Privacy Policy
Space Folding · Last updated: April 18, 2025
Contents
- Who We Are
- Data We Collect
- Camera Permission
- Health & Biometric Data
- Wearable & Health Platform Integrations
- How We Use Your Data
- Cloud Processing & Storage
- Data Sharing & Third Parties
- Data Retention
- Security
- Your Rights — GDPR (EU/EEA)
- Your Rights — CCPA (California)
- FTC Health Breach Notification Rule (US)
- Children's Privacy
- Changes to This Policy
- Contact Us
This Privacy Policy explains how Space Folding (“we”, “us”, or “our”) collects, uses, stores, and protects your information when you use the Nibblio mobile application (“the App”). Because Nibblio handles sensitive health and biometric data, we take your privacy especially seriously. Please read this policy carefully.
1. Who We Are
Nibblio is a nutrition and wellness application developed and operated by Space Folding. The App helps users track nutrition, interpret biomarker data from lab reports, and integrate health metrics from wearable devices to provide personalised dietary and wellness guidance.
For privacy-related questions: info@spacefolding.ai
2. Data We Collect
Personal Information
- Name, email address, and password (for account creation)
- Age, sex, height, and weight (for nutritional calculations)
- Dietary preferences, goals, and restrictions you enter manually
Health & Biometric Data Sensitive
- Biomarker values from lab reports you scan or upload (e.g. glucose, HbA1c, cholesterol, vitamin levels)
- Biometric data synced from wearable devices and health platforms (heart rate, HRV, sleep quality, activity, steps, calories burned)
- Nutritional intake data you log manually or via camera scanning
Camera Data
- Images of food and meals (for AI nutrition analysis)
- Barcode and nutrition label scans
- Lab report documents or photos (for biomarker extraction)
Technical & Usage Data
- Device type and operating system version
- Anonymised crash reports and diagnostic data
- Aggregated, anonymised feature usage analytics
We do not collect payment information, precise location, contacts, or any data not listed above.
3. Camera Permission
What the camera is used for
Images captured during a scan are transmitted to our servers for processing to extract the relevant data (nutritional values, barcode identifiers, or biomarker readings). Results are stored in your account. Raw lab report images are deleted from our servers within 30 days of processing. Food and meal photos are retained as part of your nutrition log unless you delete them.
You can revoke camera permission at any time in your device settings. Scanning features will be disabled, but all other App functionality will continue to work.
4. Health & Biometric Data
Special Category Data under GDPR Article 9
Lab Report Data
When you scan or upload a lab report, we extract biomarker values to generate nutritional and wellness insights. Extracted values are stored in encrypted form in your account. Raw document images are deleted from our servers within 30 days of processing.
Wearable & Biometric Data
With your permission, we import biometric data — heart rate, HRV, sleep quality, activity levels, and caloric expenditure — from connected health platforms. This data is used exclusively to personalise your nutrition recommendations within the App.
Restrictions on Health Data Use
Health and biometric data is used only to provide the App's features to you. It is never used for advertising, sold or licensed to third parties, shared with insurers or employers, or used to make automated decisions that have legal or similarly significant effects on you.
5. Wearable & Health Platform Integrations
All integrations require your explicit authorisation before any data is accessed. You can disconnect any integration at any time from within the App's Settings.
Apple Health (HealthKit) — iOS
The App reads and may write health data via Apple HealthKit. Data accessed through HealthKit is governed by Apple's HealthKit privacy rules in addition to this policy. We do not use HealthKit data for advertising or share it with data brokers. Manage permissions in iOS Settings → Privacy & Security → Health → Nibblio.
Google Fit / Health Connect — Android
The App integrates with Google Fit and/or Health Connect to access activity and biometric data. Revoke access at any time through the Google Fit or Health Connect app settings.
Third-Party Wearables (Garmin, Fitbit, Whoop, and others)
The App connects to third-party wearable platforms via their official APIs. When you authorise a wearable connection, that platform shares specific data types with Nibblio under the permissions you grant. Each platform's own privacy policy governs how they handle your data on their infrastructure. We request only the minimum data scopes needed for nutritional and wellness analysis.
6. How We Use Your Data
- To provide personalised nutrition tracking and dietary recommendations
- To analyse lab biomarkers and correlate them with nutritional patterns
- To integrate biometric data from wearables into wellness insights
- To improve App accuracy and features (using anonymised, aggregated data only)
- To diagnose and fix technical issues
- To respond to support enquiries
- To comply with applicable legal obligations
We do not use your data for behavioural advertising, third-party profiling, or any purpose not listed above.
