Personal Data Processing Notice (Privacy Policy)
This notice describes how Tecnigo Group SRL processes the personal data of users of the Dyllo.ai mobile application (the “App”) and the related services on dyllo.ai, in compliance with Regulation (EU) 2016/679 (the “GDPR”) and applicable privacy law. The information is provided in a transparent, accessible and plain-language way, so that the user can understand which data we process, for what purposes, on which legal bases, for how long and with which rights. This version is intended for publication and contains no internal notes or working references.
1. Data Controller
The controller of personal data processing is:
- Tecnigo Group SRL
- VAT: 14505480963
- Registered office: Piazzetta Umberto Giordano, 2, 20122 Milan (MI), Italy
- Privacy and support email: Hello@dyllo.ai
2. Data Protection Officer (DPO)
Tecnigo Group SRL has not appointed a Data Protection Officer (DPO), as the conditions making such designation mandatory under applicable law are not currently met. For any matter relating to personal data protection, users may contact the Controller at the address provided in section 1.
3. Service Description
Dyllo.ai is an AI mobile app for food, fitness and wellness tracking. The user can log meals, drinks, recipes, physical activities and personal progress via text, voice or meal photos/images. The App interprets the user’s inputs, estimates calories and macronutrients, saves information into the personal diary and shows daily or weekly summaries on calories, macros, water, steps, weight, workouts, sleep and progress, where these features are enabled by the user.
Dyllo.ai is designed as an informational and wellness-tracking support tool. It is not a medical device and does not replace the advice of doctors, nutritionists, dietitians, personal trainers or other qualified professionals.
4. Categories of Personal Data Processed
Dyllo.ai collects and processes several categories of personal data, limiting itself to what is necessary for the pursued purposes.
- Account data: email address, unique user ID, language and country preferences, account and App settings.
- Physical data and goals: age or age range, height, current weight, target weight, level of physical activity and wellness goals, for example weight loss, maintenance, muscle gain, performance or wellness.
- Food data: information about meals, drinks, ingredients, portions, recipes entered by the user, estimates of calories, protein, carbohydrates, fats and other nutrients where available.
- Health and wellness data: data that may reveal information about the user’s physical or mental health or wellbeing, such as voluntarily provided allergies or dietary restrictions, weight goals, activity data, fitness data, sleep data and data from health/fitness integrations if enabled.
- Meal photos: images uploaded or taken by the user to allow nutritional analysis and estimation of ingredients, portions, calories and macronutrients.
- Voice data: temporary audio recordings, used to transcribe voice inputs related to meals, activities or requests to the AI assistant. We do not use voice for biometric identification.
- Physical activity and integration data: workouts, type and duration of activity, estimated calories burned, steps, water, weight, sleep, data shared by health/fitness apps, wearables or platforms such as Apple Health, Google Fit, Health Connect or equivalent services, only if enabled by the user.
- Location data: approximate location derived from IP address and, only if the user enables specific local features and grants consent via the device permission, location data (latitude and longitude) provided by the device. This data is used to suggest nearby places (the “Where do I eat?” feature), in real time and without storing the user’s location, and to track and save the GPS route of outdoor workouts to the user’s diary when the user starts tracking. To return map results, the coordinates may be sent to third-party map services (OpenStreetMap – Nominatim/Overpass; Google Maps for directions and reviews). This data is not used for profiling.
- AI-generated data and interactions: messages exchanged with the AI assistant, transcripts of voice inputs, estimates, summaries, suggestions and preferences needed to personalise the service. To optimise certain features, only isolated food keywords may be cached, for example “rice cake” or “tuna”, without keeping the full sentence context, where technically feasible.
- Technical data: IP address, device type, operating system, App version, system logs, crash reports, performance data, technical identifiers, advertising or analytics identifiers where permitted.
- Payment and subscription data: subscription status, active plan, renewal date, transaction information, technical tokens or receipts. Dyllo does not store full credit card data. Consumer subscriptions are handled by the Apple App Store or Google Play, which process payment data under their own privacy notices. Stripe handles creator payouts (Stripe Connect) and legacy/admin flows under its own privacy notice and applicable privacy roles.
