Shervy AI — Last updated: 17 June 2026
Shervy AI is operated by Vincent Chew, an individual developer.
If you are in the European Union or United Kingdom you may contact us at the address above to exercise your rights under GDPR or UK GDPR.
We collect only the data necessary to provide personalised nutrition coaching.
| Category | Data Elements | Source |
|---|---|---|
| Identity | Name, email address | Apple/Google Sign-In at account creation |
| Body metrics | Weight, height, biological sex, age, activity level, goal | Provided by you during onboarding |
| Food logs | Meal names, macro estimates (calories, protein, carbs, fat), timestamps | Entered by you via chat, photo, or voice |
| Meal photos | Camera frames captured for food recognition | Captured in-app with your permission; immediately discarded after AI processing — not stored |
| HealthKit data |
Read: steps, active energy, sleep duration, workouts, body mass Written back: dietary energy, protein, carbohydrates, fat, water |
Apple HealthKit on-device (requires explicit iOS permission) |
| Coaching memory | Structured facts extracted from your conversations (food preferences, dislikes, routines, life context, goals, struggles); stored as records and vector embeddings | Extracted from your chat messages by AI |
| Session summaries | Rolling structured summaries of recent coaching conversations | Generated automatically from chat history |
| Authentication tokens | Apple refresh token (encrypted at rest); Google identity token (session only) | Provided by Apple/Google during sign-in |
| Purchase history | Subscription status, entitlement level, purchase receipts | Apple App Store via RevenueCat |
We share data with the following third-party service providers as necessary to operate Shervy. We do not sell your personal data and do not share it with advertisers.
| Subprocessor | Role | Data shared | Location |
|---|---|---|---|
| Supabase (supabase.com) | User authentication and identity management | Email address, session tokens, Apple refresh token (encrypted) | US / EU |
| Cloudflare (cloudflare.com) | API server (Cloudflare Workers) and database (D1); data stored in Cloudflare global network | All app data described in Section 2, except meal photos | Global CDN / US primary |
| Vercel AI Gateway (vercel.com) | Stateless AI request routing proxy. Routes AI requests to Google on our behalf. Acts as a pass-through layer and does not persistently store conversation content. | Meal photo content (during processing only), coaching conversation text, coaching memory facts | US / EU |
|
Google (Gemini) (ai.google.dev) Our AI vendor |
AI recognition and coaching generation. Google's Gemini models:
|
Meal photo content (during processing only), coaching conversation text, coaching memory facts (text and vector embeddings) | Global (Google infrastructure) |
| RevenueCat (revenuecat.com) | Subscription and in-app purchase management; App Store receipt validation | RevenueCat user ID, purchase history, subscription entitlement | US |
| Apple / Google | Sign-In identity providers | Identity token used for account creation/sign-in; Shervy does not receive your Apple/Google password | Apple: US / Google: Global |
Important: All AI requests — for photo recognition, coaching chat, and memory embedding — flow through Vercel AI Gateway to Google (Gemini). There are no other AI vendors involved. Your data is never sent to any other large language model provider.
We process your personal data on the following legal grounds:
| Data Category | Retention Period |
|---|---|
| Account data (profile, food logs, body metrics) | Until account deletion. Deleting your account triggers an immediate cascade deletion of all associated data. |
| Meal photos | Deleted immediately after AI processing. Photos are never stored persistently on our servers. |
| Coaching memory facts and embeddings | Until account deletion. |
| Session summaries | Until account deletion. |
| Authentication logs (Supabase) | 30-day rolling window per Supabase defaults. |
| Purchase history (RevenueCat) | Per RevenueCat's retention policy; required for subscription management and App Store receipt validation. |
If you are in the EU or UK, you have the following rights:
| Right | How to exercise it |
|---|---|
| Access (Art. 15) — receive a copy of all data we hold about you | Email shervyai.1@gmail.com with the subject "Data Export Request — Shervy AI". We will verify your identity against your registered account and return a JSON export of your profile, food logs, coaching memory facts, session summaries, and body metrics within 30 days. |
| Erasure (Art. 17) — delete all your data |
Use the in-app Profile → Account → Delete Account feature,
which triggers an immediate cascade deletion of your profile, food logs, coaching memory,
vector embeddings, and session summaries from all Shervy systems. Alternatively, email shervyai.1@gmail.com with the subject "Data Deletion Request — Shervy AI" if in-app deletion is unavailable. We will complete manual deletion within 30 days after identity verification. |
| Rectification (Art. 16) — correct inaccurate data | Update your profile directly in-app, or email shervyai.1@gmail.com. |
| Portability (Art. 20) — receive your data in a portable format | Included in the Art. 15 export. We provide data in JSON format. |
| Objection (Art. 21) — object to processing based on legitimate interests | Email shervyai.1@gmail.com. We will review and respond within 30 days. |
All GDPR requests are directed to: shervyai.1@gmail.com. We will verify your identity (by matching your request to your registered account or Apple relay email) before processing any export or deletion to prevent unauthorised access to another user's data.
You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national supervisory authority in the EU) if you believe your rights have been infringed.
| Data | Protection |
|---|---|
| All API traffic (app ↔ server) | TLS 1.3 in transit for all connections to Cloudflare Workers and Supabase Auth. |
| Database at rest (D1) | Cloudflare manages AES-256 at-rest encryption for D1 (Cloudflare-managed key). |
| Apple refresh token |
Encrypted with AES-GCM 256-bit before storage in Supabase using a
server-side encryption key (APPLE_RT_ENC_KEY) that is never exposed
to the client.
|
| HealthKit data | HealthKit data is processed on-device by Apple's HealthKit framework before being sent to Shervy's server. Apple encrypts HealthKit data on-device per iOS security standards. |
| Auth session tokens (client-side) |
Stored in an AES-256 encrypted MMKV store on your device, with the
encryption key protected by iOS Keychain (SecureStore.WHEN_UNLOCKED).
|
Shervy AI is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child under 13, please contact shervyai.1@gmail.com immediately and we will delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Policy periodically. Continued use of Shervy after changes are posted constitutes acceptance of the updated Policy.