Data Privacy
Detailed information about our data processing practices, legal bases, and your rights under applicable privacy laws.
Last updated: 15 May 2026
1. Data controller
Web Ninja Solutions Private Limited is the data controller for personal data collected through the Healup mobile application.
Contact: contact@webninjasolutions.com
Address: India
2. Applicable laws
Depending on your location, the following laws may apply to our processing of your personal data:
- India: Digital Personal Data Protection Act 2023 (DPDPA)
- European Union / EEA: General Data Protection Regulation (GDPR)
- United Kingdom: UK GDPR and the Data Protection Act 2018
- California, USA: California Consumer Privacy Act (CCPA) / CPRA
- United States (children): Children's Online Privacy Protection Act (COPPA)
- Australia: Privacy Act 1988 and the Australian Privacy Principles
We apply the highest standard that is applicable to you, irrespective of your jurisdiction.
3. Categories of personal data processed
The table below summarises each category of data we process and the legal basis for doing so.
| Data category | Purpose | Legal basis |
|---|---|---|
| Account data (email, name) | Authentication and account management | Contract (Art. 6(1)(b) GDPR) |
| Health parameters (age, weight, height, goal) | Personalised calorie targets and projections | Contract + Explicit consent (Art. 9(2)(a) GDPR) |
| Nutrition and meal logs | Core app functionality — tracking and history | Contract |
| Food photos (7-day retention) | AI food identification via OpenAI | Contract + Explicit consent |
| Exercise and activity data | Net calorie calculation and progress charts | Contract |
| Device metadata and crash logs | App stability and debugging | Legitimate interest |
| Pseudonymous analytics (PostHog) | Product improvement and feature prioritisation | Legitimate interest |
| Push notification token | Delivering reminders you have opted into | Consent |
| Subscription state | Entitlement management and billing | Contract |
4. Special category data
Health parameters (weight, height, dietary goal, biological sex, date of birth) and nutrition logs constitute health data, which is a special category under GDPR (Article 9). We process this data only:
- With your explicit consent, given when you create a Healup account and enter this information; and
- For the purpose of providing the Healup health-tracking service (explicit consent under Art. 9(2)(a)).
You may withdraw consent at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
5. Data transfers outside your country
Your data may be transferred to and processed in countries outside your country of residence, including Australia (Supabase), the United States (OpenAI, RevenueCat, Sentry), and the EU (PostHog). We ensure that:
- Sub-processors are bound by data processing agreements that require them to protect your data to at least the same standard as this Policy.
- Where required by GDPR, transfers are subject to Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to the US rely on SCCs or the applicable adequacy decision where available.
6. Your rights in detail
6.1 Right of access (GDPR Art. 15 / CCPA)
You may request a copy of all personal data we hold about you in a structured, commonly used, machine-readable format. Most of your data is accessible directly in the app. For a full export, email us.
6.2 Right to rectification (GDPR Art. 16)
You may correct inaccurate data. Profile data (name, height, weight, goal) is editable directly in the app under Profile → Edit Profile.
6.3 Right to erasure / "right to be forgotten" (GDPR Art. 17)
You may delete your account and all associated data via Profile → Settings → Delete account. This is irreversible and permanent. All server-side data will be erased within 30 days. Anonymised, aggregate analytics data that cannot identify you may be retained.
6.4 Right to data portability (GDPR Art. 20)
Premium users can export their full nutrition log as CSV or PDF. Free users may request a data export by emailing us.
6.5 Right to restriction (GDPR Art. 18)
You may ask us to restrict processing of your data (e.g., while you contest its accuracy) without deleting it.
6.6 Right to object (GDPR Art. 21)
Where we process data on the basis of legitimate interest (crash logging, analytics), you have the right to object. We will cease processing unless we can demonstrate compelling legitimate grounds.
6.7 Automated decision-making
Healup does not make decisions that produce legal or similarly significant effects on you through solely automated processing. AI-generated nutrition estimates are presented as information for you to review, not binding decisions.
7. California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete your personal information (subject to exceptions).
- Opt out of the sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioural advertising.
- Not be discriminated against for exercising your CCPA rights.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information (health data).
To exercise CCPA rights, email contact@webninjasolutions.com. We will verify your identity before fulfilling the request.
8. India residents (DPDPA 2023)
As an Indian company subject to the Digital Personal Data Protection Act 2023, we act as a "Data Fiduciary" and process your data in accordance with the Act's requirements, including:
- Processing data only for lawful purposes with your consent where required.
- Ensuring data accuracy and completeness.
- Deleting data when the purpose for which it was collected is fulfilled.
- Notifying you and the Data Protection Board of India in the event of a data breach that is likely to affect you.
9. How to submit a data request
To exercise any of the rights described above, email contact@webninjasolutions.com from the email address associated with your Healup account, specifying:
- Your name and registered email address.
- The right(s) you wish to exercise.
- Any specific data you are concerned about.
We will acknowledge your request within 7 days and fulfil it within 30 days. We may request additional verification to protect your account.
10. Data breach notification
In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and in any case within 72 hours of becoming aware of the breach (where required by applicable law).
11. Supervisory authority
If you are in the EU/EEA and believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your Member State. A list of EU data protection authorities is available at edpb.europa.eu.
UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
12. Contact
Data protection queries: contact@webninjasolutions.com
Web Ninja Solutions Private Limited, India.