Privacy Policy

Last updated: April 17, 2026

Make a Meal AI ("we", "us", "our", "the app") is operated by Jesse Zuidema, trading as Make a Meal AI, located at Nijmegen, the Netherlands, registered under KvK 42026018. This privacy policy explains what personal data we collect, why we collect it, how we process it, who we share it with, and what rights you have.

By creating an account and using Make a Meal AI, you acknowledge that you have read and understood this privacy policy. Where we rely on your consent as a legal basis, you may withdraw that consent at any time (see Section 9).

1. Data Controller

The data controller responsible for your personal data is:

Entity: Jesse Zuidema, trading as Make a Meal AI
Address: Nijmegen, the Netherlands
Email: privacy@makeamealai.com
Chamber of Commerce (KvK): 42026018

For any privacy-related questions or requests, you can contact us at privacy@makeamealai.com.

2. Data We Collect

We collect and process the following categories of personal data:

Category	Data	Purpose	Legal Basis (GDPR)
Account data	Email address, name, password (hashed)	Account creation and authentication	Contract performance (Art. 6(1)(b))
Profile data	Gender, date of birth, height, weight, fitness goals, activity level, dietary preferences and restrictions	Personalized recipe generation, calorie/macro calculations, training recommendations	Contract performance (Art. 6(1)(b))
Usage data	Ingredient scans, recipes generated and saved, meals logged, workout sessions, water intake, weight logs, barcode scan history	Core app functionality: tracking nutrition, workouts, and fitness progress	Contract performance (Art. 6(1)(b))
Photos	Images you take or select for ingredient scanning or product scanning	AI-powered ingredient detection and product analysis	Consent (Art. 6(1)(a))
Health & fitness data	Step count, weight measurements, nutrition data, workout data (only if you enable health sync)	Syncing with Apple Health / Google Health Connect for a unified health overview	Explicit consent (Art. 9(2)(a))
Subscription data	Subscription tier, purchase date, expiration date, transaction identifiers (no payment card details)	Managing your subscription and access to premium features	Contract performance (Art. 6(1)(b))
Device & technical data	Device type, operating system version, app version, IP address, push notification tokens	App functionality, troubleshooting, push notifications, security (bot protection)	Legitimate interest (Art. 6(1)(f))
Security data	IP address, login timestamps, failed login attempts	Bot protection, abuse prevention, rate limiting, account security	Legitimate interest (Art. 6(1)(f))

3. Special Categories of Data (Sensitive Data)

Some data we process may qualify as special category data under GDPR Article 9:

Health & fitness data: Weight, nutrition intake, workout performance, step count, and dietary restrictions (e.g., allergies, medical diets). We process this data based on your explicit consent (Art. 9(2)(a)), which you provide when creating your profile and enabling health sync features.
Dietary preferences indicating beliefs: If you select dietary preferences that may indicate religious or philosophical beliefs (e.g., halal, kosher), this is processed solely to personalize your recipe recommendations. We do not use this data for any other purpose.

You may withdraw consent for processing sensitive data at any time by disabling health sync in the app settings or by contacting us.

4. How We Use Your Data

To provide and personalize the core app experience: recipe generation, nutrition tracking, workout logging, meal planning, and shopping lists.
To generate AI-powered recommendations based on your ingredients, dietary preferences, and fitness goals.
To calculate and display your calorie targets, macronutrient breakdowns, and progress.
To manage your account, subscription, and access to features.
To send you push notifications (meal reminders, streak warnings, water reminders) — only if you enable them.
To protect the app from abuse, bots, and unauthorized access.
To improve the app, fix bugs, and monitor performance.
To comply with legal obligations.

We do not use your data for advertising, profiling for third-party marketing, or selling to data brokers.

5. Automated Decision-Making

Make a Meal AI uses artificial intelligence to:

Detect ingredients from photos you upload.
Generate personalized recipes based on your ingredients, dietary preferences, and fitness goals.
Calculate nutritional scores (NutriScore, NOVA classification) for scanned products.
Suggest training and nutrition schemas based on your fitness profile.

These AI-generated results are recommendations only and do not constitute medical, dietary, or professional advice. You can always edit, override, or disregard AI suggestions. No decisions with legal or similarly significant effects are made solely through automated processing.

