Savréa Privacy Policy
In plain English
Savréa stores no food, pantry, or health data on our servers — except the specific data you explicitly choose to share with us to improve the app. Your meals, your pantry state, your sleep and steps stay on your device and in your private iCloud store. We collect anonymous usage statistics to improve the app, and you can opt out anytime in Settings. If you turn on data sharing to help improve Savréa — it is off by default — the specific things you choose to share (for example, a receipt photo with your corrections, or a recipe you asked Savréa to generate) do reach us; you can stop sharing and delete what you’ve shared anytime in Settings. That opt-in is the single, user-initiated exception to “it stays on your device”; everything you don’t choose to share stays on your device as described. If you signed up for our pre-launch beta waitlist on the Savréa marketing site, we also hold the email you submitted — we use it only to send your TestFlight invite and occasional Savréa updates, and we never share it.
That is the whole story in one paragraph. The rest of this policy fills in the precise mechanics — what we mean by “our servers,” what passes through our systems briefly to reach a vendor, what we do with the few pieces of operational data we do hold, and what rights you have. We have tried to write this in plain English because privacy policies that no one reads do not actually inform anyone.
1. Who we are
Savréa is a product of Savrea, Inc., a Texas corporation located in Azle, Texas, USA. Savrea, Inc. is the data controller for any personal data described in this policy. You can reach us at privacy@savrea.com for any privacy-related question, request, or concern.
In this policy, “Savréa,” “we,” “us,” and “our” refer to Savrea, Inc. operating the Savréa application. “You” or “your” refers to you, the person using Savréa on your iPhone or other Apple device.
2. The structural promise
Savréa is built around a structural privacy commitment that goes beyond a written promise: the architecture itself prevents us from doing things we say we will not do. Specifically:
- Your food, pantry, and meal logs live on your device and in your private iCloud store. They never copy to a server we control. We have no internal tool that could pull your meal history, even with full administrator access — it is not on our infrastructure to pull.
- Your HealthKit and Apple Watch data (sleep, steps) is read directly from Apple’s HealthKit on your device and stays there. Savréa never copies HealthKit values to our servers, never writes nutrition data back to HealthKit in v1.0, and never shares HealthKit data with third parties.
- We do not train any machine-learning model on your data — anywhere, ever. This is a hard architectural rule, not a marketing slogan. Our recipe-recommendation and image-recognition vendors operate under contracts that prohibit training on customer data, and Savréa itself runs no model that learns from your data.
- The recipe-recommendation, vision, and food-database features make calls to outside vendors. Those calls pass through a Savréa-operated proxy in transit, but the proxy stores no payload — only short-lived operational metadata. We explain this in detail in Section 4.
These are not aspirations. They are constraints we have built into the system on purpose, because the strongest privacy guarantee is the one that does not depend on a future employee remembering not to do something.
3. The four data classes
Every piece of data Savréa touches falls into one of four classes. This is the same framework engineering uses internally; we are using it here so the operational reality and the user-facing promise are the same document.
Class A — Your content (lives on your device)
What it is. Your pantry contents, kitchen equipment, meal logs, daily plans, recovery flags, all photographs you take in the app (receipts, grocery hauls, meals), all free-text descriptions you write, your TDEE and macro targets, your anchor patterns, and your HealthKit values (sleep duration, sleep stages, step counts) and — at v1.x — your Oura ring values (sleep, HRV, readiness, activity scores).
Where it lives. On your iPhone, and in your private iCloud store via Apple’s CloudKit. It does not live on a Savréa-controlled server. We cannot access it. If you uninstall Savréa and remove its data from iCloud, the data is gone — there is no copy on our side to delete.
Photographs you take in the app (receipts, grocery hauls, meals) are a partial exception worth being precise about: the image bytes pass through Savréa’s Vendor Access Layer (Section 4) on their way to an outside vision vendor (Anthropic Claude, or a cost-leader alternate), and the result is returned to your device. The image is not stored on the proxy — neither on disk, nor in a cache, nor in a queue, nor in an application log. The proxy holds the image in memory only long enough to forward it. After the round trip, the image exists on your device (if you chose to keep it) and nowhere else.
