
Privacy Policy

Last updated 5 June 2026

This Privacy Policy explains how Bartolomeo Steccanella (“Sour”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use the Sour: Quit Added Sugar mobile application and the website at getsour.app (together, the “Service”).

By using the Service, you acknowledge that you have read and understood this Policy. Where we rely on your consent to process certain data, we ask for that consent separately in the app.


1. Who we are (Data Controller)

The data controller responsible for your personal data is:

  • Legal entity: Bartolomeo Steccanella
  • Postal address: 42 Barmouth Way, L5 9RP Liverpool, UK
  • Privacy contact: privacy@getsour.app
  • General contact: hello@getsour.app

If you are in the EU/EEA or UK, you may also contact us about any matter relating to your personal data using the details above.


2. Data we collect

We only collect data needed to run Sour and help you reduce added sugar. The list below sets out each category, the specific data, and our lawful basis under the UK GDPR / EU GDPR.

2.1 Account data

  • Data: email address, first name, monogram/initials, account creation date, authentication identifiers.
  • How: created when you sign up using a magic link (email) or Google Sign-In, handled through our authentication provider Supabase.
  • Lawful basis: performance of a contract (Art. 6(1)(b)) — we need this to create and operate your account.

2.2 Health-adjacent data (sensitive / special category)

  • Data: sex, age, height, weight, weight goal, sugar goal, daily calorie estimate.
  • How: you enter this during onboarding and in settings so we can personalise your goals and estimates.
  • Lawful basis: explicit consent (Art. 9(2)(a)). This is special category data under Art. 9 GDPR. We process it only after you provide it, and you can withdraw consent at any time by deleting the data or your account (see Section 7).

2.3 Behavioural and content data

  • Data: motivations / reasons to quit, past quit attempts, craving frequency, typical sugar sources, food log entries, saved foods, custom food entries, streak data, in-app progress.
  • How: generated as you use the app to track your habits.
  • Lawful basis: performance of a contract (Art. 6(1)(b)) for core tracking features. Where any of this content reveals health information, we additionally rely on your explicit consent (Art. 9(2)(a)).

2.4 Subscription and transaction data

  • Data: subscription status, plan type, purchase/renewal timestamps, store transaction identifiers.
  • How: managed through Superwall (paywall) and the app stores’ in-app purchase systems (Apple StoreKit / Google Play Billing).
  • Lawful basis: performance of a contract (Art. 6(1)(b)) and our legitimate interests (Art. 6(1)(f)) in fraud prevention and account management.
  • Note: We never see or store your card number or bank details. Payment is handled entirely by Apple or Google. See their policies in Section 4.

2.5 Device permissions and related data

  • Camera: used only to scan product barcodes for food logging. Images are processed for scanning and are not stored as a photo library.
  • Microphone: used only for voice food logging when you choose it.
  • Notifications: local notifications only (reminders and streak nudges generated on your device).
  • Lawful basis: consent (Art. 6(1)(a)) — granted through your device’s permission prompts, and revocable at any time in your device settings.

2.6 AI food-parsing data

When you use the AI food-parse feature, the text and/or image you submit (for example, a description of a meal or a photo of a label) is sent to our AI provider, DeepSeek, to generate a nutritional/sugar estimate.

  • Data: the food text or image you submit (with image metadata removed where technically possible) and the resulting estimate.
  • Lawful basis: consent (Art. 6(1)(a)), and explicit consent (Art. 9(2)(a)) where the submission reveals health information.
  • Important: DeepSeek processes this data on infrastructure located in China, which is outside the UK/EEA and is not covered by a UK or EU adequacy decision. See Section 8 (International transfers). Do not submit information you do not want processed in this way. You can use manual food entry instead of the AI feature.

2.7 What we do not collect

We do not collect your card or bank details (these go directly to Apple/Google), we do not run third-party advertising SDKs, and we do not sell your personal data.


3. How we use your data

We use your data to: create and secure your account; personalise your sugar and calorie goals; record and display your food logs, saved foods, and streaks; process and verify subscriptions; provide AI food estimates when you request them; send local reminders; respond to support requests; prevent fraud and abuse; and comply with our legal obligations.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects about you.