- Marketing, referral and campaign data: marketing consents, communication preferences, interactions with emails, push notifications, advertising campaigns, creator codes, referral links, conversion events, cookies, pixels and SDKs used on the website or App, within the limits permitted by applicable law and the user’s choices.
5. Purposes and Legal Bases of Processing
Every processing operation on personal data pursues explicit, legitimate and specified purposes and is grounded in an appropriate legal basis. For data falling within special categories, such as health or wellness data, processing only takes place when a specific condition provided by applicable law also applies, typically the user’s explicit consent.
| Purpose | Legal basis | Special-category condition |
|---|---|---|
| Service delivery: account creation, meal and activity diary, recipes, progress view, management of core features. | Performance of the contract with the user. | For health/wellness data: explicit consent, where required. |
| Advanced features: AI estimates, meal photos, voice inputs, health/fitness integrations, activity, workout, sleep data and data shared from other apps. | User consent and, where necessary, performance of the requested service. | Explicit consent for health data or special categories. |
| Payments and subscription management via the Apple App Store or Google Play for consumers, and via Stripe for creator payouts and legacy/admin flows. | Performance of the contract and compliance with legal/tax obligations. | Not applicable, except in specific cases. |
| Security, abuse prevention, debugging, crash reports, technical maintenance and protection of the infrastructure. | Legitimate interest of the Controller in keeping the service secure and operational. | Not applicable, except for data potentially required for security and processed with adequate safeguards. |
| Service communications: operational emails, account notices, alerts on security, privacy, subscriptions or material changes. | Performance of the contract or legitimate interest. | Not applicable. |
| Marketing, newsletters, promotions, promotional push notifications, advertising campaigns, retargeting and conversion measurement. | User consent where required; legitimate interest only where permitted by law. | Health/wellness data and diary content are not used for behavioural advertising. |
| Cookies, pixels, SDKs and tracking tools on the website/landing pages and, where applicable, within the App. | Consent via cookie banner or equivalent tools, where required. | Not applicable, save for specific consent and a ban on using health data for behavioural advertising. |
| Creators, affiliates and referrals: management of discount codes, referral links, conversion attribution and commissions. | Commercial legitimate interest or performance of contractual agreements, as applicable. | Not applicable. |
| Legal, tax and accounting compliance, complaint handling, requests from authorities and protection of rights. | Legal obligation or legitimate interest in protecting rights. | Not applicable, except for specific legal needs. |
| Product improvement and statistical analysis. | Legitimate interest on pseudonymised/minimised data; outside the GDPR scope if data is genuinely anonymous. | Not applicable if data is anonymous; consent if required for further processing. |
6. Nature of Data Provision and Consent Management
Providing account data and certain technical data is necessary to create an account, deliver the service and manage the contractual relationship. Without such data, the App or some of its essential features cannot be used.
Providing health and wellness data, as well as the use of photos, microphone, camera, push notifications, activity data, sleep, wearables, Apple Health, Google Fit, Health Connect or equivalent services, is optional and based on the user’s consent where required. Lack of consent may limit some advanced features but does not necessarily prevent use of the App’s core features.
Explicit, granular consent is collected in-app, during onboarding or when the relevant feature is activated, through clear affirmative actions, such as unchecked checkboxes or dedicated consent screens. Users may withdraw consent at any time through the App settings or by contacting Hello@dyllo.ai. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
7. Photos, Voice and Health/Fitness Integrations
7.1 Meal photos
The user may upload or take photos of meals to allow Dyllo.ai to estimate ingredients, portions, calories and macronutrients. Images are processed temporarily for analysis and saved into the diary only if the user explicitly chooses to keep them. If not saved, they are deleted after processing, within the timelines indicated in the retention section. Where possible, we remove or limit non-essential metadata. Users are asked not to upload photos containing third parties or unnecessary information.
7.2 Voice and transcripts
Users can use voice commands to log meals, workouts or requests. Raw audio files are processed for transcription and are not retained as permanent audio data. Dyllo retains the textual transcript only when needed for the diary, the chat history or service delivery. We do not use voice to biometrically identify the user.