Sharing a kitchen (cross-account sharing). Savréa lets you share a kitchen with another person — your shared pantry, kitchen equipment, grocery list, and a “Family favorites” cookbook. When you share, that data moves directly between your iCloud account and theirs, brokered by Apple (iCloud / CloudKit), end-to-end within iCloud. It never touches a Savréa server — not even in transit. Apple (iCloud / CloudKit) is the service that carries the share, and Apple’s terms govern it. What stays private to you and is never shared: your meal logs, your daily plan, your macro targets and tracking, and your HealthKit/Oura values — sharing a kitchen shares the kitchen, not your eating or your health. If the person who owns a shared kitchen stops sharing it, or you leave it, your device removes its copy of that shared kitchen; the owner keeps the data (it lived in their iCloud). This sharing sub-section was reviewed by counsel (2026-06-15): the “Apple-brokered, end-to-end within iCloud, never on our servers” sharing claim, the Apple/iCloud-as-transport framing, and the participant / leave-a-share disclosures are approved as consumer-facing language. It goes public with the rest of this policy at the public flip.
Sharing data to improve Savréa (opt-in). Separately from sharing a kitchen with another person, you can choose to share some of what you do in Savréa with us, to help us make the app more accurate. This is off by default, and revocable — it is the single, user-initiated exception to everything above. If you never turn it on, nothing here applies and your content stays on your device exactly as described. When you do turn it on:
- What you can share (only after you opt in, and only these): the text records of how Savréa matched what you logged; a receipt photo together with the corrections you confirmed; grocery-haul and meal photos; when you report a bug, the diagnostic detail for that one case; and the recipe requests you make and the recipes Savréa generates for you — including the pantry items and dietary needs that go into each request. Match-text rides a single on/off setting; photos, logs, and recipe requests ask you each time before anything uploads. Your meal logs as a whole, your daily plan, your macro targets, and your HealthKit/Oura values are not part of this and are never collected.
- The honest part about photos. A receipt photo can contain your name, a store, an address, or part of a card number. Before a receipt image leaves your device, Savréa blurs the top band of the receipt where those usually print — on your device, best-effort. We do not promise shared images are free of personal information; some identifiers may remain. The honest posture is consented, redacted-where-feasible, access-controlled, and deletable — not “PII-free.” Grocery-haul and dish photos carry lower risk and get no special blurring beyond the access-control and deletion guarantees. This is the first time Savréa would hold a photo of yours on our side at all — today photos only pass through to a vision vendor (Section 4) and are kept nowhere.
- The honest part about recipe requests. A recipe request carries the pantry items you have on hand and the dietary needs you set — including any per-person allergies or restrictions you entered for the people you cook for. That is health-adjacent information about you and your household, so we treat a shared recipe request and the recipe Savréa generates from it at the same highest sensitivity level as a shared photo or log — asked for each time, never on a standing toggle. When you choose to share one, we keep the request, the recipe Savréa generated, and whether our allergen-safety check flagged anything — so we can make the generator safer and more accurate — and nothing else from your account. Unlike a photo, which your phone uploads directly, the recipe you ask for is built on our servers, so a shared recipe request is captured there as it passes through (Section 4) — never on a standing collection, only the one you opted to share.
- Where it goes, and what we never do with it. What you share goes to a dedicated, encrypted Savréa storage area built for this — separate from the Vendor Access Layer (Section 4), which still stores nothing. It is used only for Savréa’s own internal accuracy tuning and evaluation. We never use it to train or fine-tune a machine-learning model — ours or a vendor’s — the no-training rule (Section 9) does not bend for shared data.
- Stopping and deleting. Turn the setting off and nothing further is collected. Ask us to delete what you’ve shared and we purge it — your contributions are keyed to an opaque identifier so we can remove your specific data (Section 10.5).
