Privacy Policy

1. Scope

This Privacy Policy explains how Polar Origin AS collects, uses, stores, shares, and protects personal data when you use Devoured.

It applies to the Devoured iOS app, devoured.app, Devoured support, subscriptions, account sign-in, AI features, analytics, website cookies, marketing pages, advertising and attribution technologies, and related services. It does not apply to third-party websites, apps, products, or services that we do not own or control, even if they link to or from Devoured.

This Privacy Policy describes the services and integrations we use in production. Some integrations may be enabled only for certain features, builds, countries, devices, environments, or releases. A provider receives personal data only when the relevant feature, SDK, cookie, tag, integration, or service is enabled.

2. Controller and contact

Devoured is provided by Polar Origin AS, organisation number 936 893 864, c/o Burghard Riechel, Svenneviktoppen 23, 4521 Lindesnes, Norway.

For data protection laws such as the GDPR, Polar Origin AS is the controller of the personal data described in this Privacy Policy, unless this Privacy Policy says otherwise.

You can contact us about privacy, support, account deletion, or legal questions at support@devoured.app.

3. The basics

Devoured is a private consumer app for reducing food-delivery ordering, adding friction before ordering, building cooking routines, managing recipes, tracking progress, and using related habit-support features.

Devoured does not include public profiles, public posting, comments, messaging, or social feeds. Meal photos, recipes, pantry data, shopping data, cravings, check-ins, optional fasting-timer use, Pelicoins, streaks, savings estimates, and similar app content are private to your account.

We do not sell personal data. We do not use meal photos, recipes, pantry data, shopping lists, cravings, urge text, optional fasting-timer settings or status, exact Apple Screen Time app, category, or web-domain selections, private AI prompts, or similar private app content for personalised advertising, retargeting, or ad-network sharing.

Devoured uses Apple, Supabase, Superwall, RevenueCat, OpenAI, PostHog, email and communications providers, website hosting providers, analytics and diagnostics providers, and advertising, attribution, and marketing providers as described in this Privacy Policy.

Some information is stored locally on your device and some is stored through our backend. Exact Apple Screen Time apps, categories, and web domains you select are stored locally on your device. We may process related abstract configuration and usage data, such as selected target count, target type, schedule, block state, feature state, friction or unlock event type, timestamps, craving-window state, and related metadata. We do not receive or store the exact apps, categories, or web domains you select through Apple Screen Time controls.

4. Age and children

Devoured is not directed at children under 13, and we do not knowingly collect their personal data.

Users aged 13 to 17 may use Devoured only with a parent or legal guardian's consent where that consent is required by law. If the law where you live requires a higher age, or a different form of consent, you must meet that requirement before using Devoured.

Devoured may ask for your date of birth or age information during the age-gate flow to confirm eligibility. We use this only to determine whether you may use Devoured. We do not store your full date of birth; we store only confirmation that the age gate was completed.

If we become aware that a child under 13 has provided personal data to Devoured, we will take reasonable steps to delete it. Parents or guardians may contact us at support@devoured.app if they believe this has happened.

5. Personal data we collect

We collect different categories of personal data depending on how you use Devoured.

Account and sign-in data. This may include your email address, Apple authentication identifier, user ID, optional name, optional profile image or name information from Apple where provided, profile settings, authentication status, verification status, and confirmation that the app age gate has been completed.

Subscription and purchase data. We process subscription status, entitlement status, paywall interactions, purchase events, renewal or cancellation state, trial status, refund-related status, and related App Store transaction information. Apple processes your payment details, billing account, refunds, and App Store subscription management. Superwall and RevenueCat, where enabled, may process paywall, entitlement, subscription, and purchase-event data.

Onboarding, habit, and progress data. This may include onboarding answers, delivery-ordering goals, spending baselines, savings estimates, cravings, urges, setback events, check-ins, streaks, cooking progress, virtual points or rewards such as Pelicoins, Pelicoin earning and redemption events, app-blocking settings, and related app configuration.

