This Privacy Notice for SHINE DEVELOPMENT AND AI TECHNOLOGIES LTD (doing business as Shine AI) (‘we’, ‘us’, or ‘our’) describes how and why we may access, collect, store, use, and/or share (‘process’) your personal information when you use our services (‘Services’), including when you:

• Visit our website at https://shine-official.net/ or any website of ours that links to this Privacy Notice.
• Download and use our mobile application Median, or any other application of ours that links to this Privacy Notice.
• Engage with us in other related ways, including customer support, billing enquiries, or events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for deciding how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at info@shine-official.net or median.ai.official@gmail.com.

This section highlights key points from our Privacy Notice. For details, follow the links at the end of each point or use the table of contents to jump to the relevant section.

• What personal information do we process? When you visit, use, or navigate our Services, we may process information such as your phone number (for WhatsApp verification/support), age, height, weight, country, health-related inputs (e.g. chronic conditions, allergies), lifestyle inputs (sleep, exercise, sun exposure, diet type, disliked foods), diet entries for nutrition analysis, and standard system logs. Learn more about the information you provide to us.
• Do we process any sensitive (special category) information? Yes—health-related inputs (such as chronic conditions and food allergies) may be considered “special category” data in some jurisdictions. We process these only as necessary to provide personalised nutrition analysis and educational insights, and where required, with your consent. Learn more about sensitive information we process.
• Do we collect any information from third parties? No. We do not collect personal information from third parties. We use service providers (e.g. Firebase, Twilio, app store billing) to process information on our behalf. Learn more.
• How do we process your information? We process your information to provide, improve, and administer the Services; personalise nutrition analysis and insights; authenticate accounts; manage payments/subscriptions; prevent fraud and free-trial abuse; ensure security and reliability; and provide customer support and administrative communications (including WhatsApp, no marketing). We process information only when we have a valid legal basis. Learn more about how we process your information.
• In what situations and with which parties do we share personal information? We share information with service providers acting on our behalf (e.g. Firebase in us-central1, Twilio for WhatsApp/verification, Apple and Google Play billing, Paddle where applicable, and AI providers for de-identified content generation only), or as required by law. Learn more about when and with whom we share information.
• How do we keep your information safe? We apply organisational and technical safeguards, including encryption in transit and at rest, Firebase Security Rules and App Check, and role-based access with logging. However, no method of transmission or storage is 100% secure. Learn more about how we keep your information safe.
• What are your rights? Depending on your location, you may have rights under GDPR/UK GDPR/CPRA, including access, correction, deletion, portability, restriction, and objection. Learn more about your privacy rights.
• How do you exercise your rights? Use the in-app account deletion feature or contact us at median.ai.official@gmail.com or info@shine-official.net. We will respond in accordance with applicable data protection laws. Learn how to exercise your rights.

Want to learn more about what we do with the information we collect? Review the Privacy Notice in full.

1. What information do we collect?
2. How do we process your information?
3. What legal bases do we rely on to process your personal information?
4. When and with whom do we share your personal information?
5. Do we offer artificial intelligence-based products?
6. Is your information transferred internationally?
7. How long do we keep your information?
8. How do we keep your information safe?
9. Do we collect information from minors?
10. What are your privacy rights?
11. Controls for Do-Not-Track features
12. Do United States residents have specific privacy rights?
13. AI-based nutrition analysis
14. No medical advice disclaimer
15. WhatsApp-based communication
16. Third-party services used
17. Data retention
18. Do we make updates to this Notice?
19. How can you contact us about this Notice?
20. How can you review, update, or delete the data we collect from you?

In short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide when you register or sign in, use the Services, request support, make purchases or manage subscriptions, or otherwise contact us. The types of information we collect depend on your interactions and the features you use.

• Identifiers & contact details: Phone number (used for WhatsApp verification and administrative communications via Twilio).
• Profile & demographics: Age, height, weight, and country of residence.
• Health-related inputs (special category data): Chronic conditions and food allergies provided by you for personalised nutrition analysis and educational insights.
• Lifestyle inputs: Daily sleeping hours, weekly exercise count, sun exposure, diet type, and disliked foods.
• Diet entries: Meal details and related inputs required for nutrient analysis.
• System logs: Standard Firebase service logs (which may include IP addresses, timestamps, and device/application events) used for security, reliability, and abuse prevention.

Where required by law, we process health-related inputs only with your consent and solely to provide personalised nutrition analysis and educational insights. You may delete these inputs at any time in-app or by contacting us. See Your privacy rights.

Purchases are processed by the applicable app store or our payment provider. On Android and iOS, transactions are handled by Google Play Billing and Apple In-App Purchases; where applicable on web, payments may be processed by Paddle. We do not receive or store your full payment card number or security code. We receive limited information such as transaction identifiers and subscription status necessary to provide the Service and manage your purchases.