During the closed beta, this opt-in sharing is covered by a separate plain-English consent document the beta cohort acknowledges (Savréa_Beta_Data_Collection_Consent.md); this Privacy Policy sub-section is the public-facing version. Counsel reviewed and cleared this opt-in disclosure (2026-06-15): informed consent is a sufficient basis to collect, retention may be indefinite given best-effort redaction and deletion-on-request, and the honest image-PII posture is approved. It goes public with the rest of this policy at the public flip. Counsel separately reviewed and cleared the recipe-request (LLM-trace) extension of this opt-in sharing (Mario Lamar, 2026-06-24): naming the recipe requests + generated recipes as a shared category at the highest sensitivity tier, under the same toggle and the same no-training rule, is approved consumer-facing language. This mirrors the Savréa_PRD.md §7.1.10 opt-in-exception posture (the user-facing translation of it — the two must agree).
Class B — Anonymous usage statistics
What it is. Counters and timing measurements that tell us whether the app is working: app launches, screen views, onboarding completion percentile, average reflow latency, distribution of OCR confidence bands, count of meal-logging events per day (the count, never the contents). These measurements use an anonymous session identifier that is not your Apple ID, not your name, not your email. Where possible, we pre-aggregate on your device before transmitting, so the data we receive cannot be reconstructed back to an individual session.
Where it lives. With PostHog Cloud (PostHog Inc.), our analytics provider. PostHog is open-source software with an architecture that supports anonymous identifiers as a first-class concept; we use that architecture deliberately.
Default-on, opt-out anytime. This collection is on by default. You can turn it off during onboarding (the privacy review screen) or anytime later in Settings → Privacy → Anonymous usage statistics. Turning it off has no effect on app functionality.
What we use it for. Improving the app — measuring whether onboarding is too long, whether reflow is fast enough, whether the recipe engine returns results within an acceptable time, whether a release introduced a regression. Aggregate metrics only; no staff member at Savréa can resolve an aggregate counter to an individual user, because the underlying data simply is not joinable that way.
Class C — Operational state
What it is. Three narrow, honest categories of data we genuinely need to operate the service:
- Subscription state (free, trial, paid, churned). This is tied to your Apple ID by billing necessity — Apple handles the actual payment, and our subscription provider, RevenueCat (RevenueCat, Inc.), records the state of your subscription so we know whether to give you paid features. We do not see your payment method, your billing address, or any direct payment information; that stays with Apple.
- Crash reports, if you opt in. Off by default. If you choose to enable crash reporting during onboarding (Settings → Privacy → Crash reporting), the next time the app closes unexpectedly, a stack trace is sent to Sentry (Functional Software, Inc., d/b/a Sentry). Stack traces only — we strip request bodies, user context, and any custom data. No food data, no health data, no pantry data is ever included.
- Bug reports you submit to us. If you tap “Report a bug” and write us a description, the description and any screenshots you attach are sent to our support inbox at privacy@savrea.com. We retain the report only as long as needed to investigate and respond, then delete it.
Class D — Vendor transient (passes through, does not live)
A small set of features depends on outside vendors that Savréa does not operate: receipt OCR, grocery-haul photo identification, meal photo identification, the recipe catalog, recipe substitutions, recipe generation (a novel recipe authored by an outside AI vendor from your pantry items, macro targets, and equipment), and a portion of the food/nutrition database. When you use one of these features, the relevant data — an image, a list of pantry items, a recipe query, a recipe-generation request — passes through Savréa’s Vendor Access Layer in transit, on its way to the outside vendor. The vendor returns a result. The proxy stores nothing — including the recipe-generation request and the recipe it returns: parsed in memory only for the trip, never written to disk, a cache, or a log — except the recipe inputs and outputs you choose to share to improve Savréa. If (and only if) you opt in to recipe-request sharing (§3, “Sharing data to improve Savréa”), that one request’s recipe inputs and the generated recipe are forwarded to the separate, encrypted Savréa store built for opted-in data; the proxy itself still keeps nothing (Section 4). For everyone who has not opted in, the parse-in-memory-only default holds without exception.
We explain the Vendor Access Layer fully in Section 4 because it is the part of the architecture that most warrants a precise account.
