Last updated 29th June 2026

Privacy Policy

NYAM App Ltd — Registered in England and Wales · Company no. 17118391 · ICO ZC122949
hello@nyamapp.co.uk · nyamapp.co.uk

1 Introduction

NYAM App Ltd ("NYAM", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store and protect your information when you use the NYAM mobile application ("the App") and our website at nyamapp.co.uk ("the Website").

This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). NYAM App Ltd is registered with the Information Commissioner's Office under registration number ZC122949.

Please read this policy carefully. By using the App or Website, you confirm that you have read and understood it.

2 Who We Are

Data controller: NYAM App Ltd

Company number: 17118391 (registered in England and Wales)

Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

ICO registration: ZC122949

Contact: hello@nyamapp.co.uk

If you have any questions about this policy or how we handle your data, please contact us at hello@nyamapp.co.uk.

3 What Data We Collect

3.1 Authentication: anonymous use and signed-in accounts

NYAM supports two ways of using the App.

Passwords are hashed and stored by Supabase Auth; we do not see or store your password in plain text. Email confirmation links are sent by Supabase's transactional email service on our behalf.

3.2 Data you create within the App

The following data is created by your use of the App. It is stored locally on your device (SQLite) and, for cloud-backed features, in our Supabase database against your identifier:

3.3 Data you voluntarily submit to improve the catalogue

The App lets you submit information to help improve the NYAM product catalogue. Submissions are reviewed by NYAM before they are published. The types of submission are:

No identifying information policy. Submitted images are intended to capture the product, not the contributor. We ask you to make sure your photos do not contain anything that could identify you or anyone else — faces, hands holding the product, household surroundings, address labels, receipts, screens or other personal context. NYAM reviews every submission before approval and rejects any image found to contain identifying information. Rejected images are deleted and never become part of the public catalogue.

The nutritional values, product name, brand and category in a submission are publicly available information printed on commercial product packaging. They are treated as product data (not your personal data) and, once approved, are added to the NYAM catalogue under the contribution terms set out in our Terms & Conditions. Approved product images and nutrition photos are stored in Supabase and may be displayed in the App. While your account remains active, the anonymous identifier or account identifier of the submitter is retained alongside the submission record so that we can administer the moderation process and credit your submissions back to you in the App's "My Submissions" view; it is never shown publicly. If you delete your account, this identifier is removed from any approved submission that remains in the catalogue, so the retained product data is no longer linked to you, and any submission still awaiting or failing moderation is deleted in full.

3.4 Marketing communications

NYAM only sends marketing emails to users who have:

What we share with our email provider: if you have opted in we share your email address and, if you provided one, your first name with Brevo (see section 5.5) so that they can send you our marketing emails on our behalf. We do not share any other profile information for marketing purposes.

How to withdraw consent: open the App, go to Settings → Notifications → Marketing emails, and toggle the switch off. You can also click the unsubscribe link in any marketing email we send. Withdrawal takes effect immediately and does not affect the lawfulness of any processing carried out beforehand.

Anonymous users (those without a signed-in account) cannot subscribe to marketing emails. If you are using NYAM anonymously and try to manage marketing preferences, the App will invite you to create an account first.

3.5 Data collected automatically

3.6 Data we do not collect

4 How We Use Your Data

We use your personal data for the following purposes:

PurposeLegal basis
Providing and operating the AppPerformance of contract
Creating and managing your account (where you choose to sign up)Performance of contract
Processing subscription payments via Google Play or the Apple App StorePerformance of contract
Personalising your NYAM score based on your selected prioritiesPerformance of contract / Legitimate interests
Storing your shopping lists, scan history and preferencesPerformance of contract
Processing your offline scan queue when you reconnectPerformance of contract
Reviewing and, where appropriate, publishing the product images, nutrition photos and nutritional data you voluntarily submitLegitimate interests (improving the public product catalogue)
Rejecting and deleting submissions that contain identifying informationLegitimate interests / Legal obligation
Sending service-related notifications (offline scan ready, shop score ready, weekly basket reminder, etc.)Performance of contract / Consent
Sending marketing emails (NYAM updates and food choice tips)Consent
Monitoring App performance and fixing bugsLegitimate interests
Improving the App through usage analytics not linked to your identityLegitimate interests
Scoring calibration using anonymised user score overrides (barcode + score + reason; no personally identifiable information)Legitimate interests
Complying with legal obligationsLegal obligation
Responding to your enquiriesLegitimate interests

