Privacy Policy

V. 3 dated 03/06/2026

This privacy policy is intended to provide all information on the processing of personal data carried out by Nexify Limited when Users use the Application (as better specified below).

1. INTRODUCTION - WHO ARE WE?

Nexify Limited, with registered office at Harbourmaster Place no. 4, Eir Building, Custom House Dock, Dublin 1 (Ireland), D01 K6X5, Tax/VAT no. IE3393380OH, (hereinafter, the “Controller”), owner of the Yumii application (hereinafter, the “Application”, “App” or “Yumii”), as data controller of the personal data of users (hereinafter, the “Users” or “Data Subjects”) who, by creating and completing an account (hereinafter, the “Account”), access the Application intended for personal nutrition monitoring (hereinafter, the “Service”) and use the related features, provides below the privacy notice pursuant to Article 13 of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter, the “Regulation” or the “Applicable Law”).

It is specified that the App, the Service and any features offered through the App are reserved to persons who have reached the age of eighteen. The Controller therefore does not collect personal data relating to persons under 18 years of age. At the request of Users, the Controller will promptly delete all personal data inadvertently collected and relating to persons under 18 years of age.

2. HOW TO CONTACT US?

The Controller attaches the utmost importance to the right to privacy and to the protection of its Users’ personal data. For any information relating to this privacy policy, Users may contact the Controller at any time using the following methods:

by sending a registered letter with return receipt to the Controller’s registered office: Harbourmaster Place no. 4, Eir Building, Custom House Dock, Dublin 1 (Ireland), D01 K6X5;

by sending an e-mail message to: info@nexify.io.

Users may also contact the Controller’s Data Protection Officer (RPD or DPO), whose contact details are set out below: Shibumi S.r.l., contactable at the following e-mail address: dpo@youniversal.com

3. WHAT DO WE DO? – PURPOSES, NATURE OF THE DATA, LEGAL BASIS, METHODS OF PROCESSING AND RETENTION PERIODS

Users’ personal data will be lawfully processed by the Controller for the following processing purposes.

Main purpose: provision, pursuant to the Terms and Conditions for use of the Application, of the Service, which is carried out through the activities described below:

Creation and completion of the Account within the Application and the related sending of service communications (for example, confirmation of Account creation, password change request, changes to the privacy policy). For this purpose, the Controller may process the following User data: first name, surname, date of birth or age, e-mail address and password, which jointly constitute the access credentials, sex, body weight and height, technical data (such as IP address, log files, browser type and device inferred from the user-agent), as well as any further personal information that may be voluntarily communicated by the User when creating and completing the Account.

In order to document the proper establishment of the contractual relationship and the declarations made during registration, Yumii also stores the date and time of acceptance, the version of the accepted legal documents, the language/interface used and the IP address from which registration is carried out. These data are used to prove acceptance of the Terms of Service, acknowledgement of the Privacy Policy, acceptance of the Health and AI Disclaimer and the declaration of legal age.

Legal basis of processing: Article 6, paragraph 1, letter b) of the Regulation, namely performance of a contract to which the User is party. The retention of evidence of legal acceptances is also based, where necessary, on the Controller’s legitimate interest in protecting its rights and documented accountability.

Methods of processing: the Controller will process Users’ personal data using manual and IT tools, with logic strictly related to the purposes themselves and, in any case, in a manner that ensures the security and confidentiality of the data. In particular, the password chosen by the User will be processed and stored by the Controller in encrypted form, in order to ensure an adequate level of security.

Retention periods: personal data collected during creation and completion of the Account will be retained by the Controller for the entire duration of the Account and deleted when the Account is deleted from the application archives, unless further retention is necessary to comply with legal obligations or protect rights; log files are retained for 7 days. Data relating to legal acceptances will be retained for the duration of the Account and deleted when the Account is deleted, unless further retention is necessary to comply with legal obligations or protect rights.

Making available the Application features, namely to allow use of the App features, including by way of example: (i) recording and uploading meals through photographs, text descriptions, product barcode scans or manual entry; (ii) processing and analysis of nutritional estimates (such as calories and macronutrients), through an artificial intelligence system, also in light of photographs uploaded by the User to their Account; (iii) creation and management of personalised recipes; (iv) display of dashboards, trends and statistics relating to nutritional values (calories, carbohydrates, proteins, fats) concerning the User; (v) interaction with the virtual assistant active on the Application (hereinafter, the “Virtual Assistant” or “Yumii Coach”) aimed at providing nutritional suggestions. For this purpose, the Controller may process the following User data: first name, surname, sex and e-mail address (collected when creating and completing the Account under the previous purpose A1)), as well as any further data that may be voluntarily provided by the User when using the features, including the content of interactions with the Virtual Assistant and the related history.

Legal basis of processing: Article 6, paragraph 1, letter b) of the Regulation, namely performance of a contract to which the User is party.

The Controller also uses artificial intelligence systems to: (i) process and analyse nutritional estimates; and (ii) allow the User to use the Virtual Assistant, as a tool aimed at providing nutritional suggestions.

In both cases, Users’ personal data will not be used for the purpose of training the artificial intelligence system and the generated responses or nutritional estimates may be inaccurate or incorrect.

