Privacy Policy

Last updated: March 7, 2026

Your privacy is important to us. This policy explains how we collect, use, and protect your personal information.

1. Information We Collect

Account Information

  • Email address
  • Name and profile information
  • Height, weight, age, gender (for nutrition calculations)
  • Dietary preferences and restrictions

Usage Data

  • Meal logs and nutrition tracking data
  • Receipt images and barcode scans
  • Food items in your pantry
  • Nutrition tracking history
  • Accuracy calibration data
  • Device information and app usage patterns

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers. Stripe's privacy policy applies to payment data.

2. How We Use Your Information

  • Provide the Service: Process meal logs, calculate nutrition, run reconciliation algorithms
  • Improve Accuracy: Use your calibration data to improve personal model accuracy
  • Improve Predictions: Your meal corrections help improve the accuracy of future predictions
  • Communication: Send service updates, weekly reports, and support responses
  • Analytics: Understand usage patterns to improve the product
  • Legal Compliance: Comply with applicable laws and regulations

3. Data Sharing

We do not sell your personal information.

We share data only in these limited circumstances:

  • Household Members: Other members in your household can see shared meals and household statistics
  • Service Providers: We work with trusted third-party service providers who help us operate the Service:
    • Stripe - Payment processing
    • Vercel - Website hosting and CDN
    • Railway - Backend infrastructure and database hosting
    • Mistral - Receipt OCR processing and email receipt parsing
    • AWS S3 - Storage for receipt scans and pantry data (EU region)
    • Google Analytics - Usage analytics (with your consent)
    • Microsoft Clarity - Behavior analytics (with your consent)
    • Meta (Facebook) - Advertising analytics (with your consent)
    • Intercom - Customer support chat (with your consent)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfer: If we merge or sell the company, your data may transfer to the new entity

4. Personal Accuracy Calibration

Your meal corrections and pantry tracking data are used to calibrate prediction accuracy for your account. This data:

  • Stays on your account to improve your predictions through physics-based reconciliation
  • Is not shared with other users or used for any external purposes
  • Can be exported or deleted anytime via Settings
  • Receipt images are stored for 30 days then automatically deleted for privacy

5. Data Storage and Security

We take data security seriously:

  • Data is encrypted in transit (TLS) and at rest (AES-256)
  • Stored on secure servers in the EU (GDPR compliant)
  • Access is restricted to authorized personnel only
  • Regular security audits and penetration testing
  • Two-factor authentication (2FA) for web dashboard access

6. Data Retention

  • Active Accounts: Data retained while your account is active
  • Canceled Subscriptions: If you cancel your subscription (but don't delete your account), we retain your data for 90 days after subscription ends. You can re-subscribe within 90 days to restore full access to all your data.
  • Deleted Accounts: If you delete your account (Settings → Account → Delete Account), you get a 30-day grace period to cancel deletion. After 30 days, personal data is permanently deleted per GDPR. If you re-register within 30 days, your account is automatically restored with all data intact.
  • Trial Abuse Prevention: To prevent abuse of our free trial, we store a hashed version of your email address for 2 years. This hash cannot be reversed to identify you. After 2 years, or when you request account deletion, this hash is automatically deleted. You can re-register at any time, but may not be eligible for an additional free trial.
  • Financial Records: Payment information (Stripe customer IDs) retained for 7 years to comply with UK tax law. This data cannot be deleted even upon account deletion request (legal obligation under GDPR Article 17(3)(e)).
  • Legal Requirements: Some data retained longer if required by law

7. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Delete your account and data
  • Portability: Export your data
  • Objection: Opt out of anonymized usage analytics
  • Restriction: Limit data processing

8. Cookies and Tracking

We use cookies and similar tracking technologies to provide and improve our Service. You can manage your cookie preferences at any time.

Cookie Categories

Necessary Cookies (Always Active)

Required for the website to function. These cannot be disabled.

  • Cookie consent preferences (eatomate_consent_v1) - 180 days
  • Authentication token (auth-token) - 30 days
  • Refresh token (refresh-token) - 90 days
  • Invite session (invite_session) - 15 minutes (temporary, used only during household invitations)
  • Security features and CSRF protection

Analytics Cookies (Requires Consent)

Help us understand how visitors interact with our website.

  • Google Analytics (_ga, _gid, _gat)
  • Microsoft Clarity (_clck, _clsk)
  • Duration: Up to 2 years

Marketing Cookies (Requires Consent)

Used to track visitors across websites for advertising purposes.

  • Meta Pixel (_fbp, _fbc)
  • Duration: Up to 90 days

Functional Cookies (Requires Consent)

Enable enhanced functionality like live chat support.

  • Intercom (intercom-*)
  • Duration: Up to 1 year

Manage Your Preferences: You can change your cookie preferences at any time by clicking the "Cookie Settings" link in the footer or by visiting your browser settings.

9. Children's Privacy

Eatomate can be used by families with children. For household accounts where children under 18 use the Service:

  • A parent or guardian must create and manage the household account
  • Parents/guardians are responsible for meal logging for children's meals
  • Children's meal data is associated with the household account, not individual child profiles
  • All data protection measures apply equally to children's meal data

If you believe we have collected data from a child without proper parental consent, contact us immediately for deletion.

10. International Transfers

Your data is stored and processed exclusively within the European Union. All services run on EU servers:

  • Railway: Backend infrastructure and database (EU region)
  • AWS S3: Receipt and data storage (eu-north-1 region)
  • Mistral: Receipt OCR processing (EU servers)

We do not transfer your personal data outside the European Union. All processing remains within EU jurisdiction for full GDPR compliance.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notification. Continued use after changes constitutes acceptance.

12. Contact Us

For privacy questions or to exercise your rights:

Data Protection Officer

dpo@eatomate.co.uk

Registered Address

71-75 Shelton Street
Covent Garden
London, WC2H 9JQ
United Kingdom