App Support Center
NutriScan

Nutrition-label scanning, support entry points, and privacy notices, organized into a standalone set of review pages.

Purpose
Public support, privacy, and legal pages
Legal

Privacy Policy

Updated May 2, 2026

NutriScan is a consumer wellness product that handles information many North American users will reasonably view as sensitive health data, including allergies, health conditions, dietary restrictions, and food-decision history. This policy is intentionally detailed: it explains what we collect, what we do not intentionally collect for core features, why we process it, when it may be handled by cloud or AI processors, how long it may be retained, what rights may apply in the United States and Canada, and what limits still exist even when we aim to minimize privacy risk.

Scope and sensitivity of this policy

This Privacy Policy applies to the NutriScan mobile experience, its connected cloud services, and the product-analysis flows used to generate personalized food guidance. Because your profile and scan history can reveal health interests, allergies, chronic-condition context, pregnancy or kidney-related concerns, or other wellness patterns, we treat this information as sensitive personal information and consumer health data.

Information you provide directly

  • Account and sign-in data, such as your email address and authentication identifiers.

  • Health-profile inputs you choose to save, including supported health groups, allergies, dietary preferences, and personalized nutrition limits or thresholds derived from your profile.

  • Manual product inputs, corrections, and nutrition information you type into the app.

Scan, label, and nutrition data we process

  • Barcode values, product names, ingredient or nutrition-label text, and product metadata returned from supported food databases.

  • Nutrition-label photos you choose to upload for OCR, the extracted OCR text and structured nutrient values, and any confidence or review metadata attached to that extraction.

  • Saved scan history, product-analysis results, scores, warnings, suitability labels, and recommendation text generated for your account.

Technical and operational data

  • Authenticated session state needed to keep you signed in on your device.

  • Operational metadata such as timestamps, request identifiers, app-version context, and service errors generated when scans or account features run.

  • Security and abuse-prevention logs needed to keep the service reliable, detect misuse, and investigate incidents.

Data we do not intentionally require for core use

NutriScan is built around account authentication, product scans, profile inputs, and cloud analysis. Core use of the product does not intentionally depend on your contacts, microphone, background location, SMS content, call logs, or advertising identifiers. If an operating system or integration exposes incidental device metadata while handling a request, that metadata may still transit through the normal platform stack, but it is not the intended focus of the product workflow.

Where the data comes from

Most of the sensitive information in NutriScan comes directly from you: profile setup answers, scan actions, uploaded label images, and manual product edits. We also retrieve product and nutrition context from public or third-party food databases when you scan a barcode, and we generate additional inference output through OCR and AI analysis layers using the minimum relevant product and profile context needed for the requested result.

How we use your information

  • To create and secure your account and restore it across sessions and devices.

  • To personalize scores, warnings, thresholds, and recommendation language based on your saved health profile.

  • To run OCR on nutrition-label photos and to analyze product nutrition in the context of your health goals or risk factors.

  • To save scan history, show trends, reopen prior results, and power features such as History, Dashboard, Explore, and Insights.

  • To debug extraction failures, investigate reliability issues, and improve product-data quality, model prompting, and nutrition interpretation rules.

  • To comply with law, enforce our terms, and protect the security of users, the app, and our infrastructure.

Purpose limitation and data minimization

We aim to use the minimum reasonably necessary account, profile, and product context needed to complete the feature you requested. For example, not every scan requires the same profile attributes, and not every support or debugging event should require access to your full history. In practice, operational safeguards can be imperfect, logs can contain context needed to diagnose failures, and provider infrastructure can temporarily copy or cache request data, so data minimization should be understood as an engineering objective rather than a guarantee that no extra technical trace will ever exist.

