Privacy Policy

Last updated: May 6, 2026

Legacy Media Kft. ("Legacy Media", "we", "us", or "our"), the publisher of the Youngr brand and mobile application (the "App"), respects your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the App and related services (together, the "Service"). For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Legacy Media Kft. is the data controller. By using the Service, you agree to the collection and use of information in accordance with this Policy.

NOTICE. The Service processes self-reported information about your meals and lifestyle preferences (age, biological sex, sleep duration, diet pattern, activity level, supplement use, and similar self-reported answers). We collect this information solely to operate the Service and to compute your personalized nutritional estimates. We do not use it for advertising or sell it. You may withdraw your consent at any time by deleting your account.

1. Information We Collect

We collect only what is necessary to provide nutritional analysis.

a) Information you provide

Account identifier

  • A randomly generated anonymous user identifier created on first launch.

Demographics and body measurements (collected during onboarding)

  • Biological sex (male, female, or other).
  • Age in years (whole number, between 18 and 80).
  • Height (in centimetres, with imperial display in feet/inches as a preference).
  • Weight (in kilograms, with imperial display in pounds as a preference).
  • Preferred unit system (metric or imperial).

Lifestyle and dietary answers (collected during onboarding, via predefined choices)

  • Sleep duration band (e.g., less than 5h, 5–6h, 6–7.5h, 7.5–9h, more than 9h).
  • Activity level (sedentary, lightly active, moderately active, very active).
  • Daily sun exposure band (none, less than 30 min, 30–60 min, more than 60 min).
  • Diet pattern (no specific pattern, carnivore, vegetarian, vegan, other).
  • Fish consumption frequency (rarely, weekly, 2–3× weekly, daily).
  • Red meat consumption frequency (rarely, weekly, 2–4× weekly, daily).
  • Daily vegetable servings (less than 1, 1–2, 3–4, 5 or more).
  • Whether you currently take supplements (yes/no).

Subjective wellness self-assessment (collected during onboarding)

  • Self-reported energy level (chronically low, inconsistent, decent, good, high).
  • Self-reported stress level (low, moderate, high, very high).

Goals and onboarding context

  • Primary goal (live longer, reclaim energy, sleep better, think sharper, perform better).
  • Desired pace toward your goal (slow, recommended, fast).
  • Self-reported main blocker (consistency, unhealthy habits, prioritization, time, quitting too quickly).
  • How you envision success (energized morning, performs younger, habits stick, control over aging).
  • Whether you have tracked nutrition before (every meal, briefly, never but want to, never considered).
  • How you heard about the App (e.g., social media platform, friends, search, app store).

We do NOT ask about alcohol consumption, smoking, medical conditions, medications, allergies, menstrual or reproductive data, or any other sensitive medical information beyond what is listed above.

Meal content (Premium subscribers only)

  • Photos you capture or upload, ingredient labels you edit, meal names, and the AI-generated nutritional estimates derived from them. Meal scanning is gated behind a Premium subscription, so we only ever collect this category of data after you have started a Premium subscription.

Derived attributes (computed from your inputs, stored on your account)

  • A "Nutritional Age" estimate, top nutrient gaps, and recommended nutrient focus, generated by our scoring algorithm from the data above.

Account linking (optional)

  • If you choose to link Sign in with Apple or Sign in with Google to save your data across devices, we receive a stable provider-specific identifier and, if you grant it, an email address.

Subscription data

  • Your subscription status and transaction receipts, processed by RevenueCat. We never receive your payment card.

b) Information collected automatically

  • Device and diagnostic data: device model, OS version, app version, locale, and crash logs (Sentry).
  • Usage events: anonymous interaction events such as screens viewed, features used, and error counts (PostHog). These events are not joined with your meal images or any sensitive nutritional details (height, weight, BMI, nutrient values are excluded by an internal blocklist).
  • Approximate session data: app open timestamps and feature success/failure for quality improvement.

c) Information we do NOT collect

We do not collect your precise location, contacts, microphone audio, biometric identifiers, financial account numbers, government IDs, or social media content. We do not require your legal name, phone number, or mailing address to use the core Service.

2. How We Use Your Information

We use your information to:

  • Identify foods in your meal photos and generate nutritional estimates.
  • Personalize your daily value percentages, nutritional age, and recommended nutrient focus based on your age range, biological sex, and lifestyle answers.
  • Maintain your scan history and allow you to review and edit past meals.
  • Process subscriptions and deliver premium features.
  • Detect bugs and improve app performance and reliability.
  • Detect abuse, fraud, and violations of our Terms of Service.
  • Comply with legal obligations and respond to lawful requests.

Legal bases under the GDPR (Article 6):

  • Performance of a contract (Article 6(1)(b)) to deliver the Service you requested, including all personalization features and meal analysis.
  • Your consent (Article 6(1)(a)) for optional processing such as crash reports and analytics, which you can withdraw at any time.
  • Our legitimate interests (Article 6(1)(f)) in securing the Service and preventing abuse, balanced against your rights and freedoms.
  • Compliance with legal obligations (Article 6(1)(c)).