6. Third-Party Services & Data Sharing

We share your data with the following third-party service providers, solely to operate the app:

Service	Purpose	Data shared	Location
Supabase	Database, authentication, file storage	All account and usage data	EU / US (see Section 7)
Google Gemini (Google AI)	AI recipe generation	Ingredient lists, dietary preferences (no photos)	United States
OpenAI	AI ingredient detection (Vision), recipe generation, recipe image generation (DALL-E)	Photos of ingredients, ingredient lists, dietary preferences	United States
RevenueCat	Subscription management	User ID, subscription status, purchase receipts	United States
Open Food Facts	Product nutritional data	Barcode numbers (no personal data)	France (EU)
FatSecret	Nutritional data lookup	Food search queries, barcode numbers (no personal data)	Australia
Google Places	Restaurant finder	Location (only when using restaurant finder)	United States
hCaptcha	Bot protection during login and registration	IP address, device characteristics, browser/app fingerprint	United States
Expo (push notifications)	Delivering push notifications	Push notification tokens, notification content	United States
Apple Health / Google Health Connect	Health data sync (optional)	Steps, weight, nutrition, workouts — data is read/written locally on your device	On-device only
Resend	Transactional emails (verification, password reset)	Email address	United States

We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers.

Photo Processing

When you scan ingredients, your photo is sent to OpenAI's Vision API for ingredient detection. According to OpenAI's data usage policy, images submitted via API are not used to train their models and are not retained after processing. We store the original photo in our secure storage (Supabase) linked to your account so you can access your scan history.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and Australia. We ensure appropriate safeguards for these transfers:

Standard Contractual Clauses (SCCs): Our service providers (OpenAI, Google, RevenueCat, hCaptcha, Expo, Resend) operate under EU-approved Standard Contractual Clauses or equivalent data protection agreements.
EU-US Data Privacy Framework: Where applicable, our US-based providers are certified under the EU-US Data Privacy Framework.
Adequacy decisions: For transfers to countries with EU adequacy decisions, no additional safeguards are needed.

You can request a copy of the applicable safeguards by contacting us at privacy@makeamealai.com.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

Data type	Retention period
Account data	Until you delete your account
Profile and usage data	Until you delete your account
Scan photos	Until you delete your account (stored in Supabase Storage with signed URLs, max 30-day access per URL)
AI-generated recipe images	Until you delete your account
Security logs (IP, login attempts)	90 days, then automatically deleted
Push notification tokens	Until you disable notifications or delete your account
Subscription data	Until you delete your account, plus any period required by tax/accounting laws

When you delete your account (via Profile > Delete Account), all your data is permanently and irreversibly deleted, including scans, meals, workouts, recipes, stored images, and all personal information. This deletion is performed server-side and cannot be undone.

9. Your Rights (GDPR — EEA Residents)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

Right of access (Art. 15): You can request a copy of all personal data we hold about you.
Right to rectification (Art. 16): You can correct inaccurate personal data via your profile settings or by contacting us.
Right to erasure (Art. 17): You can delete your account and all associated data at any time from Profile > Delete Account.
Right to restriction of processing (Art. 18): You can request that we restrict the processing of your data in certain circumstances.
Right to data portability (Art. 20): You can request a machine-readable export of your personal data. Contact us at privacy@makeamealai.com.
Right to object (Art. 21): You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
Right to withdraw consent (Art. 7(3)): Where processing is based on consent (photos, health data), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal. To withdraw consent:
- Photos: stop using the scan feature; existing photos can be deleted with your account.
- Health sync: disable health sync in app settings.
- Push notifications: disable in your device settings or in-app notification settings.
- Full withdrawal: delete your account.
Right to lodge a complaint: You have the right to file a complaint with your local supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (AP): autoriteitpersoonsgegevens.nl.

To exercise any of these rights, email us at privacy@makeamealai.com. We will respond within 30 days.