Retention periods: personal data collected while using the Application for the above features will be retained by the Controller for the entire duration of the Account and deleted when the User’s Account is deleted from the application archives, limited to personal data relating to the Account, unless further retention is necessary to comply with legal obligations or protect rights.

Analytics subject to consent: Yumii may use Microsoft Clarity, provided by Microsoft, to collect statistical information and analyse, in aggregate or non-aggregate form, use of the App, in order to improve experience, features and Service quality. The tool may involve session recording/session replay, heatmaps, technical events, visited URLs, browser and device information, approximate geographic area and usage data; the Strict masking configuration is intended to limit the recording of personal or sensitive content. Clarity is activated only subject to consent to the Statistics category through Cookiebot. The legal basis is consent, which may be withdrawn at any time from the consent management panel. In the absence of consent, Clarity is not activated and does not set cookies; details on cookies, duration and withdrawal are available in the Cookie Policy.

Further purposes:

Legal obligations, namely to comply with obligations laid down by law, by an authority, by a regulation or by European legislation. For this purpose, the Controller may process the following User data: first name, surname and any further personal information of the User necessary to pursue this processing purpose.

Legal basis of processing: Article 6, paragraph 1, letter c) of the Regulation, namely in order to comply with a legal obligation deriving from Union law or national law.

Retention periods: Users’ personal data will be retained by the Controller for the time necessary to achieve the processing purpose described.

4. SCOPE OF DATA COMMUNICATION AND DISCLOSURE

The User’s personal data may be transferred outside the European Union and, in such case, the Controller will ensure that the transfer takes place in accordance with the Applicable Law and, in particular, in accordance with Articles 45 (Transfer on the basis of an adequacy decision) and 46 (Transfer subject to appropriate safeguards) of the Regulation.

The Controller’s employees and/or collaborators responsible for managing the Application and Users’ requests may become aware of Users’ personal data. These persons, who have been instructed accordingly by the Controller pursuant to Article 29 of the Regulation, will process Users’ data exclusively for the purposes indicated in this notice and in compliance with the provisions of the Applicable Law.

Third parties may also become aware of Users’ personal data where they may process personal data on behalf of the Controller as Data Processors, such as, by way of example and without limitation, providers of outsourcing or cloud computing services, professionals and consultants, and providers of IT and logistics services functional to operation of the Application.

In particular, these providers include those currently used to provide the Application: (i) OVH SAS / OVHcloud for hosting on EU infrastructure, Kubernetes cluster, database, self-hosted services and private Garage/S3 storage; (ii) OpenAI Ireland Ltd for meal image analysis, generation of suggestions and ingredient estimation through artificial intelligence systems; (iii) Groq, Inc. for Yumii Coach/chat features; (iv) Amazon Web Services EMEA SARL for sending transactional e-mails through Amazon SES; (v) Google Ireland Limited / Google LLC for Google OAuth and reCAPTCHA; (vi) Open Food Facts for access to the product database and barcode search; and (vii) Microsoft Corporation / Microsoft Ireland Operations Limited for Microsoft Clarity, analytics and session recording subject to consent. Meilisearch / off-search.cluster.ynext.io and Garage/S3 are on-premise or private components within the OVH cluster and are not listed as separate third-party providers.

For Microsoft Clarity, Microsoft may transfer personal data outside the European Economic Area, in particular to the United States, on the basis of Standard Contractual Clauses and appropriate supplementary measures. More information is available in Microsoft’s privacy statement: https://www.microsoft.com/en-us/privacy/privacystatement.

Users have the right to obtain a list of any data processors appointed by the Controller by making a request to the Controller using the methods indicated in paragraph 5 below.

5. DATA SUBJECTS’ RIGHTS

Data Subjects may exercise the rights guaranteed to them by the Applicable Law by contacting the Controller or the DPO at the contacts indicated in the recitals and, with reference to the right to erasure, also through their personal Account. In particular, as regards the right to erasure, the Data Subject may use the “Delete account” button.

Pursuant to the Applicable Law, the Controller informs that Data Subjects have the right to obtain an indication of (i) the origin of the personal data; (ii) the purposes and methods of processing; (iii) the logic applied in the case of processing carried out with the aid of electronic tools; (iv) the identification details of the controller and processors; (v) the persons or categories of persons to whom the personal data may be communicated or who may become aware of them as processors or persons in charge.

In addition, Data Subjects have the right to obtain:

a) access to, updating, rectification or, where they have an interest, integration of the data;

b) erasure, transformation into anonymous form or restriction of data processed in breach of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;

c) certification that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except where such fulfilment proves impossible or involves a use of means manifestly disproportionate to the protected right.

In addition, Data Subjects have:

a) the right to withdraw consent at any time, where processing is based on their consent;

b) the right (where applicable) to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format);

c) the right to object:

i) in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even where relevant to the purpose of collection.

d) if they consider that the processing concerning them infringes the Regulation, the right to lodge a complaint with a supervisory authority (in the Member State in which they habitually reside, work or in which the alleged infringement occurred). The Italian supervisory authority is the Garante per la protezione dei dati personali, with registered office at Piazza Venezia no. 11, 00187 Rome (http://www.garanteprivacy.it/).

****

The Controller is not responsible for updating all links displayed in this Notice; therefore, whenever a link is not working and/or not updated, Data Subjects acknowledge and accept that they must always refer to the document and/or section of the websites referenced by that link.