Effective date: 2026-03-28. Last updated: 2026-06-14.
1. Who we are
Wellix ("we", "us") provides an AI-powered calorie and macronutrient tracking mobile application (the "App"). The data controller is Valeria Levitan, registered as a tax-exempt sole proprietor (Osek Patur) in Israel under tax-file no. 341083038. Postal address: Anna Frank 34, Rishon LeZion, Israel. Contact: privacy@wellix.cc. We have not appointed a representative under GDPR Article 27; EEA and UK data subjects may exercise their rights by contacting us directly at the address above.
2. What we collect
- Account: email, hashed password, name, date of birth, country, language.
- Health-related profile: gender, height, weight, activity level, optional body measurements, nutrition goals, dietary preferences. We treat this as special-category data (GDPR Art. 9).
- App usage: photos of food you submit for AI analysis, recognised items, meals you log, water and weight history, nutrition recommendations generated for you, support messages.
- Device: device model, OS version, language, time-zone offset, IP address, and crash logs. We serve only non-personalised ads: on iOS we do not use the advertising identifier (IDFA) or App Tracking Transparency. On Android, Google AdMob may use the Google Advertising ID (AAID) solely to deliver non-personalised ads and cap ad frequency; you can reset or limit it in your device settings.
- Billing: a RevenueCat subscriber ID and your subscription state. Card payments are handled by Apple or Google — we never see card numbers.
3. Why we process it (legal bases under GDPR Art. 6 / Art. 9)
- Performance of contract: creating your account, AI food recognition, generating recommendations, processing subscriptions.
- Explicit consent (Art. 9(2)(a)): processing of health-related profile and food intake data — collected via an onboarding checkbox; withdrawable at any time via account deletion.
- Legitimate interest: abuse prevention, rate limiting, security, product analytics, defending legal claims.
- Consent (ePrivacy / GDPR Art. 6(1)(a)): serving ads in the EEA/UK (non-personalised), optional push notifications. Manageable in Settings → Privacy.
- Legal obligation: tax records, fraud reporting, lawful requests from competent authorities.
4. AI processing and sub-processors
Food photographs and short textual descriptions are sent for inference to xAI (https://x.ai), based in the United States. Images are processed transiently and, per our agreement with xAI, are not retained for model training. We do not store the raw image after analysis — only the parsed nutrition result, in your account.
Other sub-processors:
- RevenueCat (US) — subscription state.
- Google (Firebase, AdMob, Google Sign-In) (US) — push delivery, authentication, advertising.
- Apple (Sign in with Apple) (US/IE) — authentication.
- Resend (US) — transactional email.
- VPS hosting in Frankfurt, Germany (EU) — application and database hosting.
Transfers from the EEA/UK to the United States rely on the EU-US Data Privacy Framework where the provider is certified, or otherwise on the European Commission's Standard Contractual Clauses with supplementary measures.
5. Retention
- Account and profile data: until you delete your account, or after 3 years of inactivity.
- Food scan jobs (AI recognition and conversation state, no raw image): up to 24 hours.
- Meal, weight, water history: until deletion.
- AI usage logs (no prompt text, metadata only): 12 months for billing audit.
- Daily database backups: 7 days.
- Records we are legally required to keep (e.g. tax invoices): the statutory retention period of the relevant jurisdiction.
6. Your rights
You have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data, and to withdraw consent at any time. To exercise these rights, email privacy@wellix.cc or use the in-app "Delete account" option. You may lodge a complaint with your data protection authority.
California (CCPA / CPRA) — Do Not Sell or Share My Personal Information
California residents have the right to know, delete, correct, and to opt-out of the "sale" or "sharing" of personal information. Wellix serves only non-personalised advertising via Google AdMob and does not "sell" or "share" personal information for cross-context behavioural advertising as defined by the CPRA. We nonetheless honor opt-out requests:
You can opt out at any time:
- In the app: Settings → Privacy → Manage privacy choices → Do Not Sell or Share My Personal Information.
- By email: privacy@wellix.cc with the subject "CCPA Do Not Sell or Share". We respond within 15 business days.
- Via your browser's Global Privacy Control (GPC) signal — when our web surfaces detect
Sec-GPC: 1on an incoming request, we treat it as a valid opt-out for that browser without requiring any further action. The in-app preference set as described above is honored across all interfaces.
We do not knowingly sell personal information of users under 16.
Russia (152-ФЗ)
Wellix is operated from Israel and is not specifically directed at users in the Russian Federation. All personal data is stored and processed on servers located outside Russia. We are not registered as an operator of personal data with Roskomnadzor and we do not represent that the App satisfies the local-storage requirement of Russian Federal Law 152-ФЗ. Russian residents who choose to use the App do so on their own initiative; if you are not comfortable with this, please do not use the App.
Israel (Privacy Protection Law 5741-1981)
If you are an Israeli resident you have substantially the same rights as set out above for EU residents. Marketing emails require opt-in and contain an unsubscribe link in every message.
7. Children
Wellix is not intended for children under 13. We do not knowingly collect data from children under 13 anywhere, or under 16 in the EU member states whose national law sets that threshold. If we learn we have collected such data, we will delete it promptly.
8. Cookies and trackers
The App does not use cookies. We serve only non-personalised ads and do not use the Apple IDFA or App Tracking Transparency on iOS. The App uses the following on-device identifiers: Google Advertising ID (Android, used only to deliver non-personalised ads and cap ad frequency; controllable via OS settings and the consent banner), Firebase installation ID, RevenueCat anonymous ID. The first time you launch the App in the EEA or UK, a consent banner appears asking for your ad-serving consent.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest at the database and backup layers. Passwords are stored hashed with bcrypt. Access to production systems is restricted to authorised personnel under a least-privilege policy.
10. Data breach notification
In case of a personal data breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay.
11. Changes
We will publish material changes to this Policy and notify you in-app at least 30 days before they take effect. Continued use after that date constitutes acceptance.
12. Contact
Email: privacy@wellix.cc · Support: support@wellix.cc