Who is responsible for your data
Last updated: 14 July 2026. The Chick website, app, and related services are operated by HOSSEINI NASAB LTD, a private limited company registered in England under company number 14644256. Its registered office is 55a Warwick Road, Beaconsfield, England, HP9 2PL. For data protection purposes, HOSSEINI NASAB LTD is the controller of personal data unless stated otherwise.
Privacy questions and rights requests can be sent to privacy@chick.health or through the Contact page.
This Policy applies to the Chick website, app, account features, AI features, food logging, photo and voice features, nutrition and fitness features, planning tools, support, emails, and related services.
The information we may collect
We collect information you provide directly, information generated by your use of Chick, information received from service providers, and information needed to run, secure, improve, bill, support, and legally protect the service.
- Account and login information, such as account identifiers, email address, verification status, authentication-provider references, login/session records, account status, settings, and support communications.
- Consent and preference records, such as terms acceptance, health/wellness consent, marketing consent, optional product analytics consent, accepted document versions, timestamps, checkout acknowledgements, immediate-access confirmations, and related audit or reset history.
- Profile and target information, such as age range or date of birth where provided, sex or gender where provided, height, weight, goals, activity level, dietary preferences, allergies or avoidances where provided, target calories, target protein, and custom nutrient preferences.
- Food, nutrition, and wellness information, such as meals, photos, voice notes, transcripts, food descriptions, calories, protein, vitamins, minerals, custom nutrients, grocery lists, scans, social meal plans, weight entries, exercise entries, sleep information, tasks, calendar entries, reports, triggers, corrections, feedback, and progress information.
- Uploaded content, such as food photos, packaging photos, exercise screenshots, handwritten lists, calendar screenshots, audio, text notes, and feedback.
- AI and feature-use information, such as prompts or inputs you provide, generated outputs, corrections, feedback, error reports, usage timestamps, and safety, abuse-prevention, reliability, or service-integrity signals.
- Payment, subscription, and billing information, such as plan, price, billing period, subscription status, payment-provider customer/subscription references, invoices, receipts, checkout acknowledgements, billing emails, payment status, failed-payment records, cancellation events, refund records, chargeback/dispute records, and billing-support records. Payment card details are normally processed by payment providers, not stored directly by Chick, unless clearly stated otherwise.
- Support, privacy, legal, and dispute communications, such as messages you send, request type, account reference, identity-verification status, actions taken, and outcome.
- Usage, device, browser, network, security, and diagnostic information, such as pages visited, features used, timestamps, IP address or approximate network information, browser or device type, session cookies, diagnostics, logs, error reports, security events, service-access timestamps, and approximate location inferred from technical data.
- We do not need, ask for, or want unnecessary identity documents, phone numbers, addresses, or sensitive details unless a product, billing, support, legal, security, or compliance need genuinely requires them.
Health and special category data
Chick is designed to help users understand food, calories, protein, nutrients, weight trends, activity, sleep, daily planning, grocery choices, social eating, triggers, and progress patterns. Chick is intended to support learning, direction, reflection, and better everyday decisions. It is not a medical service, but some information you choose to enter may reveal health-related information, including weight, eating patterns, allergies or avoidances, activity, sleep, goals, progress, photos, voice notes and related lifestyle context.
For UK users, where this information is special category data under UK GDPR, Chick relies on a UK GDPR Article 6 lawful basis for the relevant purpose and a separate Article 9 condition. For the core app features that need health and wellness information, we rely on explicit consent under Article 9(2)(a). We collect that consent through a clear active step that is separate from marketing consent.
You can withdraw explicit health/wellness consent. Because Chick's core service depends on processing this information, withdrawing required health/wellness consent may mean we have to disable core features or close/delete the account after confirmation, subject to any information we must keep for legal, security, billing, payment, accounting, fraud-prevention, dispute, enforcement or compliance reasons.
You should not enter health information about another person unless you have a lawful right to do so.
How we use information
We use personal data to provide, secure, maintain, personalise, improve, bill, support, audit, and legally protect Chick.
Authorised admin or support personnel may view limited account, consent, billing, support, and legal metadata where needed for compliance, support, audit, safety, billing, dispute handling, or account administration. Reports and support tools are designed to avoid unnecessary exposure of private food logs, weight records, photos, voice recordings, AI prompts, or private health details.