App-blocking configuration. Devoured may use Apple platform APIs such as FamilyControls, ManagedSettings, and DeviceActivity to provide app-blocking and friction features. Exact apps, categories, and web domains you select through Apple Screen Time controls are stored locally on your device. We may process related abstract configuration and usage data, such as selected target count, target type, schedule, block state, feature state, friction or unlock event type, timestamps, craving-window state, and related metadata. We do not receive or store the exact apps, categories, or web domains you select through Apple Screen Time controls.

Cooking, recipe, pantry, and shopping data. We process the private recipes, pantry entries, shopping lists, meal plans, cooking activity, and related information that you create or save in the app.

Meal photos and AI feature data. If you use a meal-photo or AI feature, we process the photos, prompts, text inputs, relevant app context, AI outputs, and related metadata needed to provide that feature. Some of this content may be sent to OpenAI as described below. If Pelicoins or similar virtual rewards are awarded based on meal photos, cooking activity, or app actions, we may process the relevant photo, action, timestamp, app context, and reward decision to provide that feature.

Habit-support data. Some information you provide or generate in Devoured may relate to takeaway-ordering habits, cooking activity, cravings, reflections, app-friction features, meal photos, recipes, pantry or shopping items, and optional fasting-timer use where enabled. We treat this information with extra care and do not use it for advertising, retargeting, or ad-network sharing.

Product analytics, diagnostics, and experiments. We use PostHog and may use similar analytics, diagnostics, feature-flag, experimentation, crash-reporting, and product-improvement tools to understand how Devoured is used, improve reliability, debug issues, prevent abuse, test features, measure paywall and onboarding flows, and improve the product. This may include internal user ID or account ID, device type, operating-system version, app version, timestamps, feature events, screen or page interactions, onboarding-step events, paywall events, subscription-entitlement events, Pelicoin earning or redemption events, abstract friction or unlock event types, error events, performance events, referral or campaign parameters, feature-flag assignments, experiment assignments, and event properties needed to understand the relevant feature.

Product analytics events may show that a feature was used, such as that a meal-photo feature was opened, a Pelicoin event occurred, or an abstract friction or unlock event occurred. We do not intentionally send meal photos, recipe text, pantry entries, shopping-list contents, private notes, craving or urge text, optional fasting-timer details, private AI prompts, exact Apple Screen Time app, category, or web-domain selections, passwords, payment-card details, or other sensitive private app content to general analytics tools such as PostHog.

Website, waitlist, email, and marketing data. If you visit devoured.app, join a waitlist, sign up for updates, create an account, contact us, or interact with our marketing pages, we may process your email address, name, message contents, consent preferences, unsubscribe status, IP address, device and browser information, pages viewed, referral source, campaign parameters, cookie identifiers, pixel identifiers, and similar technical, analytics, or marketing data.

Advertising and attribution data. Where enabled, we may process limited website, marketing, device, browser, referral, campaign, cookie, pixel, sign-up, trial, subscription, and conversion-related event data for advertising measurement, attribution, campaign analytics, audience measurement, and retargeting or similar advertising where permitted by law and consented to where required. We do not use sensitive private app content, habit-support data, or consumer-health data for these purposes.

Device, technical, and security data. We collect or generate technical data such as app-generated device identifiers, app version, operating-system version, timestamps, device settings relevant to the service, feature state, internal event logs, backend logs, IP address, request metadata, authentication logs, security records, and similar technical data when you use Devoured or devoured.app.

Notification data. Devoured may schedule local notifications on your device if you enable them. Local notifications are generated on your device. If we enable remote push notifications, we process the device token and notification preferences needed to send them.

Support communications. If you contact us, we collect the content of your message, your email address, and any information needed to respond.

6. How we collect data

We collect data directly from you when you create an account, use Sign in with Apple, answer onboarding questions, configure the app, upload a meal photo, use AI features, contact support, join a waitlist, sign up for updates, or otherwise use Devoured.