Legal basis and permission to process

Depending on where you live, we may process your information because it is necessary to provide the service you asked for, because you directed us to process sensitive health-related profile information for consumer wellness purposes, because we have a legitimate interest in security, fraud prevention, product reliability, and quality improvement, or because applicable law requires or permits the processing. When local law requires a separate consent for sensitive personal information or consumer health data, your voluntary use of the relevant profile or scan feature is intended to serve as that instruction unless a stricter consent flow is presented.

AI and automated analysis

When you request a scan result, NutriScan may send the selected product nutrition payload, OCR output, and relevant portions of your saved profile to AI-supported analysis services so the app can generate tailored warning language, scores, and next-step guidance. Automated output can still be incomplete or wrong, especially when labels are blurry, product databases are stale, or a package omits nutrients important to a specific condition. The app is designed for wellness support, not emergency triage or medical diagnosis.

Third-party processors, AI retention, and provider terms

Authentication, database hosting, serverless functions, OCR, and AI-supported inference may run on third-party infrastructure rather than only on your device. Those providers can process request content, logs, and security metadata under their own service terms, data-processing addenda, and operational retention settings. Even where we intend to configure processors for business use rather than public-facing model improvement, provider-side retention, abuse monitoring, or legal compliance obligations may still create temporary or limited copies outside the app interface itself.

When we share data and with whom

We do not sell your health profile, scan history, or other sensitive wellness data. We may disclose or process data with service providers that help us run authentication, cloud storage, serverless functions, OCR, and AI inference; with food-data sources that answer barcode or product lookup requests; when required by law; to protect users or investigate abuse; or as part of a merger, financing, or asset transfer if the product changes ownership. We do not share sensitive health-profile data with advertisers for behavioral ad targeting in the ordinary course of product use.

Health-profile data and third-party analytics

The current NutriScan mobile build is not wired to a third-party product-analytics SDK that ingests raw health-profile fields or saved scan history for advertising or feature analytics. Operational monitoring, authentication, cloud hosting, OCR, and AI processors can still handle relevant request data when you actively use the product, but health-profile values are not intentionally forwarded to a separate growth-analytics tool for cross-context behavioral profiling in the ordinary course of use.

No sale, no targeted advertising, and no high-impact decisioning

We do not intend to sell sensitive health-profile data, scan history, or consumer health data to data brokers, and we do not intend to use that sensitive data for cross-context behavioral advertising. NutriScan also does not present itself as making employment, insurance, housing, credit, or similarly consequential decisions about you. It generates consumer wellness guidance about packaged foods, which should not be treated as a binding medical, insurance, or regulatory determination.

De-identified, aggregated, and diagnostic use

We may use aggregated statistics, de-identified patterns, or internal diagnostic summaries to understand product reliability, feature usage, data coverage, model quality, and safety issues. Where we claim information is de-identified or aggregated, the goal is to remove or minimize direct account linkage before that data is used for analytics or product improvement. De-identification is a risk-reduction practice, not a claim that re-identification is impossible in every environment or under every legal standard.

Health-data context, HIPAA, and North American expectations

NutriScan is built as a consumer food-and-wellness assistant, not as a hospital portal, insurer platform, or clinical electronic medical record. Unless a separate written agreement says otherwise, NutriScan should not be understood as operating as a HIPAA covered entity or business associate solely because you choose to store health-related preferences in the app. At the same time, we recognize that U.S. state consumer health privacy laws and Canadian privacy expectations may still treat this information as highly sensitive, so we describe and handle it accordingly.

Retention and deletion

  • We keep account, profile, and saved-scan data for as long as your account remains active and the data is needed to provide the product features you use.

  • If you delete individual scans or later remove profile information, live product views should stop using that deleted data after the change propagates through our systems.

  • Backup copies, security logs, and diagnostic records may remain for a limited additional period when required for recovery, fraud prevention, compliance, or incident investigation.

  • We aim to minimize retention of raw label images and transient OCR inputs beyond the time needed to complete extraction, debugging, or reliability review, but some short-lived processor or infrastructure copies may exist in transit or logs.

