MealFit Privacy Policy
Last updated: March 9, 2026
1. Who we are
MealFit is a mobile application for meal planning and nutritional tracking, available for iOS and Android.
Data Controller:
MealFit (di Marco Bevilacqua)
21052 Busto Arsizio (VA)
Italy
Privacy email: privacy@mealfitapp.com
Support email: support@mealfitapp.com
Under Regulation (EU) 2016/679 (GDPR), MealFit serves as the data controller for your personal data, meaning MealFit determines the purposes and means of data processing and is responsible for ensuring compliance with applicable data protection legislation.
2. What data we collect
MealFit collects several categories of data to provide a personalized service experience. The following is a comprehensive overview of the data collected.
2.1 Account data
Upon registration, MealFit collects the following information:
• Email address — to create and manage your account, and to facilitate communication
• Display name — to personalize the user experience and to identify you in shared plans
• Password — stored in hashed form; MealFit does not access passwords in plain text
• Language preference — to display the app in your preferred language
2.2 Physical and health-related data
This category of data is subject to enhanced legal protections under the GDPR. To calculate your personalized nutritional needs, MealFit collects data that the GDPR classifies as health-related data (Article 9). The processing of this data requires your explicit consent, which is requested separately during registration.
MealFit collects the following health-related information:
• Biological sex — used in the basal metabolic rate calculation formula
• Birth year / age — required for basal metabolic rate calculation
• Body weight (kg) — to calculate caloric needs and monitor progress
• Height (cm) — required for basal metabolic rate calculation
• Weight history — historical weight data to enable progress monitoring
• Lifestyle type (sedentary, active, athlete) — to estimate daily energy expenditure
• Dietary goal (lose weight, build muscle, maintain) — to adjust nutritional targets
• Calculated nutritional targets — daily calories, protein, carbohydrates, and fats, derived using the Mifflin-St Jeor formula
• Preferred meal types — breakfast, lunch, dinner, snack
This data is classified as health-related under European law because the combination of body measurements, weight history, and dietary goals reveals information about your physical health and wellness objectives. Accordingly, MealFit implements enhanced protective measures for this category of data.
2.3 Content you create
While using the app, you may create the following content:
• Personal recipes — name, ingredients, nutritional values
• Recipe images — photographs you upload for your recipes
• Weekly meal plans — your meal planning records
• Custom portions — ingredient quantities adjusted to your goals
• Shopping list — automatically generated from your plans
• Favorite recipes — recipes you bookmark
2.4 Subscription data
If you subscribe to Premium, MealFit records the following information:
• Subscription status — active, cancelled, or expired
• Tier — free or Premium
• Dates — commencement, expiry, and cancellation dates if applicable
• Payment provider — Apple or Google
MealFit does not collect, process, or store credit card data or other financial information. Payment processing is handled entirely by Apple (App Store) or Google (Play Store) through the RevenueCat service.
2.5 Technical data
• Device language — automatically detected upon first launch
• Authentication tokens — securely stored on your device to maintain your session
• Authentication logs — sign-in events managed by MealFit's infrastructure (Supabase)
2.6 Data MealFit does not collect
MealFit explicitly does not collect, process, or store the following:
• Location data
• Browsing history
• Advertising data
In addition:
• MealFit does not use tracking cookies within the app
• MealFit does not sell personal data to third parties
• MealFit does not use personal data to train artificial intelligence models
• MealFit does not display advertising within the app
3. Why we process your data and on what legal basis
The GDPR requires that every data processing activity be supported by a specific legal basis. The following table outlines the legal bases applicable to each processing activity conducted by MealFit:
| Processing activity | Legal basis | GDPR reference |
|---|---|---|
| Account creation and management (email, name) | Contract performance | Art. 6(1)(b) |
| Physical and health-related data (weight, height, sex, age, goals) | Explicit consent | Art. 9(2)(a) |
| Weight tracking over time | Explicit consent | Art. 9(2)(a) |
| Nutritional target calculation | Explicit consent | Art. 9(2)(a) |
| Recipe creation and management | Contract performance | Art. 6(1)(b) |
| Meal planning | Contract performance | Art. 6(1)(b) |
| Shopping list generation | Contract performance | Art. 6(1)(b) |
| Subscription management | Contract performance | Art. 6(1)(b) |
| Family plan sharing | Contract performance + Legitimate interest | Art. 6(1)(b) + (f) |
| Subscription record storage for 36 months | Legal obligation (fiscal) | Art. 6(1)(c) |
| Security and authentication logging | Legitimate interest | Art. 6(1)(f) |
| Marketing communications (if consented) | Consent | Art. 6(1)(a) |
4. Health-related data: special provisions
Given that your physical and dietary data qualifies as "health-related data" under GDPR Article 9, MealFit provides the following transparency regarding its processing.