7.3 Integrations with health, fitness and wearable apps
If the user enables integrations with Apple Health, Google Fit, Health Connect, wearables or equivalent apps, Dyllo.ai may read activity, workout, steps, calories burned, sleep, weight and other data that those apps or devices make available and that the user chooses to share. Dyllo may also, where the feature provides for it and the user authorises it, write or sync some data back to those services. Users may revoke access at any time from the settings of the device, the App or the third-party platform. Data coming from these integrations is not used for behavioural advertising and is not sold.
8. Use of Artificial Intelligence and Third-Party Providers
Dyllo.ai uses artificial intelligence systems and language or multimodal models to interpret text, voice and images, generate nutritional estimates, summaries and personalised suggestions. To deliver these features we may use an orchestration system and a combination of models and providers, including OpenAI, Google Gemini, Anthropic Claude, Kimi, DeepSeek or other equivalent providers.
We will send AI providers only the data necessary to generate the response requested by the user and, where possible, apply minimisation, pseudonymisation or context-reduction measures. Users’ personal data is not used to train third-party AI models, unless the user has provided explicit, specific and informed consent or unless the data has been effectively anonymised.
AI responses, estimates of calories, macros, activity and suggestions may contain errors, omissions or incomplete information. Users must verify important information and use their own judgement.
9. Marketing, Cookies, Pixels, SDKs, Push Notifications and Referrals
Dyllo.ai may use marketing, analytics and campaign measurement tools, including, by way of example, Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Microsoft Clarity, advertising tools, retargeting, affiliate/referral tracking, Stripe cookies, analytics SDKs and equivalent systems.
- Email marketing and newsletters: may be sent subject to consent or in cases permitted by applicable law. Users may unsubscribe at any time.
- Push notifications: may include operational notifications related to the service and, subject to consent where required, promotional or motivational notifications. Users may manage them through the device or App settings.
- Advertising and retargeting: we may measure campaigns, conversions and audiences via pixels, cookies, SDKs or technical identifiers, subject to cookie/marketing consent where required.
- Creators, affiliates and referrals: if users use discount codes, creator links or referrals, we may process attribution data to recognise conversions, commissions or campaign performance.
- Cookie Policy: the dyllo.ai website will have a separate Cookie Policy and, where necessary, a cookie banner to manage consent, preferences and withdrawal for non-essential cookies.
Dyllo.ai does not sell users’ personal data. Diary content, health/wellness data, meal photos, voice data, sleep data, data from health/fitness apps and data relating to personal goals are not used for behavioural advertising.
10. Recipients of the Data
Personal data may be disclosed to third parties acting, as the case may be, as processors, independent controllers or joint controllers, based on the applicable roles and agreements. The categories of recipients include:
- hosting, cloud, database and storage providers;
- AI, speech-to-text, image recognition and multimodal-model providers;
- analytics, crash reporting, heatmap, session analytics, performance monitoring and security providers;
- marketing, advertising, retargeting, email, push notification and attribution providers;
- the Apple App Store and Google Play for consumer subscription payments; Stripe and other payment or billing providers for creator payouts (Stripe Connect) and legacy/admin flows;
- customer support and user-request management providers;
- creator, affiliate or referral partners, limited to the data needed for attribution and partnership management;
- consultants, professional vendors, public authorities or other legitimate parties where required by law or necessary to protect rights.
11. Transfers of Data Outside the European Economic Area
The use of certain providers, in particular cloud, AI, analytics, marketing and payment providers, may involve transferring personal data outside the European Economic Area, including the United States or other countries where those providers operate.
When transferring personal data to third countries, we apply the safeguards required by applicable law, such as European Commission adequacy decisions, Standard Contractual Clauses, the Data Privacy Framework where applicable, supplementary security measures and transfer impact assessments. Users may request further information about the safeguards in place by contacting us at Hello@dyllo.ai.
12. Data Retention Period
Personal data is retained for no longer than necessary for the purposes for which it is processed. We apply deletion, rotation or periodic-review criteria, depending on the nature of the data and the needs of the service.
- Account and profile data: retained as long as the account remains active. On account deletion, data is erased, subject to technical timelines and legal obligations.
- Diary, meal, activity, recipe and chat data: retained until deleted by the user or until account deletion.
- Meal photos: if saved to the diary, retained as part of the diary; if used only for analysis, deleted within a maximum of 72 hours from processing.
