Privacy Policy
Last updated: April 2026
1. Introduction & Scope
This Privacy Policy explains how BuddyFood-AI collects, uses, stores, shares, and protects personal data when you use our website, quiz, calculators, account area, meal-plan generation, emails, and related services. It is intended for users in Romania, the European Economic Area, and other markets where the Service is available.
2. Controller and Contact
BuddyFood-AI is the service name used by the operator of this website and acts as the controller for personal data processed through the Service. Privacy requests can be sent to buddyfood.ai@gmail.com.
3. Personal Data We Collect
- Account and identity data: email address, name if provided, account identifiers, authentication status, password status, and support messages.
- Quiz and nutrition data: age, gender, height, current weight, target weight, body-fat estimate, activity type, goal, weight-loss or muscle-gain preferences, cooking time, meals per day, budget, preferred foods, avoided foods, dietary style, allergies, and restrictions.
- Plan and progress data: generated meal plans, calculated BMR/TDEE/target calories/macros, PDF status, credits, check-ins, progress entries, and plan updates where you use those features.
- Payment and subscription data: Stripe customer identifiers, subscription tier/status, billing schedule, payment status, invoices or transaction references, and upgrade/credit history. We do not store full card numbers.
- Communications data: email delivery status, newsletter preferences, unsubscribe token/status, contact form messages, and support interactions.
- Technical and security data: IP address or hashed IP where applicable, device/browser information, logs, page views, quiz analytics, cookie choices, and abuse-prevention signals.
4. Health-Related and Special Category Data
Some information you voluntarily provide, such as allergies, body measurements, weight goals, nutrition restrictions, and progress data, may reveal health-related information and may be treated as special category data under GDPR. We process this data only to provide and personalize the Service you request, generally based on your explicit consent where required by law. You may withdraw consent, but we may no longer be able to generate or update a personalized plan without the relevant data.
5. Sources of Data
- Data you enter directly in the quiz, calculators, account area, contact form, newsletter forms, support forms, or plan-update flows.
- Data generated by our systems when we calculate nutrition metrics, create plans, produce PDFs, assign credits, process subscriptions, or record consent and security events.
- Data received from service providers such as payment processors, email providers, authentication providers, hosting/database/storage providers, and fraud/security tools.
6. Legal Bases for Processing
- Contract or pre-contract steps: to generate plans, create accounts, deliver PDFs, manage subscriptions, provide support, and operate the Service you request.
- Explicit consent: for health-related or special category nutrition data where required, and for optional marketing or non-essential cookies where applicable.
- Legitimate interests: to secure the platform, prevent fraud, debug errors, improve product reliability, measure aggregate performance, enforce rights, and understand non-sensitive product usage, provided your rights do not override those interests.
- Legal obligations: for tax, accounting, consumer-protection, payment, and regulatory obligations.
- Legal claims: where processing is necessary to establish, exercise, or defend legal claims, handle chargebacks, or respond to lawful requests.
7. How We Use Your Data
- To calculate BMR, TDEE, calories, macros, BMI/body metrics, meal variety, and personalized plan parameters.
- To generate, store, deliver, and update meal plans, shopping lists, PDFs, and account dashboards.
- To process payments, subscriptions, credits, invoices, upgrades, refunds, chargebacks, and fraud prevention.
- To send transactional emails such as plan delivery, account setup, verification, password reset, support, and important service notices.
- To send lifecycle or newsletter emails only where allowed by consent or applicable law, with unsubscribe options.
- To maintain security, detect abuse, rate-limit attacks, troubleshoot errors, and protect users and the Service.
- To improve formulas, product flows, reliability, and user experience using aggregated, minimized, or anonymized data where possible.
8. AI, Algorithms, and Automated Processing
BuddyFood-AI uses formulas, rule-based logic, and AI-assisted systems to calculate nutrition estimates and generate meal-plan content. These outputs are informational wellness tools, not medical advice. We do not use automated processing to make decisions that produce legal effects or similarly significant effects about you, such as employment, credit, insurance, or public-benefit decisions. If an automated output appears wrong or unsafe, contact us and do not rely on it.
9. Payments and Billing
Payments and subscriptions are processed through Stripe or another configured payment processor. We receive payment confirmations, customer/subscription identifiers, billing status, and limited transaction metadata needed to deliver paid features and manage credits. Full card details are handled by the payment processor, not stored by BuddyFood-AI.
10. Marketing, Newsletter, and Unsubscribe
If you subscribe to updates or consent to marketing, we may send nutrition tips, lifecycle emails, product updates, or offers. Every newsletter or marketing email should include an unsubscribe option. You can withdraw marketing consent at any time without affecting transactional emails needed for your account, purchase, security, or legal notices.
13. International Transfers
Some providers may process personal data outside Romania or the European Economic Area. When this happens, we rely on appropriate safeguards required by GDPR, such as adequacy decisions, Standard Contractual Clauses, equivalent contractual protections, and provider security commitments where applicable.
14. Data Retention
- Account, subscription, and plan data are kept while your account is active and for as long as needed to provide the Service, resolve disputes, preserve security, or meet legal obligations.
- Quiz, personalization, and generated plan data are kept while needed for delivery, account history, plan updates, support, audit, and security, unless you request deletion and no legal exception requires retention.
- Payment, invoice, transaction, refund, and accounting data are retained as required by tax, accounting, consumer-protection, chargeback, and legal limitation periods.
- Newsletter data is retained until you unsubscribe or request deletion, except for minimal suppression records needed to respect your opt-out.
- Cookie consent records and security logs are retained for limited periods needed to demonstrate consent, prevent abuse, debug issues, and comply with legal obligations.
- Aggregated or anonymized data that no longer identifies you may be retained for analytics, product improvement, and statistical purposes.
15. Security
We use technical and organizational safeguards such as access restrictions, encrypted connections, private storage where applicable, rate limiting, security monitoring, password/authentication controls, and limited access to production data. No online service can guarantee absolute security, so you should use a strong password, protect your account, and contact us immediately if you suspect unauthorized access.
16. Your GDPR Rights
- Right of access: ask whether we process your personal data and request a copy.
- Right to rectification: ask us to correct inaccurate or incomplete personal data.
- Right to erasure: ask us to delete personal data where GDPR allows deletion.
- Right to restriction: ask us to limit processing in certain situations.
- Right to object: object to processing based on legitimate interests or direct marketing.
- Right to portability: request data you provided in a structured, commonly used, machine-readable format where applicable.
- Right to withdraw consent: withdraw consent at any time, without affecting processing already carried out lawfully before withdrawal.
- Right not to be subject to solely automated decisions with legal or similarly significant effects, where applicable.
17. Supervisory Authority
If you are in Romania or the EEA, you may contact us first so we can try to resolve your request. You also have the right to lodge a complaint with the competent data protection authority. In Romania, this is Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP): www.dataprotection.ro.
18. Children’s Privacy
The Service is intended for adults and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it where required.
19. Changes to This Policy
We may update this Privacy Policy when our Service, providers, legal obligations, or data practices change. The most recent version will be posted on the Service with the updated date. For material changes, we may provide additional notice where required by law.
20. Contact
For privacy requests, account-data questions, deletion requests, consent withdrawal, or concerns about a generated plan, contact us at buddyfood.ai@gmail.com.