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

5 Third-Party Services

NYAM uses the following third-party services to operate the App. Each has its own privacy policy which we encourage you to review:

5.1 Supabase

We use Supabase for authentication (anonymous and email/password), our product database (over 165,000 UK food products), and cloud storage of user data (including submitted product images and nutrition label photos) associated with your identifier. Our Supabase database and file storage are hosted in the United Kingdom (London region). Supabase complies with the UK GDPR. Row-level security policies ensure that users can only access their own data.

Privacy policy: supabase.com/privacy

5.2 Firebase (Google)

We use Firebase Analytics and Firebase Crashlytics (both provided by Google) for usage analytics and crash reporting; we do not attach your identity (name, email or account ID) to this data. Google may process data outside the UK; appropriate safeguards are in place (Google is certified under the UK-US Data Bridge and uses Standard Contractual Clauses approved by the UK ICO).

Privacy policy: firebase.google.com/support/privacy

5.3 RevenueCat

We use RevenueCat to manage in-app subscriptions. RevenueCat processes your subscription status and purchase history. For signed-in accounts, RevenueCat receives your NYAM account identifier (used to link your subscription to your account); for anonymous use it receives an anonymous identifier instead. In both cases RevenueCat also receives your subscription status. It does not receive your name or email address.

Privacy policy: revenuecat.com/privacy

5.4 Anthropic (Claude AI)

We use Anthropic's Claude AI to power the following features:

For most features we send only product and nutritional data, with no information that identifies you. The exception is receipt and order-confirmation uploads (Score My Shop) and provided order/basket text (Score My Shop and Score Basket), where the document you upload, or the text you provide, may include the personal details listed above. We strongly recommend that you redact any personal or sensitive information before uploading or sending; alternatively, you can add products to a list manually to score a whole shop without sending a document or providing order/basket text. Some details, such as your name and full address, cannot be detected or removed automatically, so redacting sensitive information yourself is the best way to limit what is sent. For these features the whole document or text you provide is transmitted to Anthropic; for all other features we send only the product and nutritional data each feature needs to function. Anthropic's API is used in accordance with their usage policies.

Privacy policy: anthropic.com/privacy

5.5 Brevo (email delivery)

If you have opted in to marketing emails we use Brevo (Sendinblue SAS) to send those emails on our behalf. We share your email address and, if you provided one, your first name with Brevo. Brevo is based in the European Union and complies with the EU and UK GDPR. We do not share your scan history, shopping lists, scores or any other in-app data with Brevo.

Your opt-in choice is stored in our Supabase database and synchronised with Brevo whenever you change it. If you withdraw consent in the App, your record is removed from the active marketing list immediately.

Brevo is also our email-delivery provider for essential account and service emails — for example, confirming your email address when you sign up, password resets, and confirming an account-deletion request. These emails are part of providing the App (not marketing), so they are sent on the basis of our contract with you rather than consent, and they go to all signed-in users regardless of marketing preferences. In all cases Brevo receives only your email address and the content of the email itself.

Privacy policy: brevo.com/legal/privacypolicy

5.6 Open Food Facts

Product data is sourced in part from Open Food Facts, an open-source food products database, used under the Open Database Licence (ODbL). Open Food Facts data is community-contributed and may be incomplete or inaccurate.

Website: openfoodfacts.org

5.7 App Stores (Google Play & Apple App Store)

Downloads and in-app purchases are managed by Google (on Android) or Apple (on iOS), each subject to its own terms and privacy policy.

