Privacy Policy

In this privacy policy, we describe what kind of data we may collect from you regarding your use of our applications, websites, and related services and how we may use such data. Our policy follows Art. 12 and Art. 13 EU General Data Protection Regulation (GDPR).

Controller (Art. 4 GDPR):
Vanilla b.v.
Hurksestraat 19
5652 AH Eindhoven
The Netherlands
Company number: 76313271

Please direct any questions regarding data protection to us by email at [email protected].

General Information

We pay great attention to the protection and security of your personal data. This website and app store and process data in accordance with the applicable data protection laws. As a user of our services, you agree to the data processing in the sense of this declaration. In this privacy policy, we describe the kinds of data we collect and how we process them when you use our applications, websites, and related services.

Below we call these collectively “Services”. By using our Services, you agree to the processing of your data in accordance with this privacy policy.

Types of Data Processing & the Legal Basis

The following data processing is carried out during the use of our Services:

1. Data processing for our mobile app

As you use our mobile application, we may gather certain types of data, such as device identifiers, usage patterns, your IP address, and device information. We assure you that this data collection is performed strictly in accordance with the principles of data minimization and anonymization to ensure the highest level of privacy protection.

This information is employed for specific, legitimate purposes. It enables us to improve and personalize your in-app experience, process your subscriptions securely, and generate valuable insights that assist us in improving the quality and functionality of our app.

Health & wellness data

GutReset collects health-related data including meal logs, symptom logs, daily check-ins (sleep quality, energy, mood, stress, gut feeling), breathing exercise completion, and program progress. This data is stored locally on your device using Apple’s SwiftData framework and synced through your personal iCloud account. We do not maintain a separate server-side database of your health information.

We do NOT collect or transmit your specific food logs, symptom severity scores, bowel movement data, or any detailed health information to our analytics or advertising partners. We do NOT sell your personal information to third parties. We do NOT use your health data for advertising purposes.

Third-party services

We use the following third-party services in our mobile app. These services may process anonymous or aggregated device information, app events, subscription status, and technical data needed to operate our app. We limit the data each third-party service receives to only what is necessary for it to function.

• Apple iCloud (private data storage and sync) – https://www.apple.com/legal/privacy/data/en/apple-id/
• Meta Ads (install attribution) – https://www.facebook.com/privacy/policy/
• Mixpanel (product analytics, no health data) – https://mixpanel.com/legal/privacy-policy/
• RevenueCat (subscription and purchase processing) – https://www.revenuecat.com/privacy/

Device identifier

Our app may show you Apple’s App Tracking Transparency (ATT) request. If you allow tracking, we use the device’s advertising identifier (IDFA) for limited attribution purposes related to the performance of our marketing campaigns, for example to understand whether an app install or app interaction originated from one of our advertisements. We do not use the IDFA for personalized advertising or cross-app tracking.

Managing Ad Tracking

You can control how apps track your activity and reduce or disable personalised ads by adjusting your advertising settings.

On iOS:

• Open Settings
• Go to ‘Privacy & Security’
• Tap on ‘Tracking’
• Toggle ‘Allow Apps to Request to Track’ on or off, or manage individual apps

2. Data processing during email correspondence

If you contact us using a contact form or via email and, in this way, voluntarily provide us with your personal data such as title, name, address, and email address, then this data will be processed by us in accordance with the applicable data protection laws and protected accordingly.

We consider the voluntary submission of your data to us as consent to process them for the purpose of handling your request. Your data will be processed exclusively for the purpose of our Services, and you can contact us at any time for information on data processing. We will delete your data after your questions have been answered.

Cookies and Digital Content Stored on External Servers

Cookies apply to our website, not to our mobile app.

General information about cookies

Cookies are small text files that your browser stores on your device, such as a PC, tablet, or phone. They do not harm your device and help make using a website more convenient.

Technical and non-technical Cookies

We use cookies for the following purposes:

• to enable the use and functionality of the website (technical cookies).
• to analyze the visitors’ behavior on the website and improve the user experience (non-technical cookies).

Cookies that are not strictly necessary to provide you with the services on our website (non-technical cookies) will only be used after your consent. In some cases, these consent-based cookies are also operated by companies that process data in the USA (e.g. Google Ireland Ltd. through its commissioned data processor Google LLC). By giving your consent, you agree to the use of non-technical cookies, especially the analytics and marketing cookies in the course of your visit to our website. By agreeing to the use of cookies from these providers, you also expressly consent to the transfer of your data to the USA (Art 49 para 1 lit. a GDPR). Your consent to the use of non-technical cookies can be revoked at any time.

