Privacy Policy

This Privacy Policy explains how The Invenio Group B.V (“M0VE”, “we”, “us”, “our”) collects, uses, stores, and shares personal data when you use the M0VE mobile app, website, and related services (collectively, the “Service”).

Please read this policy carefully. By using the Service you confirm that you have read and understood how we process your personal data.

1. Who we are

The data controller responsible for your personal data is:

The Invenio Group B.V
Oosthavendijk 46A
3241LK Middelharnis
The Netherlands
Trade register number: 88868303
VAT number: NL864805664B01
Privacy contact: privacy@movenutrition.app

We are registered in the Netherlands and subject to the General Data Protection Regulation (GDPR) as implemented under Dutch law. Our lead supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

2. Data we collect and why

The sections below set out each category of personal data we collect, the lawful basis we rely on under GDPR Article 6 or Article 9, and the purpose for which we process it.

Account information

Data: Email address, display name, Firebase authentication identifier.

Lawful basis: Contract (Article 6(1)(b)) — necessary to create and maintain your account.

Athlete profile

Data: Sport type, nutrition goal, training thresholds (FTP, threshold pace), activity level, work type, BMR formula preference.

Lawful basis: Contract (Article 6(1)(b)) — necessary to calculate your personalised daily nutrition targets.

Body metrics

Data: Body weight, height, date of birth, gender, body fat percentage (optional).

Lawful basis: Contract (Article 6(1)(b)) for weight and height used in calorie calculations. Where these metrics are processed as health data under GDPR, we rely on your Explicit Consent (Article 9(2)(a)) — see Section 3.

Nutrition and food logs

Data: Meals, food items, quantities, calorie and macro values, hydration records, and sweat test results you enter into the app.

Lawful basis: Contract (Article 6(1)(b)) — core service functionality.

Training data

Data: Workout type, date, duration, distance, heart rate, power output, and active calories — imported from connected services you authorise (Strava, Intervals.icu, Apple Health, Apple Watch).

Lawful basis: Contract (Article 6(1)(b)) — used to adjust your daily nutrition targets based on training load. You initiate each connection via OAuth or in-app authorisation.

Menstrual cycle data

Data: Last cycle start date and cycle length, used to calculate your current cycle phase and apply phase-appropriate nutrition adjustments.

Lawful basis: Explicit Consent (Article 9(2)(a)) — this is special category health data. It is processed only where you have given explicit, informed, and freely withdrawable consent. See Section 3 and Section 5 for full details.

Usage and diagnostic data

Data: Device type, operating system version, app version, crash reports, screen views, app lifecycle events, and product analytics events (such as features used, training sessions planned, and navigation patterns).

Lawful basis: Legitimate Interests (Article 6(1)(f)) — we have a legitimate interest in maintaining the stability of and improving the Service. Analytics events are not combined with your food logs, health data, or other sensitive data, and are not used for advertising or cross-service profiling.

Support communications

Data: Your name, email address, and the content of messages you send through our support form or by email.

Lawful basis: Legitimate Interests (Article 6(1)(f)) — necessary to respond to your enquiry and maintain records of support interactions.

Coach-athlete data

Data: If you connect to a coach within the app, your nutrition logs and daily targets are visible to that coach through the M0VE coach dashboard.

Lawful basis: Contract (Article 6(1)(b)) — you explicitly authorise each coaching connection within the app and can remove it at any time.

3. Special category health data

GDPR Article 9 requires a higher level of protection for certain categories of personal data. For M0VE, this includes:

• Menstrual cycle data — cycle start dates and length used to phase-adjust your nutrition targets.
• Body and fitness data processed in a health context — where body weight, height, body fat percentage, or fitness metrics are processed as part of a health or nutrition management service, they may constitute health data under applicable law.

We rely on your explicit consent (Article 9(2)(a)) to process this data. That consent is:

• Collected through an affirmative in-app action at the point you enable the relevant feature.
• Specific to the purpose stated at the point of collection.
• Freely given — enabling or withholding this consent does not affect your access to other features of the Service.
• Withdrawable at any time without detriment. To withdraw consent for menstrual cycle data, disable cycle tracking or delete your cycle data in the app. To withdraw consent for body metrics, remove that data from your profile. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. Apple HealthKit

If you grant permission on iOS, M0VE reads the following data types from Apple HealthKit:

• Workout type, duration, distance, and active energy burned
• Heart rate (average and maximum, where available)
• Cycling power (where available)

This data is used solely to calculate your daily calorie and nutrition targets and to display your workout history within the app.

