Privacy Policy
Version 1.0
Note for Compumeal: this policy was drafted from how the application actually handles data. The placeholders marked [TO BE COMPLETED] must be filled in before publication — the operating legal entity, its registered address, the privacy contact address, and the email provider. It should be reviewed by your legal counsel alongside the Terms and Conditions.
This Privacy Policy explains how [TO BE COMPLETED] ("Compumeal", "we", "us" or "our") collects, uses, shares and protects personal data when you use the Compumeal application (the "App"). It forms part of, and should be read together with, our Terms and Conditions.
Compumeal is a digital nutrition and meal-planning service. It is not a medical device and does not provide medical advice — see the health disclaimer in our Terms and Conditions.
1. Data we collect
1.1 Data you give us
| Category | Examples | Why we need it | | --- | --- | --- | | Account data | Name, email address, password (hashed), phone number, profile photo | To create and secure your account | | Organisation data | Organisation name, logo, members and their roles | To let teams share a workspace | | Health and dietary data | Age, sex, weight, height, activity level, goals, allergies, intolerances, dietary preferences, medical conditions you choose to record | To calculate nutrient targets and generate meal plans | | Client records | Where you use Compumeal professionally, the details you record about the people you advise | To let you manage plans on their behalf | | Content | Recipes, meal plans, notes, and messages you send to the AI assistant | To provide the service | | Payment data | Billing name, email, and the masked card number shown on your receipt | To take payment and show your billing history |
1.2 Data collected automatically
IP address, device and browser information, and the date and time of access, recorded in server logs. Session cookies that keep you signed in, and a cookie storing your language preference.
1.3 Sensitive data
Health and dietary information is special category personal data under the GDPR and comparable laws. We process it only on the basis of your explicit consent, given when you choose to enter it, and only to provide the App's nutrition features. You may withdraw that consent at any time by deleting the data or your account.
We do not use your health data to train any AI model.
2. Why we process your data, and on what basis
| Purpose | Lawful basis | | --- | --- | | Creating your account and providing the App | Performance of a contract | | Generating meal plans and nutrient targets from your health data | Explicit consent | | Taking payment and preventing payment fraud | Performance of a contract; legal obligation | | Keeping the App secure (rate limiting, account lockout, device tracking) | Legitimate interests | | Sending service emails (receipts, password resets, security alerts) | Performance of a contract | | Meeting accounting, tax and legal obligations | Legal obligation |
We do not sell your personal data, and we do not use it for advertising.
3. AI processing
Meal-plan generation and the AI assistant send the relevant parts of your prompt and plan context — which may include health and dietary information — to third-party AI providers so they can produce a response.
- These providers act as our processors and are contractually prohibited from using your data to train their models.
- Data is sent for the purpose of producing your response, and is not retained by us beyond the conversation you save.
- You can avoid AI processing entirely by not using the meal-generation and AI assistant features; the rest of the App works without them.
4. Who we share data with
We share personal data only with the service providers ("subprocessors") we need in order to run the App:
| Subprocessor | Purpose | Location | | --- | --- | --- | | DigitalOcean | Application hosting, database, cache | Netherlands (EU) | | Cloudflare (R2) | Image and file storage | European Union | | MontyPay | Payment processing | Lebanon | | Google (Gemini) | AI meal-plan generation and assistant | United States | | OpenAI | AI meal-plan evaluation | United States | | [TO BE COMPLETED] | Transactional email delivery | [TO BE COMPLETED] |
We may also disclose personal data where we are legally required to do so, or to establish, exercise or defend legal claims.
Where data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses or on an adequacy decision.
5. How long we keep data
- Account and health data: for as long as your account is open.
- After you delete your account: erased within 30 days, except where we must retain records for legal reasons.
- Payment and invoice records: retained for the period required by applicable accounting and tax law.
- Server logs: retained for a limited period for security and troubleshooting.
6. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- correct data that is inaccurate or incomplete;
- delete your data (the "right to be forgotten");
- export your data in a portable, machine-readable format;
- restrict or object to certain processing;
- withdraw consent to the processing of your health data at any time; and
- complain to your national data protection authority.
You can exercise the access, export and deletion rights yourself from Settings → Privacy in the App. For anything else, contact us at [TO BE COMPLETED]. We respond within 30 days.
7. Security
We protect your data with encryption in transit (HTTPS/TLS), hashed passwords, optional two-factor authentication and passkeys, account lockout after repeated failed sign-ins, new-device notifications, and role-based access control within organisations.
No system is perfectly secure. If a breach affects your personal data and is likely to result in a high risk to your rights, we will notify you and the relevant authority as required by law.
8. Cookies
We use only the cookies the App needs in order to function:
| Cookie | Purpose |
| --- | --- |
| Session cookie | Keeps you signed in |
| LOCALE | Remembers your language preference |
We do not use advertising or third-party tracking cookies.
9. Children
The App is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. The date below shows when it was last revised, and material changes will be notified to you by email or in the App.
11. Contact
- Legal entity: [TO BE COMPLETED]
- Registered address: [TO BE COMPLETED]
- Privacy contact: [TO BE COMPLETED]
Last updated: [TO BE COMPLETED]