Privacy Policy
Last updated: 2026-05-08
This Privacy Policy explains how [LEGAL ENTITY NAME], registered seat at [REGISTERED ADDRESS], Greece, GEMI no. [GEMI NUMBER], VAT no. [VAT NUMBER] ("DietPlan", "we", "us") collects, uses, shares and protects your personal data when you use the DietPlan website, applications and related services (the "Service").
We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), Greek Law 4624/2019 implementing the GDPR, the ePrivacy provisions of Law 3471/2006 and any other applicable EU and Greek data-protection law.
1. Controller and contact details
DietPlan is the controller of the personal data described in this Policy (Article 4(7) GDPR), unless stated otherwise.
- Postal address: [REGISTERED ADDRESS], Greece
- Privacy contact: privacy@dietplan.example
- Data Protection Officer (DPO): [DPO NAME / CONTACT EMAIL] (appointed where Article 37 GDPR requires it)
- EU representative: not applicable — we are established in the European Union (Article 27 GDPR).
2. Roles in the dietitian-client relationship
DietPlan is a multi-tenant platform that connects independent Dietitians with their Clients. As a rule:
- The Dietitian is an independent controller for the professional dietary file they keep about their Client (meal plan content, professional notes, advice). They determine the purposes and means of that processing in their professional capacity.
- DietPlan is an independent controller for the operation, security, abuse prevention, and improvement of the Service, and for direct relationships with each user (account, authentication, billing, support, mandatory security and accounting records).
- Where required, DietPlan and a Dietitian may enter into a separate Article 28 GDPR data-processing agreement (DPA) or Article 26 GDPR joint-controller arrangement.
3. Categories of personal data we process
- Account & identification data: full name, email address, role (Dietitian / Client), preferred language (el / en), timezone, account creation / activation / archive timestamps.
- Authentication data: magic-link tokens, OAuth identifiers from Google where you choose to sign in with Google, IP address and user-agent at sign-in (kept by our auth provider for security).
- Health-related data (special category — Article 9 GDPR): meal-plan items assigned to a Client, ticks (eaten / partial / skipped), per-meal and per-item notes, optional meal photos, weight measurements over time, derived compliance metrics.
- Client-roster data (entered by the Dietitian): Client name, email, status, archive flag.
- Communications: emails you send to support, transactional email delivery metadata.
- Technical and operational data: error logs (Sentry), service logs, security events (e.g. failed sign-ins, abuse signals), audit timestamps.
- Cookies and similar technologies: see section 11.
4. Special-category (health) data
Meal-tracking data, meal photos, weight logs and dietary plans are likely to qualify as data "concerning health" under Article 4(15) GDPR and as a special category of personal data under Article 9(1) GDPR. We process such data only on the following lawful bases:
- Your explicit consent (Article 9(2)(a) GDPR), given at sign-up / activation and re-confirmed for optional features such as meal photos. You may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Where applicable to a Dietitian: provision of preventive or occupational nutrition services by a regulated health professional bound by professional secrecy (Article 9(2)(h) GDPR, in conjunction with Greek Law 2519/1997 and Presidential Decree 133/2014).
5. Purposes and legal bases (Article 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service you signed up for or were invited to | Article 6(1)(b) — performance of contract |
| Processing health-related data (ticks, weight, photos) | Article 6(1)(a) + Article 9(2)(a) — explicit consent |
| Securing the Service, preventing fraud and abuse | Article 6(1)(f) — legitimate interest |
| Sending transactional emails (invites, magic links, weekly digest) | Article 6(1)(b) — performance of contract |
| Complying with tax, accounting and other legal obligations | Article 6(1)(c) — legal obligation |
| Establishing, exercising or defending legal claims | Article 6(1)(f) + Article 9(2)(f) |
| Service-quality improvement (aggregated, no marketing profiling) | Article 6(1)(f) — legitimate interest |
We do not sell your personal data, do not use it for advertising, do not run third-party analytics in the MVP, and do not engage in solely automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.
6. Recipients and sub-processors
Personal data is shared only with the following categories of recipients, each of whom is bound by a written data-processing agreement under Article 28 GDPR (or by an equivalent independent-controller relationship where applicable):
- Supabase Inc. — managed Postgres, authentication and object storage (EU region: Frankfurt, eu-central-1). Hosts the database, sign-in flow and any meal photos you upload.
- Vercel Inc. — application hosting and edge network. Receives request metadata necessary to deliver the Service.
- Resend, Inc. — transactional email delivery (sign-in links, invites, weekly digests).
- Functional Software, Inc. (Sentry) — error monitoring; receives crash reports and a minimum of identifiers needed to triage them.
- Google LLC (Gemini API) — only generic food-item names are sent for shopping-list categorisation. No account data, no health data, no Client identifiers are sent. Results are cached so each food name is sent at most once.
