Privacy Policy

Last updated: 28 May 2026

This Privacy Policy describes how alli ("we", "us") collects, uses, and shares personal data. It applies to users worldwide, with specific sections for the United Kingdom, European Union, and California.

1. Data We Collect

  • Account details: email address and first name.
  • Allergen profile and dietary preferences you provide.
  • Scan history (barcodes, product photos, AI analysis results).
  • Approximate location, only when you actively use Find Eats.
  • Basic device and usage diagnostics needed to operate the service.

2. How We Use Your Data

  • To personalise allergen analysis to your profile.
  • To provide and improve the app's features.
  • To respond to support and legal enquiries.

We do not sell your personal data to third parties and we do not use it for behavioural advertising.

3. Third Party Services

To provide alli's features we use carefully selected third party service providers across the following categories. We do not sell your data to any third party under any circumstances.

  • Cloud infrastructure and data storage: your data is stored securely with enterprise-grade cloud infrastructure providers operating under UK and EU GDPR-compliant data processing agreements.
  • AI analysis services: allergen analysis is powered by third-party AI services operating under strict data processing agreements. Ingredient text submitted for analysis is not stored or used to train AI models.
  • Mapping and location services: restaurant discovery uses third-party mapping providers. Location data is only accessed when you use the Find Eats feature and is never stored or shared.
  • Product database services: barcode and product ingredient data is sourced from third-party food product databases. No personal data is shared with these services.
  • Authentication and security: user accounts and authentication are managed by enterprise-grade security providers under GDPR-compliant agreements.
  • Payment processing: subscription payments are processed by PCI DSS-compliant third-party payment providers. alli never stores your payment card details.

A full list of third party data processors is available on request. Contact us at hello@uralli.app and we will respond within 30 days as required under UK GDPR Article 15.

4. Data Retention & Deletion

You can delete your account and all associated data at any time from Settings, or by emailing hello@uralli.app. Verified requests are actioned within 30 days.

5. Cookies

alli uses only essential session cookies needed to keep you signed in. We do not use advertising or tracking cookies.

6. UK GDPR & EU GDPR

Our lawful bases for processing are (a) the performance of our contract with you, (b) your explicit consent, and (c) our legitimate interest in operating a safe service. You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. Complaints may be made to the UK ICO or your local EU supervisory authority.

6a. Health data (Article 9)

Your allergen profile, reaction logs, and symptom history constitute special-category health data under UK GDPR Article 9 and EU GDPR Article 9. We process this data only with your explicit consent and solely to provide personalised allergen analysis. We never sell, share, or use this data for advertising. You can withdraw consent at any time by deleting your allergen profile in Settings, which permanently removes the associated records.

6b. Data retention schedule

  • Account profile: kept while your account is active and for 30 days after a deletion request.
  • Scan history: 12 months, then automatically deleted.
  • Payment records (legal requirement): 7 years.
  • Marketing preferences: until you unsubscribe.
  • Consent log: kept in anonymised form for legal compliance.

6c. Children's privacy (COPPA)

alli is not directed at children under 13 and we do not knowingly collect personal information from them without verified parental consent, in compliance with COPPA. If you believe a child under 13 has provided personal information without consent, contact hello@uralli.app and we will delete it immediately.

7. California (CCPA / CPRA)

California residents have the right to know what personal information is collected, request deletion, correct inaccurate data, and opt out of any "sale" or "sharing" of personal information. alli does not sell or share personal information as those terms are defined under the CCPA.

To submit a California privacy request, email hello@uralli.app with the subject line "California Privacy Request".

8. International Data Transfers

Personal data may be processed in the European Union and the United States. Transfers are protected by Standard Contractual Clauses and other appropriate safeguards required by UK and EU law.

9. Data Controller & Contact

The Data Controller is the alli team. Contact us at hello@uralli.app for any privacy enquiry.