Marketing site interactions — outside the in-app classes
The four classes above describe data when you use the Savréa app. This section covers a different surface: what happens when you submit your email to our beta waitlist at savrea.com/beta/. We are giving it its own treatment because it is a different kind of data with a different posture, and we did not want to bury it inside the in-app framework.
What we collect. Your email address (required) and, optionally, your first name. Nothing else from the marketing site — we do not log IP addresses for the waitlist, set tracking cookies, or fingerprint your browser.
How we collect it. The form on the marketing site posts your submission directly to a Google Forms backend in our Google Workspace. The submission lands in a Google Sheet that only authorized Savréa team members can access.
Why we collect it. To send your TestFlight invite when your cohort opens, and to send occasional Savréa updates about beta progress or launch milestones. That is the entire purpose.
Who we share it with. Only Google, as the operator of the Forms + Sheets infrastructure that holds our waitlist. We do not sell, rent, license, or otherwise share your email with any other third party — not advertisers, not affiliates, not data brokers. Ever.
How long we keep it. Until you ask us to delete it, or until two years after public launch if you never converted to an active user — whichever comes first. To request deletion at any time, email privacy@savrea.com with the subject line “delete me from the waitlist”. We confirm within 30 days.
Your rights. The rights described in Section 10 (CCPA, GDPR, TDPSA, and the universal access / correction / deletion rights) apply to your marketing-site submission the same way they apply to in-app data. The email channel above is the easiest path for any of those requests.
What we don’t do with your marketing email. Section 9 (“What Savréa never does”) applies fully — no behavioral profiling, no third-party data enrichment, no advertising-network sharing, no linkage to your in-app activity once you become a Savréa user.
4. The Vendor Access Layer (transit only)
Some honest caveats on the Section 2 promise. When you use a feature that depends on an outside vendor — receipt OCR, grocery-haul or meal photo identification, recipe lookup, recipe substitution — the request travels from your device, through a Savréa-operated proxy, to the vendor, and then back. The proxy is necessary for security: vendor API keys must be held server-side rather than embedded in the app, where an attacker could extract them and run up large bills on Savréa’s account. Without the proxy, your privacy is no different, but our security and the cost-stability of the service is much worse.
What the proxy does:
- Receives the request from your app, verifies that the request is genuinely coming from a real Savréa app on a real Apple device (using Apple App Attest, Apple’s cryptographic device-attestation framework), and forwards the request to the vendor.
- Forwards the response back to your device. The proxy holds the request in memory only long enough to do this — typically milliseconds.
- Strips device-level identifiers before forwarding upstream. The vendor sees an anonymous request. If the vendor’s contract permits a coarse tier identifier (free/paid) without user-level resolution, the proxy may attach that; nothing finer.
What the proxy does not do:
- It does not write your data to a database. There is no database.
- It does not cache your data. There is no cache.
- It does not log your image bytes, your pantry contents, your recipe queries, your free-text inputs, or any payload body. Ever.
What the proxy does retain, briefly:
For up to 24 hours, the proxy retains a small set of operational metadata for each request: the request timestamp, which vendor was called, the response status code, the latency, the App Attest assertion identifier (a per-request token, not a per-user token), and the tier identifier. This metadata is used to debug failures and to detect abuse (someone running scripted attacks against our vendor accounts). After 24 hours, only aggregated counts survive — and those counts are part of the Class B anonymous statistics described above.
The one opt-in exception — recipe-request sharing. Recipe generation is the single case where, with your permission, the proxy does more than forward-and-forget. The recipe you ask Savréa to generate is built server-side — your app never holds the full request — so unlike a shared photo, which your device uploads directly, a shared recipe request can only be captured here, at the proxy, as it passes through. If you opt in to recipe-request sharing (§3), and only then, the proxy forwards a copy of that one request’s inputs and the generated recipe to the separate, encrypted Savréa store built for opted-in data (the same store described in §3 and §13). The proxy still does not retain it — no database, no cache, no proxy log of your data; it forwards the copy to the dedicated store and keeps nothing itself. This happens only for the recipe-generation surface, only while your sharing toggle is on, and never for any other vendor traffic.
