Privacy Policy
Last updated: October 13, 2025
Welcome to Miobi!
We are pleased that you are using our app and take the protection of your personal data very seriously. Below we inform you in detail about the type, scope and purpose of the processing of personal data in connection with Miobi. If you have any questions, you can contact us at any time at info@miobi.app.
1. Information about the collection of personal data and contact details of the controller
We are pleased that you are using our app. Below we inform you about the handling of your personal data when using our app. Personal data is any data with which you can be personally identified.
The controller for data processing regarding this app within the meaning of the General Data Protection Regulation (GDPR) is Featuring GmbH, Tal 44, 80331 Munich, Germany, Tel.: +49 176 32344295, Email: info@miobi.app. The controller for the processing of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
For security reasons and to protect the transmission of personal data and other confidential content (e.g. requests to the controller), this app uses SSL or TLS encryption. You can recognize an encrypted connection by the character string "https://".
2. Legal basis for processing
We process your personal data based on the following legal grounds:
- Art. 6(1)(b) GDPR – Contract fulfillment: Provision of the app and its core functions.
- Art. 6(1)(a) GDPR – Consent: e.g. push notifications, camera access.
- Art. 6(1)(f) GDPR – Legitimate interest: Ensuring security, error analysis, product improvement.
- Art. 6(1)(c) GDPR – Legal obligation: e.g. retention and disclosure obligations to authorities.
Interest balancing for Art. 6(1)(f) GDPR:
Our legitimate interests: Ensuring app security, quality assurance, fraud prevention, product improvement
Your interests: Data protection, privacy, control over your data
Balancing: Our interests prevail as they are essential for secure and functional app operation. You can object at any time (Art. 21 GDPR).
3. Storage duration
We store personal data only as long as necessary to achieve the respective purpose or as long as legal retention periods exist.
If processing is based on your consent, it ends with your revocation, unless another legal basis applies.
If data is no longer required for the original purpose, it is regularly deleted or anonymized, unless its (temporary) further processing is necessary to fulfill legal obligations or to protect legitimate interests.
Concrete retention periods:
Data Category | Purpose | Retention Period | Legal Basis |
---|---|---|---|
Log files (IP, Timestamp, User-Agent) | Security, Stability | 30 days | Art. 6(1)(f) GDPR |
User profile (Name, Email, Health data) | App functionality | Immediate deletion upon account deletion | Art. 6(1)(b) GDPR |
Avatar data and images | Personalization | Immediate deletion upon account deletion | Art. 6(1)(b) GDPR |
Meal photos | Nutrition analysis | Immediate deletion upon account deletion | Art. 6(1)(b) GDPR |
Analytics data (anonymized) | Product improvement | 2 months | Art. 6(1)(f) GDPR |
4. What data do we process and for what purpose?
4.1 App Download and Log Files
When you download our mobile app via an app store, the required information is transmitted to the app store, in particular username, email address and customer number of your account, time of download, payment information and the individual device identifier. We have no influence on this data collection and are not responsible for it. We only process the data to the extent necessary for downloading the mobile app to your mobile device.
When using our mobile app, we collect the personal data described below to enable the comfortable use of the function. If you want to use our mobile app, we collect the following data that is technically required for us to offer you the functions of our mobile app and to ensure stability and security:
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request
- Access status/HTTP status code
- Amount of data sent in bytes
- Source/reference from which you reached the page
- Browser used
- Language and version of browser software
- Operating system used and its interface
- IP address used (in anonymized form, shortened to 3 octets)
Processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our app. The data is not passed on or used in any other way. However, we reserve the right to subsequently check the aforementioned log files if there are concrete indications of unlawful use.
Furthermore, we require your unique device number (IMEI = International Mobile Equipment Identity), unique network subscriber number (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), possibly MAC address for WLAN use and the name of your mobile device. This data is used exclusively to provide the app functionality.
4.2 Registration and user account
To use Miobi, you must create a user account. For this we process:
Required information: First name, last name, email address
Login options:
- Apple Sign-In (Apple ID)
- Google Sign-In (Google account)
Profile picture can be changed at any time
Legal basis: Art. 6(1)(b) GDPR.
4.3 Content created by you
Miobi stores your health and nutrition data to provide you with personalized avatar experiences and health recommendations. This includes: user profile (name, email, date of birth, gender, body data), health goals, avatar data and images, meal photos, notification settings, and unit preferences. If you delete your account, all your data is automatically deleted from Firebase Auth and Firestore - we then have no access to it.
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(f) GDPR (legitimate interest in the ongoing operation of the platform).
