1 Introduction
NYAM App Ltd ("NYAM", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store and protect your information when you use the NYAM mobile application ("the App") and our website at nyamapp.co.uk ("the Website").
This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). NYAM App Ltd is registered with the Information Commissioner's Office under registration number ZC122949.
Please read this policy carefully. By using the App or Website, you confirm that you have read and understood it.
2 Who We Are
Data controller: NYAM App Ltd
Company number: 17118391 (registered in England and Wales)
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
ICO registration: ZC122949
Contact: hello@nyamapp.co.uk
If you have any questions about this policy or how we handle your data, please contact us at hello@nyamapp.co.uk.
3 What Data We Collect
3.1 Authentication: anonymous use and signed-in accounts
NYAM supports two ways of using the App.
- Anonymous use (default): You can use the App without creating an account or providing any contact details. On first launch NYAM assigns a random anonymous identifier (via Supabase anonymous authentication) which is used to associate your in-app data with our secure cloud database. This identifier contains no personally identifiable information.
- Signed-in account: You can choose to create an account. This requires your email address, a password you choose, and (optionally) a first name. We require email confirmation before sign-in. An account preserves your data across devices and lets you opt in to marketing emails (see section 3.4). If you upgrade from anonymous use to a signed-in account, your existing data is preserved on the same identifier.
Passwords are hashed and stored by Supabase Auth; we do not see or store your password in plain text. Email confirmation links are sent by Supabase's transactional email service on our behalf.
3.2 Data you create within the App
The following data is created by your use of the App. It is stored locally on your device (SQLite) and, for cloud-backed features, in our Supabase database against your identifier:
- Shopping lists and list items — product names, scores and quantities you add to lists
- Barcode scan history — barcodes and the associated product data we look up for you
- Offline scan queue — barcodes scanned while you were offline, stored locally and looked up automatically when you return online
- Invoice and basket import data — receipt or basket text you paste or upload for scoring (processed by Anthropic Claude AI as described in section 5.4; not retained beyond the processing session)
- Food priority settings — the up-to-three nutritional priorities you select to personalise your score
- Personal notes and tags — any notes or tags you attach to products (stored locally on your device only)
- User-set score overrides — if you override a NYAM score, the barcode, your score and your stated reason are stored locally; an anonymised version (no personally identifiable information) is synced to Supabase for scoring calibration (see section 4 and section 6)
- Subscription status — your current tier (Free or Premium) and any active trial, as reported by RevenueCat
3.3 Data you voluntarily submit to improve the catalogue
The App lets you submit information to help improve the NYAM product catalogue. Submissions are reviewed by NYAM before they are published. The types of submission are:
- Product image — a photo of the front of a product (logo, brand, packaging) so other users can identify it in scan results
- Nutrition label photo — a photo of the back-of-pack nutrition information so a moderator can verify the values you submit
- Publicly available nutritional data — the per-100g values printed on the product packaging (energy, fat, saturated fat, sugar, salt, protein, etc.), plus product name, brand and category
No identifying information policy. Submitted images are intended to capture the product, not the contributor. We ask you to make sure your photos do not contain anything that could identify you or anyone else — faces, hands holding the product, household surroundings, address labels, receipts, screens or other personal context. NYAM reviews every submission before approval and rejects any image found to contain identifying information. Rejected images are deleted and never become part of the public catalogue.
The nutritional values, product name, brand and category in a submission are publicly available information printed on commercial product packaging. They are treated as product data (not your personal data) and, once approved, are added to the NYAM catalogue under the contribution terms set out in our Terms & Conditions. Approved product images and nutrition photos are stored in Supabase and may be displayed in the App. While your account remains active, the anonymous identifier or account identifier of the submitter is retained alongside the submission record so that we can administer the moderation process and credit your submissions back to you in the App's "My Submissions" view; it is never shown publicly. If you delete your account, this identifier is removed from any approved submission that remains in the catalogue, so the retained product data is no longer linked to you, and any submission still awaiting or failing moderation is deleted in full.
3.4 Marketing communications
NYAM only sends marketing emails to users who have:
- created a signed-in account; and
- explicitly opted in by ticking the marketing-consent checkbox during sign-up (the box is unticked by default) or by switching on "Marketing emails" in Settings.
What we share with our email provider: if you have opted in we share your email address and, if you provided one, your first name with Brevo (see section 5.5) so that they can send you our marketing emails on our behalf. We do not share any other profile information for marketing purposes.
How to withdraw consent: open the App, go to Settings → Notifications → Marketing emails, and toggle the switch off. You can also click the unsubscribe link in any marketing email we send. Withdrawal takes effect immediately and does not affect the lawfulness of any processing carried out beforehand.
