Privacy Policy
Last updated: April 2026
1. Introduction
Trulu Pty Ltd (“Trulu”, “we”, “us”, “our”) is operated in Australia. We are committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what data we collect, why we collect it, how we use and protect it, and your rights.
By using the Trulu mobile application or website you consent to the practices described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Account Information
When you create an account via Apple Sign In, Google Sign In, or email we collect your email address and display name. Apple Sign In may provide a private relay email at your election; we respect that choice.
2.2 Device Information
We generate a random, anonymous device identifier stored locally on your device. This identifier is used to associate your saved products, scan history, and preferences before you create an account. It is not linked to hardware identifiers and is replaced by your authenticated user ID once you sign in.
2.3 Product & Scan Data
When you scan a barcode or search for a product we record the product barcode, the time of the scan, and your device or user ID. This data powers your scan history, trending products, and helps us improve our database.
2.4 Camera Access
Trulu requests access to your device camera solely for barcode scanning. Camera frames are processed on-device to detect barcodes and are never transmitted to our servers.
2.5 Voice Input
If you use voice search, audio is processed using Apple's on-device speech recognition. We receive only the transcribed text, not raw audio.
2.6 Push Notification Tokens
If you opt in to push notifications we store an Expo push token associated with your account so we can send you product updates and alerts. You can disable notifications at any time through your device settings.
2.7 User Feedback
When you submit feedback or report an issue through the app, the content of your message and your user ID are stored so we can respond and improve the service.
2.8 Local Storage
We use on-device storage (AsyncStorage) to persist your preferences, recent searches, and device identifier. This data remains on your device unless synced to your account.
3. How We Use Your Information
- Provide personalised product health scores and recommendations.
- Display your saved products, scan history, and list health score.
- Identify trending and popular products across the platform.
- Improve our scoring algorithms and product database.
- Send push notifications you have opted in to.
- Respond to your feedback and support requests.
- Detect and prevent misuse of the service.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
4. Third-Party Services
We use the following third-party services to operate Trulu. Each service has its own privacy policy governing the data it processes:
- Supabase - cloud database and authentication. Your account data and product information are stored on Supabase infrastructure with encryption at rest and in transit.
- Apple Sign In & Google Sign In - authentication providers. We receive only the minimal profile information you authorise.
- OpenAI and Anthropic - AI providers used to generate product health scores and ingredient analysis. Product names, ingredients, and nutrition data may be sent to these services for scoring. No personal user data (email, name, or identifiers) is included in AI requests.
- Open Food Facts - an open-source product database we query for ingredient and nutrition data. Barcode lookups are sent to their API.
- Superwall - manages in-app subscription paywalls. Superwall may collect device-level identifiers for attribution purposes in accordance with its own privacy policy.
- Apple App Store - processes all subscription payments. We do not collect or store your payment card details.
- Expo Push Notifications - delivers push notifications using anonymous push tokens.
5. AI-Generated Content & Data Accuracy
Product health scores, ingredient analyses, and recommendations in Trulu are generated by artificial intelligence. While we strive for accuracy, AI outputs may contain errors or omissions. Product data may originate from third-party sources (including web scraping and Open Food Facts) and may not always be complete or up to date.
Trulu is not a medical or dietary advisory service. Scores and information are provided for general informational purposes only and should not replace professional health advice.
6. Data Storage & Security
Your data is stored on Supabase-hosted PostgreSQL databases with encryption at rest (AES-256) and in transit (TLS 1.2+). Row-level security policies restrict access so that users can only read and modify their own data.
While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data.
7. Data Retention
- Authenticated users: we retain your data for as long as your account is active. When you delete your account (via app settings or by contacting us), all associated personal data is permanently deleted within 30 days.
- Anonymous users: scan history and saved products associated with a device identifier are retained for up to 12 months of inactivity, after which they may be purged.
- Aggregated & de-identified data: we may retain aggregated, non-personal data (e.g. total scans per product) indefinitely to improve the service.
8. Data Breach Notification
In the event of an eligible data breach as defined under Part IIIC of the Privacy Act 1988 (Notifiable Data Breaches scheme), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.
9. Your Rights
Under the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your personal information.
- Withdraw consent for push notifications or marketing at any time.
- Lodge a complaint with the OAIC if you believe your privacy has been breached.
To exercise any of these rights, contact us at the address below.
10. Children's Privacy
Trulu is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notification or email. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of Trulu after changes constitutes acceptance of the updated policy.
12. Contact
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at team@trulu.app.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at www.oaic.gov.au.
