Privacy Policy

Last updated April 29, 2026

This policy describes how WolfAI ("WolfAI", "we", "our", or "us") collects, uses, stores, and shares personal data when you use the WolfAI iOS or Android app, the website at wolf-ai.uk, or any related service (together, the "Service"). It applies to data collected through the app, our marketing site, our quiz funnel, and our subscription billing — whether billing happens through Apple App Store In-App Purchase, Google Play Billing, or Stripe-powered web checkout.

WolfAI is operated by [LEGAL_ENTITY], registered in the United Kingdom. For data-protection purposes, we are the data controller. You can reach our data team at [email protected].

1. Information we collect

1.1 Account information

  • Email address, name (if provided), profile picture (if provided).
  • Authentication identifiers from Clerk (our auth provider), including OAuth IDs from Apple Sign In and Google Sign In if you use those sign-in methods.

1.2 Health and nutrition data

  • Age, sex assigned at birth, height, weight, activity level.
  • Dietary preferences and goals (lose / maintain / gain).
  • Meals you log (food items, portions, timestamps, calories and macronutrients), water intake, fasting sessions, streak data, and AI-generated meal plans.

Although this is health-related, WolfAI is a wellness tool and is not a medical device. We do not connect to Apple Health, Google Fit, or any clinical record system unless and until we add an explicit, opt-in integration.

1.3 Meal photos

When you take a photo to log a meal, we upload it to our object storage (Cloudflare R2) and send a short-lived URL to OpenAI's vision model for nutrition estimation. Photos are kept so you can review and edit past meals from the app. You can delete any photo from Settings → Privacy → Delete account, or by removing the meal log entry.

1.4 Device and usage data

  • Push-notification tokens (Firebase Cloud Messaging) so we can deliver alerts.
  • Device type, OS version, app version, locale — used to debug crashes and tailor formatting (e.g. metric vs imperial defaults).
  • Aggregated, non-identifying analytics (page / screen views, button taps, retention cohort) once we wire PostHog or Statsig — disabled until then.

1.5 Subscription & payment information

WolfAI does not handle your card details. Payments are processed by:

  • Apple App Store for in-app purchases on iOS. Apple shares with us only the purchase receipt, transaction identifiers, and entitlement state we need to unlock premium features.
  • Google Play Billing for in-app purchases on Android. Google shares purchase tokens, transaction identifiers, and entitlement state on the same basis.
  • Stripe for web checkout at the end of the quiz funnel (when enabled). Stripe receives card details directly; we receive a customer ID, subscription status, and the last 4 digits of the card for receipt purposes.

1.6 Quiz responses

Answers you provide in the web quiz are stored against an anonymous quiz session. If you create an account or subscribe, the quiz session is linked to your account so we can personalise your plan. If you abandon the quiz, the anonymous session is deleted after 30 days.

2. How we use your information

  • To run the calorie-tracking, meal-photo, water, fasting, and meal-plan features.
  • To deliver push notifications you have asked for (meal reminders, water reminders, streak alerts, plan ready notifications).
  • To process payments and grant or revoke premium entitlements.
  • To respond to support requests and operate the Service securely.
  • To improve the product through aggregated, de-identified usage statistics — never to target advertising, and never sold.

3. Legal bases (UK / EU users)

Under UK GDPR and EU GDPR we rely on:

  • Performance of a contract — to deliver the Service you signed up for.
  • Legitimate interests — to keep the Service secure, debug crashes, and improve the product through aggregate analytics.
  • Consent — for push notifications, optional analytics, and any future marketing emails. You can withdraw consent at any time from in-app Settings or by unsubscribing.
  • Legal obligations — to keep tax records and respond to lawful requests.

4. Sharing & third-party processors

We do not sell your personal data and we do not share it with advertisers. We share data only with the processors below, each bound by a contract that limits them to operating the Service on our behalf:

  • Clerk — authentication, sessions, OAuth.
  • Cloudflare — hosting, R2 object storage for meal photos, CDN.
  • Fly.io — backend application hosting.
  • Neon — managed PostgreSQL database.
  • Upstash — Redis for background-job queues.
  • OpenAI — vision model for meal-photo nutrition estimation. We use the API plan that does not train OpenAI models on customer data.
  • Firebase Cloud Messaging (Google) — push notification delivery.
  • Apple App Store — iOS subscription billing and receipt verification.
  • Google Play — Android subscription billing and purchase token verification.
  • Stripe — web subscription billing (when enabled).
  • RevenueCat — entitlement reconciliation across Apple, Google, and Stripe.

We may also disclose data when required by law, to protect our rights, or in connection with a corporate transaction (merger, acquisition, asset sale) — and in that case we will notify you and require the recipient to honour this policy.

5. International data transfers

Our processors are located in the UK, the EU, and the United States. When personal data is transferred outside the UK / EEA, we rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or another lawful transfer mechanism.

6. Data retention

We keep your data while your account is active and for a short period afterwards to meet legal and accounting obligations:

  • Active account data — until you delete your account.
  • After deletion — soft-deleted immediately and permanently purged within 30 days, in line with Apple App Store account-deletion guidelines.
  • Billing records — kept for 7 years to comply with UK tax law, even after account deletion (we keep only the minimum receipt and identifiers).
  • Anonymous quiz sessions — 30 days after last activity if no account is created.

7. Your rights

Subject to applicable law (UK GDPR, EU GDPR, CCPA/CPRA, and similar) you have the right to:

  • Access a copy of the personal data we hold about you.
  • Export your data (in the app: Settings → Privacy → Export my data) as a JSON archive of meals, water, goals, plans, and account info.
  • Correct inaccurate data through the app or by emailing us.
  • Delete your account and personal data (Settings → Privacy → Delete account).
  • Object to processing based on legitimate interests.
  • Restrict processing while a request is being resolved.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) or your local data-protection authority.

California residents may also direct us not to "sell" or "share" their personal information — although as noted above, we never do.

Submit any rights request to [email protected]. We respond within 30 days.

8. App Tracking Transparency (iOS)

WolfAI does not track you across other companies' apps and websites for advertising or measurement purposes. We do not show the App Tracking Transparency prompt because we do not engage in tracking as Apple defines it.

9. Google Play Data Safety

The data WolfAI collects, the purposes, and the processors are summarised in this policy and mirrored in the Data Safety section on our Google Play listing. Categories we declare include account, health and fitness, photos, app activity, and device IDs.

10. Security

We use TLS for all data in transit, encrypt data at rest in our database and object storage, restrict employee access to production systems, and use single-sign-on with hardware keys for engineering staff. No system is perfectly secure; if you suspect a vulnerability, please email [email protected].

11. Children

WolfAI is not directed at children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal data from minors. If you believe a child has signed up, please contact us and we will delete the account.

12. Changes to this policy

We may update this policy when we add features or change processors, or to reflect regulatory changes. The "Last updated" date at the top of the page reflects the most recent version. For material changes we will notify you in-app or by email before the change takes effect.

13. Contact

Privacy and data-rights questions: [email protected]
Security disclosures: [email protected]
General support: [email protected]