Consent requirement. The processing of health-related data is predicated upon your explicit and separate consent, obtained during registration. This consent is distinct from acceptance of the Terms of Service and the general Privacy Policy.
Withdrawal of consent. You may withdraw your consent to the processing of health-related data at any time. However, because this data is essential to the core functionality of the service (calculating nutritional needs and personalizing portions), withdrawal of consent will require deletion of your account and all associated data. You may initiate account deletion directly from the app under Settings.
Restrictions on use of health-related data. Your health-related data is subject to the following restrictions:
• MealFit does not share health-related data with third parties for marketing purposes
• MealFit does not use health-related data for commercial profiling
• MealFit does not sell health-related data under any circumstances
• Health-related data is not visible to other users. In shared plans, other members may only view your display name and recipe portions; your physical data remains private
5. Who we share your data with
MealFit does not sell your data. Data is shared only with service providers necessary for the operation of the app.
5.1 Family plan members
If you participate in a shared plan with family members, those members may view:
• Your display name
• Recipe portions assigned to you
• Meals planned for you
Family plan members do not have access to your physical data, including weight, height, goals, and nutritional targets.
5.2 Service providers (Data Processors)
| Provider | Location | Purpose | Data processed |
|---|---|---|---|
| Supabase Inc. | USA (hosting in EU — Frankfurt) | Database, authentication, file storage | All account and content data |
| RevenueCat Inc. | USA | Subscription and in-app purchase management | User ID, subscription status |
| Apple Inc. | USA | Payment processing (iOS) | Payment data (handled directly by Apple) |
| Google LLC | USA | Payment processing (Android) | Payment data (handled directly by Google) |
| Expo / Software Mansion | USA / Poland | App update delivery | No personal data |
MealFit has executed data processing agreements (DPAs) with each service provider to ensure that personal data is protected in accordance with GDPR requirements.
5.3 Restricted sharing
MealFit does not share, sell, or transfer personal data to third parties for marketing, advertising, or profiling purposes.
6. International data transfers
Your database is hosted on Supabase servers located in the European Union (Frankfurt, Germany). Personal data remains physically within the European Union.
However, certain service providers are based in the United States (RevenueCat, Apple, Google). For data transfers to these entities, MealFit relies upon:
• EU-US Data Privacy Framework — the transatlantic data protection mechanism approved by the European Commission
• Standard Contractual Clauses (SCCs) — contract terms approved by the European Commission that ensure an adequate level of data protection
You may request a copy of the Standard Contractual Clauses by contacting privacy@mealfitapp.com.
7. How long we keep your data
MealFit retains personal data only for as long as necessary. The following table specifies the retention period for each data category:
| Data category | Retention period | Reason |
|---|---|---|
| User profile (email, name, physical data, goals) | Duration of account | Required for the service |
| Weight history | 24 months from recording | Progress monitoring |
| Weekly plans and meals | 6 months from plan date | Planning history |
| Shopping list | Linked to associated plan (max 6 months) | Generated from plan |
| Personal recipes | Duration of account | User-created content |
| Custom portions | Linked to associated recipe | Service personalization |
| Favorite recipes | Duration of account | User preferences |
| Plan invitations (pending) | 30 days | Invitation management |
| Plan invitations (completed/expired) | 90 days | Traceability |
| Subscription data | 36 months after expiry/cancellation | Fiscal and legal obligations |
| Recipe images | Linked to associated recipe | User content |
| Session tokens | Duration of session (deleted on logout) | Authentication |
| Authentication logs | 90 days | Security |
Upon account deletion, all personal data is deleted immediately, with the exception of subscription data, which is retained for 36 months to satisfy fiscal and legal requirements.
8. Your rights
The GDPR grants you significant rights regarding your personal data. MealFit recognizes these rights and has implemented features within the app to facilitate their exercise.
8.1 Right of access (Art. 15)
You have the right to access all personal data held by MealFit. You may export your data at any time from the app under Settings > Export my data. The export is provided in JSON format and contains all your personal information.
