Under Article 17 of EU Regulation 2016/679 (GDPR), you have the right to request the deletion of your personal data ("right to be forgotten"). This page describes how to exercise that right, which data are deleted or anonymised, and which are retained for legal obligations.
How to request deletion
1. From the mobile app (patient)
- Open PappAI on your smartphone
- Go to Profile → Settings → Privacy
- Tap "Delete my account"
- Confirm by typing your email
- You will receive a confirmation email once deletion is complete (typically within a few minutes)
2. From the web dashboard (nutritionist)
- Sign in to app.pappai.it
- Go to Settings → Privacy
- Click "Delete my account" and confirm with your email
3. By email
If you cannot access the app or web dashboard, write to privacy@pappai.it stating the email of your account. We will process manually within 30 days (GDPR Art. 12), typically within a few business days.
What is deleted or anonymised
When you confirm the request, PappAI immediately performs the following operations on your account:
Anonymised (row kept, personal data removed)
- First name, last name, tax code, date of birth, sex
- Email address (replaced with irreversible hash)
- Phone number
- Health notes, anamnesis, allergies, symptoms (entered by you or the nutritionist)
- Answers to assessment questionnaires (D-A-B series)
- Messages sent and received via app or WhatsApp
- Nutrition AI output (meal analyses, suggestions) concerning you
- Diet plan PDF documents (denormalised fields anonymised)
Permanently deleted (row + physical file)
- Progress photos you uploaded
- Meal photos uploaded for AI analysis
- Any audio recordings of consultations
- Document attachments (reports, manually uploaded images)
- Push notification tokens of your device
What is retained and why
Some records are retained for national and European legal obligations, in anonymised form. They cannot be deleted even on your explicit request, because retention is mandated by binding regulations:
| What | How long | Why |
|---|---|---|
| Audit log of operations (security and compliance) | 12 months | Security and compliance monitoring (Italian DPA Provision of 27/11/2008) |
| Electronic invoices (if applicable) | 10 years | DPR 633/72 — Italian tax invoice retention |
| GDPR rights exercise requests | 6 years | Italian Data Protection Authority audit of GDPR requests |
| Proof of patient consent to data processing | For the period set by the professional (Controller) based on their own obligations | Proof of the lawfulness of processing (Arts. 7 and 9 GDPR) |
In all these cases, your personal information is anonymised (email replaced with hash, name replaced with [redacted]) before retention. The record remains traceable only for audit purposes, no longer linkable to your identity.
Timing and process
- Immediate confirmation: you receive on-screen confirmation within seconds of submitting the request.
- Processing: typically within 5 minutes, up to 30 minutes under high load.
- Confirmation email: you receive an email at the original account address once the operation is complete.
- Legal maximum: 30 days (GDPR Art. 12), but in practice we complete on the same day.
The operation is irreversible
Once deletion is confirmed, the account cannot be recovered. If you change your mind after submitting the request but before completion (5–30 min), write immediately to privacy@pappai.it to attempt to interrupt the process. After completion, recovery is technically impossible: you will need to create a new account from scratch.
Contacts
- Privacy & deletion: privacy@pappai.it
- General support: support@pappai.it
PappAI is a product of Electric Flock Ltd. This page applies to users of the PappAI app (iOS and Android) and the web dashboard app.pappai.it.
