Slimfio
PRIVACY POLICY
Data Protection and GDPR Notice for the Slimfio Application and Web Service
Effective Date: 1 August 2026
Document Date: 3 July 2026
Published and operated by Jaguár Média Kft.
1. Introduction and Data Controller
This Privacy Policy (the "Policy") explains how Jaguár Média Kft. ("the Company", "we", "us", "our"), a company organised under the laws of Hungary, with its registered seat at 1144 Budapest, Kőszeg utca 23. 2. em. 5. ajtó, Hungary (Cg. 01-09-961644), collects, uses, discloses, and protects personal data in connection with the Slimfio mobile application and web application (together, the "Service"), in its capacity as data controller within the meaning of Regulation (EU) 2016/679 (the "GDPR").
This Policy should be read together with the Slimfio Terms of Service, which governs your use of the Service. Capitalised terms not defined in this Policy have the meaning given to them in the Terms of Service.
For any question, request, or complaint relating to this Policy or to the processing of your personal data, you may contact the Company at info@jaguarmedia.hu.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Special Category Data" means personal data revealing health, biometric, or other data described in Article 9(1) GDPR.
"Processing" means any operation performed on personal data, as defined in Article 4(2) GDPR.
"Data Subject", "User", "you" means the natural person to whom the personal data relates.
"Processor" or "Sub-Processor" means a third party that processes personal data on behalf of, and under the instructions of, the Company.
"AI Providers" means the Third-Party AI Providers described in Section 7 of this Policy and in Section 32 of the Terms of Service.
3. Categories of Personal Data We Collect
3.1 Account Data
When you create an Account, we collect your email address and, where you register via a third-party identity provider (Apple Sign-In or Google Sign-In), the profile identifier and email address made available to us by that provider. We do not receive your Apple ID or Google account password.
3.2 Biometric and Health-Related Data
To provide AI Calorie Estimation, AI Nutrition Estimation, and related features, you may choose to provide biometric data such as height, weight, age, sex, and activity level, as well as any health-related information you voluntarily disclose (for example, dietary restrictions, allergies, or medical conditions mentioned within AI Chat). This data may constitute Special Category Data under Article 9 GDPR; Section 5 of this Policy sets out the specific legal basis and safeguards that apply to it.
3.3 User Content
This includes photographs of meals or food items submitted for AI Food Recognition, food logs, water-intake and weight entries, and the text of messages you exchange with the AI Chat feature.
3.4 Subscription and Billing Data
Where you purchase a Premium Subscription through the Apple App Store or Google Play Store, billing and payment card data is collected and processed directly by Apple Inc. or Google LLC, and the Company receives only limited transaction metadata (such as subscription status, plan, and renewal date) via RevenueCat. Where you subscribe through the Slimfio web application, payment card data is collected and processed by Stripe, Inc., and the Company does not receive or store your full card details.
3.5 Technical and Device Data
We automatically collect certain technical data when you use the Service, including device identifiers, IP address, operating system and version, app version, crash and performance diagnostics (via Firebase Crashlytics), and general usage statistics (via Firebase Analytics).
3.6 Marketing and Advertising Data
Where you have given your consent in accordance with Section 9 of this Policy, we and our advertising partners may collect data relating to your interaction with our marketing communications and with advertisements shown to you on third-party platforms, including through cookies and similar tracking technologies described in Section 10.
4. Purposes and Legal Bases of Processing
We process your personal data only where we have a valid legal basis to do so under Article 6 GDPR (and, for Special Category Data, Article 9 GDPR). The table below summarises the principal purposes and corresponding legal bases.
Providing the core Service (account creation, meal logging, weight and water tracking, statistics, and progress reports) — performance of a contract (Article 6(1)(b) GDPR).
Generating AI Output through AI Food Recognition, AI Calorie Estimation, AI Nutrition Estimation, AI Meal Suggestions, AI Daily Summaries, and AI Chat — performance of a contract (Article 6(1)(b) GDPR), save that, to the extent this processing involves Special Category Data, the legal basis is your explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR), as described in Section 5.
Processing Premium Subscription purchases and billing — performance of a contract (Article 6(1)(b) GDPR).