We do not sell personal data. We do not sell private wellness content, food logs, photos, voice recordings, transcripts, or health/wellness information to data brokers. We do not use private health or wellness content to build third-party advertising profiles.
- To create and manage accounts, authentication, sessions, security, and support.
- To record, manage, and evidence your legal acceptance, health/wellness consent, marketing consent, optional product analytics consent, age confirmation, checkout acknowledgements, immediate-access confirmations, and related consent history.
- To log food, estimate calories, protein, nutrients, portions, and other wellness information.
- To provide AI features, including text interpretation, image understanding, audio transcription, planning, reports, daily guidance, food scan, grocery suggestions, trigger insights, and progress summaries.
- To personalise guidance based on your profile, goals, recent logs, trends, preferences, and context.
- To process subscriptions, payments, invoices, receipts, renewals, cancellations, refunds, failed payments, payment disputes, chargebacks, and billing support.
- To send transactional emails, service notices, security notices, billing messages, legal notices, and support replies.
- To detect, prevent, and investigate abuse, fraud, payment misuse, security issues, bugs, unauthorised access, policy breaches, and legal claims.
- To improve the product, fix errors, test features, measure performance, and understand how people use Chick, using privacy-conscious controls where appropriate.
- To comply with legal obligations, enforce our terms, respond to regulators/courts, and retain proportionate commercial evidence where needed for accounting, tax, dispute, legal, support, audit, fraud-prevention, deletion evidence, and enforcement purposes.
AI processing
Chick may send relevant text, images, audio, transcripts, nutrition context, user profile information, recent logs, goals, preferences, and similar context to external AI, image, audio, transcription, or related technical service providers so that AI features can work. For example, Chick may process a meal description, a food photo, a voice note, a product scan, or recent trend data to create an estimate or explanation.
AI processing may involve automated interpretation, estimation, classification, summarisation, planning, or generation. AI providers and models may change over time. We aim to send only what is reasonably needed for the feature, but the information sent may include personal data and health-related context where needed to provide the feature. Chick asks for explicit health/wellness consent before protected AI features use this processing.
Where Chick uses external AI infrastructure providers, those providers process information to deliver the requested AI feature under our provider agreements. We do not sell user health data to AI providers.
We may use aggregated, de-identified, or security-filtered information to understand service performance, abuse, reliability, and product quality. We do not use private wellness content for public dispute responses except where required by law or where expressly necessary and appropriate.
AI outputs may be inaccurate, incomplete, delayed, unavailable, limited, or unsuitable for your circumstances. AI features are subject to availability, safety, fair-use, capacity, abuse-prevention, technical, commercial, and operational controls. The Privacy Policy explains data handling; the AI, Health, Nutrition and Fitness Disclaimer explains the practical limitations of the outputs.
Payments and billing data
Payments are handled by payment providers. Chick does not need to store your full card number. Payment providers may collect and process card, wallet, bank, billing address, authentication, fraud, tax, invoice, receipt, subscription, refund, and dispute information under their own terms and privacy notices.
Chick may store payment-provider references and billing evidence needed to manage your subscription, provide support, prove checkout acknowledgements, defend or process disputes, comply with accounting/tax obligations, prevent fraud or abuse, enforce terms, and retain lawful commercial evidence after account deletion.
Our lawful bases
We use different lawful bases for different processing activities. The main lawful bases we expect to rely on are below.
We do not rely on broad consent for everything. Where we rely on legitimate interests, those interests include operating and improving Chick, securing the service, preventing fraud and abuse, handling billing and support, retaining proportionate commercial evidence, protecting legal rights, and avoiding unnecessary exposure of private wellness content in a way that is balanced against your rights.
