United States) — subscription verification
Apple (per your App Store region) — payment processing

Where data is transferred outside the UK, we rely on safeguards offered by our providers, such as Standard Contractual Clauses or equivalent transfer mechanisms where applicable.

10. Changes to this policy

We may update this policy. Material changes will be communicated via the app or by updating the "Last updated" date at the top. Continued use after changes constitutes acceptance.

11. Contact

Anand Basavaraj Muddi

Unit 166188
PO Box 7169
Poole, BH15 9EL
United Kingdom

Email: support@arovya.uk

For UK GDPR matters, our supervisory authority is the Information Commissioner's Office (ico.org.uk).