Preppy — Privacy Policy

Last updated: 2026-04-28 Version: 1.0 (pre-launch)

Plain-English summary. Preppy is a meal-planning app. We collect the information you give us (your email, dietary preferences, recipes, meal plans) plus a small amount of technical data to keep the service working. If you choose to connect Google Fit, we process your fitness and nutrition data too — but only with your consent, and you can disconnect at any time. We don't sell your data. We store it on trusted providers (Supabase, Cloudflare, Vercel) and use AI providers (OpenAI, Anthropic, Google Gemini) to power recipe parsing and meal suggestions. You have the right to access, export, correct, and delete your data, and to complain to a data protection authority. Preppy is not a medical service — nothing we produce is medical or nutritional advice.

1. Who we are (the controller)

Preppy is a service operated by a sole proprietor based in Belgium. Formal company registration (e.g. a Belgian BV / SRL) is pending and the operator details below will be updated here when complete.

Operator: Sole proprietor based in Belgium. The full legal name and registered postal address will be published here once Belgian KBO/BCE registration is finalised. In the meantime, the operator's identity and contact address are available on request via privacy@trypreppy.com.
Company number (KBO/BCE): To be assigned upon registration.
VAT: Not yet VAT-registered (operating below the Belgian small-business threshold pre-launch). Will be assigned and published here upon registration.
General contact: contact@trypreppy.com
Privacy contact / data-subject requests: privacy@trypreppy.com
DPO: We have not appointed a Data Protection Officer because, at the scale of our current processing, Article 37 GDPR does not require one. We will reassess if our processing of health data becomes large-scale or systematic.

The controller is established in the EEA (Belgium). No Article 27 EU representative is required.

For users in the UK accessing the Service: a UK GDPR Article 27 representative has not been appointed at the pre-launch stage. We will appoint one if and when our processing of UK-resident personal data becomes substantial.

This Privacy Policy applies to the Preppy web application at trypreppy.com and the API at api.trypreppy.com, together the Service.

2. Scope

This policy covers personal data we process as a controller — data you provide to use Preppy as an individual consumer.

When a business customer uses Preppy under a B2B agreement (for example, a corporate wellness program), we may process personal data of that customer's end-users as a processor under a separate Data Processing Agreement. Business customers can request our DPA via legal@trypreppy.com.

3. Categories of personal data we process

We group the data we process by purpose. For each category, we list below the lawful basis (Section 4), the retention period (Section 8), and which sub-processors touch it (Section 10).

3.1 Account data

Email address
Name (optional)
Hashed password (if email/password sign-up) or OAuth subject identifier (if Google sign-in)
Account creation and last-login timestamps
Email verification status

3.2 Profile and preferences

Dietary preferences (e.g. vegetarian, halal)
Allergens and intolerances
"Ick list" / disliked ingredients
Cuisine preferences, spice level, meal size
Cooking skill and kitchen equipment
Household size and optional household-member profiles (name, relationship, age, height, weight, gender, activity level, dietary needs) — only if you choose to add them
Locale / language and time zone

3.3 Health and nutrition data (special category — see Section 6)

Optional nutrition profile: age, height, weight, gender, activity level, calorie target, macronutrient targets
Meal-skipping and fasting windows
Meal plans, meal history (cooked/skipped/swapped), and aggregated nutrition snapshots
If you connect Google Fit: step counts, weight readings, and/or nutrition entries you authorize

3.4 User-generated content

Recipes you import, paste, or create
Shopping lists and pantry items
Notes, ratings, favorites, recurring meal rules

3.5 Technical and usage data

IP address (truncated where feasible), user-agent, device/browser type
Pages viewed, feature events, error traces
Cookie and local-storage identifiers (see our Cookie Policy)

3.6 Communications

Support messages you send us and our replies
Emails we send you (transactional and, if you opt in, product updates) and delivery/open metadata from our email provider

4. Why we process your data and on which lawful basis

Under Articles 6 and 9 GDPR we rely on the following lawful bases. For each purpose we identify the basis, the data involved, and (where relevant) our legitimate interests assessment.