The precise version of the structural promise: your data never lives on our servers. Vendor traffic does transit Savréa infrastructure on its way to the vendor — that is the whole purpose of the proxy. We are choosing the precise word deliberately, because “your data never reaches our servers” would not be true and we will not write a privacy policy that is not true.
Vendor exception — Oura. At v1.x, when we add Oura ring integration, your Oura data is read by your app directly from Oura’s servers using a per-user authorization token issued by Oura. This data does not transit our Vendor Access Layer at all — it goes from Oura to your phone, full stop, and stays on your phone.
5. HealthKit and Apple Health data
Savréa reads a small set of values from Apple’s HealthKit on your device — steps, sleep, body mass, height, biological sex, and date of birth. The system permission prompt presented when you grant HealthKit access reads, verbatim:
“Savréa reads steps, sleep, body mass, height, biological sex, and date of birth from Apple Health to keep your daily calorie anchor current and to ease the deficit when sleep is shorter than usual.”
We use these inputs to estimate your daily energy expenditure and, in the case of a short-sleep night relative to your personal 28-day baseline, to surface a one-day recovery adjustment that bumps protein and softens the deficit until you choose to dismiss it.
In compliance with Apple’s HealthKit App Review Guidelines (specifically HKK 5.1.3):
- Savréa never copies HealthKit data to its servers. HealthKit values are read by the app on your device and remain on your device.
- Savréa never writes nutrition data back to HealthKit in v1.0. (If we ever change this — for example to give you the option of exporting your meal log into Apple Health — we will update this policy and ask for your explicit consent before writing.)
- We do not use HealthKit data for advertising or marketing.
- We do not sell HealthKit data to anyone, ever.
- We do not share HealthKit data with any third party for any purpose other than your own health and fitness goals within Savréa. Specifically: HealthKit data is not sent to any of the Class D vendors listed in Section 8.
- HealthKit data is not used to train any machine-learning model, ours or anyone else’s.
You grant HealthKit permission to Savréa during onboarding. You can revoke it at any time from your iPhone’s Settings → Health → Data Access & Devices → Savréa.
6. Subscription, payment, and trials
Savréa is a free download with an optional paid subscription ($9.99/month or $59.99/year, with a 7-day free trial). Apple processes all payments through the App Store. Apple gives Savréa a record, via our subscription provider RevenueCat, of whether your subscription is active, in trial, expired, or refunded.
We do not see, hold, or process your payment method, your name as it appears on your card, your billing address, your card expiration date, or any other direct payment information. That data is held by Apple and is governed by Apple’s privacy practices.
If you cancel your subscription, you do so through Apple (Settings → Apple ID → Subscriptions on your device). We are not in the cancellation flow. You retain access to paid features through the end of your billing period, then your subscription state moves to “expired” and the app reverts to the free-tier feature set. None of your on-device data is deleted — your meal log, pantry, and history remain on your device and in your iCloud private store.
7. Crash reports and bug reports
Crash reports are off by default. During onboarding, we ask whether you would like to share crash reports. If you say yes, the next time Savréa closes unexpectedly, a stack trace is sent to Sentry. The stack trace is the technical record of where in our code the crash happened — file names, function names, line numbers. We strip request bodies, user-supplied parameters, and any custom context that could include your data. No food information, no health information, no pantry information is ever included in a crash report.
You can change your crash-reporting preference any time in Settings → Privacy → Crash reporting.
If you choose to send us a bug report through the in-app “Report a bug” flow, the description you write and any screenshots you attach are sent to our support inbox. We retain that information only as long as needed to investigate and resolve, then delete it. We will not pull other data from your device to investigate; if a bug report needs additional information, we will ask you, and you decide what to share.