6 Data Retention

We retain your personal data for as long as necessary to provide the App and comply with our legal obligations:

Data typeRetention period
Anonymous identifier (Supabase)Retained for the duration of App use plus 12 months after last activity
Last-active timestamp (Supabase)A single most-recent value per user (overwritten, not a history); deleted when you delete your data, and in any case removed within 12 months after last activity
Signed-in account record (email, hashed password, optional first name)Retained while your account is active; deleted within 30 days of account deletion
Marketing-consent record (Supabase + Brevo)Retained for as long as you remain opted in; on withdrawal, the Brevo record is removed immediately and our internal record is updated to "withdrawn" within 7 days
Shopping lists, scan history, preferences (local SQLite on your device)Retained on your device until you delete the App, clear App data, or use Delete My Data in Settings
Shopping lists, scan history (Supabase cloud)Retained for 12 months after last activity, or until you delete your data
Offline scan queueProcessed on reconnection and removed from the queue immediately after processing
Submitted product images and nutrition label photos — APPROVEDRetained as part of the public catalogue for as long as the product is in the catalogue
Submitted product images and nutrition label photos — REJECTED (e.g. for containing identifying information)Deleted as soon as the rejection decision is recorded
Submitted nutritional values, product name, brand, category (treated as product data, not personal data)Retained as part of the public catalogue
Submitter identifier linked to a submission (so we can administer moderation and show "My Submissions")Retained until you delete your account or the submission is removed from the catalogue, whichever is first; not displayed publicly
Anonymised user score-override data (barcode + score + reason; no personally identifiable information)Retained indefinitely for scoring calibration. Cannot be individually identified or deleted
Usage analytics (Firebase)Usage analytics data (not linked to your identity) retained for up to 26 months
Crash reports (Firebase Crashlytics)Retained for 90 days
Support communicationsRetained for 3 years
Subscription records (RevenueCat)Retained for 7 years for tax and accounting purposes

7 Your Rights Under UK GDPR

You have the following rights regarding your personal data:

How we verify your identity. If you have a signed-in NYAM account, we will verify a rights request against the email address on that account. If you are using NYAM anonymously, please include your anonymous installation identifier (visible in Settings → About) in your request so we can locate your data. Because anonymous identifiers are not tied to a person, we cannot otherwise verify identity for anonymous users.

We will respond to all requests within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8 Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.

9 Age Policy (18+ only)

The App is intended for adults aged 18 and over only. NYAM is not directed at children, is not marketed to children, and is not designed for use by anyone under 18. App-store listings and marketing materials are configured to reflect this.

We do not knowingly collect personal data from anyone under 18. If you are under 18, please do not use the App and do not submit any information to us.

If you believe a person under 18 has used the App or that we hold any data relating to a person under 18, please contact us at hello@nyamapp.co.uk. On verification we will delete the associated data without undue delay.

10 International Data Transfers

Some of our third-party providers may process data outside the UK and EEA:

Supabase data is stored in the United Kingdom and is not transferred outside the UK.

11 Cookies and Tracking

The App does not use cookies. Our Website (nyamapp.co.uk) may use essential cookies for functionality only. We do not use tracking, advertising or third-party analytics cookies on our Website without your explicit consent.

12 Deleting Your Data

You can delete your data at any time using the Delete My Data feature in Settings. This permanently removes:

The App itself remains installed and you can start fresh at any time. To request deletion of any cloud-held data outside the Delete My Data flow, please email hello@nyamapp.co.uk and include your anonymous installation identifier (visible in Settings → About) or your account email address.

Limitations: anonymised score-calibration data (barcode + score + reason, no personally identifiable information) cannot be individually identified and cannot be deleted on request. Submitted product images and nutritional data that have been approved and added to the public catalogue may also remain in the catalogue after your account is deleted, with no link back to you.

13 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the App and updating the "last updated" date below. Continued use of the App after changes constitutes acceptance of the updated policy.

14 Contact Us

For any questions, concerns or data-subject requests:

NYAM App Ltd

71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Email: hello@nyamapp.co.uk

Website: nyamapp.co.uk

ICO registration: ZC122949

This Privacy Policy was last updated on 29th June 2026.