Anonymous users (those without a signed-in account) cannot subscribe to marketing emails. If you are using NYAM anonymously and try to manage marketing preferences, the App will invite you to create an account first.
3.5 Data collected automatically
- Usage analytics — data about how you use the App, not linked to your identity, including features accessed, screens viewed and session duration, collected via Firebase Analytics (Google)
- Crash reports — if the App crashes, technical information about the crash is collected via Firebase Crashlytics, including device type, operating system version and App version. We do not attach your identity to this data
- Connectivity status — the App detects whether your device is online or offline so it can manage offline scanning and data sync. Connectivity state is not stored
- Last-active timestamp — when you open the App we record the date and time you were last active, linked to your account identifier (including for anonymous users). Unlike the usage analytics above (which is not linked to your identity), this is associated with your account. We use it only to understand how many people actively use the App (for example, weekly and monthly active-user counts) so we can make decisions about maintaining and improving it. It is updated at most once per day and is deleted when you delete your data
3.6 Data we do not collect
- We do not require you to create an account in order to use the core scanning, scoring or search features
- We do not collect your precise location
- We do not access your contacts, camera roll or other device data beyond what is necessary: camera access for barcode scanning and product photos; file access for PDF invoice import
- We do not sell your personal data to third parties
- We do not use your data for advertising
- No brand or advertiser has ever paid NYAM to influence any score, recommendation or content displayed in the App. No brand or advertiser ever will
- We do not store your payment card details. Payment processing is handled entirely by the relevant app store (Google Play on Android, the Apple App Store on iOS) and their designated payment processors
4 How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal basis |
|---|---|
| Providing and operating the App | Performance of contract |
| Creating and managing your account (where you choose to sign up) | Performance of contract |
| Processing subscription payments via Google Play or the Apple App Store | Performance of contract |
| Personalising your NYAM score based on your selected priorities | Performance of contract / Legitimate interests |
| Storing your shopping lists, scan history and preferences | Performance of contract |
| Processing your offline scan queue when you reconnect | Performance of contract |
| Reviewing and, where appropriate, publishing the product images, nutrition photos and nutritional data you voluntarily submit | Legitimate interests (improving the public product catalogue) |
| Rejecting and deleting submissions that contain identifying information | Legitimate interests / Legal obligation |
| Sending service-related notifications (offline scan ready, shop score ready, weekly basket reminder, etc.) | Performance of contract / Consent |
| Sending marketing emails (NYAM updates and food choice tips) | Consent |
| Monitoring App performance and fixing bugs | Legitimate interests |
| Improving the App through usage analytics not linked to your identity | Legitimate interests |
| Scoring calibration using anonymised user score overrides (barcode + score + reason; no personally identifiable information) | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Responding to your enquiries | Legitimate interests |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5 Third-Party Services
NYAM uses the following third-party services to operate the App. Each has its own privacy policy which we encourage you to review:
5.1 Supabase
We use Supabase for authentication (anonymous and email/password), our product database (over 165,000 UK food products), and cloud storage of user data (including submitted product images and nutrition label photos) associated with your identifier. Our Supabase database and file storage are hosted in the United Kingdom (London region). Supabase complies with the UK GDPR. Row-level security policies ensure that users can only access their own data.
Privacy policy: supabase.com/privacy
5.2 Firebase (Google)
We use Firebase Analytics and Firebase Crashlytics (both provided by Google) for usage analytics and crash reporting; we do not attach your identity (name, email or account ID) to this data. Google may process data outside the UK; appropriate safeguards are in place (Google is certified under the UK-US Data Bridge and uses Standard Contractual Clauses approved by the UK ICO).
Privacy policy: firebase.google.com/support/privacy
5.3 RevenueCat
We use RevenueCat to manage in-app subscriptions. RevenueCat processes your subscription status and purchase history. For signed-in accounts, RevenueCat receives your NYAM account identifier (used to link your subscription to your account); for anonymous use it receives an anonymous identifier instead. In both cases RevenueCat also receives your subscription status. It does not receive your name or email address.