• Precise geolocation data.
• Photos, files, or your device’s contact list.
• Device sensor data (e.g. motion, microphone).
• Advertising or analytics identifiers from third-party ad networks (we do not use ad or analytics SDKs).

All personal information you provide must be true, complete, and accurate, and you should notify us of any changes to such information.

For how we use these categories, see How do we process your information?. For sharing with service providers (e.g. Firebase us-central1, Twilio, Apple/Google/Paddle), see When and with whom we share information.

In short: We process your information to provide, improve, and administer the Services; communicate with you; prevent fraud and abuse; and comply with law. We process personal information only when we have a valid legal basis and, where required, your consent.

• Account creation, authentication, and management: To let you register/sign in and keep your account in working order.
• Deliver and personalise the Services: To analyse your diet and provide tailored nutrition insights, checklists, and educational guidance.
• Customer support: To respond to enquiries and resolve issues.
• Administrative communications (no marketing): To send important notices about the Services, terms, policies, security, and billing—via in-app notices, email, or WhatsApp for administrative purposes only.
• Subscriptions and billing: To fulfil and manage purchases, subscriptions, and refunds through Google Play Billing, Apple In-App Purchases, and, where applicable, Paddle.
• Fraud and abuse prevention: To protect free-trial integrity and service reliability (including use of a one-way hashed anti-abuse token). See Retention.
• Security and service integrity: To operate, secure, and troubleshoot the Services using standard logs and safeguards (no third-party analytics SDKs).
• Feedback and quality improvement: To request non-marketing feedback and understand feature usage through aggregate/de-identified service data so we can improve the experience.
• Vital interests and legal obligations: To act where necessary to protect individuals and to comply with applicable laws and lawful requests.

• Personalised nutrition guidance: We use the health and lifestyle information you provide (e.g. age, weight, chronic conditions, allergies, diet type) to generate tailored, educational nutrition suggestions.
• Food and nutrient analysis: When you log meals, we estimate nutrient values (60+ vitamins, minerals, amino acids, etc.) and compare them to personalised daily targets to provide feedback and learning tips.
• Use of AI providers: We may use AI services for generic content generation only. We do not send health-related or personal data to AI providers; prompts are de-identified and limited in scope. We do not allow AI providers to train on our data.
• Improving our features: We may analyse aggregate, de-identified usage patterns to evaluate and improve our algorithms and user experience. This analysis does not train third-party models and does not identify you.

In short: We process personal information only when necessary and when we have a valid legal basis under applicable law—such as consent, performance of a contract, legitimate interests, compliance with legal obligations, or protection of vital interests.

• Consent: For processing health-related inputs (special-category data) and where required for certain optional features. You can withdraw consent at any time; see Your rights.
• Performance of a contract: To provide and personalise the Services you request, operate your account, and manage subscriptions and payments.
• Legitimate interests: To maintain security and service reliability; prevent fraud and free-trial abuse (including the hashed anti-abuse token); send administrative WhatsApp/email notices; and improve the Service using aggregate, de-identified data—balanced against your rights and freedoms.
• Legal obligations: To comply with laws, lawful requests, and to establish, exercise, or defend legal claims.
• Vital interests: To help protect an individual’s life or safety.

We act as the data controller for the personal information described in this Notice.

We rely on your consent (express or implied, as permitted) for the purposes described above. You may withdraw consent at any time. In limited cases, applicable law may allow processing without consent (e.g. fraud prevention, legal obligations, emergencies, or where required by court order).

In short: We share information only in specific situations and with service providers that help us operate the Services. These third parties act on our instructions under contracts that require confidentiality, appropriate safeguards, and deletion at our direction. We do not sell or “share” personal information for cross-context behavioural advertising, and we do not use advertising or analytics SDKs.

• Legal and compliance: To comply with laws or lawful requests, or to establish, exercise, or defend legal claims.
• Business transfers: In connection with a merger, acquisition, financing, or sale of assets. We will continue to protect your data and notify you of any material changes.

In short: Yes. Certain features use AI to generate educational guidance and explanations. These features are governed by this Privacy Notice and are not a substitute for professional medical advice. See No medical advice.

• We may use third-party AI services (currently OpenAI and Google) for generic content generation only (e.g., rephrasing tips, templated explanations).
• We do not send health-related or personal data to AI providers. Prompts are de-identified and limited in scope, and we do not permit providers to train on our data.
• You must not use AI features in ways that violate applicable laws or the providers’ terms.

• AI insights & explanations: Help present educational nutrition guidance based on your logged data.
• Natural language processing: Generate readable summaries and learning tips inside the app.

