Privacy Policy
Effective: April 11, 2026
This Privacy Policy explains how Nyami (“Nyami,” “we,” “us,” or “our”) collects, uses, and safeguards personal information when you visit nyami.app, use the Nyami mobile application, join our waitlist, or interact with our communications (collectively, the “Services”). It also sets out your privacy rights under the EU General Data Protection Regulation (GDPR).
1. Who we are & how to reach us
Nyami is a mindful eating companion under development. We act as the data controller for the personal information processed through the Services.
- Controller: Nyami (a pre-incorporation project operated by the founding team; we will update this Policy once the legal entity is registered).
- Registered/principal office: Budapest, Hungary. Please contact us for our full postal address if you wish to write to us.
- Email for privacy enquiries: hello@nyami.app
We have not appointed a data protection officer. If we do so in the future, we will update this Policy with their contact details.
2. The information we collect
- Identification and contact data: Email address and any optional information you submit when joining the waitlist, creating an account, or contacting us.
- App data: When you use the Nyami mobile application, we collect the data you provide through the app, including meal logs, hunger scale ratings, emotional state entries, and your profile picture. This data is stored in your account and used to deliver the core features of the service.
- Communications data: Messages you send us and our responses, including metadata (dates, times).
- Usage data: Device information (browser type, operating system, screen resolution), IP address, pages viewed, referring URLs, interactions with page elements, session duration, performance metrics, and other analytics data collected via consents-based cookies.
- Analytics data: We use PostHog to collect anonymous usage analytics. PostHog identifies users by an anonymous user ID only — we do not send email addresses, usernames, or other personally identifiable information to PostHog. You can opt out of analytics via the toggle in your app settings.
- Consent records: Timestamped records of your cookie and marketing preferences, stored locally (e.g., the
nyami-cookie-consentcookie) and within our internal logs. - Aggregated and anonymised data: High-level statistics that no longer identify you, which we use to understand patterns and improve the Services.
3. Why we use your data & our lawful bases
We only process personal data when we have a legal basis under the GDPR. The table below summarises our main processing activities.
| Purpose | Data categories | Legal basis | Retention |
|---|---|---|---|
| Manage the waitlist and respond to enquiries | Identification and contact data; communications data | Consent (Article 6(1)(a)) when you opt in to the waitlist; legitimate interests (Article 6(1)(f)) to respond to ad-hoc enquiries | 12 months after last interaction, unless you request earlier deletion |
| Send product updates and mindful content | Identification and contact data | Consent (Article 6(1)(a)); you can withdraw at any time via the unsubscribe link | Until you withdraw consent or we discontinue the mailing programme |
| Provide secure, reliable access to the site | Usage data, consent records | Legitimate interests (Article 6(1)(f)) to operate, secure, and troubleshoot the Services | Rolling 12 months for server and event logs |
| Deliver core app features (meal logging, insights, reflections) | App data (meal logs, hunger scales, emotions, profile picture) | Performance of a contract (Article 6(1)(b)) | Retained while your account is active; deleted within 30 days of account deletion |
| Run product analytics and improve the experience | Anonymous usage data identified by user ID only (no email or username); cookie-based analytics on the website | Consent (Article 6(1)(a)) via our cookie banner (website) or analytics toggle in app settings | PostHog retains event data for up to 12 months in the EU region |
| Meet legal obligations and enforce our Terms | Any relevant data category | Legal obligations (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) | As long as required under applicable law (e.g., limitation periods) |
If we rely on legitimate interests, we balance those interests against your rights by limiting the data we collect, using aggregated insights wherever possible, and offering opt-outs when appropriate.
4. Cookies & similar technologies
We use strictly necessary cookies to remember your preferences, and analytics cookies (set only after you consent) to understand how visitors engage with our pages. You can manage your choices through the banner or your browser settings.
| Cookie | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
nyami-cookie-consent | Nyami (first-party) | Stores your cookie consent choice so the banner does not reappear unnecessarily | 12 months | Strictly necessary |
ph_{project-key}_posthog and related PostHog cookies | PostHog (EU region) | Records session information and feature usage to help us improve Nyami (set only after you click “Accept the crumbs”) | Up to 12 months per PostHog’s retention defaults | Analytics (requires consent) |
We also use Cloudflare for DNS, CDN, and security services (including Turnstile challenge on our contact form). Cloudflare may set strictly necessary cookies (such as __cf_bm) to distinguish humans from bots. These cookies are essential to the functioning of the site and do not require consent.