4.4 Use of Your Photos and Camera Access
At the beginning of using our mobile app, we ask you in a pop-up for permission to use your camera and photos. If you do not grant consent, we do not use this data. You may not be able to use all functions of our app in this case. You can grant or revoke consent later in your operating system settings.
If you grant access to your camera and photos, the mobile app will only access your data and transfer it to our server to the extent necessary to provide the functionality:
Food Scan (Meal Photos): Your meal photos are stored in your personal Firebase Storage folder and used for AI-based nutrition analysis. These photos remain in your private storage area and are automatically deleted when you delete your account.
Avatar Creation (Onboarding Selfie): To generate your personalized avatar, you upload a temporary selfie once. This photo is transmitted exclusively to our AI model (Google Vertex AI) for avatar generation and is automatically deleted immediately after successful avatar creation (typically within 5-30 seconds). We do not permanently store your selfie. No biometric data, facial recognition data, or facial measurements are extracted or analyzed. The avatar generation is purely artistic and does not enable user identification or authentication.
Your photos are treated confidentially by us and deleted when you revoke the right to use them or they are no longer required to provide the service and there are no legal retention obligations.
Legal basis for processing is Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (contract fulfillment).
4.5 Subscription Management (RevenueCat & Superwall)
For the management of in-app purchases and subscriptions, we use the services RevenueCat (RevenueCat, Inc., 633 Tarava St, San Francisco, CA 94116, USA) and Superwall (Superwall, Inc., USA).
RevenueCat:
RevenueCat processes the following data: App User ID, Device ID (IDFV), purchase history, subscription status, platform (iOS/Android), app version, country. This data is used to synchronize your subscriptions across platforms, grant access to premium features, and manage subscription renewals.
Superwall:
Superwall processes the following data: App User ID, Device ID, paywall interactions, A/B test assignments. This data is used to show you personalized subscription offers and optimize conversion rates.
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment) for subscription management and Art. 6(1)(f) GDPR (legitimate interest) for optimizing paywall presentation.
Third country transfer USA: Both providers process data on servers in the USA. Protective measures: Standard Contractual Clauses (SCC 2021/914), technical encryption (TLS/SSL), pseudonymization of user IDs. RevenueCat and Superwall have joined the EU-US Data Privacy Framework.
Storage duration: RevenueCat stores subscription data for the duration of your active subscription plus 12 months for support purposes. Superwall stores paywall interactions for 90 days. Upon account deletion, all data is deleted unless legal retention obligations exist.
4.6 Contact with us
For support requests (email, in-app form) we process your name, your email address and the content of the message exclusively to process your request (Art. 6(1)(f) GDPR; possibly Art. 6(1)(b) GDPR, if contract-related). After final clarification, the data is deleted, unless statutory retention periods prevent deletion.
4.7 Push notifications
After consent (Art. 6(1)(a) GDPR) you receive push messages about Miobi care reminders or important app updates. Your device push tokens are stored server-side. You can deactivate push messages at any time in the app/system settings.
4.8 Web Analytics Services - Google Analytics 4
This app uses Google Analytics 4, a service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), with which the use of apps can be analyzed.
When using Google Analytics 4, so-called "cookies" are used by default. Cookies are text files that are stored on your device and enable an analysis of your use of the app. The information collected by cookies about your use of the app (including the IP address transmitted by your device, shortened by the last digits) is usually transmitted to a Google server and stored and processed there. This may also result in the transmission of information to the servers of Google LLC based in the USA and further processing of the information there.
When using Google Analytics 4, the IP address transmitted by your device when you use the app is always collected and processed by default and automatically only in an anonymized manner, so that direct personal identification of the collected information is excluded. This automatic anonymization is achieved by Google shortening the IP address transmitted by your device within member states of the European Union (EU) or other contracting states of the Agreement on the European Economic Area (EEA) by the last digits.
On our behalf, Google uses this and other information to evaluate your use of the app, to compile reports on your app activities or usage behavior, and to provide us with other services related to your app usage. The shortened IP address transmitted by your device as part of Google Analytics 4 is not merged with other Google data. The data collected as part of using Google Analytics 4 is retained for 2 months and then deleted.
Google Analytics 4 also enables the creation of statistics with statements about age, gender and interests of app users through a special function, the so-called "demographic features", based on an evaluation of interest-based advertising and with the inclusion of third-party information. This makes it possible to determine and distinguish user groups of the app for the purpose of target group-optimized alignment of marketing measures. However, data collected via the "demographic features" cannot be assigned to a specific person and therefore not to you personally. This data collected via the "demographic features" function is retained for two months and then deleted.