| Purpose | Main lawful basis | Special category condition, if relevant |
|---|---|---|
| Creating and managing your account, login sessions, app access, saved settings and core app features. | Contract performance, because the processing is needed to provide Chick to you. | Where health/wellness information is needed for core features, explicit consent under Article 9(2)(a). |
| Food logging, nutrition estimates, profile targets, weight/progress tracking, photo/voice features, planning tools, reports and personalised AI guidance. | Contract performance for the service, plus consent where we ask for optional choices. | Explicit consent under Article 9(2)(a) where the information reveals health-related or other special category data. |
| Recording terms acceptance, required health/wellness consent, age confirmation, cookie choices, checkout acknowledgements, immediate-access confirmations, subscription acknowledgements and optional marketing/product analytics preferences. | Legal obligation where we need evidence of compliance, contract performance, and legitimate interests in operating a safe, accountable service and retaining proportionate commercial evidence. | Explicit consent records are kept as evidence of the Article 9(2)(a) condition where relevant. |
| Security, fraud prevention, payment misuse prevention, abuse prevention, debugging, uptime monitoring, audit logs and protecting Chick, users and legal rights. | Legitimate interests and, where required, legal obligation or establishment, exercise or defence of legal claims. | We try to avoid using special category data for this purpose unless it is necessary and proportionate. |
| Responding to support, privacy requests, complaints, billing issues, disputes, legal claims, chargebacks, regulator requests or court/public authority requests. | Legitimate interests, legal obligation, establishment, exercise or defence of legal claims, and where needed contract performance. | Only if the request, support matter or dispute involves health/wellness information. |
| Sending optional marketing messages. | Consent. You can withdraw marketing consent at any time. | We do not use health/wellness details for marketing consent decisions. |
| Optional analytics or product improvement where enabled. | Consent or legitimate interests depending on the technology and context. Non-essential cookies or similar technologies are only used where the required consent has been obtained. | Approved analytics events should not include food names, weight values, photos, voice recordings, AI prompts or detailed health/wellness content. |
| Billing, subscriptions, invoices, receipts, renewals, cancellations, failed payments, refunds, chargebacks, payment disputes and payment-related support. | Contract performance, legal obligation, legitimate interests, accounting/tax obligations, fraud prevention, and establishment, exercise or defence of legal claims. | Not normally applicable unless the specific support matter or dispute involves health/wellness information. |
| Transactional emails, service notices, security notices, billing messages, legal notices and support replies. | Contract performance, legal obligation and legitimate interests. | Not normally applicable unless the message relates to health/wellness information or a privacy request. |
How long we keep information
We keep personal data only for as long as reasonably needed for the purpose it was collected, unless a longer period is needed for legal, security, tax, accounting, backup, fraud-prevention, payment, dispute, support, audit, enforcement or compliance reasons. The retention periods below are current working retention rules for Chick.
| Type of information | Usual retention period |
|---|---|
| Account and login records | For as long as your account is active. After account closure or verified deletion request, we aim to delete or anonymise ordinary account data within 30 days unless we need to keep limited records for legal, security, billing, payment, dispute, accounting, fraud-prevention or enforcement reasons. |
| Profile, targets, food logs, nutrition records, activity, weight, sleep, planning records, reports and other wellness content | For as long as your account is active so the app can show history, trends and progress. After account deletion, we aim to delete or anonymise this data within 30 days unless a limited exception applies. |
| Retained food-scan images and related upload metadata | For as long as the related account and scan history remain active. When the related scan or account is deleted, the retained image should be deleted from private object storage as part of the deletion process, subject to backup limits and legal exceptions. |
| Temporary uploads, such as temporary voice recordings or temporary image-analysis files | Only for the time needed to process the request, then deleted or made unavailable from temporary processing storage unless you deliberately save the result into your account history. |
| AI prompts, AI inputs, AI outputs and generated explanations saved in your account | For as long as needed to provide the relevant feature, history, report or support record. If saved to your account, they follow the same retention period as the related account content. |
| Consent, legal acceptance, age confirmation, cookie preference, checkout acknowledgement, immediate-access confirmation, subscription acknowledgement and privacy request records | For as long as your account is active and normally up to 6 years afterwards where needed to evidence compliance, handle disputes, support billing/account requests, enforce terms, or respond to legal/regulatory questions. |
| Support, complaint, billing-support, dispute, chargeback and rights-request communications | Normally up to 6 years after the matter is closed, unless a shorter or longer period is appropriate for the specific request, dispute, payment-network rule, legal claim or legal duty. |
| Security logs, audit logs, fraud/abuse prevention records and technical diagnostics | Usually up to 12 months, but serious security, abuse, fraud, payment misuse, dispute or legal incidents may be kept for up to 6 years where needed. |
| Marketing consent and suppression records | Until you withdraw consent or unsubscribe. Suppression records may be kept afterwards so we know not to contact you again. |
| Payment, subscription, invoice, tax, accounting, refund, failed-payment, cancellation, chargeback and dispute records | Normally up to 6 years after the relevant transaction, subscription event, dispute, accounting period or support matter, unless the law, payment-network rules, tax/accounting duties, fraud prevention, enforcement needs or legal claims require a different period. |
| Backups | Backups are kept for disaster recovery and overwritten or deleted on the backup cycle. If data is deleted from the live system, it may remain in backups for a limited period until those backups expire, and is not normally restored except for disaster recovery, security or legal reasons. |
Retention periods may vary by provider, legal requirement, dispute window, payment-network rule, tax/accounting rule, backup cycle, and operational necessity.
