Privacy Policy

This Privacy Policy describes how mealtally ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our SMS-based meal tracking service, web dashboard, and mobile applications (collectively, the "Service").

We are committed to protecting your privacy and being transparent about our data practices. Please read this policy carefully to understand how we handle your information.

1. Information We Collect

1.1 Information You Provide

• Phone number: Required for SMS-based meal logging and account identification
• Email address: Optional, for account recovery and communications
• Meal descriptions: Text messages describing your meals, submitted via SMS or dashboard
• Nutrition data: Calorie, protein, carbohydrate, and fat information parsed from your meals
• Weight logs: Optional weight entries you provide for tracking
• Profile information: Display name, height, weight, bio, timezone, avatar image, and dietary preferences
• Payment information: Processed by Stripe (we do not store credit card details)

1.2 Information Collected Automatically

• Device information: Device type, operating system, browser type, IP address
• Usage data: Pages viewed, features used, time spent on the Service, interaction patterns
• SMS metadata: Message timestamps, delivery status, Twilio message SIDs (not message content beyond what you provide)
• Analytics data: Collected via PostHog for product improvement and usage analytics
• Cookies and similar technologies: Session cookies for authentication, analytics cookies (see our Cookie Policy)
• Push notification tokens: Expo Push tokens for mobile app notifications

2. How We Use Your Information

We use your personal information for the following purposes:

• Provide the Service: Process meal descriptions with AI, calculate nutrition estimates, store your meal history, send SMS confirmations and summaries
• Account management: Create and maintain your account, authenticate your identity via magic links
• Communications: Send meal confirmations, daily/weekly summaries, service announcements, re-engagement messages
• Payment processing: Process subscriptions and payments via Stripe
• Product improvement: Analyze usage patterns to improve accuracy, add features, fix bugs
• Security and fraud prevention: Detect and prevent abuse, unauthorized access, and fraudulent activity
• Legal compliance: Comply with legal obligations, enforce our Terms of Service
• Analytics: Understand how users interact with the Service, measure feature adoption, track retention

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

3.1 Service Providers (Third-Party Processors)

We share your data with trusted third-party service providers who help us operate the Service:

• OpenAI: Meal descriptions are sent to OpenAI's API for AI-powered nutrition parsing. OpenAI processes data according to their Privacy Policy and Business Terms.
• Twilio: SMS delivery and phone number verification. Twilio's Privacy Policy.
• Stripe: Payment processing and subscription management. Stripe's Privacy Policy.
• PostHog: Product analytics and usage tracking. PostHog's Privacy Policy.
• Expo (Push Notifications): Mobile push notification delivery. Expo's Privacy Policy.
• Railway: Cloud hosting for backend services. Railway's Privacy Policy.
• Netlify: Hosting for web dashboard and documentation. Netlify's Privacy Policy.
• Cloudflare: DNS, CDN, and DDoS protection. Cloudflare's Privacy Policy.

3.2 Legal Requirements

We may disclose your information if required by law, legal process, court order, or government request, or to protect the rights, property, or safety of mealtally, our users, or others.

3.3 Business Transfers

If mealtally is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

4. Data Retention

We retain your personal information as described in our Data Retention Policy:

• Active account data: Retained while your account is active
• Deleted account data: Soft-deleted for 30 days (recovery window), then permanently deleted from all systems including backups
• Inactive accounts: Retained indefinitely unless you request deletion
• Server logs and analytics: Retained for 30-90 days
• Billing records: Retained for 7 years for tax and audit compliance

5. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

5.1 GDPR Rights (European Economic Area, UK)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure ("Right to be Forgotten"): Request deletion of your data
• Restrict processing: Limit how we use your data
• Data portability: Receive your data in a structured, machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent for processing where consent is the legal basis
• Lodge a complaint: File a complaint with your local data protection authority

5.2 CCPA Rights (California Residents)

• Know: Request disclosure of what personal information we collect, use, and share
• Delete: Request deletion of your personal information
• Opt-out of sale: We do not sell your personal information
• Non-discrimination: You will not be discriminated against for exercising your rights

5.3 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@mealtally.com
• Dashboard: Use the "Delete Account" or "Export Data" features in your account settings (when available)

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

6. International Data Transfers

mealtally is based in the United States. Your information is processed and stored on servers located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, your information may be transferred to countries that do not provide the same level of data protection as your home country.

We rely on the following mechanisms for international transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Your explicit consent for the transfer

7. Security

We implement reasonable technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction:

• Encryption: Data in transit is encrypted using TLS/SSL. Passwords are hashed (though we use passwordless auth). Database backups are encrypted.
• Access controls: Access to personal data is restricted to authorized personnel only, on a need-to-know basis.
• Secure infrastructure: We use reputable cloud providers (Railway, Netlify, AWS) with industry-standard security practices.
• Monitoring and logging: We monitor for suspicious activity and maintain audit logs.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Children's Privacy

The Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you believe we have collected information from a child, please contact us at privacy@mealtally.com and we will delete it promptly.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending an email to your registered email address (if provided)
• Displaying a prominent notice on the Service

Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Privacy Policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@mealtally.com
• Website: https://mealtally.com

For GDPR-related inquiries, you may contact our Data Protection Officer (DPO) at dpo@mealtally.com.