Legal
Privacy Policy
Last updated: 20 April 2026
The short version
- We don’t sell your data. Not to advertisers, insurers, employers, or anyone else. Ever.
- Your meal photos don’t train AI. They’re sent to a vendor to be read once, then discarded.
- You can delete everything. Profile → Data → Delete Account wipes your record within 30 days.
- We only collect what the app needs to work. No tracking pixels, no cross-app identifiers, no ATT prompt.
If any of that turns out to be wrong, that’s our failure and we want to hear about it: hello@akomahealthcare.com.
1. Who we are
“Akoma” is a trading name used by a UK-based operator to publish the Akoma iOS app and the akomahealthcare.com website. Akoma is not, at the time of writing, a registered company. The operator is the “data controller” for personal data collected through Akoma and can be contacted at hello@akomahealthcare.com. The operator’s full identifying details (legal name and correspondence address) are available on written request to that address.
For UK/EU users, this policy is our statement under the UK GDPR and the EU GDPR. For California users, it doubles as our CCPA/CPRA notice.
2. What we collect and why
2.1 Account data
- Sign-in identifier (an opaque token from Sign in with Apple or Sign in with Google) — to recognise you across devices.
- Email address, when you choose to share it with us (not hidden via Apple’s private relay) — to email you about your account or reply to support requests.
- Account creation date and device type — for basic product analytics.
Legal basis (UK/EU GDPR Art. 6(1)(b)): performance of the contract you entered into when you signed up.
2.2 Logs you create
- Meals (name, macros, photo reference, barcode, meal kind, timestamp).
- Shots (drug, dose, site, timestamp).
- Water, weight, moods, side-effect entries.
- Reminders you configure.
- Subscription and purchase state (from RevenueCat).
We treat these as special-category health data under UK/EU GDPR, even when they’re not strictly diagnostic, because you have a reasonable expectation of strong protection.
Legal basis: your explicit consent (Art. 9(2)(a)), which you give when you complete the onboarding medical disclaimer. You can withdraw consent at any time by deleting your account.
2.3 AI meal recognition
When you take a meal photo, we send the photo to an AI processing vendor over TLS. At launch, that vendor is Google (Gemini API). The vendor returns an estimate of what’s on the plate. The vendor is contractually required not to retain your image after the request completes, and not to use it to train their models. We store only the text of the estimate, plus a local thumbnail on your device — never the original photo on our servers. You can skip the AI feature entirely and log food with barcode scan, search, or manual entry.
2.4 Apple Health
Akoma can read your weight, water, and step count from Apple Health, and write water you log in Akoma back to Health. Health data never leaves your device unless you explicitly log it into Akoma. You can revoke permission in Settings → Privacy & Security → Health → Akoma at any time.
2.5 Diagnostics
- Crash reports via Sentry, scrubbed of personal data. We see the stack trace, device model, OS version, and a pseudonymous install ID — never your logs.
- Event analyticsvia PostHog (EU region). We track actions such as “logged a meal” or “viewed paywall” tied to a random install ID, never to your email or Apple ID.
Legal basis: legitimate interest in keeping the app functional and improving features. You can opt out in Profile → Data → Analytics.
2.6 Food database
When you search or scan a barcode, Akoma queries Open Food Facts and, if needed, a commercial nutrition database fallback. These requests carry no personal data — they include only the query string or barcode.
2.7 Payment
Purchases run through Apple. We never see your card number. Apple sends us a receipt via RevenueCat so we can unlock Premium on your account.
2.8 Transactional email
Emails about your account (sign-up confirmation, password reset, email-change confirmation, etc.) are delivered through Resend, our email-sending provider, using SMTP configured inside our auth backend (Supabase). Resend receives only the destination email address, the subject, and the body of each email — no other data about you.
3. Who we share with
We share personal data only with the specific processors below, each under a signed Data Processing Agreement (DPA):
| Processor | Region | Purpose | Data shared |
|---|---|---|---|
| Supabase | EU (Frankfurt) | Database hosting, auth | Account ID, logs |
| Google (Gemini API) | US / EU | AI meal recognition | Meal photo (ephemeral) |
| Resend | US / EU | Transactional email delivery | Email address, message content |
| RevenueCat | US | Subscription state | Anonymous account ID, receipt |
| Sentry | EU | Crash reporting | Stack traces, device info |
| PostHog | EU (Frankfurt) | Product analytics | Events, install ID |
| Apple | Global | App distribution, Sign in with Apple | Apple-managed |
We do notsell personal data, share it with data brokers, or use it to train third-party models. We do not share it with advertisers, insurers, or employers. We will only disclose data to law enforcement if compelled by a valid legal process, and we’ll notify you unless prohibited by law.
4. Where your data lives
Primary storage is in Supabase’s Frankfurt (eu-central-1) region. AI meal recognition and purchase verification involve transfers to processors that operate partly in the US under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs).
5. How long we keep it
- Account data: while your account is active, plus 30 days after deletion (to allow billing reconciliation).
- Logs: same as account data.
- Crash reports: 90 days.
- Analytics events: 12 months, then aggregated and the raw events deleted.
- Transactional email: delivery logs kept by Resend for up to 30 days for debugging, then purged.
- Meal photos: never stored server-side; the local thumbnail disappears when you delete the meal on-device.
6. Your rights
Under UK/EU GDPR, CCPA/CPRA, Australian Privacy Act, and New Zealand Privacy Act, you can:
- Access your data — Profile → Data → Export gives you a JSON bundle.
- Correct your data — edit it in-app, or email us.
- Delete your data — Profile → Data → Delete Account.
- Port your data — the export is machine-readable.
- Object to processing — stop logging or close your account.
- Restrict processing — opt out of analytics; opt out of AI features (barcode and manual entry still work).
- Complain to a regulator — ICO (UK), your national DPA (EU), the California Attorney General (US), the OAIC (AU), or the OPC (NZ).
California residents can exercise the right to know, delete, and opt out of sale/sharing (though we don’t sell or share to begin with) via hello@akomahealthcare.com.
7. Children
Akoma is not directed at or intended for children under 18. If you believe a child has given us personal data, email hello@akomahealthcare.com and we will delete it.
8. Cookies and web analytics
akomahealthcare.com uses only first-party, strictly necessary cookies (session and CSRF). We do not use third-party cookies or tracking pixels. There is nothing to consent to.
9. Changes
If we change this policy in a way that affects your rights, we’ll notify you in-app at least 14 days before the change takes effect. The “Last updated” date at the top always reflects the current version.
10. Contact
All privacy enquiries, data requests, and security disclosures: hello@akomahealthcare.com. A real person reads every message.
Akoma — operating in the United Kingdom