All processing described above, in particular the setting of Google Analytics cookies for storing and reading information on the device you use to use the app, is based on our legitimate interest in the statistical analysis of user behavior for optimization and marketing purposes according to Art. 6(1)(f) GDPR.
We have concluded a so-called data processing agreement with Google for our use of Google Analytics 4, through which Google is obliged to protect the data of our app users and not to pass it on to third parties. For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European data protection level based on an adequacy decision by the European Commission.
4.9 Firebase Services
In addition to Google Analytics 4, we use the following Firebase services to improve stability, performance and user experience:
Service | Provider | Purpose | Retention |
---|---|---|---|
Firebase Crashlytics | Google Ireland Ltd. | Crash reports (anonymized) | 90 days |
Firebase Cloud Messaging | Google Ireland Ltd. | Push notifications | as long as token is active |
All data is processed IP-anonymized. Google LLC is certified under the EU-US Data Privacy Framework; a data processing agreement according to Art. 28 GDPR exists.
These services are required for the app's core functionality and cannot be disabled separately. Legal basis is Art. 6(1)(f) GDPR (legitimate interest).
4.10 AI-powered functions
Miobi uses Artificial Intelligence (AI) for two main functions: Food Scan for nutrition analysis and Avatar generation for your personalized Miobi character.
Food Scan: When you take a photo of your meal, it is transmitted to Google Vertex AI to analyze nutritional values and health insights. The photo is stored in your personal Firebase Storage and the AI analysis is provided for you in Firestore.
Avatar Generation: During onboarding, you upload a temporary selfie that is processed by Google Vertex AI to create your personalized Miobi avatar. The selfie is deleted immediately after avatar generation (typically within 5-30 seconds). No biometric data, facial recognition data, or facial measurements are extracted, stored, or analyzed. The process is purely artistic avatar generation and does not enable user identification or authentication. You initially receive 1 avatar style, with 6 additional styles unlocked upon subscription.
Important notice: AI analyses serve informational purposes only and do not replace medical advice. You can object to AI processing (Art. 21(2) GDPR), which however limits the core functions of the app.
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment) for app functionality and Art. 6(1)(f) GDPR (legitimate interest) for improving AI models. Third country transfer: AI processing occurs on Google Cloud servers (USA/EU). Protective measures: EU-US Data Privacy Framework, Standard Contractual Clauses.
Technical details on AI processing:
Models: Google Vertex AI (nutrition analysis and avatar generation)
Provider: Google Cloud Platform (USA/EU) - Data processor according to Art. 28 GDPR
Processing logic: 1) Image recognition of food and nutritional analysis, 2) Facial recognition for avatar style generation
Automated processing: Nutritional calculation and avatar creation without human decision, but without legal effect
Processed categories: Food types, portion sizes, nutritional values, facial features for avatar style
Your rights: Objection to AI processing (Art. 21 GDPR), Information about processing logic, Deletion of AI data
Consequences of objection: Limitation of Food Scan and Avatar functions, as these are essential for the app
4.11 App Tracking Permission (iOS)
Our iOS app contains a permission for app tracking that is technically required as some development libraries we use may require this permission.
Important notice: We do NOT actively use this permission for tracking purposes. Miobi does not perform tracking for advertising purposes and does not collect personal data for advertising.
The permission serves exclusively for technical compatibility with development libraries we use. Should the system display a corresponding request, you can decline it without any functional limitations.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical compatibility). Since no actual tracking takes place, you experience no data protection disadvantages.
5. Hosting and infrastructure
We host our app services with Google Cloud / Firebase (Google Ireland Ltd.). Data processing takes place primarily in data centers within the EU (Frankfurt, Belgium). In case of emergency replication, AI processing or support cases, data may be transmitted to the USA.
Third country transfer to the USA (Art. 44 ff. GDPR):
Notice: Your data may be transmitted to the USA. The following protective measures apply:
- EU-US Data Privacy Framework (EU Commission Adequacy Decision of 10.07.2023)
- Standard Contractual Clauses (SCC 2021/914) as additional guarantee
- Technical protective measures: AES-256 encryption, pseudonymization, zero-knowledge architecture
- Organizational measures: Data protection impact assessment, regular compliance audits
- Legal assessment: Continuous monitoring of US legal situation (Schrems II-compliant)
Risks of US transfer: Despite protective measures, US authorities may access your data under certain circumstances (FISA, CLOUD Act). You have the right to object to US transfer, which however limits AI functions and thus the core functionality of the app.