We use the following non-technical cookies after we have your consent for them. We ask for your consent through our cookie banner.

1. We use Google Analytics cookies (non-technical cookies).

These are for online marketing and web analysis. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and its holding company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, offer these cookies. You can find out more about them on this Google website: https://marketingplatform.google.com/intl/en_uk/about/analytics/. In addition, you can find Google’s privacy policy here: https://policies.google.com/privacy. You can opt out at any time, please click here: https://tools.google.com/dlpage/gaoptout.

Links

If you are redirected to other sites via links on our site (e.g. Facebook or Instagram), we ask you to inform yourself about data protection on the respective other website. For example, you can read the data protection policy from Meta here: https://www.facebook.com/privacy/policy/.

Please note that the use of such third-party sites or content is subject to the privacy policies and usage terms of the third party instead of our own terms, and we do not have control over or assume any liability regarding their data processing.

Data Sharing, Collection, and Storage of Personal Data

We do not share your personal data with third parties without your consent. However, there are cases where we are legally obliged to share personal data with authorities. This is the case, for example, in the course of criminal investigations.

The browser on your end device automatically sends information to the respective servers of our service providers when you visit our website. The information is temporarily stored on these servers. The following data is affected by this and is stored until it is automatically deleted: IP address of the requesting computer, date/time of access, name/URL of the retrieved file, referrer URL, browser used, the used operating system/name of the access provider.

We have concluded Data Processing Agreements with our hosting providers to protect your data.

In accordance with Art. 6 para. 1 lit. f GDPR, this information may be used for purposes such as ensuring a seamless connection of the website, ensuring comfortable use of our website, evaluating system security and stability, as well as for other administrative purposes. We do not use this data for personal profiling or similar purposes under any circumstances. If we make evaluations, then these are made anonymously.

We may process your data outside the country where you live (for example, if you are an EU citizen living outside the EU) because some of our servers are located in the US and Asia. This can also happen if, for instance, the service provider of our analytical services is located outside your country. In such cases, we will take steps to ensure that your personal data is processed lawfully and in accordance with this privacy policy.

Our Services are not directed at children under 13, and we do not knowingly collect personal data from children under this age.

Data Security

We secure your data properly and use all necessary technical and organizational measures in this regard. Your health data is stored locally on your device and protected by Apple’s device encryption. Data in transit uses TLS/SSL encryption. Nevertheless, we must point out that complete protection of data against unlawful access by third parties is not possible, especially due to cyberattacks.

For our website and all data transfers, we use SSL (Secure Socket Layer) encryption for security and to protect confidential content. You can recognize this encrypted connection by the fact that the address line of the browser changes from “http://” to “https://”, as well as by the lock symbol. SSL encryption prevents third parties from reading the data that is transmitted.

Data Subject Rights

You have extensive rights under data protection law as a data subject. These are your rights as a data subject: right to information about the processing of your personal data, right to rectification, right to deletion (also known as the right to be forgotten), right to restriction of processing, right to object to processing, and the right to withdraw consent. If you have any further questions in this regard, please contact us.

In the app, you can export all your data at any time from Settings > Export My Data, or delete all your data from Settings > Delete All Data.

You also have the right to complain to the data protection authority in your country if you believe that your rights have been violated. Here is a list of all European Data Protection Authorities and their contact information: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. However, we would still appreciate it if you would contact us first before approaching any of the authorities. We will listen to you and your concerns and take care of them in all seriousness.

California Residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect about you
• Request deletion of your personal information
• Opt out of the sale of personal information (we do not sell personal information)
• Not be discriminated against for exercising your privacy rights

To exercise these rights, contact us at [email protected].

Washington State Health Data (My Health My Data Act)

GutReset processes health-related data (meal logs, symptom logs, wellness check-ins) solely for the purpose of providing you with personalized wellness insights. This data:

• Is stored locally on your device and in your iCloud account
• Is not sold, shared with, or disclosed to third parties for advertising
• Is not used for any purpose other than providing the app’s functionality
• Can be deleted at any time through the app’s settings

We obtain your consent to collect and process health data through the app’s onboarding flow and this Privacy Policy.

Last update: 17-02-2026