#	Purpose	Data involved	Lawful basis
1	Create and secure your account; authenticate you	3.1	Contract (Art. 6(1)(b))
2	Deliver core features: meal planning, recipe management, shopping lists, pantry, stats	3.2, 3.4	Contract (Art. 6(1)(b))
3	Process your optional nutrition profile and generate nutrition recommendations	3.3 (non-health subset)	Contract (Art. 6(1)(b)) where strictly needed to deliver a feature you requested; otherwise Consent (Art. 6(1)(a))
4	Process health data from Google Fit or that you explicitly enter as health data	3.3 (health subset)	Explicit consent (Art. 9(2)(a)) + Art. 6(1)(a)
5	Send transactional emails (verification, password reset, important service notices)	3.1, 3.6	Contract (Art. 6(1)(b))
6	Send product updates / newsletters	3.1	Consent (Art. 6(1)(a)); you can unsubscribe any time
7	Product analytics (PostHog) to understand how features are used	3.5 (pseudonymous)	Consent (Art. 6(1)(a)) — only after you accept analytics cookies
8	Error tracking and reliability monitoring (Sentry, Axiom logs)	3.5	Legitimate interest (Art. 6(1)(f)): operating a stable, secure service. Balancing test: minimal identifiability; IPs truncated where feasible; no special-category data in error traces
9	Abuse prevention, rate-limiting, fraud detection	3.1, 3.5	Legitimate interest (Art. 6(1)(f))
10	Respond to support requests	3.6	Legitimate interest (Art. 6(1)(f)) / Contract
11	Comply with legal obligations (tax, accounting, lawful requests)	as needed	Legal obligation (Art. 6(1)(c))
12	Establish, exercise or defend legal claims	as needed	Legitimate interest (Art. 6(1)(f))
13	Train, evaluate or improve LLM prompts using aggregated, de-identified data	aggregated only	Legitimate interest (Art. 6(1)(f)); we do not send personal data to model providers for training

We do not make solely automated decisions that produce legal or similarly significant effects on you (Art. 22 GDPR). Meal suggestions are advisory; you always choose what to cook.

5. Cookies, analytics, and local storage

See the standalone Cookie Policy. Summary:

Strictly necessary cookies: authentication session, CSRF, cookie-consent record.
Analytics cookies (PostHog): only set after you opt in via the banner.
Preference storage (localStorage/IndexedDB via Dexie): theme, draft meal plans, offline caches. This stays on your device.

You can withdraw analytics consent at any time from the cookie banner or your browser settings. Withdrawal has no effect on past lawful processing.

6. Special-category data (health)

Nutrition, weight, activity, fasting windows and Google Fit data are "data concerning health" under Article 4(15) GDPR and are special-category data under Article 9.

We process these only on the basis of your explicit consent (Art. 9(2)(a)).
You can withdraw consent at any time in Settings → Privacy, which will disconnect the integration and delete or anonymise related records on the schedule described in Section 8.
We never process these categories to infer medical conditions, profile you, or make automated decisions that affect your rights.
We are not a healthcare provider, and we are not covered by HIPAA (we have not self-certified) or any FDA medical-device regime. See the Terms of Service for the full medical disclaimer.

7. Who we share data with (sub-processors and third parties)

We do not sell personal data.

We share data with carefully selected sub-processors who process data on our behalf under a written data-processing agreement. The current list is published at /sub-processors and summarised here.

