1. About This Policy
This Privacy Policy explains how The GFF Co. Ltd, trading as Tucki and Tucki AI, collects, uses, stores, and protects personal data when you use the Service. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Where these regulations are updated, replaced, or extended, we will adapt our practices and this policy to remain compliant.
2. Who We Are
The GFF Co. Ltd is the data controller responsible for your personal data.
- Company number: 15047548
- Registered office: 124 City Road, London, EC1V 2NX
- ICO registration reference: ZB672005
For any questions about this policy or how we handle your data, please contact support@tucki.ai.
3. Information We Collect
3.1 Information You Provide
- Account details (name, email address, encrypted password)
- Household setup, including the number and ages of family members
- Dietary preferences and allergens
- Goals related to eating habits and household nutrition
- Content you create within the app, including meal logs, notes, and progress entries
- Messages you send to our support team
3.2 Information We Collect Automatically
- Device information (device type, operating system, app version)
- Anonymised IP address
- Usage analytics
- Crash reports and performance logs
- Subscription and purchase data via RevenueCat
3.3 Information About Children
Parents and guardians may create and manage profiles for children within their household. These profiles may include the child's first name or nickname, age, dietary preferences, and allergens. We process this information only on the instructions of the parent or guardian responsible for the account.
4. How We Use Your Information
We process personal data to:
- Deliver, personalise, and improve the Service
- Generate AI-driven recommendations and household insights
- Manage subscriptions, payments, and account functionality
- Communicate service updates, security notices, and, where applicable, marketing
- Detect, prevent, and respond to fraud, misuse, or security incidents
- Comply with our legal and regulatory obligations
We never sell your personal data to third parties.
5. Legal Bases for Processing
We process personal data under one or more of the following lawful bases under the UK GDPR:
- Performance of a contract: to deliver the Service you have subscribed to and to manage your account.
- Legitimate interests: to analyse usage, improve the Service, protect our systems, and communicate with existing customers about similar features.
- Consent: for optional features, where required by law, and for the processing of children's data by the responsible parent or guardian.
- Legal obligation: to meet financial, tax, regulatory, or law enforcement requirements.
6. Data Sharing
We share personal data only with trusted service providers acting on our behalf, under contractual safeguards that comply with the UK GDPR. These include:
- AWS (Amazon Web Services) for secure hosting, primarily in the EU (eu-west-1) region
- RevenueCat for subscription management and billing analytics
- Apple App Store and Google Play Store for app distribution, billing, and subscription handling
We may also share personal data where required by law, regulation, court order, or other legal process, or in connection with a corporate transaction such as a merger, acquisition, or sale of assets.
7. International Data Transfers
Most personal data is stored on servers within the European Economic Area. Some of our service providers may process limited data outside the UK and EEA.
Where this happens, we rely on the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as appropriate. These mechanisms ensure that your personal data continues to receive a level of protection equivalent to that provided under the UK GDPR.
You may request more information about the specific safeguards in place by contacting support@tucki.ai.
8. Data Retention
We retain personal data for as long as your account is active and for as long as needed to provide the Service.
After account deletion, we retain personal data for one month to allow for account recovery and to meet any related legal or operational requirements. After this period, data is either permanently deleted or anonymised so that it can no longer be associated with you.
Certain records, such as financial and tax records, may be retained for longer where required by law (typically six years).
9. Data Security
We use industry-standard measures to protect personal data, including:
- AWS Cognito for secure authentication
- JWT-based authorisation
- Encryption of data in transit and at rest
- Anonymisation where appropriate
- Access controls and ongoing monitoring
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify affected users and the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by law.
10. Children's Privacy and the Children's Code
Tucki is designed with families in mind, and we take the protection of children's data seriously.
In line with the UK GDPR, we do not knowingly collect personal data directly from a child under the age of 13 without verified parental consent. Where the regulatory position on the digital age of consent changes in the UK, we will adapt our practices and this policy to remain compliant.
We design our Service in line with the principles of the ICO's Age Appropriate Design Code (the "Children's Code"), which sets out 15 standards for online services likely to be accessed by children. These principles include consideration of the best interests of the child, age-appropriate application, transparency, data minimisation, and turning high-privacy settings on by default.
As Tucki introduces dedicated child-facing profile views and experiences, we will continue to update our processing activities, communications, and product design to remain compliant with the Children's Code and any equivalent successor framework.
Where a parent or guardian wishes to exercise any data protection right on behalf of a child, they may do so by contacting support@tucki.ai.
11. Automated Decision-Making and Profiling
Tucki uses automated processing and AI-driven personalisation to generate recommendations, nudges, and household insights. These outputs are designed to assist, not replace, your own decision-making.
We do not use automated processing to make decisions that produce legal or similarly significant effects on you. If you would like to understand how a particular recommendation has been generated, or wish to object to certain types of profiling, please contact support@tucki.ai.
12. Your Rights
Under the UK GDPR, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your personal data (the "right to be forgotten")
- Restrict or object to certain processing
- Request data portability
- Withdraw consent at any time where we rely on consent
- Lodge a complaint with the Information Commissioner's Office
To exercise any of these rights, contact support@tucki.ai. We will respond within one month of receiving your request, in line with the UK GDPR.
13. Marketing & Communications
We may send you occasional in-app messages or emails about new features, product updates, and offers we think will be of interest to you.
You can opt out of marketing communications at any time by using the unsubscribe link in any marketing email, by updating your communication preferences within the app, or by contacting support@tucki.ai. Opting out of marketing will not affect service-related communications you receive as part of using the Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Service, or the law. Where changes are material, we will notify you by email or by in-app notice.
The "Last updated" date at the top of this policy indicates when it was most recently revised.
16. Contact & Complaints
The GFF Co. Ltd
124 City Road, London, EC1V 2NX
Email: support@tucki.ai
ICO Registration Reference: ZB672005
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office at www.ico.org.uk, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.