YallaFit Privacy Policy

This Privacy Policy explains how the YallaFit mobile and web application ("YallaFit", the "App", or the "Service") — operated under the trade name Rind ("Rind", "we", "us", or "our") — collects, uses, stores, shares, and protects information about you ("user", "you", or "your") when you use the App.

By installing, accessing, or using YallaFit, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use the App.

Rind is based in Ajman, United Arab Emirates. For any privacy-related question, request, or complaint, contact us at privacy@therinds.com.

1. Interpretation and Definitions

1.1 Interpretation

Words with capitalized initials have the meanings defined below. Definitions apply equally regardless of singular or plural form.

1.2 Definitions

For the purposes of this Privacy Policy:

• Account means a unique account created for you to access the Service or parts of it.
• Application or App refers to YallaFit, the mobile and web application provided under the Rind trade name.
• Country refers to: United Arab Emirates.
• Device means any device that can access the Service, including mobile phones, tablets, computers, and wearables.
• Health and Fitness Data means information related to your physical attributes, activity, nutrition, and wellbeing, including weight, height, body measurements, age, sex, calorie intake, macro-nutrient breakdown, water intake, step count, exercise logs, and goals.
• Personal Data means any information that relates to an identified or identifiable individual.
• Rind ("we", "us", or "our") is the trade name under which the YallaFit Service is operated, based in Ajman, United Arab Emirates.
• Service refers to the YallaFit Application.
• Service Provider means any natural or legal person who processes data on behalf of Rind.
• Usage Data refers to data collected automatically through your use of the Service or generated by the Service infrastructure.
• You means the individual accessing or using the Service, or the legal entity on whose behalf such individual is accessing or using the Service.

2. Information We Collect

2.1 Information You Provide Directly

When you create an Account or use YallaFit's features, we may collect:

• Account information: email address, name (or chosen display name), and password (stored in hashed form via our authentication provider).
• Profile information: date of birth, gender, height, weight, target weight, activity level, dietary preference, fitness goal, language preference, and unit system (metric or imperial).
• Health and fitness logs: food entries (text, photo, or voice transcript), water intake, weight history, step count, exercise sessions, and saved recipes.
• User-generated content: custom recipes, meal notes, and any feedback you submit to us.

2.2 Information Collected Automatically (Usage Data)

When you use YallaFit, we automatically collect:

• Device information: device model, operating system and version, App version, language, time zone, and a unique device identifier.
• Diagnostic data: crash reports, error logs, and basic performance metrics used to diagnose problems.
• Approximate location: inferred from your IP address. We do not collect precise GPS location.

We do not track you across other apps or websites, and we do not use third-party advertising identifiers.

2.3 Photos, Voice, and Text Submissions

When you log a meal using the AI features, the photo, voice recording, or text description you submit is processed by our AI provider to identify the food and estimate its nutritional content. See Section 5 for full details on AI processing.

2.4 Health and Fitness Data — Special Category

Some of the information YallaFit collects (weight, body measurements, dietary habits, exercise data) is treated as "special category" or "sensitive" personal data under laws including the EU General Data Protection Regulation (GDPR) and the UAE Personal Data Protection Law (PDPL). We process this data only with your explicit consent, given when you complete onboarding and grant access to the relevant App features. You can withdraw this consent at any time by deleting the relevant data from your Account or by deleting your Account entirely.

2.5 Information We Do Not Collect

We do not collect:

• Precise GPS or geo-location data.
• Contacts, calendar entries, or files outside the App.
• Camera or microphone input outside the moments you actively use the food-scan or voice-log features.
• Payment card information. All payment processing is handled directly by Apple App Store or Google Play (see Section 7).

3. How We Use Your Information

We use the information we collect to:

• Operate the Service — provide core App features including calorie targets, macro tracking, water and step tracking, AI food recognition, recipe storage, and progress charts.
• Personalize your experience — calculate your daily nutrition targets based on your profile and goals.
• Manage your Account — authenticate sign-in, sync your data across your devices, and enable Account recovery.
• Improve the Service — analyze aggregated, de-identified usage trends, debug crashes, and develop new features.
• Communicate with you — respond to support requests, send important security or service notifications, and (with your consent) send product updates.
• Comply with legal obligations — meet our regulatory, tax, accounting, or law-enforcement obligations.
• Protect the Service and our users — detect, investigate, and prevent fraud, abuse, or security incidents.

We do not sell your Personal Data, and we do not show third-party advertising in the App.