We do not use your meal content, lifestyle answers, or nutritional estimates for advertising, marketing, profiling unrelated to the Service, or training third-party AI models.

3. Additional Safeguards for Lifestyle and Meal Data

Even though your meal photos and lifestyle answers are not classified by us as special-category health data, we apply heightened safeguards to them:

  • Your meal images, nutritional estimates, and onboarding answers are never shared with advertising networks, data brokers, or marketing partners, and are never sold.
  • Your meal images and nutritional estimates are never stored in iCloud, Google Drive, or any unencrypted consumer cloud storage. Device-level backups are limited to non-sensitive data.
  • Error monitoring (Sentry) is configured to scrub identifiable nutritional details (height, weight, BMI, nutrient values) from reports; PostHog receives only pseudonymous event data with the same blocklist applied.
  • You may withdraw consent and delete all of this data at any time by deleting your account, which triggers full deletion (see Section 8).

4. Data Storage, Security, and International Transfers

  • Meal images are stored on Cloudflare R2 with encryption at rest.
  • Application data is stored in a PostgreSQL database (hosted on Supabase) using encrypted connections.
  • Authentication uses short-lived JSON Web Tokens; passwords are never stored by us.
  • All data in transit is protected with TLS 1.2 or higher.
  • Access to production data is limited to a small number of engineers and is logged.

International transfers. Legacy Media Kft. is established in Hungary (European Union). Our infrastructure providers are primarily located in the United States, which means your personal data is transferred outside the European Economic Area. For these transfers we rely on:

  • Adequacy decisions where available (e.g., the EU–U.S. Data Privacy Framework for participating recipients);
  • EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) with each non-adequate sub-processor;
  • Supplementary technical measures (encryption in transit and at rest, access controls).

You may request a copy of the safeguards we rely on by contacting [email protected].

5. Third-Party Sub-processors

We use vetted service providers under data processing agreements that prohibit use of your data for their own purposes:

  • Cloudflare, Inc. (United States) — serverless compute (Workers) and image storage (R2). Receives meal images and API traffic.
  • Supabase, Inc. (United States / Singapore) — managed PostgreSQL database hosting.
  • Google LLC (United States) — processes meal images via the Gemini API to generate nutritional estimates. Images are processed in real time. Data handling is governed by Google's Gemini API terms; on the paid tier, content is not used to improve Google's models.
  • Apple, Inc. (United States) and Google LLC (United States) — process Sign in with Apple / Google authentication and App Store / Play Store subscription billing.
  • RevenueCat, Inc. (United States) — subscription entitlement management. Receives a pseudonymous user identifier and subscription status only — no meal images, nutritional values, or onboarding answers.
  • Superwall Labs, Inc. (United States) — paywall template rendering and A/B testing. Receives anonymous event data — no meal images, nutritional values, or onboarding answers.
  • Sentry / Functional Software, Inc. (United States) — crash and error monitoring. Scrubbed of nutritional details (height, weight, BMI, nutrient values) before transmission.
  • PostHog Inc. (United States) — product analytics. Receives pseudonymous event data only.

We update this list as our providers change. All sub-processors operate under data processing agreements with Standard Contractual Clauses where required.

6. How We Share Information

We share personal information only in the following circumstances:

  • Service providers (see Section 5) acting on our instructions and under contract.
  • Legal compliance: to comply with a court order, subpoena, or other lawful request; to enforce our Terms; or to protect the rights, property, or safety of Legacy Media Kft., our users, or the public.
  • Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, subject to confidentiality obligations and continued protection of your information under this Policy.
  • With your consent: when you explicitly direct us to share information (for example, exporting a copy of your data).

We do not sell your personal information and do not "share" it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

7. Your Privacy Rights

Depending on where you live, you may have the following rights regarding your personal information:

a) All users

  • Access: view the data associated with your account directly in the App.
  • Correction: edit your profile answers, meal names, and ingredients at any time.
  • Deletion: delete your account and all associated data from the Profile screen.
  • Portability: request a machine-readable copy by emailing [email protected].
  • Withdraw consent: stop using the App and delete your account at any time.

b) European Union, United Kingdom, and Switzerland (GDPR, UK GDPR, revDSG)

You have the right to access, rectify, erase, restrict processing, object to processing, withdraw consent at any time without affecting processing performed before withdrawal, and port your data. You may lodge a complaint with the Hungarian Data Protection Authority — Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), 1055 Budapest, Falk Miksa utca 9-11, Hungary, [email protected], https://www.naih.hu — or with your local supervisory authority. Because Legacy Media Kft. is established in the European Union, no Article 27 representative is required.

c) California residents (CCPA / CPRA)