8. Vendors we use, and what they do with your data in transit
Savréa relies on the following outside vendors for specific features. All Class D vendor traffic transits the Vendor Access Layer described in Section 4. Each call carries no Savréa user identifier; the vendor sees anonymous requests. Vendor selection criterion at procurement was a documented retention policy and the ability to be audited.
| Vendor | What they do | Retention posture (per Savréa contract) |
|---|---|---|
| Anthropic (Claude Sonnet 4.6 / Haiku 4.5) | Parses photographed grocery receipts into structured line items, identifies items in grocery-haul photos, identifies meals in dish photos, generates recipe substitution rationale, and generates novel recipes from your pantry items, macro targets, and kitchen equipment | No training on customer content per Anthropic’s standard Commercial Terms; data handling governed by Anthropic’s Data Processing Addendum (incorporated by reference into the Commercial Terms) |
| Spoonacular | Returns ranked recipes given a list of pantry items, a macro envelope, and an equipment filter | Per-call retention controls per Spoonacular’s Developer Terms (1-hour cache cap, indefinite storage limited to recipe id + title + image URL); upstream-source attribution rendered on each recipe-detail surface |
| FatSecret Platform (Premier) | Restaurant menu lookup and the small fraction of branded UPCs not covered by our on-device cache (paid-tier feature only) | Per-call retention controls per Platform Terms Section 1.5 (24-hour bound on retained Content unless explicitly identified as storable indefinitely); attribution rendered on each surface that displays FatSecret content |
| USDA FoodData Central | Live fall-through for free-tier nutrition lookup when our on-device cache misses | Public-domain government source (CC0 1.0 Universal); no commercial retention concern |
| Open Food Facts | Live fall-through for free-tier branded-product lookup when our on-device cache misses | Open-data nonprofit, database licensed under the Open Database License (ODbL 1.0). Per ODbL §4.3, when OFF-derived data is rendered in the app we display the notice: “Contains information from Open Food Facts, which is made available under the Open Database License (ODbL).” with a tappable link to https://openfoodfacts.org. |
| PostHog (PostHog Cloud) | Receives Class B anonymous usage statistics if you have not opted out | Anonymous session identifiers; no Apple ID, no payload |
| Sentry | Receives Class C crash reports if you have opted in | Stack traces only; payload scrubbed; opt-in |
| RevenueCat | Tracks subscription state (free/trial/paid/churned) so the app can grant paid features | Subscription state only; payments handled by Apple |
| Apple (HealthKit, App Store, App Attest, iCloud, push notifications) | Operating system services | Governed by Apple’s privacy practices |
At v1.x, we will add Oura. Oura’s API is accessed directly from your device using a per-user authorization token; it does not pass through the Vendor Access Layer.
If a chosen vendor becomes unable to honor a “no retention beyond the request” stance, our contract with them lapses and we move to an alternate. This is an architectural commitment, not a courtesy.
9. What Savréa never does
Some things we do not do, and the architecture is built such that we cannot start doing them without rewriting the system and updating this policy:
- We do not sell your personal information to anyone. Not in bulk, not in part, not de-identified, not “for research.” Not ever.
- We do not share your personal information with advertisers or with marketing partners. There is no advertising in Savréa, free or paid.
- We do not train or fine-tune any machine-learning model on your data. No model ever learns from your data. Not ours, not a vendor’s — including the AI vendor that generates recipes (the same Anthropic no-training contract governs the recipe-generation call as governs receipt OCR and photo identification). Anchor inference (the feature that learns your typical meal times from your own logging history) runs on your device, over your own data, and the result stays on your device.
- We do not build cross-user behavior profiles for v1.0. Anchor inference, recovery flagging, and recipe ranking are computed individually from your own data.
- We do not use your HealthKit data for anything other than the in-app features that depend on it — TDEE estimation, the recovery flag, and (at v1.x) Oura cross-checks.
- We do not have a customer-success team that can see what individual users are doing. “I see you stopped logging — can we help?” is, structurally, a question we cannot ask, because we do not have the data to know.
One user-initiated exception — opt-in app-improvement sharing. Everything in this section holds for all data you have not chosen to share. If you opt in to “Sharing data to improve Savréa” (§3), the specific data you choose does reach us, and we use it to measure and evaluate Savréa’s own accuracy — for example, checking how well the app read a receipt against the correction you confirmed. Even then, the limit that matters most does not bend: we do not train or fine-tune any machine-learning model on it — ours or a vendor’s; no model ever learns from your data. We also do not sell it, share it with advertisers, or use it to build cross-user profiles. The opt-in changes one thing only — that the specific data you choose reaches our internal accuracy work — and nothing else in this list.
