Privacy Policy

Effective date: 3 June 2026

Who we are

Mealody is a household meal-planning service operated by MEALODY APP SRL ("Mealody", "we", "us" or "our"), a company incorporated in Romania.

Registered office: Str. Prunului nr. 35, ap. 25, Brașov, județul Brașov, 500024, Romania
Sole registration number (CUI): 54713267
Trade Register number: J2026032593006
Privacy & legal contact: legal@mealody.app
General support: support@mealody.app

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Romanian data-protection law (Law no. 190/2018), MEALODY APP SRL is the data controller of the personal data described in this Privacy Policy.

Mealody is currently provided free of charge. We do not run advertising on the service, we do not sell your personal data, and we do not use your data for interest-based advertising or audience profiling.

What this policy covers

This Privacy Policy explains what personal data we collect when you use the Mealody website and application (together, the "Service"), why we collect it, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have. It applies to the data concerning you and the household members you choose to add to your account.

Please also read our Terms and Conditions, which govern your use of the Service.

The personal data we collect

We collect only the data we need to operate a household meal planner. This falls into the following categories.

1. Account data

When you create an account, authentication and identity management are handled by our processor Clerk. This includes your email address and the account identifiers and credentials needed to sign you in and keep your account secure.

2. Household and member profile data

To generate meal plans, you (the account holder) enter information about your household and the people in it, which may include:

household name and household settings (preferred language, measurement units, country/region/time zone);
for each household member: a name or label, role in the household, age (including the ages of children in the household), and dietary preferences;
allergens to avoid; and
free-text medical or dietary notes you choose to add (for example, an intolerance or a condition relevant to meal planning).

Allergen information and any medical or health-related notes are special categories of personal data ("health data") under Article 9 GDPR. You provide this data voluntarily, and we process it only to generate and display meal plans for your household. See "Health data and special categories" below.

3. Meal plans and grocery lists

The Service generates and stores the meal plans, day plans, individual meals and grocery lists created for your household, so that you can view, regenerate and manage them.

4. Usage and product-analytics data

We use PostHog to understand how the Service is used so we can improve it — for example, which features are used and where users encounter problems. This may include event data, pages or screens viewed, approximate location derived from IP address, device and browser information, and identifiers associated with your session.

5. Diagnostic and error data

We use Sentry to capture technical error reports and diagnostics when something goes wrong, so we can fix bugs and keep the Service reliable. This may include technical information about the error, your device/browser, and limited contextual data.

6. Communications

When we send you transactional or service emails (for example, account or notification emails), these are delivered through Resend. If you contact us at legal@mealody.app or support@mealody.app, we process the contents of your message and your contact details to respond.

We do not collect data from wearables or connected fitness devices, we do not offer social-media login or public community forums, and we do not obtain data about you from data brokers or other third-party sources.

Health data and special categories

Allergens and any medical or dietary notes you enter are health data. Because Mealody is a meal-planning convenience tool and not a medical service, we process this data only on the basis of your explicit consent (Article 9(2)(a) GDPR), which you give by choosing to enter it. You are not required to provide health data to use the Service, but some personalisation will be limited without it.

You can withdraw your consent at any time by removing the relevant notes or allergens in the app, or by deleting the member or your account. Withdrawal does not affect processing carried out before withdrawal.

Important: Mealody does not verify allergen or medical information and does not provide medical, nutritional or dietary-medical advice. Always independently verify ingredients and allergens, and consult a qualified professional for any health condition. See section 7 (Health, nutrition and dietary disclaimer) of our Terms and Conditions.

Children's data

Mealody accounts are for adults. You must be at least 18 years old to create and hold a Mealody account. Children do not create their own accounts and do not interact with the Service directly.

Where a household includes children, it is the adult account holder who enters any data about those children (such as a name or label and age) for the sole purpose of generating appropriate household meal plans. By entering data about a child, you confirm that you are the child's parent or legal guardian, or are otherwise authorised to provide that data, and that you consent to its processing as described here.

Why we process your data, and our legal bases

Purpose	Legal basis (GDPR Article 6 / 9)
Creating and securing your account; authenticating you	Performance of a contract — Art. 6(1)(b)
Generating, storing and displaying meal plans and grocery lists for your household	Performance of a contract — Art. 6(1)(b)
Processing allergens and medical/dietary notes to personalise meal plans	Your explicit consent — Art. 9(2)(a)
Sending service and notification emails	Performance of a contract — Art. 6(1)(b)
Understanding and improving the Service (product analytics)	Our legitimate interests in operating and improving the Service — Art. 6(1)(f)
Detecting, diagnosing and fixing technical errors; keeping the Service secure	Our legitimate interests in a reliable, secure Service — Art. 6(1)(f)
Responding to your enquiries and support requests	Our legitimate interests in supporting users — Art. 6(1)(f)
Complying with legal obligations and responding to lawful requests	Compliance with a legal obligation — Art. 6(1)(c)

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You can object to such processing as described in "Your rights" below.