Complying with tax, accounting, and other statutory record-keeping obligations relating to Subscription Fees — legal obligation (Article 6(1)(c) GDPR).
Maintaining the security, integrity, and availability of the Service, preventing fraud and abuse, and enforcing the Terms of Service — legitimate interest (Article 6(1)(f) GDPR), specifically the Company's interest in protecting the Service and its Users.
Diagnosing technical issues and improving the Service through aggregate usage analytics — legitimate interest (Article 6(1)(f) GDPR), balanced against your interests as described in Section 10.
Sending you marketing communications, engaging in remarketing, and running advertising analytics as described in Section 9 — your consent (Article 6(1)(a) GDPR), which you may withdraw at any time.
5. Special Category Data: Explicit Consent
The Company does not process Special Category Data (including biometric and health-related data described in Section 3.2) on the basis of your general acceptance of the Terms of Service or this Policy.
Instead, before any such data is first collected, the Application presents a dedicated, standalone consent request that clearly identifies the categories of Special Category Data to be collected and the purposes of that processing (namely, generating AI Calorie Estimation, AI Nutrition Estimation, and related AI Output). Your consent is freely given, specific, informed, and unambiguous, and is recorded together with a timestamp. You may withdraw this consent at any time through the Application's account settings or by contacting the Company; withdrawal does not affect the lawfulness of processing carried out before withdrawal, but will disable the AI Features that depend on that data.
This Section 5 corresponds to, and should be read together with, Section 4.3 of the Terms of Service.
6. Firebase as Primary Datastore
The Service uses Firebase, a backend-as-a-service platform provided by Google LLC ("Firebase"), as its primary datastore and supporting infrastructure, including Firebase Authentication, Cloud Firestore, Cloud Storage, Firebase Analytics, and Firebase Crashlytics. Firebase stores and processes the categories of data described in Section 3 on the Company's behalf, acting as a processor within the meaning of Article 28 GDPR. Data processed through Firebase for Users of the Service is stored in Google's European Union data-storage region (europe-west).
7. AI Providers
Certain AI Features are powered, in whole or in part, by artificial-intelligence models operated by independent Third-Party AI Providers, which may include OpenAI, L.L.C., Anthropic, PBC, Google LLC, and Microsoft Corporation (Azure). Depending on which AI Feature you use, the following categories of data may be transmitted to the relevant AI Provider strictly for the purpose of generating the requested AI Output: photographs submitted for AI Food Recognition; biometric data submitted for AI Calorie Estimation and AI Nutrition Estimation; food logs and dietary history used for AI Meal Suggestions and AI Daily Summaries; and the text of your AI Chat messages.
Where available to the Company, we obtain contractual commitments from AI Providers that data submitted through their API is not used to train their general-purpose models. AI Providers act as processors or independent controllers in respect of this processing, depending on the terms agreed with each provider, and the Company maintains an appropriate data-processing agreement or equivalent safeguard with each AI Provider it uses.
8. Recipients of Personal Data
We disclose personal data only to the following categories of recipients, and only to the extent necessary for the purposes described in this Policy:
Firebase (Google LLC) — primary datastore and application infrastructure (Section 6);
Third-Party AI Providers (OpenAI, Anthropic, Google, Microsoft Azure) — generation of AI Output (Section 7);
RevenueCat, Inc. — subscription entitlement management across platforms;
Stripe, Inc. — payment processing for web-based subscriptions;
Apple Inc. and Google LLC — billing and subscription administration for purchases made through the respective App Store, in their capacity as independent controllers of that billing data;
Meta Platforms, Inc. (Facebook) and Google LLC (Google Ads / Google Analytics) — advertising and remarketing, solely where you have given consent in accordance with Section 9;
professional advisers (legal, accounting, tax) and competent authorities, where necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.
We do not sell your personal data. Where we share pseudonymised identifiers with advertising partners for remarketing purposes, this is done solely on the basis of your consent and solely for the purpose described in Section 9, and is not a sale of personal data.
9. Marketing, Remarketing, and Profiling
9.1 Marketing Communications
Where you have opted in, we may send you marketing communications relating to the Service by email or in-app notification. You may withdraw your consent to receive marketing communications at any time, free of charge, by using the unsubscribe mechanism included in each communication or through the Application's account settings, without affecting your ability to use the core Service.