Security safeguards and limits

  • We design the service around authenticated access controls so users can access only their own saved account data in normal operation.

  • We rely on encrypted network transport, credentialed API access, and provider-side security controls appropriate for a modern cloud application.

  • Access to production data should be limited to authorized personnel and processors with a legitimate operational need, such as reliability, security, or customer support.

  • No mobile app, network, or cloud service can guarantee absolute security, so you should still use a device passcode, keep your credentials private, and avoid storing highly sensitive data on shared devices.

Incident response and compelled disclosure

We may preserve, review, or disclose information when we believe it is reasonably necessary to comply with law, respond to legal process, investigate fraud or abuse, enforce our agreements, protect users or the public, or support security incident response and remediation. If the product changes ownership through a merger, acquisition, restructuring, financing, or asset sale, relevant data may be transferred as part of that transaction subject to applicable law and any commitments that continue to bind the transferred service.

Your privacy choices and regional rights

  • You can review and update your health profile inside the app at any time.

  • You can choose whether to scan by barcode, upload a nutrition-label image, or type data manually, and you can revoke camera or photo-library permissions through your device settings.

  • Where available in the client, you can remove saved scans or clear account-level content directly from the app experience.

  • If you are entitled under applicable U.S. state, provincial, or Canadian privacy law to request access, correction, deletion, or a copy of your personal data, you can start that request from the in-app Settings area described below.

  • If we ever use sensitive information for a new purpose that requires fresh consent under applicable law, we will ask before using it that way.

Identity verification, authorized agents, and appeals

Before acting on a privacy request, we may require reasonable steps to verify that the requester controls the relevant NutriScan account or is otherwise authorized to act for that person. If local law allows you to use an authorized agent, guardian, or similar representative, additional proof of authority may be required. If a request is denied in whole or in part because it cannot be verified, is legally exempt, or conflicts with security or record-retention obligations, some jurisdictions may give you the right to appeal that outcome and we may ask you to submit that appeal through the same privacy-request pathway until a separate process is published.

How to make a privacy request today

  • Open Profile, then use Privacy Requests & Data Rights in the Privacy, About & Standards section.

  • Choose the request type and data scope, then review the structured request summary generated in the app.

  • Use the email tied to your account so the request can be authenticated, and avoid sharing extra medical detail unless it is necessary to process the request safely.

  • Use the share action from that screen to send or save the request summary through your preferred support channel until a dedicated privacy inbox or portal is published.

Jurisdiction-specific notes for the United States and Canada

Privacy and consumer health laws differ across jurisdictions, including California, Washington, Nevada, other U.S. states, and Canada’s federal or provincial privacy frameworks. This policy is intended to be read broadly enough to describe our handling of sensitive account, wellness, and scan data across those contexts, but some rights, definitions, timelines, verification steps, and exemptions may differ depending on where you live. If a local law grants stronger protection than this summary describes, that law should control to the extent it applies.

Cross-border processing

Depending on where you live and which service providers support your request, your information may be stored or processed in the United States, Canada, or other jurisdictions where our infrastructure or subprocessors operate. Those jurisdictions may apply privacy rules that differ from the rules in your home province, state, or country.

Children and teen users

NutriScan is not intended for children to use on their own without appropriate adult involvement. If local law requires parental authorization for minors, the account holder is responsible for obtaining that authorization before entering sensitive health or dietary information for a young person into the app.

Policy updates

We may update this Privacy Policy as the product, laws, processors, and privacy controls evolve. When changes are material, we will update the date above and may add in-app notice or other reasonable disclosure before the new terms take effect.

This policy should be read together with the Terms of Use and Data Standards & Sources pages. If you are looking for account removal instructions, see the Privacy Requests & Data Rights page or the Delete Account page. If you rely on NutriScan for condition-sensitive food decisions, review those pages as well so you understand both the privacy implications and the data-quality limits of the service.