All AI-related processing aligns with this Notice and our vendor agreements. We apply technical and organisational safeguards and restrict prompts to de-identified content. We may analyse aggregate, de-identified usage patterns to improve our features; this analysis does not train third-party models and does not identify you.

If you prefer not to use AI-assisted features, you may limit your use of those features and/or contact us at median.ai.official@gmail.com or info@shine-official.net to discuss options. You can also delete your health inputs or your account at any time; see How to review, update, or delete data.

In short: Yes. We may transfer, store, and process your information in countries other than your own.

Our primary hosting is provided by Google Firebase in the United States (us-central1). If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States and in other countries where our service providers (see When and with whom we share information) operate.

If you are located in the EEA, UK, or Switzerland, please note that these countries may not provide the same level of data protection as your home jurisdiction. We implement appropriate safeguards to protect your personal information in accordance with this Notice and applicable law.

For transfers of personal information from the EEA/UK to countries without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (and the UK addendum where applicable) with our service providers. These require recipients to protect personal information in line with European data protection laws. Details of these safeguards can be provided upon request.

Note: We do not currently use EU-region Firebase hosting; data is hosted in us-central1 with SCCs and vendor safeguards in place.

In short: We keep personal information only as long as necessary for the purposes described in this Notice, unless a longer retention is required or permitted by law (e.g., tax or accounting obligations).

• While your account is active: We retain your profile and app data to operate and personalise the Service.
• When you delete your account: We delete personal data from production systems promptly. Operational backups may persist for up to 30 days and are then purged automatically.
• Anti-abuse protection: To enforce free-trial limits and prevent abuse, we retain a one-way hashed token derived from your phone number for 12 months. This hash is stored separately, cannot be used to contact you, and is deleted after the retention period.
• Payments and compliance: Limited transaction records may be retained as required by law and for fraud prevention, chargebacks, and audit purposes.

When we no longer have an ongoing legitimate business need to process your personal information, we will delete or de-identify it. If immediate deletion is not possible (for example, because data resides in backup archives), we will securely store it and isolate it from further processing until deletion is possible.

You can request deletion or access your data at any time; see How to review, update, or delete your data.

In short: We protect your personal information with a combination of organisational and technical measures.

• Encryption: Data is encrypted in transit (TLS) and at rest.
• Access control: Role-based, least-privilege access; admin access is logged and periodically reviewed.
• Firebase safeguards: Firebase Security Rules limit reads/writes to the authenticated user’s own data; App Check is enabled.
• Secure infrastructure: No public data buckets; routine monitoring and safeguards against abuse.

Despite our safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee that unauthorised third parties will never defeat our security. Transmission of personal information to and from the Services is at your own risk; please access the Services in a secure environment.

In short: We do not knowingly collect data from or market to children under 13 years of age (or 16 in the EEA/UK, where required).

By using the Services, you represent that you are at least 13 years old (or 16 in the EEA/UK, as applicable), or that you are the parent or legal guardian of a minor and consent to their use of the Services. If we learn that we have collected personal information from a child under the applicable minimum age, we will deactivate the account and take reasonable steps to delete the data promptly.

If you believe we may have collected data from a child under the applicable age, please contact us at median.ai.official@gmail.com or info@shine-official.net.

In short: Depending on your location (e.g., EEA, UK, Switzerland, Canada, certain US states), you may have rights that give you greater control over your personal information. You may review, change, or terminate your account at any time.

• Access: Request a copy of your personal information.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal information.
• Restriction: Request that we limit the processing of your data.
• Portability: Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Objection: Object to certain processing, including where we rely on legitimate interests.
• Automated decisions: Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions in the Services; if that changes, we will inform you and provide a simple way to request human review.
• Withdraw consent: Where processing relies on consent (e.g., health inputs in some regions), you can withdraw it at any time. This does not affect processing carried out before withdrawal.

• In-app: Use the account deletion feature to remove your data.
• Contact: Email median.ai.official@gmail.com or info@shine-official.net.

We will consider and act upon any request in accordance with applicable data protection laws, typically within 30 days (and longer where permitted).

If you are in the EEA, you may lodge a complaint with your local supervisory authority. If you are in the UK, you may contact the Information Commissioner’s Office (ICO). If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC).

• Review or update: Log in to your account settings to review or change your information.
• Terminate: Use the in-app deletion feature to deactivate and delete your account and associated data from active systems. Some information may be retained as described in Retention (e.g., backups up to 30 days and a one-way hashed anti-abuse token retained for 12 months).

If you have questions or comments about your privacy rights, contact us at median.ai.official@gmail.com.

Most web browsers and some mobile operating systems and applications include a Do-Not-Track (“DNT”) setting you can activate to signal that you prefer not to be tracked online. At present, no uniform standard for recognising and responding to DNT signals has been finalised, and we do not currently respond to such signals or similar mechanisms.