9.2 Remarketing and Advertising Analytics
Where you have given your consent through the cookie or app-tracking consent mechanism described in Section 10, we use Google Analytics to understand aggregate usage of the Service, and Facebook Pixel / Google Ads remarketing tags to show you relevant advertisements for the Service on third-party platforms (including Meta platforms and the Google Display Network) based on your prior interaction with the Service.
For this purpose, we may share a pseudonymised identifier derived from your email address or device identifier (for example, via one-way cryptographic hashing) with Meta Platforms, Inc. and Google LLC, solely to enable those platforms to recognise that you have previously interacted with the Service and to serve or measure the relevant advertisement. These partners are not permitted to use the pseudonymised identifier for their own independent marketing purposes beyond what is necessary to provide the advertising and measurement service to the Company.
9.3 Profiling
The selection and targeting of the advertisements described in Section 9.2 involves profiling within the meaning of Article 4(4) GDPR, based on your usage of the Service and your interaction with prior advertisements. This profiling affects only which advertisement you may see on a third-party platform and does not affect the features, pricing, or functionality available to you within the Service, and does not produce a legal or similarly significant effect on you within the meaning of Article 22 GDPR.
You may object to this profiling, or withdraw your consent to it, at any time through the cookie/consent settings described in Section 10, without affecting your use of the core Service.
9.4 AI Features Are Not Profiling for Article 22 Purposes
For the avoidance of doubt, the AI Features described in Sections 22 through 25 of the Terms of Service (AI Food Recognition, AI Calorie Estimation, AI Nutrition Estimation, AI Meal Suggestions, AI Daily Summaries, and AI Chat) generate estimates and suggestions intended to inform your own decisions; they do not produce a decision that is based solely on automated processing and that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR, and no such fully automated decision-making is carried out by the Service.
10. Cookies and Similar Technologies
The Slimfio web application uses cookies and similar technologies (such as mobile SDK identifiers within the Application) to operate the Service, remember your preferences, and, where consented to, measure and improve our marketing. We use the following categories of cookies/technologies:
Strictly necessary — required for the Service to function (e.g. session and authentication cookies); these cannot be disabled and do not require consent.
Analytics — Google Analytics, used to understand aggregate usage patterns of the web application; requires your consent.
Advertising / Remarketing — Facebook Pixel and Google Ads remarketing tags, used to show relevant advertisements for the Service on third-party platforms as described in Section 9.2; requires your consent.
On first visiting the Slimfio web application, you are presented with a cookie-consent banner allowing you to accept or reject non-essential cookies, and to change your preferences at any time through a persistent "Cookie Settings" link. Within the mobile Application, equivalent tracking consent is requested in accordance with the applicable platform's tracking-transparency requirements (including Apple's App Tracking Transparency framework, where applicable) before any advertising identifier is used for the purposes described in Section 9.2.
You may also control cookies through your browser settings; further general information about cookies is available at www.aboutcookies.org.
11. International Data Transfers
Certain recipients described in Section 8 (including Firebase/Google, the AI Providers, RevenueCat, Stripe, Meta, and Google Ads) may process personal data outside the European Economic Area, in particular in the United States. Where such a transfer occurs, the Company relies on one or more of the following safeguards, as applicable to the specific recipient: (i) the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914); (ii) the recipient's certification under the EU-U.S. Data Privacy Framework, where applicable; or (iii) another valid transfer mechanism recognised under Chapter V of the GDPR. A copy of the relevant safeguard is available upon request to the contact address in Section 19.
12. Data Security
The Company implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of personal data, appropriate to the nature of that data and consistent with Article 32 GDPR, including encryption of data in transit, access controls limiting data access to personnel who require it for their role, and regular review of critical infrastructure components, including those operated by Firebase.
No method of electronic transmission or storage is completely secure, and the Company cannot guarantee absolute security. Section 16 describes how the Company handles any personal-data breach.
13. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. The table below sets out our general retention periods; specific circumstances (such as an active legal dispute) may extend these periods.