4. Sub-processors and third parties

We share data only with the service providers needed to operate Sour. Each acts under contract and processes data on our instructions.

| Provider | Purpose | Region | More information |
|---|---|---|---|
| Supabase | Hosting, authentication, database | EU (European Union) | https://supabase.com/privacy |
| Superwall | Paywall management and subscription/analytics events | US | https://superwall.com/privacy |
| Apple | In-app subscription billing (App Store) | Global | https://www.apple.com/legal/privacy/ |
| Google | In-app subscription billing (Play) and Google Sign-In | Global | https://policies.google.com/privacy |
| DeepSeek | AI food-parsing (text/image → nutritional estimate) | China | https://www.deepseek.com/en/privacy |

We may also disclose data where required by law, to enforce our Terms, to protect the rights and safety of our users or the public, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you and this Policy will continue to apply unless superseded).


5. Storage and retention

Your account and app data are hosted by Supabase in the EU.

  • We keep your personal data for as long as your account is active.
  • When you delete your account, we permanently delete your personal data from our active systems within 30 days, except where we must retain limited records to meet legal obligations (for example, transaction records for tax/accounting) or where data has been irreversibly anonymised.
  • AI food-parse submissions are retained only as long as needed to return your result and for short-term abuse prevention, and are then deleted in line with our and DeepSeek’s retention practices.
  • Backups containing your data are cycled out on a rolling basis and overwritten in the ordinary course.

6. Your rights

6.1 If you are in the UK / EU / EEA (GDPR)

You have the right to: access your data; rectify inaccurate data; erase your data (“right to be forgotten”); restrict processing; data portability; object to processing based on legitimate interests; and withdraw consent at any time (without affecting processing already carried out).

You also have the right to lodge a complaint with your supervisory authority. In the UK this is the Information Commissioner’s Office (ICO), https://ico.org.uk. In the EU it is the authority in your country of residence.

6.2 If you are in California (CCPA/CPRA)

You have the right to know what personal information we collect and how we use it, to delete it, to correct it, and to opt out of the sale or sharing of personal information.

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we do not process it for cross-context behavioural advertising. We do not discriminate against you for exercising your rights.

6.3 How to exercise your rights

  • Email privacy@getsour.app, or
  • Use the “Delete account” button in the app’s settings to erase your account and associated personal data.

We respond to requests within the timeframe required by law (generally 30 days). We may need to verify your identity before acting on a request.


7. Account deletion

To delete your account and personal data, open Settings → Delete account in the app. This permanently removes your account and associated personal data from our active systems (subject to the limited legal-retention exceptions in Section 5). Deletion cannot be undone, and we cannot recover deleted information.

If you signed in with Google, please also review and disconnect Sour from your Google account if you wish: https://myaccount.google.com/permissions.

Subscriptions purchased through Apple or Google are managed by those stores; deleting your Sour account does not automatically cancel a store subscription. Cancel through your Apple ID or Google Play account (see our Terms of Service).


8. International data transfers

Your core account and app data are stored in the EU (Supabase).

Some providers process data outside your country:

  • Superwall and the app stores may process data in the United States.
  • DeepSeek processes AI food-parse submissions in China.

Where personal data is transferred outside the UK or EEA to a country without an adequacy decision, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum and the EU Standard Contractual Clauses (SCCs), together with additional measures where needed. The transfer to DeepSeek (China) is a transfer to a third country without an adequacy decision; we ask for your consent before using the AI feature, and you can avoid this transfer by using manual food entry instead.


9. Sensitive data consent

Sour asks you to enter information such as your sex, age, height, weight, and goals so it can personalise your experience. This is special category (sensitive) personal data under Article 9 of the UK/EU GDPR.

By entering this information, you give your explicit consent to our processing of it for the purposes described in this Policy. You can withdraw consent at any time by removing the data or deleting your account. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.


10. Children’s privacy

Sour is intended for adults working on their own health habits. You must be at least 13 years old to use the Service, and at least 16 years old in the EU/EEA (or the minimum digital-consent age set by your country, if higher).

We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact privacy@getsour.app and we will delete it.


11. Security

We use industry-standard technical and organisational measures to protect your data, including encryption in transit, access controls, and processing through reputable providers such as Supabase. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.


12. Links to other services

The Service may contain links to third-party websites or apps (for example, app store or provider policies). We are not responsible for the privacy practices of those third parties, and we encourage you to review their policies.


13. Changes to this Policy

We may update this Policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify you in the app and/or by email and update the “Last updated” date above. Your continued use of the Service after an update means you accept the revised Policy.


14. Contact us

Questions about this Policy or your data?

  • Privacy: privacy@getsour.app
  • General: hello@getsour.app
  • Post: Bartolomeo Steccanella, 42 Barmouth Way, L5 9RP Liverpool, UK
© 2026 Sour