Privacy Policy
Last updated: June 2026
Nourishly ("Nourishly", "we", "us", or "our") operates Hista AI, a web-based application designed to help people manage histamine intolerance and related conditions (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data.
By creating an account or otherwise using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
1. Information We Collect
1.1 Information you provide directly
- Account information: name, email address, and password (encrypted) when you sign up.
- Health and lifestyle data: food and symptom logs, reaction events, medication and supplement records, diagnosis status (e.g. histamine intolerance, MCAS, DAO deficiency), dietary preferences, sleep, stress, and cycle-tracking information you choose to log.
- Communications: messages you send to our AI companion, support requests, and any feedback you provide.
- Payment information: if you subscribe to a paid plan, billing details are collected and processed by our payment provider (see Section 5). We do not store full card numbers ourselves.
1.2 Information collected automatically
- Usage data: pages visited, features used, timestamps, and general interaction patterns within the app, used to improve the Service.
- Device and technical data: browser type, operating system, IP address, and device identifiers, primarily for security, fraud prevention, and troubleshooting.
- Cookies and similar technologies: see Section 7 for details.
1.3 Sensitive health data
Much of the information you log within Hista AI constitutes health data under data protection laws such as the UK/EU General Data Protection Regulation (GDPR). We treat this information with the highest level of care. By using the Service and voluntarily entering this information, you provide your explicit consent to our processing of this data for the purposes described in this policy. You may withdraw this consent at any time by deleting your account (see Section 9).
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service, including generating your Trigger Fingerprint, reaction forecasts, and personalised insights;
- Power our AI companion features, which may involve sending relevant portions of your logged data to third-party AI providers as described in Section 4;
- Communicate with you about your account, including service updates, security alerts, and support responses;
- Process payments and manage subscriptions;
- Improve, test, and develop new features, using aggregated or de-identified data wherever possible;
- Detect, investigate, and prevent fraudulent transactions and other illegal activities, and protect the rights and safety of Nourishly, our users, and the public;
- Comply with applicable legal obligations.
We do not sell your personal or health data to third parties, and we do not use your health data for advertising purposes.
3. Legal Basis for Processing (GDPR)
If you are located in the UK or European Economic Area, our legal bases for processing your information are:
- Consent — for processing health data and for optional communications such as marketing emails, which you may withdraw at any time;
- Contract — to provide the Service you have signed up for, including subscription management;
- Legitimate interests — for security, fraud prevention, and improving our Service, balanced against your rights and freedoms;
- Legal obligation — where we are required to retain or disclose information by law.
4. AI Processing of Your Data
Hista AI's companion and analysis features are powered by large language models provided by third-party AI infrastructure providers. When you interact with the AI companion, or when our system generates forecasts, fingerprints, or insights on your behalf, relevant data (such as your recent food and symptom logs, or your message text) may be transmitted to these providers for the sole purpose of generating a response or analysis.
These providers process this data under their own data processing agreements and do not use your data to train their general-purpose models. We select providers that meet recognised security and data protection standards. Data sent for AI processing is transmitted securely and is not retained by the AI provider beyond what is necessary to generate the response.
5. Third-Party Service Providers
We work with carefully selected third-party providers to operate the Service, including:
- Hosting and database infrastructure — to securely store your account and health data, with row-level security ensuring only you can access your own records;
- Payment processing — our subscription payments are processed by a third-party payment provider, who acts as the merchant of record. We do not store your full payment card details;
- AI infrastructure providers — as described in Section 4;
- Location and mapping services — used only when you actively use features such as restaurant search, and scoped to provide only the functionality requested;
- Analytics providers — to help us understand aggregate usage patterns and improve the Service.
Each of these providers is contractually obligated to protect your information and to use it only for the purposes we specify.
6. International Data Transfers
Your information may be processed and stored on servers located outside of your country of residence, including in jurisdictions that may not have data protection laws equivalent to those in your home jurisdiction. Where this occurs, we ensure appropriate safeguards are in place, such as standard contractual clauses, to protect your information in accordance with this Privacy Policy and applicable law.
7. Cookies and Tracking
We use the following cookies and similar technologies:
- Essential cookies: required for the Service to function, such as keeping you signed in and remembering your session across our marketing site and application.
- Analytics cookies: help us understand how visitors use our site so we can improve it. These are only set with your consent.
You can manage your cookie preferences at any time using the cookie banner presented on your first visit, or by clearing your browser's cookies. Disabling essential cookies may prevent the Service from functioning correctly.
8. Data Retention
We retain your personal and health data for as long as your account remains active, or as needed to provide you the Service. If you delete your account, we will delete or anonymise your personal and health data within 30 days, except where we are required to retain certain information for longer to comply with legal obligations, resolve disputes, or enforce our agreements (for example, financial records relating to payments may be retained as required by tax law).
9. Your Rights
Depending on your location, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your account and associated data ("right to erasure");
- Export your data in a portable format ("right to data portability");
- Restrict or object to certain processing of your data;
- Withdraw consent at any time where processing is based on consent.
You can exercise most of these rights directly within the app under Settings → Privacy, including exporting or permanently deleting your data. For any other requests, contact us using the details in Section 13.
10. Data Security
We implement industry-standard technical and organisational measures to protect your information, including encryption of data in transit and at rest, row-level access controls ensuring your health data is only accessible to you, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of material changes by email or through a notice within the Service prior to the change becoming effective. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at support@histaai.com.
14. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law provisions, except where local data protection law grants you additional rights that cannot be waived.
See also our Terms of Service.