Deletion and privacy requests may be handled through account tools and/or operational processes. Deletion from live systems does not always remove information immediately from backups, provider records, logs, accounting records, legal records, or records that must be retained for lawful reasons.
Sharing information
We do not sell your personal data. We share personal data only where needed to run, secure, support, bill, improve, legally protect, or maintain Chick, or where the law requires it.
We use service providers to help run, secure, support and maintain Chick. We describe provider categories rather than publishing unnecessary operational detail. Current provider and recipient categories may include:
- hosting, storage, backup, logging, monitoring, security, and operational infrastructure providers;
- authentication and login infrastructure providers;
- AI, transcription, image, audio, and model-processing providers;
- payment, subscription, invoice, tax, fraud, refund, chargeback, and dispute-processing providers;
- email delivery, transactional communication, and support providers;
- professional advisers, insurers, auditors, legal representatives, regulators, courts, law enforcement, public authorities, banks, card networks, and payment providers where needed;
- buyers, investors, successors, or restructuring parties if Chick is involved in a merger, acquisition, financing, asset sale, reorganisation, or similar transaction, subject to appropriate safeguards where required.
International transfers
Chick is operated from the United Kingdom, but some service providers may process or access personal data in other countries. This may include providers in the categories described above, such as hosting, private storage, email delivery, support, security and AI infrastructure providers.
Where data protection law requires safeguards for an international transfer, we use appropriate measures such as adequacy decisions, approved transfer terms, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or other lawful safeguards.
If you use Chick from outside the United Kingdom, your information may be processed in the United Kingdom and in other countries where Chick or its service providers operate.
Security
We use technical and organisational measures designed to protect personal data, such as access controls, secure authentication practices, encrypted connections where appropriate, logging, monitoring, and provider security controls.
No service is completely secure. You are responsible for keeping your account, email, devices, passwords, and login providers secure.
Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, object to processing, transfer your data, withdraw consent, complain to a regulator, and not be subject to certain automated decisions without safeguards.
You can object to direct marketing at any time. Where processing is based on consent, you can withdraw that consent, but withdrawal does not make earlier lawful processing unlawful and may mean Chick can no longer provide features that require that processing.
These rights may be limited by law, security, identity verification, technical feasibility, legal claims, tax/accounting rules, payment/dispute obligations, and the need to protect other people. We may need to retain limited records even after deletion where legally justified.
If you are in the UK, you may have the right to complain to the Information Commissioner's Office. If you are in the EEA, you may contact your local data protection authority.
If you are in another location, you may have similar privacy rights under local law. We will handle privacy requests according to the law that applies to your request and to Chick.
Children
Chick is intended for adults aged 18 or over. We do not knowingly allow children to create accounts. If we discover that a child has created an account, we may suspend or delete the account and related data where appropriate.
Chick is not designed to provide weight loss, nutrition, or fitness guidance for children without professional oversight.
Cookies and similar technologies
We use strictly necessary cookies and similar technologies for essential site and app functions, login sessions, security and remembering choices. Optional analytics or marketing cookies or similar technologies are only used where the required consent has been obtained. More information is in the Cookie Policy, where you can also change your cookie choices.
Changes to this Policy
We may update this Policy as Chick changes. We will update the date and, where appropriate, provide additional notice or seek consent if required by law. Continued use after an update means the updated Policy applies to future use, subject to mandatory law.
Contact
Questions, privacy requests or cookie questions should be sent to privacy@chick.health or through the Contact page.