Account data (email, authentication identifiers) — for as long as your Account remains active, and for a further period of up to ninety (90) days following deletion to allow for account recovery and to comply with technical backup cycles.
Biometric and health-related data (Special Category Data) — until you withdraw your consent or delete the relevant entry, whichever is earlier, save for aggregated or anonymised data retained for product-improvement purposes.
User Content (food photos, food logs, AI Chat messages) — for as long as your Account remains active, unless you delete specific entries earlier; AI Chat conversation logs are retained for a maximum of twenty-four (24) months for quality and safety review purposes, save where a longer period is required by law.
Subscription and billing metadata — for the period required by Hungarian accounting and tax law, generally eight (8) years from the end of the financial year in which the relevant transaction occurred.
Technical and diagnostic data (crash logs, device identifiers) — a rolling period of up to fourteen (14) months.
Marketing and advertising consent records and related pseudonymised identifiers — until you withdraw consent, and in any event no longer than twelve (12) months from your last interaction with the Service, consistent with Section 9.2.
Upon expiry of the applicable retention period, we delete or irreversibly anonymise the relevant personal data.
14. Your Rights
Subject to the conditions and exceptions set out in the GDPR, you have the following rights in respect of your personal data:
Access — to obtain confirmation as to whether we process your personal data, and, where we do, to obtain a copy of that data and related information (Article 15 GDPR).
Rectification — to have inaccurate personal data corrected and incomplete personal data completed (Article 16 GDPR).
Erasure — to have your personal data deleted in certain circumstances, including where you withdraw consent and no other legal basis applies (Article 17 GDPR).
Restriction of processing — to limit how we use your personal data in certain circumstances, for example while a dispute about its accuracy is resolved (Article 18 GDPR).
Objection — to object, on grounds relating to your particular situation, to processing based on our legitimate interest, and to object at any time to processing for direct-marketing purposes, including profiling related to such marketing (Article 21 GDPR).
Data portability — to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller, where technically feasible (Article 20 GDPR).
Withdrawal of consent — to withdraw, at any time, any consent you have given, including consent to the processing of Special Category Data (Section 5) and consent to marketing and remarketing (Section 9), without affecting the lawfulness of processing carried out before withdrawal.
15. Exercising Your Rights
You may exercise any of the rights described in Section 14 by contacting us at info@jaguarmedia.hu, or, in respect of Special Category Data consent and marketing consent specifically, directly through the relevant settings within the Application. We will respond to your request without undue delay and, in any event, within one month of receipt, which period may be extended by a further two months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension within the initial one-month period. We do not charge a fee for exercising these rights, save in the case of manifestly unfounded or excessive requests, as permitted under Article 12(5) GDPR. Where we have reasonable doubts about your identity, we may request additional information necessary to confirm it.
16. Data Breach Notification
A personal-data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Where a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of it, in accordance with Article 33 GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, without undue delay, in accordance with Article 34 GDPR.
17. Children
The Service is available only to individuals who are at least sixteen (16) years of age, as set out in Section 3 of the Terms of Service. We do not knowingly collect personal data from individuals under sixteen (16) years of age. If we become aware that we have collected personal data from an individual under sixteen (16), we will take reasonable steps to delete that data and terminate the associated Account without delay.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our data-processing practices or applicable law. Where a change is material, we will notify you by email, in-app notification, or by posting the updated Policy within the Application, in accordance with Section 63.1 of the Terms of Service. The "Effective Date" at the top of this Policy indicates when it was last revised.
19. Complaints and Contact
If you have a question, request, or complaint relating to this Policy or to our processing of your personal data, please contact us at:
Jaguár Média Kft.
1144 Budapest, Kőszeg utca 23. 2. em. 5. ajtó, Hungary
Company Registration Number: Cg. 01-09-961644
Email: info@jaguarmedia.hu
You also have the right to lodge a complaint with a supervisory authority. In Hungary, the competent authority is the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH), address: 1055 Budapest, Falk Miksa utca 9-11.; telephone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu. If you are resident in another EU Member State, you may instead lodge a complaint with the supervisory authority of your own Member State of habitual residence.
You also have the right to seek a judicial remedy before a competent court in respect of any infringement of your rights under the GDPR.