PappAI
Try free

Privacy Policy

How Electric Flock Ltd collects, uses, and protects your personal data.

Version 1.8 · In force · 18 June 2026

1. Data controller

The data controller for PappAI is Electric Flock Ltd, a company incorporated in England and Wales (Company Number 16375990), with registered office at 27 Old Gloucester Street, London, United Kingdom WC1N 3AX.

Privacy enquiries: privacy@pappai.it. General support: support@pappai.it.

2. Scope of this policy

This policy applies to personal data that Electric Flock Ltd processes as a data controller — specifically, data relating to nutrition professionals who register for or use the PappAI platform.

PappAI also acts as a data processor when nutrition professionals (acting as data controllers in their own right) use the platform to store and manage their patients' health data. In that capacity, our processing is governed by the Data Processing Agreement (DPA) entered into with the professional, not by this policy. The professional remains solely responsible for the lawfulness of processing their patients' data and for providing patients with appropriate privacy information.

3. Personal data we collect about professionals

  • Account data: name, email address, professional role, and credentials provided at registration.
  • Billing data: subscription plan, payment status. Card details are processed directly by Stripe and are not stored by Electric Flock Ltd.
  • Usage and operational data: log-in timestamps, feature interactions, and error reports necessary to operate and improve the service.
  • Security and audit logs: access records and AI interaction logs retained for security monitoring and compliance purposes.
  • Communications: support requests and correspondence sent to our team.

4. Purposes and legal bases

PurposeLegal basis (UK GDPR / EU GDPR)
Providing the SaaS platform and subscription serviceArt. 6(1)(b) — performance of a contract
Account creation and authenticationArt. 6(1)(b) — performance of a contract
Billing and payment processingArt. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (VAT, accounting)
Security monitoring, abuse prevention, and audit loggingArt. 6(1)(f) — legitimate interests (protecting the platform and its users)
Service improvement and debuggingArt. 6(1)(f) — legitimate interests (improving reliability and user experience)
Compliance with legal and regulatory obligationsArt. 6(1)(c) — legal obligation

We do not use your data for advertising, profiling for marketing purposes, or automated decision-making that produces legal or similarly significant effects.

5. Recipients and sub-processors

We share personal data only where necessary to provide the service. Our key sub-processors are:

  • Google LLC / Google Ireland Ltd (Firebase Authentication, Firebase Cloud Messaging, Google Cloud Platform, Cloud Run, Cloud Storage, Vertex AI, Google Workspace for Meet video consultations; Google Analytics 4 for public website analytics, subject to consent) — authentication, infrastructure, AI, push notifications, video conferencing.
  • Stripe, Inc. — payment processing for practitioner (SaaS) and patient-practitioner payments via Stripe Connect. Stripe acts as an independent controller for certain payment data under applicable law.

We do not sell personal data to third parties. We do not share data with advertising networks. An up-to-date list of sub-processors (including current DPA versions) is available on request at privacy@pappai.it.

6. International transfers

Some of our sub-processors (including Google and Stripe) may process data outside the UK and the European Economic Area. Where such transfers occur, we rely on appropriate safeguards:

  • For transfers from the UK: the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
  • For transfers from the EEA: the European Commission Standard Contractual Clauses (SCCs).
  • Where applicable, adequacy decisions adopted by the UK Secretary of State or the European Commission.

7. Retention

  • Practitioner account data: retained for the duration of your subscription and for up to 3 years after account closure, to handle disputes and comply with statutory obligations.
  • Patient health data (Art. 9 GDPR): processed by PappAI as a data processor on behalf of the professional (the controller). The retention period is determined by the professional in accordance with their own professional and ethical obligations and applicable tax obligations; PappAI does not act as a repository of clinical records, nor does it independently impose clinical-health retention terms. The arrangements are governed by the Data Processing Agreement (DPA).
  • Billing and financial records: retained for 10 years in Italy (Art. 2220 Civil Code) and 7 years in the United Kingdom, depending on the applicable jurisdiction of the controller/practitioner.
  • Data transmitted to the Italian Healthcare Card System (Sistema TS): retained for 10 years for fiscal compliance (Art. 2220 Italian Civil Code).

8. Your rights

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate data corrected.
  • Right to erasure — to request deletion of your data, subject to legal retention obligations.
  • Right to restriction — to limit how we process your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, machine-readable format.
  • Right to object — to object to processing based on legitimate interests.
  • Right not to be subject to automated decisions — we do not make solely automated decisions with legal or similarly significant effects.

To exercise any of these rights, contact us at privacy@pappai.it. We will respond within one month. We do not charge a fee for standard requests.

9. Right to complain to a supervisory authority

If you are based in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

If you are based in the European Union, you may lodge a complaint with the supervisory authority in your country of residence or establishment (e.g., Garante Privacy in Italy, AEPD in Spain, CNIL in France, BfDI in Germany, CNPD in Portugal).

We encourage you to contact us first so we can address your concern directly.

10. Health and fitness data in the mobile app (Apple Health / HealthKit)

The PappAI mobile app is provided directly to you, the end user, and for the data described in this section Electric Flock Ltd acts as data controller. You can create your account with email, Google, or Sign in with Apple. With your explicit consent, the app can connect to Apple Health (HealthKit) on iOS — and to equivalent platforms on other systems — to import your fitness and body-measurement data so you can track your progress. This connection is entirely optional: the app is fully usable without it, and you can grant or withdraw access at any time from your device's system settings.

When you enable the integration, the app reads the following data from Apple Health:

  • Body weight
  • Step count and active energy burned (calories)
  • Heart rate
  • Height, body-fat percentage and sleep analysis — only if you grant the optional additional permission

When you log information in PappAI, and only if you allow it, the app writes the following back to Apple Health so your records stay in sync:

  • Body weight you log in the app
  • Water intake (hydration) you log in the app

Health and fitness data you choose to share is sent to our servers (Google Cloud Platform) solely to provide the in-app progress-tracking features and, where you are linked to a nutrition professional, to make it available to that professional within the platform. We process this data on the basis of your explicit consent (Art. 9(2)(a) UK/EU GDPR) and to perform our agreement with you (Art. 6(1)(b)). We never use Apple Health (HealthKit) data — or any other health and fitness data — for advertising or marketing, we never sell it, and we never share it with third parties for their own purposes. HealthKit data is used exclusively to deliver health and fitness features inside PappAI, consistent with Apple's HealthKit requirements.

If you use the optional AI meal-recognition feature, the meal photo you capture is processed by our AI sub-processor (Google Vertex AI) for the sole purpose of estimating the foods and their nutritional values shown in the image. Meal photos are not used for advertising and are not used to train third-party advertising models; this processing is governed by Section 5 (sub-processors) and Section 6 (international transfers).

You can disconnect Apple Health at any time from iOS Settings, and you can request deletion of synced health data through in-app account deletion or by contacting privacy@pappai.it (see Section 7 on retention).

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify registered users by email or via an in-app notice at least 14 days before the changes take effect. The current version and its effective date are shown at the top of this page.

We value your privacy

We use cookies to improve your experience, analyse site traffic, and enable personalised features. You can accept all cookies, reject non-essential ones, or manage your preferences. Cookie Policy