We will not use HealthKit data for advertising, marketing, or with data brokers — ever. We will not share HealthKit data with any third party except as strictly necessary to deliver the core nutrition calculation service to you. HealthKit data is not stored in iCloud by M0VE. HealthKit data is not used to build profiles for any purpose other than your own nutrition management within the Service.

You can revoke HealthKit access at any time in iOS Settings › Privacy & Security › Health › M0VE.

5. Menstrual and reproductive health data

We treat menstrual cycle data as among the most sensitive data we hold. The following rules apply without exception:

• Menstrual cycle data is never shared with any third party — including advertisers, analytics platforms, data brokers, or law enforcement — except where we are legally compelled by a court order we cannot lawfully resist. Where legally permitted to do so, we will notify you if such a request is received.
• Menstrual cycle data is not sent to any AI system, including Anthropic’s API, for any purpose.
• Menstrual cycle data is not used for advertising, marketing, analytics, or profiling of any kind.
• Menstrual cycle data is stored in Firebase Firestore on Google Cloud servers in the United States, protected by encryption at rest and in transit (see Section 9 on international transfers).
• You can delete your menstrual cycle data independently of your account at any time within the app. Deletion removes the data from our active systems within 30 days, and from backup archives within 60 days.

6. AI food processing

M0VE uses Anthropic’s Claude AI to power two features: AI food logging (describing a meal in plain language) and AI recipe building (generating a portioned meal from ingredients you list).

What data is sent to Anthropic:

• AI food logging: The text description you type, plus your body weight (used to contextualise serving size estimates).
• AI recipe building: The ingredient list you provide, your target meal type and macro targets for that meal, your body weight, sport type, and dietary preferences.

What Anthropic does not receive: Your email address, display name, account identifier, food log history, menstrual cycle data, or workout history.

Anthropic processes this data as a data processor on our behalf. Under Anthropic’s commercial API terms, your inputs are not used to train Anthropic’s models. Anthropic does not retain API inputs beyond the time required to process the request.

Lawful basis: Contract (Article 6(1)(b)) — AI food parsing is a core feature of the Service.

Anthropic is a US-based company. Data sent to their API is transferred to the United States under Standard Contractual Clauses (see Section 9).

Automated decisions: AI-generated nutritional values are presented to you for review and can be edited or overridden before being logged. No automated decisions with legal or similarly significant effects are made about you. The AI assists your food logging — it does not make binding determinations about you.

7. Third parties we work with

We do not sell your personal data. We share data only with the following named parties, each of whom processes data on our behalf under a Data Processing Agreement:

Google / Firebase

Authentication, database (Firestore), and crash reporting (Crashlytics). Your account data, profile, food logs, and training data are stored in Firestore. Crash and diagnostic logs are processed by Firebase Crashlytics. Google LLC, United States.

Vercel

Hosting for the M0VE website and server-side API. Vercel processes request metadata (IP addresses, response data) as part of serving the web application. Vercel Inc., United States.

Anthropic

AI language model for food parsing and recipe building (see Section 6). Anthropic PBC, United States.

PostHog

Product analytics for the M0VE app and website. PostHog collects page views, screen views, app lifecycle events, and custom product events (such as features used and training sessions planned) to help us understand how the Service is used and where to focus improvements. We use PostHog’s EU Cloud, which means your analytics data is stored and processed within the European Economic Area and is not transferred outside the EEA. PostHog does not receive your food logs, health data, menstrual cycle data, or personal identifiers such as your email address. PostHog B.V., The Netherlands.

Loops

Transactional email delivery — account notifications and support replies. Your email address and name are shared with Loops for this purpose only. Loops, United States.

Strava

When you connect Strava, we receive completed activity data under the scopes you authorise via Strava’s OAuth flow. We use this data solely to adjust your daily nutrition targets. We do not share your M0VE data back to Strava. Strava Inc., United States.

Intervals.icu

When you connect Intervals.icu using your API key, we read planned sessions and completed workout data to display your training schedule and adjust fuelling targets. Intervals.icu, New Zealand.

Apple

HealthKit data is read locally from your device under iOS permissions you grant. Apple does not receive data from M0VE.

Coaches you authorise

If you connect to a coach within the app, that coach can view your nutrition logs, targets, and compliance data through the M0VE coach dashboard. You control which coach is connected and can remove the connection at any time.

Legal and corporate disclosures

We may share data where required by law, to comply with a legal obligation, to protect the rights or safety of users, or in connection with a merger or acquisition subject to standard confidentiality protections.

8. Advertising and tracking

M0VE does not engage in cross-app or cross-website tracking. We do not use advertising SDKs, data brokers, or ad-targeting platforms. Usage analytics collected via Firebase and PostHog are used solely for internal product improvement and are not shared with or used by advertising networks.