4. Legal Basis for Processing (EU / EEA / UK Users)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on the following legal bases under the GDPR:

• Consent — for processing health and fitness data, AI photo/voice/text analysis, and optional marketing communications.
• Performance of a contract — to provide the Service you signed up for.
• Legitimate interests — to secure the Service, prevent fraud, and improve features in ways that do not override your rights.
• Legal obligation — to comply with applicable laws.

You can withdraw consent at any time by deleting the relevant data, disabling the feature, or deleting your Account.

5. AI Processing and Automated Decisions

YallaFit uses third-party Artificial Intelligence services to recognize food from photos, transcribe voice meal logs, and parse free-text descriptions of meals. Specifically:

• Provider: OpenAI, L.L.C. (United States).
• What is sent: the photo, voice file, or text you actively submit when using an AI feature.
• What is returned: an estimated identification of the food and an approximate nutritional breakdown (calories, protein, carbohydrates, fat).
• Retention: your submission is processed in real time and is not stored on our servers after a result is returned. OpenAI's data-handling practices are governed by their own privacy policy and their API data-usage terms, under which API submissions are not used to train their models.

The nutritional estimates produced by the AI are approximate and not guaranteed to be accurate. You can choose not to use AI features at any time by logging meals manually. Calorie targets and macro splits we compute for you are based on widely accepted formulas (Mifflin–St Jeor for BMR) and your profile data; they do not constitute medical or nutritional advice.

6. Third-Party Service Providers

We share Personal Data with the following Service Providers, strictly for the purposes described:

• Supabase, Inc. (United States / EU regions) — Authentication, database hosting, file storage. Data shared: account credentials, profile, logs, weight history.
• OpenAI, L.L.C. (United States) — AI food recognition from photo, voice, or text. Data shared: the photo, transcript, or text you submit.
• Open Food Facts (France, non-profit) — Barcode product lookup. Data shared: the barcode you scan.
• Apple Inc. (United States) — "Sign in with Apple", App Store distribution, in-app purchases. Data shared: OAuth tokens, purchase receipts, standard platform telemetry.
• Google LLC (United States) — "Sign in with Google", Google Play distribution, in-app purchases. Data shared: OAuth tokens, purchase receipts, standard platform telemetry.
• Cloudflare, Inc. (United States) — Edge proxy for AI requests, content delivery network. Data shared: request metadata, IP address.

Each Service Provider is bound by contractual obligations to process your data only for the purposes we instruct, to apply appropriate security measures, and to comply with applicable data-protection laws. We encourage you to review each provider's privacy policy.

7. Subscriptions and Payments

YallaFit offers optional paid subscriptions. All payment processing is handled exclusively by Apple App Store or Google Play depending on your platform. We do not receive, store, or process your credit-card or bank-account details. We receive only:

• A subscription receipt or transaction identifier confirming an active subscription.
• The product identifier purchased.
• The renewal or expiry status of your subscription.

You can manage or cancel your subscription at any time through your Apple ID or Google Play account settings.

8. Data Retention

We retain your Personal Data only for as long as necessary to:

• Provide you the Service while your Account is active.
• Comply with our legal, accounting, or reporting obligations.
• Resolve disputes and enforce our agreements.

Specifically:

• Account and profile data: retained until you delete your Account.
• Food, weight, and activity logs: retained until you delete the entries individually or delete your Account.
• AI submissions (photos, voice, text): discarded immediately after a result is returned.
• Diagnostic and crash data: retained for up to ninety (90) days, then aggregated or deleted.
• Subscription receipts: retained for the period required by tax and consumer-protection laws (typically seven (7) years).

When you delete your Account from Settings → Delete Account, we permanently delete your profile, all logs, weight history, custom recipes, per-user settings, and saved sign-in records within thirty (30) days, except where we are required by law to retain a minimum subset.

9. Storage and International Transfers

Your Personal Data is stored on servers operated by our infrastructure providers, primarily in the European Union and the United States. By using YallaFit, you consent to the transfer of your data to these jurisdictions, which may have data-protection laws different from those in your country of residence.

When we transfer data outside the European Economic Area, the United Kingdom, or the United Arab Emirates, we rely on the following safeguards:

• Standard Contractual Clauses approved by the European Commission.
• Adequacy decisions where applicable.
• Equivalent contractual protections required under UAE Federal Decree-Law No. 45 of 2021 (PDPL).

We use industry-standard encryption (TLS 1.2+ in transit, AES-256 at rest) to protect your data during transfer and storage.

