Privacy Policy
Last updated: April 2, 2026
1. Data Controller
Mealchat is operated by Purpose Labs LLC, a company incorporated in the State of Wyoming, United States. Purpose Labs LLC ("we", "us", or "our") is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you can reach us at:
- Email: privacy@mealchat.ai
- Website: https://mealchat.ai
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Name and email address
- Profile picture (if provided)
- Authentication credentials (password hash or Google OAuth tokens)
- Language preference and timezone
2.2 Health and Body Data (Special Category)
The following data is classified as special category (health) data under GDPR Article 9 and requires your explicit consent:
- Date of birth (used to calculate your basal metabolic rate)
- Biological sex
- Height and weight
- Body composition and activity level
- Weight goal, target weight, and weekly change preference
- Calculated calorie and macronutrient targets (calories, protein, carbs, fat)
- Weight entries over time
2.3 Meal and Nutrition Data (Special Category)
- Meal descriptions and chat messages
- Food photos you upload for AI analysis
- Nutritional breakdowns per meal item (calories, protein, carbs, fat, fiber, sugar, saturated fat, water, micronutrients)
- Saved meal templates
- Voice recordings (when using voice logging, processed for transcription only)
2.4 Usage and Engagement Data
- Meal logging streaks and statistics
- Achievement progress
- Onboarding and tutorial completion state
2.5 Device and Technical Data
- Device type, operating system, and app version
- Push notification tokens
- IP address and user agent (collected during authentication)
2.6 Subscription Data
- Subscription status, product identifier, and expiration date
- Payment processing is handled entirely by Apple (App Store) and Google (Play Store) — we do not receive or store payment card details
3. How We Collect Your Data
We collect data in the following ways:
- Directly from you: When you create an account, complete your profile, log meals, upload photos, record voice messages, or contact us
- Automatically: Device information, IP address, and session data are collected when you use the app
- From third-party sign-in: If you sign in with Google, we receive your name, email, and profile picture from Google
4. Why We Process Your Data
We process your personal data for the following purposes:
- Providing the service: Calculating your metabolic rate, tracking meals, analyzing nutrition, and generating calorie estimates
- Account management: Creating and maintaining your account, authenticating your identity, and managing sessions
- Personalization: Tailoring calorie targets and nutritional recommendations based on your body profile and goals
- Communication: Sending push notifications (meal reminders, streak updates) that you have opted into
- Service improvement: Understanding which features are used and identifying UX friction points (via anonymized analytics)
- Service reliability: Detecting and fixing crashes and errors
- Subscription management: Verifying your subscription status and entitlements
5. Legal Basis for Processing
We process your data under the following legal bases as defined by the GDPR:
| Data Category | Legal Basis | User Control |
|---|---|---|
| Health and body data | Explicit consent (Art. 9(2)(a)) | Account deletion |
| Meal and nutrition data | Explicit consent (Art. 9(2)(a)) | Account deletion |
| Account data | Contract performance (Art. 6(1)(b)) | Account deletion |
| Usage analytics | Legitimate interest (Art. 6(1)(f)) | Opt-out in Settings |
| Crash reports | Legitimate interest (Art. 6(1)(f)) | Opt-out in Settings |
| Subscription data | Contract performance (Art. 6(1)(b)) | Account deletion |
6. Special Category (Health) Data
Mealchat processes health-related data including your weight, height, date of birth, biological sex, meal descriptions, food photos, calorie counts, and macronutrient values. Under GDPR Article 9, this data is classified as "special category" data because it can be used to draw conclusions about your health.
Legal basis: We process this data based on your explicit consent, which you provide during account creation via a dedicated health data consent checkbox. This consent is separate from general terms acceptance.
Purpose: This data is essential for providing the calorie tracking and nutrition analysis service. Without it, the core functionality of Mealchat cannot operate.
Third-party processing: To provide nutritional analysis, we send meal descriptions, food photos, nutrition goals, weight history, and daily progress to AI providers (see Section 8 for the full list of data per provider). Voice recordings are sent to transcription providers for conversion to text and then immediately discarded. Food photos are stored on secure cloud infrastructure.
Safeguards: No health data is included in analytics or crash report events. Health data is not used for advertising or profiling purposes. Food photos are not visible in session recordings.
Withdrawal: You may withdraw your consent at any time by deleting your account in Settings > Account > Delete Account. Upon deletion, all your health data is permanently removed from our systems and all third-party processors.
7. AI and Automated Decision-Making
Mealchat uses artificial intelligence (AI) to analyze your meals and estimate nutritional content. When you log a meal via text, photo, or voice:
- Your meal description, photo, nutrition goals, weight history, and daily progress are sent to an AI language model for analysis (see Section 8 for details)
- The AI returns estimated calorie and macronutrient values for each identified food item
- These estimates are approximations and should not be relied upon for medical or clinical nutrition decisions
You can review and manually adjust any AI-generated nutritional estimates. No decisions with legal or similarly significant effects are made solely by automated processing.