Alternatives: In case of objection to US transfer, your account will be deactivated as AI-powered nutrition analysis and avatar generation are essential for the app. An EU-only version is currently not available.
6. Rights of the Data Subject
The applicable data protection law grants you comprehensive data subject rights (information and intervention rights) vis-à-vis the controller with regard to the processing of your personal data, about which we inform you below:
- Right of access according to Art. 15 GDPR: You have in particular a right to information about your personal data processed by us, the processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it was not collected by us from you, the existence of automated decision-making including profiling and, if applicable, meaningful information about the logic involved and the scope and intended effects of such processing concerning you, as well as your right to be informed which guarantees according to Art. 46 GDPR exist when your data is forwarded to third countries.
- Right to rectification according to Art. 16 GDPR: You have a right to immediate rectification of incorrect data concerning you and/or completion of your incomplete data stored with us.
- Right to erasure according to Art. 17 GDPR: You have the right to request the erasure of your personal data if the requirements of Art. 17(1) GDPR are met. However, this right does not exist in particular if the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.
- Right to restriction of processing according to Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data disputed by you is being verified, if you refuse erasure of your data due to unlawful data processing and instead request restriction of the processing of your data, if you need your data for the establishment, exercise or defense of legal claims after we no longer need this data after the purpose has been achieved, or if you have lodged an objection for reasons of your particular situation as long as it is not yet established whether our legitimate grounds override.
- Right to notification according to Art. 19 GDPR: If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients.
- Right to data portability according to Art. 20 GDPR: You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request transmission to another controller, insofar as this is technically feasible.
- Right to withdraw given consents according to Art. 7(3) GDPR: You have the right to withdraw consent to the processing of data at any time with effect for the future. In the event of withdrawal, we will delete the affected data immediately, unless further processing cannot be based on a legal basis for processing without consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint according to Art. 77 GDPR: If you believe that the processing of personal data concerning you violates the GDPR, you have - without prejudice to any other administrative or judicial remedy - the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. Responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach.
RIGHT TO OBJECT
IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF A BALANCING OF INTERESTS DUE TO OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL END THE PROCESSING OF THE DATA CONCERNED. HOWEVER, FURTHER PROCESSING REMAINS RESERVED IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL END THE PROCESSING OF THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.
Special rights for AI processing:
Since we perform AI-based nutrition analysis and avatar generation, you have additional rights: 1) Detailed information about AI processing logic (Art. 15(1)(h) GDPR), 2) Objection to AI processing (Art. 21(2) GDPR), 3) Rectification of incorrect AI data, 4) Deletion of your AI analyses, 5) Restriction of AI processing. To exercise these rights, contact us at info@miobi.app.
Avatar generation and biometric data:
Your onboarding selfie is only used for avatar generation and is deleted immediately after creation. This facial recognition does not serve biometric authentication or identification. No biometric data, facial measurements, or facial recognition data is extracted, stored, or analyzed. The selfie is used exclusively for artistic avatar generation. If we introduce biometric authentication functions in the future, we will inform you in good time and obtain separate consent (Art. 9 GDPR).
Minors:
The app is exclusively intended for users aged 13 and over; we do not process data from persons under 13.
Contact and Exercise of Your Rights
For all inquiries about your data subject rights, data protection questions or to exercise your rights, you can reach us at:
By post: Featuring GmbH, Tal 44, 80331 Munich, Germany
7. Duration of Storage of Personal Data
The duration of storage of personal data is determined by the respective legal basis, the processing purpose and - if applicable - additionally by the respective statutory retention period (e.g. commercial and tax retention periods).
When processing personal data on the basis of express consent according to Art. 6(1)(a) GDPR, the data concerned is stored until you withdraw your consent.
If statutory retention periods exist for data that is processed on the basis of Art. 6(1)(b) GDPR in the context of contractual or contract-like obligations, this data is routinely deleted after the retention periods expire, provided it is no longer required for contract fulfillment or contract initiation and/or we have no legitimate interest in continued storage.
When processing personal data on the basis of Art. 6(1)(f) GDPR, this data is stored until you exercise your right to object according to Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
When processing personal data for the purpose of direct marketing on the basis of Art. 6(1)(f) GDPR, this data is stored until you exercise your right to object according to Art. 21(2) GDPR.
Unless otherwise stated in the other information in this declaration about specific processing situations, stored personal data is otherwise deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.
8. Changes to this Privacy Policy
Legal, technical or organizational changes may require an adjustment of this privacy policy. We will inform you in good time about significant changes in the app. Your continued use after the entry into force is considered consent. Otherwise, you can delete your account at any time.
Previous versions of this privacy policy are available upon request.