If an industry or legal standard for online tracking is adopted that we must follow, we will update this Privacy Notice to describe our response. California law requires us to state how we respond to browser DNT signals; because there is no recognised standard, we do not respond at this time.

In short: Depending on your U.S. state of residence, you may have rights to access, correct, obtain a copy of, or delete personal information we maintain about you, as well as rights to opt out of certain processing. These rights may be limited by applicable law.

We collect personal information directly from you (including your entries in the app) and from your device/service logs. We do not use advertising or analytics SDKs and do not collect precise geolocation.

• We use personal information to operate the Services as described in How we process your information.
• We disclose personal information to service providers under contract (see When and with whom we share information). We have not sold or “shared” personal information for cross-context behavioural advertising in the last 12 months.
• Retention: Category J and K data are retained while your account is active; on deletion, production data is removed and backups purge within 30 days. An anti-abuse one-way hashed token derived from your phone number is retained for 12 months to prevent free-trial abuse; it cannot be used to contact you.

• Right to know/access: Whether we process your data and to access it.
• Right to correct: Fix inaccuracies.
• Right to delete: Request deletion of personal information.
• Right to obtain a copy (portability): Receive a copy of personal information you provided.
• Right to non-discrimination: No unlawful discrimination for exercising rights.
• Opt-out rights: We do not sell or “share” personal information or use it for targeted advertising; if that changes, we will provide a method to opt out.

• In-app: Use the account deletion feature.
• Email: median.ai.official@gmail.com or info@shine-official.net.

You may designate an authorised agent to submit a request on your behalf, subject to verification and applicable law. We will verify requests using information already on file and may request additional details to confirm identity or authority.

We use artificial intelligence (AI) and rules-based algorithms to analyse the health and lifestyle information you provide in order to generate personalised, educational nutrition guidance. This includes drawing inferences such as estimated nutrient intake and dietary needs derived from your logged meals and profile data.

• Purpose-limited: These inferences are used solely to provide you with in-app insights and learning tips; they are not shared with third parties for their own purposes.
• Third-party AI: Where we use third-party AI services (e.g., OpenAI or Google), prompts are de-identified and limited to generic content generation (e.g., phrasing tips). We do not send your health or personal data to AI providers, and we do not allow training on our data.

See also Third-party services and No medical advice.

Median is for educational purposes only. It is not a medical device and does not replace professional medical advice, diagnosis, or treatment. The app does not recommend medications or herbs. Always consult your physician.

We may contact users through WhatsApp for service-related purposes, such as confirming subscription status, sending payment instructions, or providing technical support. These communications are administrative in nature and do not include marketing content.

WhatsApp messaging is facilitated via our provider Twilio. See Third-party services.

We engage service providers under contract to help us operate the Services. They process personal information only on our instructions and subject to confidentiality and security obligations.

We retain personal data—including AI-generated insights—only while your account is active and as needed to operate the Service. When you delete your account, we delete personal data from production systems promptly. Operational backups may persist for up to 30 days and are then purged automatically.

To prevent repeat free-trial abuse, we keep a one-way hashed token derived from your phone number for 12 months. This hash is stored separately, cannot be used to contact you, and is deleted after the retention period. Limited transaction records may be retained as required by law.

For full details, see How long do we keep your information?.

In short: Yes. We will update this Notice as necessary to remain compliant and transparent.

We may update this Privacy Notice from time to time. The updated version will be indicated by a revised date at the top of this page. If we make material changes, we may provide additional notice (e.g., in-app banner, email, or WhatsApp administrative notice). We encourage you to review this Notice periodically to stay informed about how we protect your information.

If you have questions or comments about this Notice, please email us at median.ai.official@gmail.com or info@shine-official.net, or contact us by post at:

SHINE DEVELOPMENT AND AI TECHNOLOGIES LTD
71–75 Shelton Street
Covent Garden
London WC2H 9JQ
England

Website: https://shine-official.net/

If you are a resident in the United Kingdom, SHINE DEVELOPMENT AND AI TECHNOLOGIES LTD is the data controller of your personal information. You can contact us using the details above regarding our processing of your information.

Depending on your country, province, or U.S. state of residence, you may have the right to request access to the personal information we hold about you, learn how it has been processed, correct inaccuracies, delete your personal information, or withdraw consent where applicable. These rights may be limited in some circumstances by law.

• In-app: Use the account deletion feature to remove your data.
• By email: Contact median.ai.official@gmail.com or info@shine-official.net.

We will verify your request and respond in accordance with applicable data protection laws (typically within 30 days). For more details on your rights, see What are your privacy rights?.