Privacy policy: revenuecat.com/privacy
5.4 Anthropic (Claude AI)
We use Anthropic's Claude AI to power the following features:
- NYAM score explanations — product names and nutritional data are sent to the Claude API to generate an explanation of why a product scored as it did
- Smarter Swaps — product names and scores, together with your selected nutrition priorities, are sent to generate alternative suggestions
- Score My Shop — when you upload a receipt or order confirmation, the document you provide is sent in full to the Claude API for product extraction and scoring. Supermarket receipts and order confirmations may contain personal details such as your name, delivery or billing address, loyalty-card number, order number, account email and partial payment-card digits. We use only the product line items, but the whole document is transmitted to Anthropic for processing. Anthropic acts as our processor for this feature: it processes the document only on our instructions, to extract the product line items, and does not use it to train its models or for its own purposes. We do not retain the document on our own systems beyond the processing session. Anthropic processes the document under its standard commercial API terms and may retain it for up to 30 days, after which it is deleted; during that period the document may be accessed by Anthropic only where necessary for safety, security or to comply with law, and is not used to train its models.
- Score Basket — the basket text you provide is sent to the Claude API for product matching and scoring. Order or basket text you provide may contain personal details such as those listed above; we recommend you redact anything sensitive before sending.
- AI shop analysis — your scored product list is sent to generate a full shop report
For most features we send only product and nutritional data, with no information that identifies you. The exception is receipt and order-confirmation uploads (Score My Shop) and provided order/basket text (Score My Shop and Score Basket), where the document you upload, or the text you provide, may include the personal details listed above. We strongly recommend that you redact any personal or sensitive information before uploading or sending; alternatively, you can add products to a list manually to score a whole shop without sending a document or providing order/basket text. Some details, such as your name and full address, cannot be detected or removed automatically, so redacting sensitive information yourself is the best way to limit what is sent. For these features the whole document or text you provide is transmitted to Anthropic; for all other features we send only the product and nutritional data each feature needs to function. Anthropic's API is used in accordance with their usage policies.
Privacy policy: anthropic.com/privacy
5.5 Brevo (email delivery)
If you have opted in to marketing emails we use Brevo (Sendinblue SAS) to send those emails on our behalf. We share your email address and, if you provided one, your first name with Brevo. Brevo is based in the European Union and complies with the EU and UK GDPR. We do not share your scan history, shopping lists, scores or any other in-app data with Brevo.
Your opt-in choice is stored in our Supabase database and synchronised with Brevo whenever you change it. If you withdraw consent in the App, your record is removed from the active marketing list immediately.
Brevo is also our email-delivery provider for essential account and service emails — for example, confirming your email address when you sign up, password resets, and confirming an account-deletion request. These emails are part of providing the App (not marketing), so they are sent on the basis of our contract with you rather than consent, and they go to all signed-in users regardless of marketing preferences. In all cases Brevo receives only your email address and the content of the email itself.
Privacy policy: brevo.com/legal/privacypolicy
5.6 Open Food Facts
Product data is sourced in part from Open Food Facts, an open-source food products database, used under the Open Database Licence (ODbL). Open Food Facts data is community-contributed and may be incomplete or inaccurate.
Website: openfoodfacts.org
5.7 App Stores (Google Play & Apple App Store)
Downloads and in-app purchases are managed by Google (on Android) or Apple (on iOS), each subject to its own terms and privacy policy.
6 Data Retention
We retain your personal data for as long as necessary to provide the App and comply with our legal obligations:
| Data type | Retention period |
|---|---|
| Anonymous identifier (Supabase) | Retained for the duration of App use plus 12 months after last activity |
| Last-active timestamp (Supabase) | A single most-recent value per user (overwritten, not a history); deleted when you delete your data, and in any case removed within 12 months after last activity |
| Signed-in account record (email, hashed password, optional first name) | Retained while your account is active; deleted within 30 days of account deletion |
| Marketing-consent record (Supabase + Brevo) | Retained for as long as you remain opted in; on withdrawal, the Brevo record is removed immediately and our internal record is updated to "withdrawn" within 7 days |
| Shopping lists, scan history, preferences (local SQLite on your device) | Retained on your device until you delete the App, clear App data, or use Delete My Data in Settings |
| Shopping lists, scan history (Supabase cloud) | Retained for 12 months after last activity, or until you delete your data |
| Offline scan queue | Processed on reconnection and removed from the queue immediately after processing |
| Submitted product images and nutrition label photos — APPROVED | Retained as part of the public catalogue for as long as the product is in the catalogue |
| Submitted product images and nutrition label photos — REJECTED (e.g. for containing identifying information) | Deleted as soon as the rejection decision is recorded |
| Submitted nutritional values, product name, brand, category (treated as product data, not personal data) | Retained as part of the public catalogue |
| Submitter identifier linked to a submission (so we can administer moderation and show "My Submissions") | Retained until you delete your account or the submission is removed from the catalogue, whichever is first; not displayed publicly |
| Anonymised user score-override data (barcode + score + reason; no personally identifiable information) | Retained indefinitely for scoring calibration. Cannot be individually identified or deleted |
| Usage analytics (Firebase) | Usage analytics data (not linked to your identity) retained for up to 26 months |
| Crash reports (Firebase Crashlytics) | Retained for 90 days |
| Support communications | Retained for 3 years |
| Subscription records (RevenueCat) | Retained for 7 years for tax and accounting purposes |
7 Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you
- Right to rectification — you can request that we correct inaccurate data
- Right to erasure — you can request that we delete your personal data, subject to legal retention obligations. The App also includes a Delete My Data feature in Settings which permanently deletes all locally and cloud-stored data associated with your identifier
- Right to restriction — you can request that we restrict processing of your data in certain circumstances
- Right to data portability — you can request your data in a structured, machine-readable format. The App's Export My Data feature in Settings produces a JSON file you can download and share
- Right to object — you can object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent (e.g. marketing emails), you can withdraw it at any time. Withdrawal does not affect the lawfulness of any processing carried out beforehand
How we verify your identity. If you have a signed-in NYAM account, we will verify a rights request against the email address on that account. If you are using NYAM anonymously, please include your anonymous installation identifier (visible in Settings → About) in your request so we can locate your data. Because anonymous identifiers are not tied to a person, we cannot otherwise verify identity for anonymous users.