We collect data automatically from the app, website, cookies, SDKs, tags, backend, analytics tools, and service providers as you use features, create events, update settings, interact with paywalls, use subscriptions, or visit devoured.app.

We receive limited account, authentication, subscription, transaction, entitlement, paywall, analytics, attribution, advertising, and communications-related information from Apple, Supabase, Superwall, RevenueCat, PostHog, email providers, advertising or attribution providers, and our backend and operational providers.

We process local device information through Apple platform APIs only as needed to provide the features you enable.

7. How we use personal data

We use personal data to provide Devoured, create and manage accounts, authenticate users, sync account data, operate subscriptions, provide app-blocking and friction features, track progress, manage streaks and Pelicoins, support cooking and recipe features, process meal photos, generate AI outputs, provide sign-up and sign-in flows, and respond to support requests.

We use personal data to maintain, debug, secure, measure, and improve Devoured, including for product analytics, diagnostics, feature flags, experiments, crash analysis, fraud prevention, abuse prevention, service reliability, troubleshooting, and support.

We use website, cookie, referral, campaign, event, and account data to operate devoured.app, send communications you request, maintain suppression lists, measure website traffic, understand campaign performance, improve marketing pages, attribute conversions, and, where enabled and permitted by law, retarget or advertise to users and visitors.

We use personal data where needed to comply with legal obligations, enforce our Terms of Service, protect our rights and users, process account deletion requests, handle disputes, and respond to safety, security, or legal issues.

We do not use meal photos, recipes, pantry data, shopping lists, cravings, urge text, optional fasting-timer settings or status, habit-support data, exact Apple Screen Time app, category, or web-domain selections, private AI prompts, or similar sensitive private app content for personalised advertising, retargeting, or ad-network sharing.

8. Legal bases for processing

If GDPR, UK GDPR, or similar law applies, we rely on the following legal bases.

Contract. We process account, subscription, app-use, app-configuration, and service data to provide Devoured and perform our agreement with you.

Consent. We rely on consent where you choose to enable optional features, notifications, AI meal-photo features, email marketing, non-essential cookies, pixels, local storage, advertising or retargeting technologies, or where applicable law otherwise requires consent for specific processing.

Sensitive data and special-category data. Where applicable law treats optional cravings, urge notes, meal photos, habit-support data, optional fasting-timer settings, or similar information as sensitive, special-category, consumer-health, or similar data, we process it with explicit consent, authorisation, or another legally available basis where required and when you choose to provide it or use the relevant feature.

Legitimate interests. We process limited data for security, debugging, fraud prevention, abuse prevention, product analytics, diagnostics, service reliability, support, service administration, product improvement, and marketing measurement, provided those interests are not overridden by your rights and provided consent is not required for the specific processing.

Legal obligations. We process data when needed to comply with law, tax, accounting, consumer-protection, App Store, safety, security, or dispute obligations.

9. AI features and OpenAI

Some Devoured features use OpenAI to analyse meal photos, assist with recipes, and generate related outputs.

When you choose to use those features, we may send OpenAI the content and context needed to process your request. This may include meal photos, prompts, text inputs, relevant app data, AI outputs, metadata, and related feature context.

OpenAI processes this information on our behalf to provide, secure, and operate the AI features. OpenAI states that API data is not used to train or improve OpenAI models unless the API customer opts in. OpenAI may retain abuse-monitoring logs, which can include prompts, responses, and related metadata, for up to 30 days by default, unless a different retention setting applies or a longer period is required by law or needed to protect OpenAI, its services, or others.

We configure OpenAI API requests not to store response state where supported.

We do not use private meal photos, recipes, cravings, optional fasting-timer use, exact Apple Screen Time selections, private AI prompts, or similar private app content to train models made available to other users or the public, except with your consent.

AI outputs can be incomplete, wrong, unsafe, or inappropriate for your situation. AI meal checks, optional fasting-timer information, recipes, and related outputs are for informational and educational purposes only and should not be treated as professional advice.