These limitations are deliberate. They cost us some product capability we would otherwise have. We accept those costs in exchange for a privacy posture that is structurally true rather than written-promise true.
10. Your rights
Different jurisdictions grant different rights over personal data, and we honor them whether or not the law in your specific jurisdiction requires us to. The mechanics for exercising these rights with Savréa look unusual because, for the most part, your data is on your device and in your iCloud private store, where you already have direct access and control — without going through us.
10.1 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, how we use it, and with whom we share it. This policy is our notice.
- Access the personal information we hold about you.
- Delete the personal information we hold about you.
- Correct the personal information we hold about you.
- Opt out of the sale or sharing of your personal information. We do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of, but you have the right to make the request and we will honor it as a confirmation.
- Limit the use of sensitive personal information. HealthKit data is sensitive; we never share it, never use it for advertising, and never use it to infer characteristics about you.
- Be free from discrimination for exercising these rights. We will not deny you the app, charge you a different price, or provide a different level of service for exercising any of the rights above.
To exercise any of these rights, email privacy@savrea.com with a description of what you would like us to do. We will respond within 45 days. Note: because most of your data lives on your device and not on our servers, an “access” or “deletion” request to us is mostly answered by what is already true (we do not hold it). We will be specific about what we do and do not have, and act on what we do.
10.2 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, the legal bases on which we process your personal data are:
- Performance of a contract with you (operating the app, including the Vendor Access Layer, subscription billing).
- Your consent (Class B anonymous telemetry — opt-out at any time; Class C crash reports — opt-in; HealthKit access — explicit permission you grant).
- Legitimate interests (debugging the service via 24-hour proxy operational logs; abuse detection).
You have the right to access, rectify, erase, restrict processing of, port, and object to the processing of your personal data, plus the right to withdraw consent for processing based on consent. Email privacy@savrea.com to exercise any of these rights. You also have the right to lodge a complaint with your local supervisory authority.
10.3 Texas residents (TDPSA)
If you are a Texas resident, the Texas Data Privacy and Security Act gives you rights to access, correct, delete, port, and opt out of the sale of your personal data, and to opt out of profiling that produces legal or similarly significant effects. Email privacy@savrea.com. We do not sell personal data and do not use personal data for profiling.
10.4 Everyone else
If you are not in California, the EEA, the UK, Switzerland, or Texas, the rights above may not apply to you as a matter of law, but we will honor reasonable access, correction, and deletion requests anyway. Email privacy@savrea.com.
10.5 Opted-in shared data — the one category we do hold
For almost everything in Savréa, an access or deletion request to us is answered by what is already true: your content is on your device, not ours, so there is nothing on our side to return or delete (§10.1). Data you opted to share to improve Savréa (§3) is the exception — that, we do hold, and deletion-on-request is a real, honored duty, not a formality. Your shared contributions are stored keyed to an opaque per-account identifier, so we can locate and purge your specific data when you ask. Email privacy@savrea.com (or use the in-app control when it ships); we delete what you’ve shared and confirm within the response windows in §16. Turning the sharing setting off stops further collection; deleting data you already shared is a separate request you can make at any time. (Counsel-cleared 2026-06-15: deletion-on-request is the standing duty for opted-in shared data; retention is otherwise indefinite — see §13.)
11. Children
Savréa is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and you believe your child under 13 has used Savréa, please email privacy@savrea.com and we will help confirm and, if applicable, delete any data we hold (for the most part, that will be Class B anonymous statistics, since user content is on the child’s own device and iCloud). The App Store’s age rating for Savréa is 17+, consistent with health and fitness apps that include nutrition and health-related content.
12. International users and data location
Savréa is operated from the United States. Class B anonymous statistics are processed by PostHog and stored on PostHog’s infrastructure (United States). Class C crash reports are processed by Sentry (United States). Class D vendor calls are processed by the relevant vendor in their respective regions; vendor regions are subject to change with vendor infrastructure. The Vendor Access Layer itself runs in AWS us-east-1 (Northern Virginia, USA).
