PRIVACY POLICY – Jade AI Nutritional Coach
Applicable to Users in the United Kingdom · Last Updated: 26 February 2026 · Compliant with: UK GDPR and Data Protection Act 2018
1. Data Controller
Controller: Vivarium S.r.l. Registered Address: Via Montello 18, 40131 Bologna (BO), Italy General Contact: [email protected] Privacy Requests: [email protected]
2. Categories of Personal Data Collected
Jade AI collects only data you voluntarily provide via Telegram: Identifiers: Name, nickname, Telegram User ID, email address (if provided), language, time zone. Health and Biometric Data (Special Category): Biological sex, date of birth, weight, height, body measurements, heart rate, VO2max, BMR, wearable device data (if provided). Health and Lifestyle Information (Special Category): Medical conditions, fitness and nutritional goals, training and nutrition plans, athletic experience, and additional personal notes. We do not knowingly collect data from users under 16. If we become aware that such data has been collected, it will be deleted immediately.
3. Purposes of Processing
Your data is processed to: • Provide personalised informational responses and plans. • Improve service accuracy and functionality through aggregated or pseudonymised analysis. • Ensure correct operation and security of the service. • Comply with applicable legal obligations.
4. Legal Basis for Processing
Processing is based on your explicit consent (Art. 6(1)(a) and Art. 9(2)(a) UK GDPR) for all data, and on the performance of the service you have requested (Art. 6(1)(b) UK GDPR) for strictly necessary data. Withdrawal of Consent: You may withdraw consent at any time by contacting [email protected] (general enquiries) or [email protected] (privacy-specific requests). Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
5. How We Process Your Data
Your data is processed through digital tools and automated procedures via a chain of interconnected services. We implement appropriate technical and organisational security measures, including encryption in transit and at rest, strict access controls based on the principle of least privilege, and contractual safeguards with all third-party processors (Data Processing Agreements). AI Transparency Notice: Jade is an artificial intelligence system. Responses are generated automatically and may contain inaccuracies. You are encouraged to verify relevant health-related information independently.
6. Third-Party Service Providers (Data Processors)
Your personal data is never sold to third parties. Data is shared only with the following processors, each bound by a Data Processing Agreement compliant with UK GDPR: Messaging Platform Telegram: Jade AI operates exclusively through the Telegram platform. All messages sent and received transit through Telegram's servers. We strongly recommend reviewing Telegram's Privacy Policy, as it governs a critical part of how your data is handled within this service. Integration and Automation Platforms n8n: Used for backend workflow automation and the coordination of processes. Make.com: Used to orchestrate message and data flows between the different services. Artificial Intelligence Providers We use third-party artificial intelligence models to process requests and generate Jade's responses. Current providers include Google (Gemini), Anthropic (Claude), and OpenAI (ChatGPT). Text prompts and necessary parameters (e.g. health-related information and goals) may be transmitted to these providers solely to generate real-time responses. Under the terms of their respective paid services, data is not used for AI model training. Providers may temporarily log prompts solely for abuse monitoring and enforcement of their own security policies. All providers are bound by Data Processing Agreements compliant with UK GDPR. AI Model Routing OpenRouter: Acts as an intermediary routing layer that directs requests to the appropriate AI model provider. Only the text and parameters strictly necessary to generate responses are transmitted. OpenRouter does not use your data for model training and is bound by a Data Processing Agreement. Data Management and Cloud Infrastructure Cloudflare: Used for data storage, management, and the cloud infrastructure underpinning the Jade AI service. Email Communications Mailchimp: Used as an email communication channel to send service and informational messages to users.
7. International Data Transfers
Some providers operate globally; your data may be processed outside the UK. All such transfers are carried out using appropriate safeguards, including UK International Data Transfer Agreements (IDTAs), UK Addendums to EU Standard Contractual Clauses, or transfers to countries covered by UK adequacy regulations.
8. Data Retention
Data is retained for the duration of your active use of the service. If your account has been inactive for more than 6 months, all personal data (including health and biometric data) will be automatically deleted. You may request complete deletion at any time (see Section 9).
9. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the right to: • Access your personal data. • Rectify inaccurate or incomplete data. • Erase your data ("right to be forgotten"). • Restrict processing in certain circumstances. • Port your data to another service. • Object to processing based on legitimate interests. • Withdraw consent at any time without detriment. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. Complaints
You have the right to lodge a complaint with the Information Commissioner's Office (ICO): Website: www.ico.org.uk Phone: 0303 123 1113 We encourage you to contact us first so we can attempt to resolve any concern directly.
11. Data Protection Impact Assessment
Vivarium S.r.l. has conducted a Data Protection Impact Assessment (DPIA) for the processing carried out through Jade, in accordance with Art. 35 UK GDPR.
12. Changes to This Policy
This Privacy Policy may be updated from time to time. We will notify you of material changes via Telegram or email with reasonable notice. Continued use of the service after notification constitutes acceptance of the updated Policy.