10. Your Rights

Depending on where you reside, you have the following rights with respect to your Personal Data.

10.1 General rights (all users)

• Access — request a copy of the Personal Data we hold about you.
• Correction — ask us to correct inaccurate or incomplete data.
• Deletion — request that we delete your Personal Data ("right to be forgotten").
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Withdrawal of consent — withdraw any consent you previously gave for AI processing, marketing, or sensitive-data processing.

10.2 EU / EEA / UK users (GDPR)

In addition to the rights above, you have:

• The right to object to processing based on our legitimate interests.
• The right to restrict processing in certain circumstances.
• The right to lodge a complaint with your national data-protection authority.

10.3 California users (CCPA / CPRA)

You have the right to:

• Know what categories of Personal Data we collect, the sources, the purposes, and the third parties we share it with.
• Opt out of the "sale" or "sharing" of your Personal Data. Note that we do not sell or share Personal Data as defined by the CCPA.
• Limit the use of sensitive Personal Data.
• Be free from discrimination for exercising any CCPA right.

10.4 UAE users (PDPL)

Under UAE Federal Decree-Law No. 45 of 2021 you have the right to:

• Request information about how we process your data.
• Request transfer of your data to another controller.
• Object to automated decision-making.
• Lodge a complaint with the UAE Data Office.

10.5 How to exercise your rights

To exercise any of these rights, email privacy@therinds.com from the email address associated with your Account. We will respond within thirty (30) days. We may ask for additional information to verify your identity before fulfilling your request.

You can delete most of your data directly from the App via Settings → Delete Account.

11. Data Security

We implement reasonable technical and organizational measures to protect your Personal Data, including:

• TLS 1.2 or higher for all network communications.
• Encrypted storage at rest (AES-256).
• Hashed and salted passwords; we never store plaintext passwords.
• Principle-of-least-privilege access controls for our staff and contractors.
• Regular security reviews of our infrastructure and dependencies.

However, no method of electronic transmission or storage is one hundred percent secure. While we strive to use commercially reasonable means to protect your Personal Data, we cannot guarantee absolute security. In the event of a Personal Data breach affecting your data, we will notify you and, where required, the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach.

12. Children's Privacy

YallaFit is not directed at children. We do not knowingly collect Personal Data from:

• Children under the age of thirteen (13) in most jurisdictions, including the United States and the United Arab Emirates.
• Children under the age of sixteen (16) in the European Union, or such other age set by individual EU Member States in line with GDPR Article 8.

If you are a parent or guardian and you believe that a child has provided us with Personal Data, please contact us at privacy@therinds.com and we will delete that information from our servers as soon as reasonably possible.

13. Marketing Communications

We may send you product updates, tips, and promotional offers related to YallaFit only if you have opted in. You can opt out at any time by:

• Clicking the "unsubscribe" link at the bottom of any marketing email.
• Disabling notifications in your device settings or in Settings → Notifications within the App.
• Emailing privacy@therinds.com.

We will continue to send you service-related notifications (security alerts, important changes to this policy, billing notices) regardless of your marketing preferences, as these are necessary for the operation of the Service.

14. Disclosure for Legal Reasons

We may disclose your Personal Data in the good-faith belief that such action is necessary to:

• Comply with a legal obligation, court order, or valid request from a public authority.
• Protect and defend the rights or property of Rind.
• Prevent or investigate possible wrongdoing in connection with the Service.
• Protect the personal safety of users of the Service or the public.
• Protect against legal liability.

In the event of a merger, acquisition, restructuring, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction. We will notify you in advance of any such transfer and any material change in how your data will be handled.

15. Links to Third-Party Sites

The Service may contain links to websites or services operated by third parties. We are not responsible for the content or privacy practices of those third parties. We encourage you to review the privacy policy of any third-party site or service before providing them with any personal information.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Service, or applicable law. We will:

• Post the updated policy in the App (Settings → Privacy Policy) and on our website.
• Update the "Last Updated" date at the top of this document.
• For material changes, give you at least thirty (30) days' notice via email or in-App notification before the changes take effect.

Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree with the changes, you should stop using the Service and delete your Account.

17. Contact Us

If you have any questions, requests, or concerns regarding this Privacy Policy or our handling of your Personal Data, please contact us:

• Privacy inquiries: privacy@therinds.com
• General support: support@therinds.com
• Postal address: Rind, Ajman, United Arab Emirates

We aim to respond to all inquiries within thirty (30) days.