Privacy Policy
Last updated: March 30, 2026
1. Introduction
Devenira (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Devenira application and services (the “Service”).
Given the sensitive nature of health and body-related data we process, we take extra care to handle your information responsibly. Please read this policy carefully.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Data Types | Purpose |
|---|---|---|
| Account Information | Email address, password (hashed), full name | Authentication and account management |
| Physical Profile | Age, gender, height, weight, ethnicity, activity level | Personalized calorie calculations, body fat estimation accuracy, and fitness recommendations |
| Body Images | Photos uploaded for body composition analysis and transformation previews | AI-powered body fat estimation and visualization |
| Food Data | Food photos, meal logs, dietary preferences, allergies | Nutrition tracking and AI food analysis |
| Fitness Data | Workout logs, exercise history, weight logs | Workout and progress tracking |
| Chat Messages | Messages sent to the AI coaching feature | Providing AI-powered fitness and nutrition guidance |
| Goals | Target weight, target body fat, daily calorie goal | Progress tracking and personalized recommendations |
| Payment Information | Payment method details (processed by Stripe/Apple/Google) | Subscription and credit pack purchases |
2.2 Information Collected Automatically
- Usage Data: Feature usage frequency, session duration, pages visited.
- Device Information: Browser type, operating system, device type.
- Log Data: IP address, access times, error logs.
3. How We Use Your Information
We use your information for the following purposes:
- Service Operation: To provide, maintain, and improve the Service, including AI-powered analyses and recommendations.
- Personalization: To customize your experience based on your physical profile, goals, and preferences.
- AI Processing: To transmit your data (including photos) to AI services for analysis — see Section 4 for details.
- Communication: To send you service-related notifications, updates, and promotional materials (with your consent).
- Payment Processing: To process subscriptions and purchases through third-party payment providers.
- Safety & Security: To detect and prevent fraud, abuse, and security incidents.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
We do NOT:
- Sell your personal data to third parties.
- Use your body images for advertising or marketing purposes.
- Use your data for purposes unrelated to the Service without your consent.
4. Third-Party AI Services and Data Sharing
This is particularly important. To provide AI-powered features, we transmit certain data to third-party AI service providers. Here is what gets shared with whom:
| Provider | Data Shared | Purpose |
|---|---|---|
| OpenAI | Food photos, body photos, chat messages, profile context | Food analysis, body fat estimation, AI coaching, body enhancement |
| Google (Gemini) | Food photos, body photos, profile context | Food analysis, body fat estimation (free tier) |
| Anthropic (Claude) | Food photos, body photos, profile context | Food analysis, body fat estimation (premium tier) |
| Replicate | Body photos | Body transformation previews, body part segmentation |
| Supabase | All user data | Database hosting, authentication, file storage |
| Stripe | Payment method, email, subscription details | Payment processing (web) |
| RevenueCat | User ID, purchase receipts | In-app purchase management (mobile) |
Each of these providers has its own privacy policy and data processing terms. We encourage you to review their respective privacy policies. We select providers that maintain industry-standard security practices, but we cannot guarantee the security of data once transmitted to third parties.
5. Body Image Data — Special Provisions
We recognize that body images are especially sensitive. The following additional protections apply:
- Purpose Limitation: Body images are used only to run the feature you request inside the app.
- AI Processing: Images may be sent to third-party AI providers over encrypted connections (HTTPS/TLS). We do not control provider-side retention and cannot promise provider-side deletion from this self-serve flow.
- Storage in Devenira: Guest try-flow photos are not saved to a Devenira account. Account-linked progress photos are stored in a private Supabase bucket until you delete them or delete your account.
- No Human Review: Under normal operations, your body images are processed only by automated AI systems. Human review may occur only in cases of abuse investigation or legal requirement.
6. Data Retention
- Active Account: Account-linked app data stays in Devenira until you delete it or delete your account.
- Self-Serve Account Deletion: From Profile, you can permanently delete your Devenira account and the app data tied to it immediately, including stored progress photo files.
- Billing and Provider Retention: Billing records may remain with Stripe, RevenueCat, Apple, or Google under their own policies. Third-party AI providers may retain submitted inputs under their own policies.
- Subscription Requirement: If you still have an active paid subscription, cancel billing first. Account deletion in Devenira does not cancel Stripe or app-store billing.
Deleted immediately from Devenira:
- Your Devenira auth account
- Profile, onboarding, goals, scans, chat history, food/workout/weight logs, streaks, challenge data, and notification settings stored in Devenira
- Stored progress photo files in Devenira private storage and their database rows
Not deleted from third parties by this flow:
- Stripe, RevenueCat, Apple, or Google may keep billing records under their own policies
- Third-party AI providers may keep submitted inputs under their own retention policies
- Operational logs may retain limited metadata for security and debugging
7. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS) and at rest.
- Row-Level Security (RLS) on the database to ensure users can only access their own data.
- Secure authentication with hashed passwords.
- Regular security assessments and updates.
Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of your personal data.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Delete your Devenira account from Profile, or contact us if you cannot access the app.
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request restriction of processing of your data.
- Objection: Object to processing of your data for certain purposes.
- Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us at privacy@devenira.com. If you can still sign in, the delete flow in Profile is the fastest way to remove your Devenira account data.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States (where many of our AI service providers are based). These countries may have different data protection laws. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place through contractual obligations with our service providers.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us immediately.
11. Cookies and Tracking
We use essential cookies and local storage for:
- Authentication session management.
- Theme preference (dark/light mode).
- Onboarding state tracking.
We do not currently use third-party advertising cookies or tracking pixels in the web app codebase.
12. Data Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law (GDPR, Korea PIPA).
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Provide details of the breach, including the nature of the data affected, the approximate number of individuals concerned, and the measures taken or proposed to address the breach.
- Document all breaches internally, including their effects and the remedial action taken.
Notifications will be sent via the email address associated with your account.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on the Service and updating the “Last updated” date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
14. Contact Us
For privacy-related inquiries, requests, or complaints:
- Email: privacy@devenira.com
