Effective date: March 19, 2026 · Last updated: March 19, 2026
1. General provisions
1.1. This Personal Data Processing Policy (the “Policy”) has been prepared in accordance with Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” and defines the procedure for processing personal data and the measures taken to ensure their security within the “Mera” mobile application and website (the “Service”).
1.2. The operator of personal data is Individual Entrepreneur Shagabutdinov Renat Khannanovich (the “Operator”), State Registration Number 324774600675720, Taxpayer Identification Number 773389350806.
1.3. This Policy applies to all personal data that the Operator may obtain from the User in the course of the use of the Service.
2. Definitions
- Personal data — any information relating directly or indirectly to an identified or identifiable natural person (the data subject).
- Processing of personal data — any act or set of acts performed on personal data, whether with or without the use of automated means, including collection, recording, systematisation, accumulation, storage, clarification, retrieval, use, transfer, blocking, deletion, and destruction.
- Automated processing — processing of data by means of computing equipment.
- User — a natural person using the Service.
3. Categories of personal data processed
The Operator processes the following categories of personal data:
| Category | Contents | Purpose of processing |
| --- | --- | --- |
| Account data | Email, password hash, registration method (email/Google/Apple), email-verification status | Registration, authentication, account recovery |
| Profile data | Gender, age, height, weight, target weight, activity level, rate of weight change, diet type, time zone | Calculating personalised calorie and macronutrient goals (Mifflin–St Jeor equation); personalising the Service |
| Nutrition data | Meal names, portion weights, calories, macronutrients, notes, meal times, ingredients, product barcodes | Maintaining the nutrition diary, calorie counting, analytics |
| Photographs | Images of food in base64 format (up to approximately 7.5 MB) | AI analysis of meal composition. Images are not retained after processing |
| Weight data | Weight entries with dates | Tracking weight trends and producing projections |
| AI chat data | Messages sent by the user and responses from the assistant | Operation of the AI assistant for nutrition questions |
| Device data | Push token, platform (iOS/Android), application version, operating-system version, device model | Delivering push notifications; handling support requests |
| Payment data | Subscription identifier, plan, status, period, amount, currency | Managing subscriptions and recurring payments via YooKassa |
4. Processing principles
The processing of personal data is carried out on the following principles:
- Processing is conducted on a lawful and fair basis.
- Processing is limited to the attainment of specific, pre-defined, and lawful purposes.
- Combining databases containing personal data whose processing serves purposes incompatible with one another is not permitted.
- Only data that corresponds to the purposes of processing is subject to processing.
- The content and volume of the data processed are commensurate with the stated purposes.
- The accuracy, sufficiency, and currency of the data are ensured during processing.
- Data is retained no longer than the purposes of processing require.
5. Legal bases for processing
Processing is carried out on the following legal bases:
- The consent of the data subject (Article 6, Part 1, Clause 1 of Federal Law No. 152-FZ), given at the time of registration in the Service.
- The performance of a contract to which the data subject is a party (Article 6, Part 1, Clause 5 of Federal Law No. 152-FZ), namely the provision of the Service’s functions.
- The performance of obligations imposed on the Operator by law (Article 6, Part 1, Clause 2 of Federal Law No. 152-FZ).
6. Procedure for collecting personal data
6.1. Personal data is collected by the following means:
- Direct provision by the User at registration and during profile completion (POST /api/v1/user/register, POST /api/v1/onboarding/).
- Automatic collection during use of the Service (maintaining the nutrition diary, weigh-ins, requests to the AI assistant).
- Receipt from third parties during OAuth authentication through Google or Apple.
- Receipt from the payment provider YooKassa during payment processing.
6.2. The provision of personal data is voluntary. A refusal to provide mandatory data (email) makes use of the Service impossible.
7. Processing and storage
7.1. Processing is carried out by means of automation.
7.2. Data is stored on servers located within the territory of the Russian Federation.
7.3. Retention periods:
- Account and profile data: until the User deletes the account.
- Nutrition and weight data: until the User deletes the account.
- Food photographs: not retained after AI analysis.
- AI chat history: until the User deletes the account.
- Payment data: for the periods prescribed by the accounting law of the Russian Federation.
- Support requests: three (3) years from the date of the request.
8. Measures to protect personal data
The Operator takes the necessary legal, organisational, and technical measures to protect personal data:
- Encryption of passwords (hashing; passwords are not recoverable).
- JWT authentication with a token-refresh mechanism (access + refresh).
- Rate limiting on critical endpoints: registration, authentication, email confirmation, token refresh.
- Access control: each user has access only to their own data.
- HTTPS encryption of data in transit.
- Verification of YooKassa webhooks via JWKS (ES256).
9. Transfer of personal data
9.1. The Operator does not transfer personal data to third parties, save in the cases provided for by law and by this Policy.
9.2. Data may be transferred to:
- YooKassa (LLC “YuMoney”) — for payment processing. YooKassa is certified under the PCI DSS standard.
- AI model providers — for the analysis of photographs and text requests. Data is transferred in a de-identified form without being linked to the identity of the User.
- Google LLC / Apple Inc. — to the extent necessary for OAuth authentication.
9.3. Cross-border transfers are effected only to countries that provide adequate protection of the rights of data subjects.
10. Rights of the data subject
The User has the right to:
- Obtain information concerning the processing of their personal data (Article 14 of Federal Law No. 152-FZ).
- Require clarification of their personal data (profile updates: PUT /api/v1/profile/; email change: PUT /api/v1/user/change-email).
- Require the blocking or destruction of personal data where it is incomplete, out of date, or inaccurate.
- Withdraw consent to the processing of personal data (account deletion: DELETE /api/v1/user/delete-account).
- Appeal the Operator’s actions or inaction to Roskomnadzor or through the courts.
11. Obligations of the Operator
- Use personal data solely for the purposes set out in this Policy.
- Keep personal data confidential; not disclose it without the User’s consent.
- Take measures to ensure the accuracy and currency of personal data.
- Cease processing and destroy personal data when the purposes of processing have been achieved or at the User’s request.
12. Final provisions
12.1. The Operator is entitled to make changes to this Policy. The new version takes effect upon its publication on this page.
12.2. This Policy is governed by the law of the Russian Federation.
12.3. For all inquiries, please contact: contact@mera-api.ru.