10. Your Rights (CCPA — California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to know: You can request the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the third parties we share it with.
Right to delete: You can request deletion of your personal information. Use Profile > Delete Account or email us.
Right to correct: You can request correction of inaccurate personal information.
Right to opt-out of sale/sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

CCPA Categories of Personal Information Collected

CCPA Category	Collected	Sold
Identifiers (name, email, IP)	Yes	No
Personal information (physical characteristics — height, weight)	Yes	No
Commercial information (subscription history)	Yes	No
Internet activity (app usage, scan history)	Yes	No
Geolocation (approximate, via IP; precise only for restaurant finder)	Yes	No
Sensory data (photos of food/ingredients)	Yes	No
Health information (nutrition, fitness, weight)	Yes	No
Inferences (AI-generated recommendations)	Yes	No

To exercise your CCPA rights, email privacy@makeamealai.com or use the in-app account deletion feature. We will verify your identity before processing requests.

11. Apple HealthKit & Google Health Connect

Important: Health data synced via Apple HealthKit or Google Health Connect is handled with extra care in compliance with Apple and Google platform requirements.

If you choose to enable health sync, Make a Meal AI may read and/or write the following data types:

Read & Write: Active energy burned, body mass (weight), dietary energy consumed, dietary macronutrients (protein, carbohydrates, fat), step count.
Write only: Workout sessions (type, duration, calories burned).

How we handle health data:

Health data is accessed only with your explicit permission and only after you enable health sync in the app.
Health data read from HealthKit/Health Connect is used solely to display your health metrics within the app. It is not sent to our servers, third parties, or AI services.
Health data written to HealthKit/Health Connect (e.g., logged meals, workouts) stays on your device within the health platform.
We do not use HealthKit or Health Connect data for advertising, data mining, or any purpose other than providing health and fitness features to you.
We do not sell or share HealthKit or Health Connect data with any third party.
You can revoke health sync permissions at any time in your device settings (Settings > Health > Make a Meal AI on iOS, or Settings > Health Connect > App permissions on Android).

12. Data Security

We take the security of your data seriously and implement the following measures:

Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption.
Encryption at rest: Database data is encrypted at rest using AES-256.
Row Level Security: Every database table has Row Level Security (RLS) enabled, ensuring you can only access your own data.
Server-side API keys: All third-party API keys (OpenAI, Google, FatSecret) are stored as server-side secrets and never exposed to the client app.
Password security: Passwords are hashed using bcrypt and are never stored in plaintext.
Rate limiting: AI endpoints are rate-limited to prevent abuse.
Bot protection: Login and registration are protected by hCaptcha to prevent automated attacks.
Input validation: All user inputs are validated and sanitized server-side to prevent injection attacks.
Signed URLs: Stored images use time-limited signed URLs (maximum 30 days) for access control.

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to privacy@makeamealai.com.

13. Children's Privacy

Make a Meal AI is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will promptly delete that data and the associated account.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@makeamealai.com so we can take appropriate action.

Users between 16 and 18 years of age should review this privacy policy with a parent or guardian.

14. Cookies & Tracking Technologies

Make a Meal AI is a mobile application and does not use browser cookies. However:

Local storage: We use on-device storage (AsyncStorage) to maintain your session, cache data for offline use, and store your preferences. This data stays on your device.
hCaptcha: During login and registration, hCaptcha may use device fingerprinting and IP analysis for bot detection. See hCaptcha's privacy policy.
Push notification tokens: We store your device's push notification token on our servers to deliver notifications you have opted into.

We do not use third-party analytics, advertising SDKs, or cross-app tracking at this time. If we introduce analytics in the future, this policy will be updated accordingly.

15. Do Not Track

We do not track users across third-party websites or apps. We do not respond to Do Not Track (DNT) signals because we do not engage in the type of tracking that DNT is designed to prevent.

16. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes:

The "Last updated" date at the top will be revised.
For material changes (new data collection, new third parties, changes to your rights), we will notify you via in-app notification or email before the changes take effect.
Continued use of the app after notification constitutes acceptance of the updated policy. If you disagree, you may delete your account.

17. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Email: privacy@makeamealai.com
Entity: Jesse Zuidema, trading as Make a Meal AI
Address: Nijmegen, the Netherlands

For complaints about our handling of your personal data, you may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or your local supervisory authority if you are located in another EEA country.