01Preliminary provisions
This Privacy Policy (hereinafter “Policy”) describes, in a clear and transparent manner, the practices applied by the Controller to the processing of personal data collected through the nhac mobile application (hereinafter “Application”), in compliance with Brazil's General Data Protection Law (Law No. 13,709/2018, hereinafter “LGPD”) and with Law No. 12,965/2014 — Brazilian Civil Rights Framework for the Internet.
The Controller collects solely the data strictly necessary for the provision of the service, does not commercialize personal data and confines processing to the purposes expressly set forth in this Policy.
02Identification of the Controller
For the purposes of this Policy, the Controller is the natural person responsible for the operation of the nhac Application, to whom the decisions regarding the processing of users' personal data are assigned, pursuant to article 5, item VI, of the LGPD.
The Data Subject may contact the Controller, on any matter relating to the processing of personal data, at the electronic address app.clubnhac@gmail.com.
03Personal data processed
The Controller processes the following categories of personal data, in accordance with the purposes indicated below:
- Registration data
- Name, electronic mail address and profile image, obtained exclusively through the Google Sign-In authentication provider, the sole sign-up method currently made available by the Controller.
- Cooking preferences
- Information voluntarily provided by the Data Subject during onboarding and editable at any time, including cuisine types, dietary restrictions, allergies and skill level.
- Content of interactions with the Daisy persona
- Text messages submitted by the Data Subject, replies generated by the artificial intelligence model and the resulting recipes, retained for history and contextual continuity purposes.
- Recipe usage records
- Recipes saved to the personal shelf, step completion markers, ratings assigned by the Data Subject and the optional photograph of the finished dish.
- Usage and stability data
- Application usage events and crash reports captured by Firebase Crashlytics, processed on an anonymized and aggregated basis for service maintenance and improvement.
- Device technical data
- Device model, operating system version, language and time zone, used exclusively for Application compatibility purposes.
The Controller does not collect: precise geolocation data, calendar, contact list, microphone audio or camera imagery, except for the voluntary capture of a photograph of the finished dish by the Data Subject. Nor does it employ third-party tracking cookies.
04Legal bases and purposes of processing
Pursuant to article 7 of the LGPD, the processing of personal data carried out by the Controller is grounded on the following legal bases:
- Performance of contract (art. 7, V) — for the provision of the Application's core services, including recipe generation, storage of preferences and operation of cooking mode;
- Legitimate interest (art. 7, IX) — for fault diagnosis, improvement of service quality and prevention of fraud or platform abuse;
- Consent (art. 7, I) — for optional communications, such as informational messages and notifications of new features, which the Data Subject may withdraw at any time;
- Compliance with legal or regulatory obligation (art. 7, II) — in response to requests made by competent authority, within the strict limits of applicable law.
05Artificial intelligence and third-party models
The Daisy persona constitutes a product layer integrated into the Application, responsible for curation, tone of communication and memory of the Data Subject's profile. The content generated through her stems, however, from artificial intelligence models provided by third parties, currently Google Gemini. In the processing of information transmitted to such models, the Controller observes the following directives:
- Transmission limited to that strictly necessary for the formulation of the response, comprising the current message, the relevant preferences and the context of the ongoing conversation;
- No direct personal identifiers — such as name and electronic mail address — are bound to the requests submitted to the model;
- Model-generated images are retained on a server administered by the Controller, associated with the recipe identifier, for subsequent display without regeneration;
- Use of the models is subject to the prevailing terms of the provider's application programming interface (API); sharing of the Data Subject's content with third parties for advertising or marketing purposes is prohibited.
Recipes, photographs and text produced by artificial intelligence may contain inaccuracies as to ingredients, quantities, times and techniques. Prior verification by the Data Subject is recommended, particularly in cases involving allergies, severe dietary restrictions and preparations intended for children, pregnant individuals or persons in sensitive health condition.
06Sharing with processors
The Controller shares personal data solely with processors indispensable to the provision of the service, in compliance with the contractual terms and standard processing conditions of each platform:
- Google Cloud / Firebase — hosting, authentication via Google Sign-In, database (Firestore) and file storage;
- Google Gemini — artificial intelligence models employed in the generation of recipes and images;
- Firebase Crashlytics — error capture and generation of Application stability reports.
The commercialization of personal data is expressly prohibited, as is its sharing with advertising agencies, marketing intermediaries or advertisement platforms.
07Retention periods
Personal data are retained for the periods set forth below, save for legal retention obligations:
- Active account: for the entire period of use of the Application by the Data Subject;
- Closed account: deletion of personal data within 30 (thirty) days, with generated recipes being anonymized and possibly retained on an aggregate basis for statistical and quality improvement purposes;
- Conversation history: 180 (one hundred and eighty) days on a rolling basis; the Data Subject may proceed with earlier deletion under Settings → Conversations;
- Technical records and crash reports: 90 (ninety) days.
08Rights of the Data Subject
Pursuant to article 18 of the LGPD, the Data Subject is entitled to exercise the following rights, by means of a request addressed to the Controller:
- Confirmation of the existence of processing of personal data and access to such data;
- Correction of incomplete, inaccurate or out-of-date data;
- Anonymization, blocking or deletion of unnecessary or excessive data, or data processed in non-conformity with the LGPD;
- Portability of the data to another service or product supplier, observing the legal requirements and commercial and industrial secrecy;
- Deletion of personal data processed on the basis of consent;
- Information on the public and private entities with which the Controller has carried out shared use of data;
- Withdrawal of consent, at any time, pursuant to article 8, § 5, of the LGPD;
- Filing of a complaint with the Brazilian National Data Protection Authority (ANPD).
Requests shall be sent to the electronic address app.clubnhac@gmail.com; a reply shall be provided within no more than 15 (fifteen) business days from receipt.
09Information security
The Controller adopts reasonable and proportionate technical and administrative measures designed to safeguard personal data against unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination, in accordance with the best practices applicable to the development and operation of mobile applications.
Notwithstanding the efforts undertaken, no system is fully immune to failure. Upon detection of a security incident that may give rise to relevant risk or harm to the Data Subject, the Controller shall make the communication to the ANPD and to the Data Subject, pursuant to article 48 of the LGPD.
10Amendments to this Policy
This Policy may be reviewed periodically, particularly on account of regulatory, technical or operational changes. Any material amendments shall be previously communicated to the Data Subject, through the Application and/or by electronic mail, with a minimum advance notice of 15 (fifteen) days. The date of the most recent update appears at the header of this document.
11Channel of communication
Any questions, requests for the exercise of rights, incident notices or further communications concerning the processing of personal data shall be directed to the electronic address app.clubnhac@gmail.com.