Do not submit content to AI features that you do not have the right to submit, including personal data about another person unless you have a lawful basis and permission to do so.

10. Product analytics, PostHog, diagnostics, and experiments

We use PostHog and may use similar product analytics, diagnostics, feature-flag, experimentation, and product-improvement tools. These tools help us understand onboarding, feature usage, paywall flows, subscription conversion, app reliability, app-friction features, Pelicoin usage, retention, errors, and product performance.

In the Devoured iOS app, analytics events are intended to be defined events and properties rather than unrestricted capture of private app content. On devoured.app, analytics may include page views, referrals, campaign parameters, cookie identifiers, browser and device information, and sign-up or conversion events.

Feature flags and experiments may affect which onboarding flow, paywall, copy, feature variant, friction rule, or product experience you see. We use these tools to test and improve Devoured, subject to the sensitive-data limits in this Privacy Policy.

We do not intentionally send meal photos, recipe text, pantry entries, shopping-list contents, private notes, craving or urge text, optional fasting-timer details, private AI prompts, exact Apple Screen Time app, category, or web-domain selections, passwords, payment-card details, or other sensitive private app content to PostHog or general analytics tools.

We do not use session replay inside the Devoured iOS app unless we update this Privacy Policy or obtain appropriate consent. We may use session replay or similar tools on devoured.app only where enabled, masked or restricted, and consented to where required by law. Session replay must not intentionally capture passwords, payment-card details, meal photos, private recipes, pantry data, shopping lists, craving or urge text, optional fasting-timer details, AI prompts, exact Screen Time app, category, or web-domain selections, or similar sensitive private app content.

11. Website, cookies, pixels, advertising, and attribution

devoured.app uses or may use cookies, pixels, local storage, SDKs, tags, and similar technologies. These technologies may be used for the purposes below.

Strictly necessary purposes. Hosting, security, fraud prevention, load balancing, consent management, authentication, remembering privacy choices, and functionality requested by the user.

Analytics and product-improvement purposes. Measuring website traffic, page views, referrals, campaign parameters, device and browser information, conversion events, sign-up flows, and feature usage. We use PostHog and may use similar analytics tools for these purposes.

Advertising, attribution, and marketing purposes. Measuring advertising performance, understanding whether campaigns lead to visits, sign-ups, trials, or subscriptions, building or measuring audiences, and, where enabled and permitted by law, retargeting or similar advertising. We may use advertising and attribution providers for these purposes if those tools are enabled.

Where required by law, we ask for consent before using non-essential cookies, pixels, local storage, SDKs, tags, or similar technologies. You can manage or withdraw cookie consent through the cookie banner or privacy controls we make available.

We do not use meal photos, recipes, pantry data, shopping lists, cravings, urge text, optional fasting-timer settings or status, habit-support data, exact Apple Screen Time app, category, or web-domain selections, private AI prompts, or similar sensitive private app content for personalised advertising, retargeting, or ad-network sharing.

12. Sharing personal data

We share personal data only as needed to provide, operate, secure, measure, market, and improve Devoured, or where required by law. We require service providers that receive personal data from us to process it only for authorised purposes, protect it using appropriate safeguards, and comply with applicable law.

Apple. We use Apple services for Sign in with Apple, App Store distribution, StoreKit, in-app purchases, subscription management, App Store Connect, device permissions, notifications, and Screen Time-related APIs.

Supabase. We use Supabase for authentication, database, storage, backend functions, and related infrastructure.

Superwall. We use Superwall for paywall, subscription, entitlement, offer, and conversion-related flows. Superwall may process user ID, email address if available, attribution source, onboarding motivation, baseline delivery-order frequency, average order value, paywall interactions, subscription status, entitlement status, offer events, trial events, purchase events, renewal or cancellation state, and conversion-related events.

RevenueCat. If enabled, we use RevenueCat for subscription infrastructure, entitlement management, receipt validation, subscription analytics, and purchase-event processing.

