Privacy Policy
Effective Date: April 20, 2026 · Last Updated: April 20, 2026
Nutrition DAO ("NDAO," "we," "us") is a decentralized non-profit initiative operated by Heart Media Agency Inc. This Privacy Policy describes how we collect, use, store, share, and protect information when you interact with our website, our consumer application Phytos, our enterprise product Conquer, our AR-powered food label system Nutrition One, our health coach certification program Optima, our DAO governance infrastructure, and any associated services, APIs, or protocols (collectively, the "Platform").
By accessing or using any part of the Platform, you acknowledge that you have read and understood this Privacy Policy.
1. Our Privacy Principles
Nutrition DAO is built on a foundational belief: your health data belongs to you. Our architecture is designed around data sovereignty, programmable privacy, and the principle that no corporation should hold monopolistic power over the most intimate information about your body. We adhere to: data minimization, purpose limitation, privacy by design (using zero-knowledge proofs), user sovereignty, and transparency.
2. Information We Collect
2.1 Information You Provide Directly
Account and profile data: When you create an account or participate in DAO governance, we may collect your name, email address, username, and cryptocurrency wallet address(es).
Health and nutrition data (Phytos): If you use the Phytos app, you may voluntarily provide dietary inputs, meal logs, activity data, wellness goals, supplement protocols, sleep patterns, and other health-related information. Phytos models your body across seven health signals: microbiome health, glucose response, phytonutrient diversity, hormone balance, inflammation markers, BMR, and nutrient density.
Biometric and wearable data: If you connect wearable devices, the Platform may ingest data streams including heart rate variability (HRV), VO2 max, step counts, sleep staging, and blood glucose readings.
Epigenetic data: As our protocol matures, Phytos will support integration of epigenetic test results, including methylation clock data and biological age assessments. This data is provided at your sole discretion and is treated with the highest level of protection.
Enterprise data (Conquer): Aggregated and anonymized employee health metrics may be processed. Individual employee data is never shared with employers in identifiable form.
Donations: When you donate via cryptocurrency, we record the transaction hash, wallet address, amount, and network. We do not collect credit card numbers or fiat payment information.
2.2 Information Collected Automatically
We collect basic analytics including device type, browser type, operating system, pages visited, time spent, and referral sources. Our servers automatically record IP addresses, access times, and request metadata for security and operational purposes.
2.3 Blockchain and On-Chain Data
Transactions conducted through the NDAO protocol — including token transfers, staking actions, governance votes, and donation transactions — are recorded on public blockchains. Wallet addresses, transaction amounts, timestamps, and smart contract interactions are inherently public and immutable. We do not control or have the ability to delete on-chain data.
Soulbound Tokens (SBTs): The Platform may issue non-transferable Soulbound Tokens to represent verified health milestones, governance participation, and reputation. SBT metadata is designed to verify achievements without revealing underlying health data, using zero-knowledge proofs where technically feasible.
3. How We Use Your Information
We use your information to operate the Phytos app and generate personalized nutrition models; calculate and distribute $PHYTOS utility tokens based on health milestones; facilitate DAO governance; improve our open-source nutrition algorithms; provide enterprise analytics (Conquer) using only aggregate, anonymized data; send service-related notices and community updates; detect and prevent abuse, Sybil attacks, and smart contract exploits; and comply with applicable laws and regulations.
4. Health Data: Special Protections
We recognize that health and nutrition data is among the most sensitive categories of personal information. We apply enhanced protections:
No sale of health data: We will never sell, rent, or license your individual health data to any third party, under any circumstances.
No employer access to individual data: In Conquer, employers receive only aggregate, de-identified workforce wellness metrics.
Zero-knowledge proofs: Our protocol leverages zk-proofs to validate health data and verify milestones without exposing underlying sensitive information.
Core principle: No monopolistic power over data in apps. Your health data is yours. The protocol validates it, the community benefits from aggregated insights, but no corporation owns the most intimate information about your body.
5. AI Agents and Automated Processing
Phytos uses AI agents — a nutrition agent, metabolic agent, microbiome agent, and circadian agent — to deliver personalized health recommendations. AI agents process your data locally where possible. Automated decisions include health signal scoring, reward multiplier calculations, and adaptive nutritional recommendations. You may request human review of any significant automated decision that affects your token rewards or account standing.
AI models are continuously improved using aggregated, anonymized data only. Our commitment to open-source algorithms means the logic behind AI recommendations is transparent and auditable by the community.
6. How We Share Information
We do not sell personal data. We may share information with trusted service providers contractually bound to process data only on our behalf; with public blockchain networks for on-chain transactions; with academic researchers and public health organizations using anonymized, aggregated datasets only; and as required by law or legal process.
7. Data Retention
Account data is retained while your account is active. Health data is permanently erased within 30 days of account deletion. On-chain data is immutable and cannot be deleted. Log and analytics data is retained for up to 12 months and then deleted or anonymized.
8. Data Security
We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, regular security audits, and monitoring. Smart contracts undergo independent security audits before deployment. We encourage you to protect your wallet credentials and use hardware wallets for significant token holdings.
9. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data; to restrict or object to its processing; to withdraw consent at any time; and to request human review of significant automated decisions. To exercise any of these rights, contact us at arun@nutritiondao.com. We will respond within 30 days.
10. International Data Transfers
Your data may be processed in Canada, the United States, or other jurisdictions where our service providers operate. For EEA, UK, and Swiss users: we rely on consent, contractual necessity, and legitimate interests, ensuring compliance with GDPR and UK GDPR. For Canadian users: we comply with PIPEDA and applicable provincial legislation.
11. Cookies and Tracking
We use essential cookies for site functionality, session management, and security only. We do not use cookies for advertising or cross-site tracking. We do not integrate third-party advertising networks.
12. Children's Privacy
The Platform is not directed at individuals under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, contact us immediately and we will delete it promptly.
13. Open-Source Algorithms and Transparency
Nutrition DAO is committed to open-sourcing its nutrition algorithms so the global community can audit, improve, and build upon our models. Open-source code does not create any right for third parties to access user data. The separation of open-source logic from private user data is a core architectural principle.
14. Third-Party Integrations
The Platform may integrate with wearable device APIs, nutritional databases (FoodData Central, Nutritionix, Phenol-Explorer, FooDB, McCance & Widdowson, NuVal), blockchain networks (Base, Ethereum, and future Superchain infrastructure), and DeFi platforms. Each is governed by its own privacy policy. We are not responsible for third-party privacy practices.
15. Nutrition One (AR Food Labels)
Nutrition One processes camera data locally on your device to identify food items and overlay nutritional intelligence. Camera feeds are not transmitted to our servers or stored. Only the identified food item and your nutritional context are processed to generate personalized AR overlays.
16. Changes to This Policy
We may update this Policy to reflect changes in our practices, technology, legal requirements, or governance decisions. Material changes will be communicated through the Platform. Continued use after changes constitutes acceptance.
17. Governing Law
This Privacy Policy is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. Where GDPR, UK GDPR, or other data protection regulations apply, those regulations take precedence with respect to the rights they confer.