8.2 Right to rectification (Art. 16)
You may correct inaccurate personal data directly through the app by editing your profile and goals.
8.3 Right to erasure / Right to be forgotten (Art. 17)
You may delete your account and all associated personal data at any time from the app under Settings > Delete account. Deletion is immediate and irreversible.
8.4 Right to restriction of processing (Art. 18)
Under certain circumstances, you may request that MealFit restrict the processing of your personal data. To exercise this right, contact privacy@mealfitapp.com.
8.5 Right to data portability (Art. 20)
You may export your data in a structured, machine-readable JSON format using the export feature available in the app.
8.6 Right to object (Art. 21)
You may object to the processing of your data based on legitimate interest. You may also revoke your consent to marketing communications at any time from the app (Settings > Privacy).
8.7 Right to withdraw consent (Art. 7(3))
You may withdraw your consent to the processing of health-related data at any time. As explained in section 4, withdrawal of consent will require deletion of your account, as this data is essential to the service.
8.8 Right to lodge a complaint (Art. 77)
If you believe that MealFit's processing of your personal data violates applicable regulations, you have the right to lodge a complaint with the competent data protection authority:
Garante per la Protezione dei Dati Personali (Italian Data Protection Authority)
Piazza Venezia 11 — 00187 Rome, Italy
www.garanteprivacy.it
email: protocollo@gpdp.it
If you reside in another EU Member State, you may contact the data protection authority of your country.
How to exercise your rights
You may exercise your rights through any of the following methods:
• Utilize the built-in features in the app (export, profile editing, account deletion)
• Submit a request in writing to privacy@mealfitapp.com
MealFit will respond to all requests within 30 days, as required by the GDPR. For particularly complex requests, MealFit may extend this period to 60 days, with advance notification.
9. Children's privacy
MealFit is intended for users aged 16 and over. MealFit does not knowingly collect personal data from individuals under this age.
If you are a parent or guardian and become aware that a minor has created an account without your consent, contact privacy@mealfitapp.com and MealFit will immediately delete the account and all associated data.
Regarding shared family plans: all plan members must maintain their own account and must meet the minimum age requirement. It is not possible to create profiles on behalf of minors.
10. Data security
MealFit implements appropriate technical and organizational measures to protect personal data:
• Encryption in transit — all communications between the app and MealFit's servers use HTTPS (TLS 1.2 or higher)
• Encryption at rest — data stored in the database is encrypted
• Data isolation — Row Level Security (RLS) policies ensure that each user can access only their own data
• Secure token storage — authentication tokens are securely stored on your device using Secure Store
• Absence of financial data — MealFit does not store credit card data or payment information
• Password protection — passwords are stored in hashed form and are never stored in plain text
In the event of a data breach that poses a risk to your rights and freedoms, MealFit will notify you without undue delay and will notify the competent supervisory authority within 72 hours, as required by GDPR Articles 33 and 34.
11. Automated decision-making
MealFit uses an algorithm (the Mifflin-St Jeor formula) to calculate your daily nutritional needs based on physical data you provide. MealFit provides the following transparency regarding this automated processing:
• The calculation does not produce legal effects concerning you, nor does it similarly significantly affect you
• You may manually override the calculated targets at any time
• The results are estimates based on standard scientific formulas and do not constitute medical diagnoses or prescriptions
12. On-device storage
The MealFit app utilizes your device's storage exclusively for purposes necessary for service delivery:
• Authentication tokens — to maintain your session (Secure Store)
• Image cache — to optimize recipe image loading
• Temporary files — for export features (automatically deleted upon completion)
MealFit does not use cookies, tracking pixels, or similar technologies within the app. All information stored on your device is necessary for the requested service and is therefore exempt from the consent requirement under the ePrivacy Directive.
13. Changes to this policy
MealFit may update this policy periodically to reflect changes to the service or to applicable legislation. For material changes:
• MealFit will provide notification within the app
• MealFit will provide email notification for significant changes
• For health-related data, substantial changes to processing methods will require new explicit consent
Continued use of the app following notification of policy changes constitutes acceptance of the updated policy.
14. Contact us
For privacy inquiries or to exercise your rights:
Privacy email: privacy@mealfitapp.com
Support email: support@mealfitapp.com
Website: https://www.mealfitapp.com
MealFit is committed to responding to all requests within 30 days.
15. Applicable law
This privacy policy is governed by Regulation (EU) 2016/679 (GDPR), Italian Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018, and all other applicable Italian and European data protection legislation.