OpenAI. We use OpenAI to process AI-feature inputs and generate AI-feature outputs.

PostHog and analytics providers. We use PostHog and may use similar analytics, diagnostics, feature-flag, experimentation, and product-improvement providers to process limited account, device, technical, event, usage, referral, campaign, and performance data. We configure these tools to avoid intentionally collecting sensitive private app content.

Email, waitlist, newsletter, and support providers. We may use email delivery, waitlist, newsletter, support, and customer-communications providers to process email addresses, message contents, communication preferences, unsubscribe status, and delivery metadata.

Advertising, attribution, and marketing providers. Where enabled, we may use advertising, attribution, and marketing providers to process limited website, campaign, referral, device, cookie, pixel, and event data for campaign measurement, attribution, advertising analytics, audience measurement, and retargeting where permitted by law and consented to where required.

Hosting, security, and operations providers. We may use providers that host devoured.app, deliver infrastructure, monitor security, process technical logs, prevent fraud, or support service operations.

Legal and safety disclosures. We may disclose information if required by law, legal process, regulators, courts, law enforcement, or if disclosure is needed to protect rights, safety, security, or service integrity.

Corporate transactions. If Polar Origin AS is involved in a merger, acquisition, financing, reorganisation, sale of assets, or similar transaction, personal data may be transferred as part of that transaction, subject to appropriate protections.

We do not sell personal data. We do not knowingly sell or share personal data of users under 16. We do not disclose meal photos, recipes, pantry data, shopping lists, cravings, urge text, optional fasting-timer settings or status, habit-support data, exact Apple Screen Time app, category, or web-domain selections, private AI prompts, or similar sensitive private app content to advertising networks for personalised advertising or retargeting.

13. International transfers

Polar Origin AS is based in Norway. We may process and store personal data in Norway, the European Economic Area, the United States, and other countries where our service providers operate.

Where required by data protection law, we use safeguards such as data processing agreements, Standard Contractual Clauses, adequacy decisions, and other legally recognised transfer mechanisms.

14. Retention and deletion

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including providing Devoured, maintaining security, analysing and improving the product, complying with law, resolving disputes, enforcing agreements, and maintaining business records.

While your account is active, we retain account data and app data needed to provide the service.

Product analytics, diagnostics, feature-flag, experiment, and event data is generally retained for up to 24 months unless a shorter or longer period is needed for security, debugging, fraud prevention, legal compliance, dispute handling, or legitimate business records.

Marketing, waitlist, newsletter, and communications data is kept until you unsubscribe, withdraw consent, request deletion, or we no longer need it for the purpose for which it was collected, subject to limited records needed for suppression lists, compliance, security, or dispute handling.

When you delete your account in the app, we begin deleting account records and associated personal data from active systems. Account data is generally deleted or anonymised within 30 days after account deletion, except where we need to keep limited records for legal compliance, security, fraud prevention, billing, dispute handling, suppression lists, or legitimate business records.

Backup copies, security logs, and technical logs may remain for up to 90 days before expiring through normal backup and log cycles, unless longer retention is required for legal, security, fraud-prevention, or dispute reasons.

Apple may retain App Store purchase, billing, refund, and subscription records under Apple's own policies. OpenAI may retain abuse-monitoring logs as described in Section 9. Advertising, analytics, and communications providers may retain limited data under their own processor settings and legal obligations.

Deleting your Devoured account does not automatically cancel an Apple subscription; subscriptions must be cancelled through your Apple ID or App Store settings. Some local data may remain on your device until the app clears it, you delete the app, or you erase device data.

15. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. You may also have the right to withdraw consent where processing is based on consent, opt out of certain advertising or sharing, or limit certain uses of sensitive personal information.

You can delete your account through the in-app account deletion flow. You can also contact us at support@devoured.app to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, advertising opt-out, or other privacy assistance.

You can unsubscribe from marketing emails using the unsubscribe link in those emails. You can manage non-essential cookies through the cookie banner or privacy controls we make available.