Sub-processor	Purpose	Data categories	Primary hosting region	DPA / safeguard
Supabase, Inc.	Database, authentication	3.1 – 3.4	EU (`eu-west-2`, London) — corporate entity US	SCCs Module 2 + DPA
Cloudflare, Inc.	CDN, edge workers (API)	3.5 and any data transiting requests	Global (edge)	SCCs + UK Addendum + DPA
Vercel, Inc.	Web hosting	3.5 and data transiting requests	US	SCCs Module 2 + DPA
PostHog, Inc.	Product analytics (after consent)	3.5	US (decision: stay US for now; EU Cloud migration revisited at first paying customer)	SCCs + DPA
Sentry (Functional Software, Inc.)	Error monitoring	3.5	US / EU	SCCs + DPA
Axiom, Inc.	Log storage	3.5	US	SCCs; DPA via trust.axiom.co or `support@axiom.co` (no public URL)
Resend, Inc.	Transactional + marketing email	3.1, 3.6	US	SCCs + DPA
OpenAI, L.L.C.	LLM for recipe parsing, shopping-list normalisation, meal scheduling	Recipe text and meal-plan context; no account identifiers beyond a pseudonymous request ID	US	SCCs + API DPA at `openai.com/policies/data-processing-addendum/` (opt-in via OpenAI platform). We use the API (not consumer ChatGPT). OpenAI does not train on API data by default.
Anthropic, PBC	LLM fallback	Same as OpenAI	US	SCCs; DPA via Anthropic commercial sales / `usersafety@anthropic.com` (no public URL)
Google LLC (Gemini / Google AI Studio)	LLM (primary per stack)	Same as OpenAI	US	SCCs + Google Cloud DPA
Google LLC (Google Fit OAuth)	Health data source (optional)	3.3 health subset, only if you connect	US	Google API terms; your explicit OAuth consent; same Google Cloud DPA
Edamam, Inc.	Recipe and food-database search	Search query text	US	SCCs; DPA via Edamam support (no public URL)
USDA FoodData Central	Nutrition reference data	Food-name queries only	US	Public API; no personal data sent
Kroger	Grocery pricing (US)	Product queries and ZIP code if supplied	US	Kroger API terms; no public DPA

Other recipients in limited circumstances:

Professional advisors (auditors, lawyers, insurers) under confidentiality.
Authorities where required by law or to protect our rights (Art. 6(1)(c) or (f)).
A buyer or successor in the event of a merger, sale or restructuring, subject to the same protections.

We notify users 30 days before adding a new sub-processor — see our public sub-processor register.

8. How long we keep data (retention schedule)

Category	Retention
Account data	While the account is active. Deleted within 30 days of account deletion (soft delete) and purged within 90 days from backups.
Profile & preferences	Same as account.
Health data (Section 3.3)	Default 365 days rolling window, configurable in Settings. Deleted within 30 days after integration is disconnected.
Meal plans, recipes, shopping lists	While the account is active; you can delete earlier in-app.
Support messages	3 years from last correspondence.
Billing / invoicing records	7 years from the end of the relevant tax year (Belgian accounting law, Art. III.86 CDE).
Analytics events (PostHog)	12 months from collection.
Error logs (Sentry, Axiom)	90 days.
Cookie-consent records	12 months or until you withdraw.
Backups	Rolling 35 days then overwritten.

After retention, data is deleted or irreversibly anonymised.

9. International transfers

Most sub-processors are established in the United States. We rely on one or more of the following safeguards for transfers of personal data outside the EEA / UK:

EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision of 10 July 2023), where the sub-processor is self-certified.
Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module 2 (Controller → Processor) or Module 3 (Processor → Processor) as applicable, plus the UK International Data Transfer Addendum for UK transfers.
Supplementary measures where appropriate: encryption in transit (TLS 1.2+) and at rest, access controls, and contractual commitments to challenge disproportionate government requests.

You may request a copy of the safeguards in place for a specific transfer at [privacy@trypreppy.com].

10. Record of processing (Art. 30 summary)

We maintain a Record of Processing Activities under Article 30 GDPR. On request, we will share a suitable summary with competent supervisory authorities. High-level contents:

Controller: Preppy (sole proprietor based in Belgium — operator details available on request, see Section 1).
Purposes: as in Section 4.
Categories of data subjects: registered users and, if applicable, their household members.
Categories of data: as in Section 3.
Recipients: sub-processors listed in Section 7.
Transfers: as in Section 9.
Retention: as in Section 8.
Security measures: see Section 12.

