Last updated 2026-04-15.
This policy describes how Richly Labs Inc. ("Richly Labs," "we," "us") collects and uses personal information when you use the Nutriterm website, TUI, and Premium cloud service. We are a federally-incorporated Canadian company based in Ontario, and we handle your data under Canadian privacy law (PIPEDA) as well as GDPR, UK-GDPR, and CCPA where those apply to you.
The free, open-source TUI is local-first: your diary lives in a SQLite file under ~/.local/share/nutriterm/ and never leaves your machine unless you enable Premium sync.
When you create an account, subscribe to Premium, or browse this website, we collect the specific data described below — and nothing else. We do not sell your data. We do not use your diary to train AI models. We do not run advertising.
The marketing pages on nutriterm.com run no analytics, no tracking pixels, and no third-party scripts. Our hosting provider keeps standard short-lived server access logs (IP address, user agent, requested path) for operational purposes — abuse prevention and uptime — and we do not ourselves attach those logs to your account. We do not set any advertising or tracking cookies on the marketing site.
When you create an account, we store your email address and a hashed password through Supabase Auth, plus a user ID. We log sign-in timestamps and source IP addresses for 30 days for security and abuse prevention.
If you turn on Premium sync, we store the diary data that your clients push to our cloud: meals, diary entries, weight log, water log, activity log, sleep log, nutrient targets, custom foods, and daily notes. This is exactly the data you can see yourself when you sign into the web app. We store it so that any client you sign into (TUI, web, mobile) can read and write the same view.
If you subscribe to Premium, Stripe handles payment and stores card and billing data on their infrastructure. We never see your card number. We store your Stripe customer ID, the state of your subscription, and invoice history.
Inside the signed-in web and mobile apps, we record a small set of named events through PostHog (EU region) so we can see which features people use and whether the product is working. These are explicit events like “food logged”, “subscription purchased”, and “trends viewed” — never your diary contents, weights, or food entries themselves. We do not run automatic click or scroll tracking, do not record sessions, and do not use this data for advertising.
We use Sentry to capture crashes and errors in the web and mobile apps so we can fix them. Sentry receives the error message, stack trace, browser/device type, and the URL or screen the error occurred on. We have configured it to never include screenshots, view hierarchies, or default personal information.
When you email contact@nutriterm.com, we store the message and our reply so we can keep the conversation coherent.
We don't use your cloud data to train machine learning models, target advertising, or build profiles about you.
That is the complete list. We do not sell, rent, or trade personal information to anyone.
Our primary infrastructure is in the United States. If you use Nutriterm from the EU, UK, or Canada, your personal data is transferred to and stored in the United States. We rely on standard contractual clauses and the safeguards our sub-processors provide for cross-border transfers. If we add an EU-region deployment in the future, we will update this section to describe where data is routed.
We use industry-standard safeguards to protect your data — encryption in transit (TLS) and at rest, hashed passwords via Supabase Auth, scoped Postgres row-level security so one user’s data cannot be read by another, and least-privilege access for everyone on the team.
No system is perfect. If a security incident affects your personal information, we will notify affected users and the relevant data protection authorities without undue delay — typically within 72 hours of becoming aware (per GDPR Art. 33) and in any event no later than 60 days, as required by the U.S. FTC Health Breach Notification Rule for personal health record vendors. The notification will describe what happened, what data was involved, what we’re doing about it, and what (if anything) you should do.
You can access, correct, export, or delete your personal information at any time. Email contact@nutriterm.com and we will respond within 30 days (usually within 48 hours). Deleting your cloud data does not touch the local SQLite file on your machine — that one is always yours.
Sec-GPC: 1, we treat that as an opt-out of analytics for that session. You can also opt out of product analytics explicitly in /app/settings (signed-in users).
The marketing site does not set tracking or advertising cookies and does not run analytics scripts. The signed-in web app sets two HTTP-only session cookies through Supabase Auth — those are strictly necessary and expire when you sign out or when the session expires. PostHog stores a randomly generated identifier in your browser’s localStorage so the events you trigger across page navigations are attributable to the same session; it is not a tracking cookie and is not shared with third parties. Sign out clears the identifier.
Nutriterm is not intended for individuals under 16. We do not knowingly collect personal information from children under 16. If you believe a child has created an account, contact us and we will remove it.
We may update this policy when we add new features, new sub-processors, or when the law changes. If the change is material, we will email active subscribers and update the date at the top of this page. Continued use after an update means you accept the new version.
Data protection questions: contact@nutriterm.com
Richly Labs Inc.
Suite 6D - 7398 Yonge St Unit #531
Thornhill, ON L4J 8J2
Canada