We will respond to all requests within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8 Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encrypted cloud storage via Supabase
- Row-level security policies in Supabase ensuring users can only access data associated with their own identifier
- Passwords stored as one-way hashes by Supabase Auth; never stored in plain text
- Email confirmation required before a new account can sign in
- Human moderator review of every submitted product image and nutrition label photo before it is published, including a check for identifying information
- Immediate deletion of any submission found to contain identifying information
- Access controls limiting who within NYAM can access personal data
- Regular security reviews
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.
9 Age Policy (18+ only)
The App is intended for adults aged 18 and over only. NYAM is not directed at children, is not marketed to children, and is not designed for use by anyone under 18. App-store listings and marketing materials are configured to reflect this.
We do not knowingly collect personal data from anyone under 18. If you are under 18, please do not use the App and do not submit any information to us.
If you believe a person under 18 has used the App or that we hold any data relating to a person under 18, please contact us at hello@nyamapp.co.uk. On verification we will delete the associated data without undue delay.
10 International Data Transfers
Some of our third-party providers may process data outside the UK and EEA:
- Google (Firebase) — may process data in the United States. Google LLC is certified under the UK-US Data Bridge and uses Standard Contractual Clauses approved by the UK ICO
- Anthropic (Claude AI) — processes data in the United States. Anthropic acts as our processor under a data processing agreement, incorporated into Anthropic's commercial terms, which provides for international transfers using the EU Standard Contractual Clauses as adapted by the UK Addendum issued by the Information Commissioner. The data we send to the Claude API is described in section 5.4.
- RevenueCat — may process subscription data in the United States. RevenueCat uses Standard Contractual Clauses
- Brevo — processes data in the European Union; no additional transfer mechanism is required for transfers from the UK to the EU under current adequacy arrangements
Supabase data is stored in the United Kingdom and is not transferred outside the UK.
11 Cookies and Tracking
The App does not use cookies. Our Website (nyamapp.co.uk) may use essential cookies for functionality only. We do not use tracking, advertising or third-party analytics cookies on our Website without your explicit consent.
12 Deleting Your Data
You can delete your data at any time using the Delete My Data feature in Settings. This permanently removes:
- All scanned products and history
- All shopping lists and items
- All invoice and basket import records
- Your food priority preferences
- Your ingredient watchlist
- Your tags and personal notes
- Your account record (email, hashed password, optional first name) if you had a signed-in account
- Your marketing-consent record in Brevo, if any
The App itself remains installed and you can start fresh at any time. To request deletion of any cloud-held data outside the Delete My Data flow, please email hello@nyamapp.co.uk and include your anonymous installation identifier (visible in Settings → About) or your account email address.
Limitations: anonymised score-calibration data (barcode + score + reason, no personally identifiable information) cannot be individually identified and cannot be deleted on request. Submitted product images and nutritional data that have been approved and added to the public catalogue may also remain in the catalogue after your account is deleted, with no link back to you.
13 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the App and updating the "last updated" date below. Continued use of the App after changes constitutes acceptance of the updated policy.
14 Contact Us
For any questions, concerns or data-subject requests:
NYAM App Ltd
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: hello@nyamapp.co.uk
Website: nyamapp.co.uk
ICO registration: ZC122949
This Privacy Policy was last updated on 29th June 2026.