5. Sharing your data
We do not sell personal information. We share data only with service providers that help us operate the Services, subject to written contracts and appropriate safeguards.
- Hetzner (EU): Provides hosting and infrastructure for the landing page and waitlist submission API. Data processed: all categories stored on the site. Safeguards: EU GDPR-compliant hosting.
- Cloudflare (United States): Provides DNS, CDN, DDoS protection, and bot management (including Turnstile on our contact form). Data processed: IP addresses, HTTP request metadata, and bot-detection tokens. Safeguards: Standard Contractual Clauses (SCCs), EU data localisation options.
- Namecheap (United States): Manages our domain registration. Data processed: minimal contact details. Safeguards: Standard Contractual Clauses (SCCs) and security reviews.
- Mailgun (United States): Delivers transactional and marketing emails on our behalf. Data processed: email addresses, message content, and delivery metadata. Safeguards: Standard Contractual Clauses (SCCs), data processing agreement in place.
- PostHog (EU cloud region): Delivers product analytics and cookie consent logs. Data processed: anonymous usage data and consented event metadata. Safeguards: EU data residency, SCCs where applicable.
We may also disclose data if required by law, to protect our rights or the rights of others, or in connection with a business transaction (such as a merger or acquisition).
6. Data retention
We keep personal information only as long as needed for the purposes described above or as required by law. Current retention guidelines are:
- App data (meal logs, hunger scales, emotions, profile picture): Retained while your account is active. When you delete your account, all associated app data is permanently deleted within 30 days.
- Waitlist and marketing emails: Removed 12 months after your last interaction or sooner if you unsubscribe.
- Support and enquiry records: Retained for up to 12 months after closure to help us follow up and improve the Services.
- Analytics data: Anonymous event data is retained for up to 12 months in PostHog’s EU region, then automatically deleted.
- Cookie consent logs: Stored for 12 months to demonstrate compliance, then refreshed.
- Aggregated analytics: Retained indefinitely in non-identifiable form.
We delete or anonymise data once the retention period expires or when you exercise your right to erasure, unless we must keep it for legal reasons.
7. How we protect information
We use administrative, technical, and physical safeguards to protect personal data, including HTTPS encryption, access controls, audit logging, and regular monitoring of our hosting environment. We restrict access to personal information to team members who need it to perform their duties.
8. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (NAIH) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
- Where the breach is likely to result in a high risk to your rights and freedoms, notify affected users without undue delay via email and/or an in-app notification, describing the nature of the breach, its likely consequences, and the measures we have taken or propose to take.
- Document the breach internally, including its effects and the remedial actions taken.
9. International data transfers
Our primary operations are in Hungary. When we transfer personal data outside the European Economic Area (for example, to Namecheap in the United States), we rely on lawful transfer tools such as Standard Contractual Clauses and ensure that recipients provide adequate protections.
10. Your rights
Under the GDPR you have the right to request access to your data, correction, deletion, restriction, portability, and to object to certain processing. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
In particular:
- Data export: You can request a machine-readable export of all personal data associated with your account, including meal logs, hunger scales, emotional state entries, and profile information. Email hello@nyami.app with the subject line “Data export request.”
- Account deletion: You can delete your account and all associated data from within the app settings. Alternatively, email hello@nyami.app with the subject line “Account deletion request.” All personal data will be permanently removed within 30 days of your request.
- Analytics opt-out: You can disable analytics at any time using the analytics toggle in your app settings. On the website, you can withdraw cookie consent through the cookie banner.
You can exercise any of your rights by emailing hello@nyami.app. We will respond within 30 days. We may ask for additional information to verify your identity before we action your request.
You also have the right to lodge a complaint with your local data protection authority or with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), H-1055 Budapest, Falk Miksa utca 9-11, Hungary (naih.hu, ugyfelszolgalat@naih.hu).
11. Children
The Services are not directed to anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us so we can delete it.
12. Updates to this Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the “Effective” date above and, where required, provide additional notice (for example, via email or on-site banner). Your continued use of the Services after changes become effective means you accept the revised Policy.
13. Contact us
If you have questions or concerns about this Privacy Policy or our data practices, email us at hello@nyami.app.