You have the right to know what personal information we collect, to delete it, to correct it, to limit use of sensitive personal information, and to opt out of sale or sharing. We do not sell or share personal information. You may exercise these rights by emailing [email protected]. We will verify your request using information reasonably related to your account.

d) Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware, New Hampshire, New Jersey, and other state privacy laws

You have similar rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, sale of personal data, and profiling producing legal or similarly significant effects. We do not engage in any of these activities with respect to your data.

e) Washington and Nevada residents

We do not classify the lifestyle and dietary information processed by the Service as "consumer health data" under the Washington My Health My Data Act or "consumer health data" under Nevada SB 370. Regardless of classification, you may access, delete, and withdraw consent for any data we hold about you using the rights described in paragraph (a) above.

f) How to exercise your rights

Email [email protected] with the subject "Privacy Request" and describe the right you wish to exercise. We respond within the timeframe required by applicable law (typically 30 days under the GDPR, extendable by two further months for complex requests; 30 to 45 days under U.S. state laws). You will not be discriminated against for exercising any right.

g) Appeals

If we decline a request, you may appeal by replying to our decision email. We will respond to appeals within 60 days and explain our reasoning. EU/EEA users may also lodge a complaint with the NAIH or their local supervisory authority. U.S. users may, where applicable state law provides it, also contact their state Attorney General.

8. Data Retention and Deletion

We retain your data only as long as your account exists. When you delete your account from the Profile screen:

  • Your database records (profile, scans, daily summaries, subscription link) are permanently deleted within 24 hours.
  • Your meal images are permanently deleted from Cloudflare R2 within 24 hours.
  • Your pseudonymous identifiers in PostHog and Sentry are invalidated immediately; retained backups, if any, expire within 30 days.
  • RevenueCat entitlement records are deleted in accordance with their retention policy (typically within 30 days of request).

We do not maintain long-term backups of deleted user content. Aggregated, non-identifiable statistics (for example, total number of scans processed across all users) may be retained for product analytics.

Legal holds. If we are subject to a legal obligation to preserve specific records — including obligations under Hungarian accounting law (typically 8 years for invoicing records) — we will retain the minimum necessary information for the duration of that obligation. Such retained records do not include your meal images, lifestyle answers, or nutritional estimates.

9. Children's Privacy

The Service is not directed to, and we do not knowingly collect information from, children. Consistent with the Children's Online Privacy Protection Act (COPPA) in the United States and Article 8 of the GDPR in the European Union, we do not knowingly collect personal information from children under 13, and the App is restricted by our Terms of Service to users 18 and older. Users between 13 and 17 must not create an account without a parent or legal guardian's consent and supervision. If you believe a child under 13 has provided us with information, contact [email protected] and we will delete it promptly.

10. Do Not Track

Our App does not respond to "Do Not Track" browser signals because the App is not a website and does not use cross-site tracking cookies. We also do not participate in advertising identifiers (IDFA / GAID); you may reset or limit these via your device settings. We honor Global Privacy Control (GPC) signals where technically applicable.

11. Cookies and Similar Technologies

The App does not use web cookies because it is a native application. We use local device storage (Expo SecureStore and AsyncStorage) to store your anonymous session token and app preferences. You can clear this data by deleting the App or by deleting your account from the Profile screen.

12. Automated Decisions and AI Processing

Our nutritional estimates, nutritional age, and recommended nutrient focus are generated by artificial intelligence and rule-based algorithms. These outputs are informational and educational only; they are not medical advice, a medical diagnosis, or a treatment plan. You are not subject to any solely automated decision that produces legal effects within the meaning of Article 22 of the GDPR. You may review and correct ingredient identifications at any time from the scan detail screen.

13. Data Breach Notification

We maintain reasonable technical and organizational measures to protect personal information. If we experience a personal data breach affecting your information, we will:

  • Notify the competent supervisory authority (the NAIH for Legacy Media Kft.) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 of the GDPR), and as required by applicable U.S. state breach-notification laws.
  • Publish notice in the App and via any contact channel you have provided.

No system is perfectly secure; by using the Service, you acknowledge this residual risk.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes that expand the categories of information we collect or the purposes for which we use it, we will notify you in advance via in-app notice and, where required by law, seek your renewed consent. The "Last updated" date at the top reflects the most recent revision. Your continued use of the Service after an update constitutes acceptance of the revised Policy, except where applicable law requires affirmative opt-in.

15. Contact Us

Privacy inquiries and requests:
Email: [email protected]

Mailing address (data controller):
Legacy Media Kft.
1054 Budapest, Honvéd utca 8. 1. em. 2. ajtó
Hungary

Hungarian Data Protection Authority (NAIH):
1055 Budapest, Falk Miksa utca 9-11, Hungary
[email protected]
https://www.naih.hu

We aim to respond to all privacy inquiries within 10 business days.