Service providers and sub-processors

We host the Service and rely on a small number of carefully selected service providers ("processors") who process personal data on our behalf, under contract and on our instructions. We do not sell or rent your personal data, and we do not share it for anyone's marketing purposes.

Processor	Role	Data involved	Location
Clerk (Clerk, Inc.)	Authentication & user identity	Email, account identifiers, sign-in data	United States
Supabase (Supabase, Inc.)	Application database & storage (household, member, meal-plan and grocery-list data)	All account, household, member and content data	European Union
OpenAI (OpenAI, L.L.C.)	AI generation of meal plans from household inputs	Household and member inputs needed to generate a plan (dietary preferences, allergens, ages, notes)	United States
PostHog (PostHog, Inc.)	Product analytics	Usage/event data, device & approximate-location data, session identifiers	European Union (EU Cloud)
Sentry (Functional Software, Inc.)	Error tracking & diagnostics	Technical error and device/context data	United States
Resend (Resend, Inc.)	Transactional email delivery	Email address and message content	United States
Vercel (Vercel, Inc.)	Application hosting, content delivery & infrastructure	Technical data processed in serving the Service (e.g. IP address, request data)	United States / global edge network

We require each processor to provide appropriate safeguards for your data and to process it only as needed to provide their service to us. We may update this list as our infrastructure evolves; the current version is always the one published here.

Note on OpenAI: household and member inputs are sent to OpenAI solely to generate your meal plans. These inputs may include allergens and medical/dietary notes you have chosen to provide. We rely on OpenAI's commitment not to use data submitted via its API to train its models.

International transfers

Your account and meal-planning data is stored in the European Union (Supabase), and product analytics are processed in the EU (PostHog). Several of our other processors are based in, or process data in, the United States and other countries outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure an appropriate transfer mechanism is in place — in particular the European Commission's Standard Contractual Clauses (SCCs), and/or reliance on a valid adequacy decision (such as the EU–U.S. Data Privacy Framework where the provider is certified). You can ask us for more information about the safeguards that apply by emailing legal@mealody.app.

How long we keep your data

We keep your personal data for as long as your account exists and you use the Service. When you delete your account, we delete the personal data associated with it — including your household(s), members, meal plans, day plans, grocery lists, notification records and account settings — and we instruct Clerk to delete your authentication account.

After deletion, residual copies may persist for a limited period in encrypted backups and in our processors' systems before they are overwritten in the ordinary course, and we may retain limited data where we are required to do so by law or to establish, exercise or defend legal claims. De-identified or aggregated analytics data that can no longer be linked to you is not subject to these retention limits.

How to delete your account

You can permanently delete your account and its associated data directly in the app, from your account settings (which calls our account-deletion process). You can also ask us to do this by emailing legal@mealody.app. Deletion removes your households, members, meal plans, grocery lists, notifications and settings, and deletes your Clerk authentication account.

Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage — including encryption in transit, access controls, and the use of reputable infrastructure providers. No method of transmission or storage is completely secure, so we cannot guarantee absolute security; if you believe your account has been compromised, contact us immediately at support@mealody.app.

Your rights

Under the GDPR, you have the following rights in relation to your personal data:

Access — obtain confirmation of whether we process your data, and a copy of it;
Rectification — have inaccurate data corrected and incomplete data completed;
Erasure — have your data deleted ("right to be forgotten");
Restriction — ask us to restrict processing in certain circumstances;
Portability — receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible;
Objection — object to processing based on our legitimate interests;
Withdraw consent — where we rely on your consent (such as for health data), withdraw it at any time, without affecting processing already carried out.

To exercise any of these rights, email legal@mealody.app. We will respond within the time limits set by the GDPR (normally one month). Exercising these rights is free of charge, save in the exceptional cases the GDPR permits.

Right to complain to the supervisory authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Romanian Data Protection Authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — B-dul G-ral Gheorghe Magheru nr. 28–30, Sector 1, București, 010336, Romania. Email: anspdcp@dataprotection.ro · Web: www.dataprotection.ro

If you are in another EEA country, you may also complain to your local supervisory authority. We would, however, appreciate the chance to address your concerns first — please contact us at legal@mealody.app.

Cookies and similar technologies

We use only the cookies and local storage necessary to run the Service and understand its use:

Strictly necessary — used by Clerk to keep you signed in and to secure your session;
Analytics — used by PostHog to measure and improve how the Service is used.

We do not use advertising cookies and we do not use cookies to build advertising profiles or to track you across other websites.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time — for example, when we add features or change a service provider. When we do, we will revise the "Effective date" above and, where the change is significant, take reasonable steps to notify you. Your continued use of the Service after an update means you have read the updated policy.

When we introduce paid plans, we will update this policy to describe any payment-related processing before that processing begins.

Contact us

For any question about this Privacy Policy or your personal data, contact MEALODY APP SRL, Str. Prunului nr. 35, ap. 25, Brașov, județul Brașov, 500024, Romania. Privacy & legal: legal@mealody.app · Support: support@mealody.app