Apple’s services (App Store, HealthKit, iCloud) operate per Apple’s regional infrastructure; iCloud data residency follows Apple’s policy for your account region.
By using Savréa from outside the United States, you agree that your data may be processed in the United States and other countries, subject to applicable cross-border-transfer protections (e.g., EU Standard Contractual Clauses where applicable to the GDPR).
13. Data retention summary
A consolidated view of how long each class of data lives:
- Class A (your content) — retained on your device and in your iCloud private store for as long as you keep the app installed and as long as you choose to retain the iCloud data. Savréa cannot delete it; you delete it by uninstalling the app and removing its iCloud data through your iPhone’s Settings.
- Class A — opted-in shared data (the one exception we do hold) — data you choose to share to improve Savréa (§3) — match-text, shared photos and logs, and, for opted-in users, the recipe requests + generated recipes you share — is held on a dedicated, encrypted Savréa store (separate from the Vendor Access Layer), used only for internal accuracy work, and retained indefinitely — there is no fixed deletion date (counsel-cleared 2026-06-15, on the basis of best-effort on-device image redaction plus deletion-on-request). It is keyed to an opaque per-account identifier and deleted on request (per-user-key purge — §10.5); turning the sharing setting off stops further collection. Never used to train or fine-tune any model (§9).
- Class B (anonymous statistics) — retained by PostHog per their default retention (currently 7 years for event data on the free tier; we may shorten this in our PostHog configuration before launch).
- Class C — subscription state (RevenueCat) — retained for the lifetime of your subscription plus the period required by Apple for billing reconciliation and tax purposes.
- Class C — crash reports (Sentry) — retained per Sentry’s default (currently 90 days on the relevant tier); never longer than needed to fix the issue.
- Class C — bug reports (support inbox) — retained as long as needed to resolve, then deleted.
- Class D — vendor request operational metadata — 24 hours, then aggregated counts only (which become Class B).
- Class D — vendor-side handling — per each vendor’s contract; see Section 8.
- Marketing-site waitlist emails — retained in our Google Workspace (Forms → Sheets) until you ask us to delete (email privacy@savrea.com with subject “delete me from the waitlist”), or until two years after public launch for waitlist members who never converted to active users — whichever comes first.
14. Security
We protect data in transit with TLS 1.2 or higher between your device and the Vendor Access Layer, and between the Vendor Access Layer and each vendor. The Vendor Access Layer authenticates every request from your device using Apple App Attest, rejecting requests that cannot prove they originated from a real Savréa app on a real Apple device. Vendor API keys are stored in AWS Secrets Manager with AWS KMS encryption at rest, never in source code, never in container images, never in CI/CD logs, and rotated on a 90-day cadence (and immediately on any incident). The proxy itself holds no payload, which is its own security control: there is nothing to steal from a proxy that stores nothing.
No system is perfectly secure, and we will not pretend otherwise. If a security incident occurs that affects your personal data, we will notify you per applicable law and via in-app notice as soon as practicable.
15. Changes to this policy
If we change this policy in a way that materially affects how we handle your data, we will give you advance notice through an in-app notification before the change takes effect. Non-material changes (clarifying language, fixing typos, adding a vendor that fits an existing class with the same posture) will be reflected in the next published version of this document, without separate notice.
The current version of this policy is always available at savrea.com/privacy (live as of the marketing site’s v1.0 build; until the site goes fully public, this Markdown source is the canonical version).
16. Contact
For any privacy question, request, or concern:
- Email: privacy@savrea.com
- Postal: Savrea, Inc., Azle, TX, USA (full address available on request)
We respond to privacy requests within 45 days under CCPA/CPRA, 30 days under GDPR (extendable by 60 days for complex requests with notice), and as quickly as we reasonably can in all other cases. If you email us about a non-urgent question and we have not responded within a week, please email again — we run a small operation and your first message may not have reached us.