7. Cloud Processing & Storage
All data processing and storage takes place on our secure cloud infrastructure. No personal or health data is processed or stored solely on your device. All data transmitted to our servers is encrypted in transit (TLS 1.2+) and at rest (AES-256).
| Feature | Where processed | What is stored |
|---|---|---|
| Barcode scanning | Cloud | Product ID and associated nutrition values |
| Food image analysis | Cloud (AI model) | Image and extracted nutritional values, linked to your account |
| Lab report extraction | Cloud (OCR / AI) | Document image and extracted biomarker values; raw image deleted within 30 days of processing |
| Wearable data sync | Cloud | Encrypted biometric data linked to your account |
| Nutrition recommendations | Cloud | Recommendations and underlying inputs, linked to your account |
| Crash diagnostics | Cloud | Anonymised diagnostic data only; no health data included |
8. Data Sharing & Third Parties
We do not sell, rent, or trade your personal or health data. We share data only in the following limited circumstances:
Service Providers
Trusted third-party services (cloud hosting, OCR processing, crash reporting) that process data on our behalf under strict data processing agreements. They may not use your data for their own purposes.
Health Platform APIs
Data flows between connected health platforms and our App under the permissions you grant. Each platform's privacy policy governs their handling of the data on their side.
Legal Requirements
We may disclose data if required by law, court order, or valid legal process, or to protect the rights and safety of our users.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you at least 30 days in advance, giving you the opportunity to delete your account.
9. Data Retention
- Account and health data: Retained while your account is active. Deleted within 30 days of account deletion.
- Lab report images: Raw images deleted from servers within 30 days of processing. Extracted biomarker values retained until you delete them or your account.
- Wearable / biometric data: Retained until you disconnect the integration or delete your account.
- Anonymised analytics: Up to 12 months.
- Support correspondence: Up to 2 years.
- After account deletion: All personal and health data permanently deleted within 30 days. Anonymised aggregate data that cannot be linked to you may be retained.
10. Security
Given the sensitivity of health data, we apply the following safeguards:
- Encryption in transit via TLS 1.2+
- Encryption at rest via AES-256
- Access controls restricting staff access to health data on a need-to-know basis
- Regular security reviews and penetration testing
- Incident response procedures aligned with GDPR breach notification timelines (72 hours)
No system is 100% secure. In the event of a breach affecting your health or personal data, we will notify you and the relevant authorities as required by law.
11. Your Rights — GDPR (EU/EEA Users)
If you are in the EU or EEA, you have the following rights under the General Data Protection Regulation. Because Nibblio processes health data (special category data under Article 9), these rights carry additional weight:
- Right of access: Request a copy of all personal and health data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of all your data. Processed within 30 days.
- Right to restriction: Ask us to pause processing while a dispute is resolved.
- Right to data portability: Receive your data in a structured, machine-readable format (JSON or CSV).
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw explicit consent for health data at any time via App Settings. This disables health features but does not affect prior processing.
- Right to lodge a complaint: Contact your local data protection authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany).
Legal basis for processing health data (Article 9(2)(a))
To exercise any right: info@spacefolding.ai. We respond within 30 days, or within 90 days for complex requests (with advance notice).
12. Your Rights — CCPA (California Users)
- Right to know: Request disclosure of personal information collected, including health data categories and specific pieces.
- Right to delete: Request deletion of personal information we hold.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale: We do not sell personal information. No action required.
- Right to limit use of sensitive personal information: Health and biometric data qualifies as sensitive personal information under CCPA. You may request that we limit its use to what is strictly necessary to provide the App's features.
- Right to non-discrimination: We will not discriminate against you for exercising these rights.
Submit a request: info@spacefolding.ai
13. FTC Health Breach Notification Rule (US)
As a consumer-facing health application operating in the United States, Nibblio is subject to the FTC Health Breach Notification Rule. In the event of an unauthorised acquisition of identifiable health data, we are required to notify:
- Affected users — without unreasonable delay, and no later than 60 days after discovery
- The Federal Trade Commission
- Prominent media outlets, if the breach affects 500 or more residents of a US state or territory
We maintain an incident response plan to ensure these obligations are met promptly.
14. Children's Privacy
The App is not directed at children under the age of 13 (or under 16 in the EU). We do not knowingly collect personal or health data from children. If you believe a child has created an account or submitted health data, contact us immediately at info@spacefolding.ai and we will delete it promptly.
15. Changes to This Policy
We may update this policy as the App evolves or regulations change. We will update the “Last updated” date at the top of this page. For material changes — particularly those affecting how health data is processed — we will provide at least 14 days advance notice via in-app notification or email before changes take effect.
Your continued use of the App after changes are posted constitutes acceptance of the updated policy. If you disagree with material changes, you may delete your account before they take effect.
16. Contact Us
For privacy questions, data requests, or to exercise any of your rights:
Space Folding — Privacy
Email: info@spacefolding.ai
We aim to respond to all privacy requests within 30 days. For complex requests we may extend this by up to 60 additional days and will notify you in advance.