We may need to verify your identity before responding to a privacy request. We will respond within the period required by applicable law.

If you are in the EEA, UK, or Switzerland, you may lodge a complaint with your local data protection authority. In Norway, the supervisory authority is Datatilsynet.

16. Account deletion

Devoured provides an in-app account deletion flow in Settings.

Account deletion removes your Devoured account and starts deletion of associated account data from active systems, subject to the retention rules in this Privacy Policy.

Account deletion is separate from subscription cancellation. To stop future subscription charges, cancel the subscription through your Apple ID or App Store settings.

17. Security

We use administrative, technical, and organisational safeguards designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.

No app, website, database, provider, or internet transmission is completely secure. You are responsible for protecting your device, Apple ID, email account, and account access.

18. Consumer health and sensitive data notice

To the extent consumer-health-data, sensitive-data, or similar laws apply, this section supplements the rest of this Privacy Policy.

Some information processed by Devoured may be treated as sensitive personal data, consumer-health data, or health-related data under certain privacy laws, depending on where you live and how you use the app. This may include meal photos, recipe data, pantry data, shopping data, cravings or urge events, check-ins, optional fasting-timer settings or status, cooking activity, AI outputs, and related habit-support inferences.

Sources of this data include you, your device, your use of Devoured features, local Apple platform APIs, our backend, and our service providers when they process data on our behalf.

We use this data to provide the features you choose, process meal photos, generate AI outputs, calculate Pelicoins or virtual rewards, support app-friction features, track progress, maintain security, provide support, debug the service, comply with law, and improve Devoured. Product analytics may record abstract feature events, but general analytics tools should not receive sensitive private app content.

We may share consumer-health or sensitive app data with service providers that process it on our behalf, such as Supabase, OpenAI, hosting and security providers, support providers, and, for limited abstract event data only, analytics providers. We may also disclose information where required by law or needed to protect rights, safety, security, or service integrity.

We do not sell consumer-health data. We do not use or disclose consumer-health data, meal photos, recipes, pantry data, shopping lists, cravings, urge text, optional fasting-timer settings or status, habit-support data, exact Apple Screen Time app, category, or web-domain selections, private AI prompts, or similar sensitive private app content for personalised advertising, retargeting, or ad-network sharing.

Where applicable law gives you rights relating to consumer-health or sensitive data, you may request access, deletion, withdrawal of consent or authorisation, or other applicable rights by contacting support@devoured.app. We may need to verify your identity before responding.

19. California and similar privacy laws

To the extent California privacy law or similar law applies, the categories of personal information we may collect include identifiers, contact information, commercial information, subscription and transaction information, internet or electronic network activity, device information, user content, inferences related to app use, and sensitive or health-related information that you choose to provide through Devoured features.

We use these categories for the purposes described in this Privacy Policy, including app functionality, account management, subscriptions, analytics, diagnostics, security, support, product improvement, website operations, marketing, advertising measurement, attribution, legal compliance, and dispute handling.

We do not sell personal information. Where enabled and permitted by law, we may share limited website, campaign, referral, browser, device, cookie, pixel, sign-up, trial, subscription, or conversion-related event data for cross-context behavioural advertising, retargeting, advertising measurement, or attribution. We do not share sensitive private app content, consumer-health data, or habit-support data for cross-context behavioural advertising.

We do not use sensitive personal information to infer characteristics for advertising. We do not knowingly sell or share personal information of users under 16.

You may contact us at support@devoured.app to exercise applicable rights, including access, deletion, correction, portability, opt-out of sale or sharing, and limitation of certain sensitive-data uses where those rights apply.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify users, such as updating the app, website, or policy date, or providing an in-app notice where appropriate.

The updated Privacy Policy applies from the Last updated date shown at the top unless a different date is stated.

21. Contact

Polar Origin AS

Organisation number: 936 893 864

Address: c/o Burghard Riechel, Svenneviktoppen 23, 4521 Lindesnes, Norway

Email: support@devoured.app