- Raw voice audio: not retained as permanent data; processed for transcription and then deleted.
- Voice transcripts: retained as part of the diary or chat history until deleted by the user or with the account.
- Health/fitness and integration data: retained until the integration is revoked, the data is deleted by the user or the account is deleted, save for legal obligations.
- Subscription and billing data: retained for the time needed for contractual management and for applicable tax and accounting obligations, generally up to 10 years in Italy.
- Technical and security logs: retained for up to 12 months, except where longer retention is needed for security investigations, abuse or legal obligations.
- Analytics and crash reports: retained in aggregated or pseudonymised form for up to 24 months, save for different provider settings or justified technical needs.
- Marketing and referral data: retained until consent is withdrawn, the user objects, or for the period needed for campaign management, consent evidence, attribution or contractual obligations.
- Backups: progressively deleted according to rotation policies, within a maximum of 90 days, save for legal obligations or security needs.
13. Rights of the Data Subject
As a data subject, the user may exercise the rights granted by applicable law, including:
- Access: obtain confirmation of processing and access to personal data.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of data in the cases provided by law.
- Restriction: request restriction of processing in certain circumstances.
- Portability: receive data in a structured, commonly used and machine-readable format, where applicable.
- Objection: object to processing based on legitimate interest, including some marketing processing, in the cases provided.
- Withdrawal of consent: withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.
- Complaint: lodge a complaint with the competent supervisory authority. In Italy, this is the Garante per la Protezione dei Dati Personali, www.garanteprivacy.it.
To exercise these rights, users may send a request to Hello@dyllo.ai. Users may also request account deletion through the App, if available, or by contacting the Controller.
14. Automated Decision-Making and Profiling
Dyllo.ai uses artificial intelligence systems to generate nutritional estimates, summaries and personalised suggestions. These processes are automated, but do not constitute decisions based solely on automated processing producing legal effects or similarly significantly affecting the user.
In particular, Dyllo.ai’s AI does not decide on access to services, does not grant or deny benefits, does not impose obligations, does not provide medical diagnoses and does not replace a qualified professional. Estimates and suggestions are informational and supportive. The user always retains full control and final responsibility over their food, health, wellness and physical-activity choices.
We may personalise the experience, for example by adapting suggestions, summaries, goals or notifications based on data entered by the user. Such personalisation does not produce legal or similarly significant effects. Users may request clarification or contest AI-generated results by contacting Hello@dyllo.ai.
15. Security Measures
We adopt technical and organisational measures appropriate to the risk to protect personal data from unauthorised access, loss, destruction, alteration, disclosure or unlawful processing. By way of non-exhaustive example, these measures include:
- encryption of data in transit, for example via TLS;
- authentication procedures and access controls;
- limited access to data by authorised personnel and on a need-to-know basis;
- minimisation of data collected and processed;
- system logging and monitoring for security purposes;
- backup and restore procedures;
- periodic review of third-party vendors and applicable security measures.
16. Minors
We do not knowingly collect or solicit personal data from persons under 18. If we learn that we have collected personal data from a person under 18, we will take the steps necessary to delete that information. If a parent or guardian becomes aware that a minor has provided us with personal data, they can contact us at Hello@dyllo.ai.
17. Health, Wellness and AI Disclaimer
Dyllo.ai is designed to support the monitoring of food, fitness and wellness habits. The information provided by the App is for informational purposes only and does not constitute medical, nutritional or professional advice. Before starting a diet, training programme or making significant changes to their habits, users should consult a qualified professional, especially in the presence of medical conditions, pregnancy, eating disorders, ongoing therapies or other pathologies.
Dyllo.ai is not a medical device and must not be used to diagnose, treat or prevent any disease. AI responses, estimates and suggestions may contain errors, omissions or incomplete information. We do not guarantee that every estimate of calories, nutrients, physical activity or progress is accurate or suitable for the user’s specific situation.
18. Updates to the Privacy Policy
This notice may be updated from time to time, for example to reflect legal, technical, organisational or functional changes to the App. The date of the last update will always be shown at the top of the document. Should we intend to process personal data for purposes different from those for which it was collected, we will provide prior notice and, where required, request a new consent.