Health and fitness data, body metrics, menstrual cycle data, and food logs are never used for advertising purposes — including by any third-party processor we work with.

9. International data transfers

We are based in the Netherlands. Several of our processors are based in the United States, which means your personal data is transferred outside the European Economic Area (EEA) when processed by those services.

We ensure these transfers are lawful by relying on Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable the EU-US Data Privacy Framework. Each processor has entered into a Data Processing Agreement with us covering these transfer mechanisms:

• Google / Firebase — SCCs + Google Cloud Data Processing Addendum
• Vercel — SCCs via Vercel’s Data Processing Addendum
• Anthropic — SCCs via Anthropic’s Data Processing Addendum
• Loops — SCCs
• Strava — SCCs under Strava’s API partner terms

You can request a copy of the relevant transfer safeguards by contacting us at privacy@movenutrition.app.

10. How long we keep your data

We retain personal data for the periods set out below. After these periods data is permanently deleted or irreversibly anonymised.

• Account data (name, email, Firebase UID): Duration of your account, plus 30 days after account deletion to allow recovery in the event of accidental deletion.
• Athlete profile and body metrics: Duration of your account. Deleted within 30 days of account deletion.
• Food and nutrition logs: Duration of your account. Deleted within 30 days of account deletion.
• Training data (imported from Strava, Apple Health, Intervals.icu): Duration of your account. Deleted within 30 days of account deletion. Source data remains with the connected service — only the copy held by M0VE is deleted.
• Menstrual cycle data: Duration of your account, or until you delete it within the app. Deleted within 30 days of account deletion or in-app deletion.
• Sweat test results: Duration of your account. Deleted within 30 days of account deletion.
• Crash and diagnostic logs: 90 days.
• Support communications: Two years from the date of last contact.
• Backup copies: Deleted data may persist in encrypted backup archives for up to 60 days before permanent removal.

11. Your rights

Under GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@movenutrition.app or use our support form.

We will respond within one month of receiving your request. For complex or numerous requests we may extend this by up to two further months — we will notify you within the first month if an extension is needed. Requests are free of charge unless manifestly unfounded or excessive. We may ask you to verify your identity before processing a request.

Right of access (Article 15)

You can request a copy of the personal data we hold about you and information about how we use it.

Right to rectification (Article 16)

You can correct inaccurate personal data. Most profile data can be updated directly in the app. Contact us for any data you cannot update yourself.

Right to erasure (Article 17)

You can request deletion of your personal data. You can delete your account and all associated data directly within the app (Account › Delete account). We will permanently delete your data within 30 days, subject to the retention periods in Section 10.

Right to restriction of processing (Article 18)

You can request that we restrict processing of your data in certain circumstances — for example, while a dispute about accuracy is resolved.

Right to data portability (Article 20)

Where we process your data on the basis of contract or consent using automated means, you can request that data in a structured, commonly used, machine-readable format. Contact us to request a data export.

Right to object (Article 21)

You can object to processing based on our legitimate interests. We will stop that processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.

Right to withdraw consent

Where we rely on your consent — including explicit consent for special category data — you can withdraw that consent at any time without detriment. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent for menstrual cycle data, disable the feature in the app or delete your cycle data from your profile.

Rights related to automated decision-making (Article 22)

M0VE does not make solely automated decisions that produce legal or similarly significant effects about you. AI-generated nutritional values are presented as suggestions for you to review, edit, and approve before they are logged.

12. Complaints

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
autoriteitpersoonsgegevens.nl

If you are located in another EU member state, you may also lodge a complaint with the supervisory authority in your country of residence. You also have the right to an effective judicial remedy against us or against a supervisory authority (Article 79 GDPR).

We would appreciate the opportunity to resolve your concerns directly before you contact a supervisory authority. Please reach out to us at privacy@movenutrition.app first.

13. Security

We use industry-standard technical and organisational measures to protect your data, including TLS encryption in transit and AES-256 encryption at rest via Firebase and Google Cloud infrastructure. Access to personal data is restricted to personnel who need it to provide the Service.

No method of transmission or storage is completely secure. If you become aware of a security concern, please contact us at privacy@movenutrition.app.

14. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@movenutrition.app and we will delete it promptly.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where required by law, notify you in the app or by email. Continued use of the Service after an updated policy takes effect constitutes your acceptance of the changes.

16. Contact

For questions about this Privacy Policy or to exercise your data subject rights, contact us at:

The Invenio Group B.V
Oosthavendijk 46A
3241LK Middelharnis
The Netherlands
privacy@movenutrition.app