Privacy Policy

Effective May 10, 2026

This Privacy Policy describes how Unifinity ("Unifinity", "we", "us", "our") collects, uses, discloses, and protects personal information when you use the Optimize application and related websites (the "Service"). By using the Service you consent to the practices described here. If you do not agree, do not use the Service.

Unifinity is the controller of personal information processed through the Service. You can reach our privacy team at privacy@unifinity.com.

What we collect

Identity: the name, email, and stable user identifier returned by the identity provider you sign in with (Microsoft or Google). No password ever touches the Service — authentication happens at the provider, which then tells the Service who you are.
Health and tracking data you enter: meals, weights, measurements, workouts, doses, vials, wellbeing check-ins, and the plans/cycles you build. This is sensitive personal information and is treated as such.
Settings and preferences: theme, units, coach persona, install state.
Operational data: minimal request and error telemetry generated by the hosting platform (timestamps, status codes, IP address for the duration of a session, user-agent). We do not embed third-party analytics, advertising trackers, or fingerprinting.

How we use it

To show you back what you logged and compute summaries (BMR, energy balance, macro totals, projections, adherence).
To generate the AI features you trigger.
To keep you signed in across visits via a session cookie.
To detect and prevent abuse, fraud, and security incidents.
To comply with legal obligations and enforce our Terms of Use.

Unifinity does not profile you for advertising, does not sell your personal information, and does not share your tracking data with third parties except the subprocessors listed below.

Legal bases for processing (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on the following legal bases: (a) contract — to provide the Service you have requested; (b) legitimate interests — to keep the Service secure and operational; (c) legal obligations — when we are required to retain or disclose information; and (d) consent — for any special-category health data you choose to enter, which you may withdraw at any time by deleting that data or your account.

Where data is stored

Personal information is stored in data centres located in the United States (eastern region). Data is encrypted at rest and in transit (HTTPS).

Subprocessors

Our cloud hosting provider — hosting, storage, and logging infrastructure.
Microsoft (Entra ID) and Google — identity providers used for sign-in. They see that you signed in to the Service; they do not see what you log.
A third-party AI provider — used for AI features such as "Describe a meal", coaching nudges, and plan-builder suggestions. Only the text you submit for that specific feature is sent for that request. The provider states that API content is not used to train its models. For each AI request we retain operational metadata only — the feature used, the model, token counts, an estimated cost, and a timestamp — to monitor service cost and detect abuse. We never store the prompt or response content for analytics.
Withings — optional connected-device integration. When you choose to connect a Withings account, we exchange OAuth tokens with Withings and import the measurements you authorize (such as weight and body composition). We send no information about you to Withings beyond the sign-in/authorization handshake, and you can disconnect at any time.
Open Food Facts — used for barcode → product lookups. We send the barcode you scan; nothing about you is sent.

International transfers

The Service is hosted in the United States (eastern region). Our AI provider processes API requests in the United States. If you sign in from outside the United States, your personal information is transferred to and stored in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards offered by our subprocessors.

Retention

Personal information is retained for as long as your account exists. Operational logs are kept for up to 30 days. When you delete an entry (meal, weight, dose, workout), the Service keeps a soft-deleted copy briefly to support undo, then sweeps it. When you delete your account, all associated personal information is permanently deleted within 30 days, except where we are required to retain it to comply with law, resolve disputes, or enforce our agreements.

Cookies

The Service sets one essential session cookie used to keep you signed in (an HTTP-only, SameSite cookie issued by the Service's backend). It does not set analytics, advertising, or tracking cookies. Because the cookie is strictly necessary to provide the Service you have requested, no separate consent banner is shown.

Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, port, or object to processing of your personal information, and to withdraw consent. To exercise any of these rights:

Export: Settings → Data → Export. You will receive a single JSON file of all your entries.
Delete entries: from the page where they were logged (with a brief undo window).
Delete your account and all data: email privacy@unifinity.com from the address tied to your sign-in. Deletion is permanent.
Other rights: contact privacy@unifinity.com and we will respond within 30 days.

If you are an EEA, UK, or Swiss resident and believe your rights have not been respected, you have the right to lodge a complaint with your local data-protection authority. California residents have additional rights under the CCPA/CPRA, including the right to know, delete, and correct, and the right to non-discrimination for exercising those rights.

Security

Authentication is delegated to Microsoft or Google so that no password is held by the Service. Connections are HTTPS-only. Data is encrypted at rest by our cloud hosting provider. We restrict administrative access on a need-to-know basis. Despite reasonable measures, no system is perfectly secure; you use the Service at your own risk. If you believe you have discovered a security issue, please report it to security@unifinity.com.

Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.

Changes to this Policy

Unifinity may update this Privacy Policy from time to time. Material changes will be indicated by updating the "Effective" date at the top of this page and, where appropriate, by additional notice within the Service.

Contact

Questions, concerns, or data requests: privacy@unifinity.com.
Security reports: security@unifinity.com.