11. Your rights

You have the following rights in respect of your personal data. We will respond within one month (extendable by two months for complex requests, Art. 12(3)).

Right	What it means	How to use it
Access (Art. 15)	Get confirmation we process your data and a copy.	In-app Export in Settings, or email `[privacy@trypreppy.com]`.
Rectification (Art. 16)	Correct inaccurate or incomplete data.	Edit your profile in Settings or contact us.
Erasure / "right to be forgotten" (Art. 17)	Delete your data where the legal tests are met.	In-app Delete account, or email us.
Restriction (Art. 18)	Temporarily halt processing while a dispute is resolved.	Email us.
Data portability (Art. 20)	Receive your data in a structured, machine-readable format (JSON) and/or transmit it to another controller.	Settings → Export.
Object (Art. 21)	Object to processing based on legitimate interests or direct marketing.	Unsubscribe link in emails; email us for other processing.
Withdraw consent (Art. 7(3))	Withdraw any consent at any time, without affecting the lawfulness of past processing.	Cookie banner; disconnect integrations in Settings.
Not be subject to automated decisions (Art. 22)	We do not carry out such decisions.	—

We verify requests reasonably (normally by confirming you control the account email) and do not charge a fee unless requests are manifestly unfounded or excessive.

Right to complain to a supervisory authority

If you believe our processing infringes data-protection law, you have the right to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or the alleged infringement (Art. 77 GDPR).

Belgium (our lead authority): Gegevensbeschermingsautoriteit / Autorité de protection des données, Drukpersstraat 35, 1000 Brussels — https://www.dataprotectionauthority.be
UK: Information Commissioner's Office — https://ico.org.uk
Other EU Member States: https://edpb.europa.eu/about-edpb/about-edpb/members_en

US / California rights

For California residents, we honor rights under the CCPA/CPRA equivalent to access, deletion, correction, and the right to opt out of "sharing" (we do not "sell" or "share" in the statutory sense). Contact [privacy@trypreppy.com]. We do not knowingly collect personal data from California minors under 16 without affirmative authorisation.

Canada (PIPEDA) and UK

We honor access, correction and withdrawal-of-consent rights equivalent to those above for users in Canada and the United Kingdom.

12. Security

We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR), including:

Encryption in transit (TLS 1.2+) and at rest for primary data stores.
Role-based access control; principle of least privilege for staff.
Separate environments for development, staging and production.
Secrets management; no secrets in source control.
Audit logs for access to production data.
Vendor due diligence on sub-processors.
Regular dependency updates and vulnerability monitoring.
Backups with restore testing.

We have not (yet) obtained ISO 27001, SOC 2, or HIPAA attestation. If this changes, we will update this policy.

13. Breach notification (Art. 33/34)

If a personal-data breach occurs and is likely to result in a risk to your rights and freedoms, we will:

Notify the competent supervisory authority within 72 hours of becoming aware (Art. 33).
Notify affected users without undue delay where the breach is likely to result in a high risk (Art. 34), by email to the address on file.

14. Minors

Preppy is not directed to children. You must be at least:

16 years old in the EEA, UK and Switzerland (default GDPR-K age), or
13 years old in the United States and other jurisdictions where a lower age applies.

We do not knowingly collect personal data from users below these ages. If you believe a child has provided us with personal data, please contact [privacy@trypreppy.com] and we will delete it.

We do not currently verify age beyond a self-declared checkbox at sign-up, because we do not collect date of birth.

15. Changes to this policy

We may update this policy. Material changes will be announced in-app and by email at least 14 days before they take effect, except where immediate changes are required by law. The "Last updated" date at the top always reflects the current version. An archive of prior versions is available on request.

16. Contact

Privacy / data-subject requests: privacy@trypreppy.com
General: contact@trypreppy.com
Postal: Available on request via privacy@trypreppy.com (registered postal address pending Belgian KBO/BCE registration; see Section 1).

This privacy policy is published in plain English for the pre-launch phase of Preppy. We will engage qualified Belgian/EU privacy counsel to review it before our public launch.