8. Third-Party Data Processors
We use the following third-party service providers to operate Mealchat. Each processor acts under our instructions and is bound by a Data Processing Agreement (DPA):
| Provider | Purpose | Data Processed |
|---|---|---|
| OpenRouter | AI meal analysis | Meal descriptions, food photos, nutrition goals and calorie/macro targets, weight history, daily nutrition totals and recent meals, conversation history, activity level, preferred language |
| Groq | Voice transcription | Voice recordings (processed and discarded) |
| Cloudflare R2 | Photo storage | Food photos (encrypted at rest) |
| PostHog | Usage analytics | Pseudonymous user ID, screen views, feature events, device type, OS version |
| Langfuse | LLM observability | Full AI prompts and responses, including meal descriptions, food photos, nutrition goals, weight history, daily progress, and conversation history (used to monitor AI quality and debug errors) |
| Sentry | Crash reporting | Error stack traces, anonymous user ID, device info, OS version |
| RevenueCat | Subscription management | Anonymous app user ID, purchase receipts, subscription status |
AI provider data handling: OpenRouter routes requests to upstream AI model providers (such as OpenAI and Google), each with their own data handling policies. We select providers and configurations that minimize data retention where possible. We do not use your data to train our own AI models. For details on how upstream providers handle data, see OpenRouter's privacy policy.
Important: No health data (meal descriptions, calorie counts, weight entries, macronutrient values) is sent to analytics or crash reporting services. Health data is only shared with AI and storage providers as necessary to deliver the core service.
9. International Data Transfers
Some of our third-party processors are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Data Processing Agreements with all processors that mandate equivalent protections
Our primary database is hosted in the United States (US East). Our analytics service (PostHog) is configured to use EU-based infrastructure for data storage.
10. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Health and meal data | Until account deletion |
| Food photos | Until account deletion |
| Voice recordings | Not retained (transcribed and discarded) |
| Usage analytics | 12 months |
| Crash reports | 90 days |
| Authentication sessions | 1 year or until logout |
When you delete your account, all your personal data is permanently deleted from our servers and we instruct all third-party processors to delete your data. This process is completed within 30 days.
11. Tracking Technologies and SDKs
Mealchat is a native mobile app and does not use browser cookies. However, we use the following SDKs that may collect data on your device:
- PostHog SDK: Collects pseudonymous usage events (screen views, feature interactions), app version, device type, and OS version. Does not collect health data, name, or email. Can be disabled in Settings > Privacy & Data.
- Sentry SDK: Captures crash stack traces and device information when errors occur. Identified by anonymous user ID only. Can be disabled in Settings > Privacy & Data.
- RevenueCat SDK: Manages subscription status and in-app purchases. Uses an anonymous app user identifier.
12. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you
- Right to rectification (Art. 16): Correct inaccurate or incomplete data (you can edit most data directly in the app)
- Right to erasure (Art. 17): Request deletion of your data (via Settings > Account > Delete Account, or by contacting us)
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to restrict processing (Art. 18): Request that we limit how we use your data
- Right to object (Art. 21): Object to processing based on legitimate interest (e.g., analytics)
- Right to withdraw consent (Art. 7): Withdraw your health data consent at any time by deleting your account
To exercise any of these rights, contact us at privacy@mealchat.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.
13. Your Rights Under California Law (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: Request the categories and specific pieces of personal information we have collected about you
- Right to delete: Request deletion of your personal information
- Right to correct: Request correction of inaccurate personal information
- Right to opt out: Opt out of the "sale" or "sharing" of personal information
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights
To exercise these rights, contact privacy@mealchat.ai.
14. Do Not Sell or Share My Personal Information
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. We do not use your health data, meal data, or any personal information for advertising purposes.
15. Consent and Withdrawal
During account creation, you provide explicit consent for the processing of your health data via a dedicated consent checkbox. This consent is:
- Freely given, specific, informed, and unambiguous
- Separate from acceptance of the general Terms of Use
- Not pre-checked — you must actively opt in
How to withdraw consent: You can withdraw your health data consent at any time by deleting your account via Settings > Account > Delete Account. Since health data processing is essential to the service, withdrawal of consent means the service can no longer be provided.
Analytics and crash reporting: You can opt out of usage analytics and crash reporting at any time via Settings > Privacy & Data. Processing stops immediately upon opt-out.
16. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted data transmission (TLS/HTTPS) for all communications
- Encrypted data storage at rest
- Secure password hashing (passwords are never stored in plain text)
- Authentication tokens stored in secure device storage (iOS Keychain / Android Keystore)
- Access controls limiting data access to authorized personnel
- Regular security reviews of third-party processors
While we take every reasonable precaution, no method of electronic transmission or storage is 100% secure. If you become aware of any security breach, please contact us immediately at privacy@mealchat.ai.
17. Children's Privacy
Mealchat is not intended for users under 16 years of age. We enforce this minimum age globally due to the health-related nature of the data we process and the potential impact of calorie tracking on younger users. We do not knowingly collect personal information from anyone under 16.
We verify age during account setup based on the date of birth provided. Users who do not meet the minimum age are prevented from completing registration and no personal data is stored.
If we learn that we have collected personal data from a user under 16, we will take steps to delete that data promptly. If you believe someone under 16 has provided us with personal data, please contact us at privacy@mealchat.ai.
18. Legitimate Interest Assessment
Where we rely on legitimate interest as a legal basis (usage analytics and crash reporting), we have conducted a balancing test:
Our interest: Improving app quality and user experience, understanding which features are used, identifying navigation issues and UX friction points, and maintaining service reliability. As a small team, we need this data to prioritize development effectively.
User impact: Data is pseudonymous (internal user ID only — not name or email). No behavioral profiling for advertising. No data sold or shared with third parties for their own purposes. No health data is included in analytics events.
Safeguard: Users can opt out at any time via Settings > Privacy & Data. Processing stops immediately upon opt-out.
19. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via in-app notification or email for significant changes that affect your rights
- Request renewed consent if changes affect how your health data is processed
We encourage you to review this page periodically. Your continued use of Mealchat after changes are posted constitutes acceptance of the updated policy.
20. Contact and Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: privacy@mealchat.ai
We aim to respond to all requests within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities can be found at edpb.europa.eu.