- Your counterparties on the platform — your Dietitian (if you are a Client) or your Clients (if you are a Dietitian) see the data they need for your shared meal-tracking relationship.
- Authorities, courts and regulators — where compelled by legally valid requests.
- Professional advisers and successors — auditors, lawyers, and any successor in connection with a corporate transaction, under confidentiality.
An up-to-date list of sub-processors is available on request at privacy@dietplan.example. We will give reasonable advance notice of any new sub-processor for in-scope health data.
7. International transfers
We aim to keep your personal data within the European Economic Area (EEA). Some of our sub-processors (notably Vercel, Sentry and Google) are US-based and may process limited data outside the EEA. Where this happens, we rely on:
- the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (Implementing Decision (EU) 2023/1795), where the recipient is self-certified; and / or
- the Standard Contractual Clauses (SCCs) adopted by Implementing Decision (EU) 2021/914, combined with supplementary technical and organisational measures (encryption in transit and at rest, access logging, minimisation of data sent).
You can obtain a copy of the safeguards in place by writing to privacy@dietplan.example.
8. Retention
- Account, plans, ticks, weights, notes: retained while your account is active.
- Meal photos: default retention of 90 days, subject to change with notice.
- After account deletion: personal data is removed from active systems within 30 days. Backups are overwritten in the ordinary backup cycle (up to 30 days).
- Anonymisation for Clients: when a Client deletes their account, we anonymise their identifiers in the Dietitian's historical compliance records (replacing email and name with non-identifying values) before deleting the underlying auth identity, so that the Dietitian's professional file is not retroactively emptied.
- Mandatory legal retention: tax and accounting documents are retained for the periods required by Greek law (typically 5-10 years under Law 4308/2014 / Law 4174/2013).
- Security and audit logs: up to 12 months, unless a security incident requires longer retention.
9. Your rights under the GDPR
You have the right to:
- Access your personal data and obtain a copy (Article 15) — Settings → Export my data produces a JSON file.
- Rectify inaccurate or incomplete data (Article 16) — most fields are editable in Settings.
- Erasure ("right to be forgotten", Article 17) — Settings → Delete account.
- Restrict processing (Article 18) — contact us.
- Data portability (Article 20) — the Settings export is a structured, machine-readable JSON.
- Object to processing based on legitimate interests (Article 21) and to withdraw any consent you have given (Article 7(3)) at any time.
- Not be subject to solely automated decisions with legal or similarly significant effects (Article 22) — we do not engage in such decision-making.
- Lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifisias 1-3, 115 23 Athens, Greece, tel. +30 210 6475 600, www.dpa.gr, or with the supervisory authority of your country of residence.
To exercise any right, write to privacy@dietplan.example from the email address associated with your account, or use the in-app Settings flows. We will reply within one month under Article 12(3) GDPR (extendable by two further months for complex requests), free of charge for reasonable requests.
10. Children
The Service is not directed at children under the age of 15. Under Article 21 of Greek Law 4624/2019, the consent of a child for information-society services is valid from the age of 15. Below that age, processing is lawful only with the consent of, or authorisation by, the holder of parental responsibility. If you become aware that a child below the applicable age has provided us with personal data without such authorisation, please contact us at privacy@dietplan.example and we will delete that data.
11. Cookies and similar technologies
The Service uses only strictly necessary cookies within the meaning of Article 4(5) of Greek Law 3471/2006 and the ePrivacy Directive 2002/58/EC, namely:
- Authentication cookies issued by Supabase to keep you signed in and to rotate session tokens (HTTP-only, Secure, SameSite).
- Locale cookie remembering your chosen interface language (el / en).
These cookies do not require prior consent because they are strictly necessary for the Service you have requested. We do not set advertising or third-party analytics cookies in the MVP. If we ever introduce non-essential cookies, we will request your prior consent through a cookie banner that allows granular accept / reject choices.
12. Security
We implement appropriate technical and organisational measures (Article 32 GDPR), including: HTTPS / TLS in transit, encryption at rest at the database and storage level, Supabase row-level security as the multi-tenant fence (each query is auto-scoped to the requesting user), least-privilege service-role keys held server-side only, audit logging of administrative actions, error monitoring, regular security updates, and EU data residency for primary storage.
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Hellenic Data Protection Authority within 72 hours under Article 33 GDPR and, where required, inform affected users without undue delay under Article 34 GDPR.
13. Automated decision-making and profiling
Compliance percentages, trend arrows and inactivity badges are computed automatically and shown to your Dietitian. These are statistics, not decisions producing legal or similarly significant effects on you. We do not engage in profiling for marketing purposes.
14. Changes to this Policy
We may update this Policy. Material changes will be communicated by email or in-app notice at least fifteen (15) days before they take effect (or sooner if required by law), and where the change requires a new legal basis (in particular new consent for special-category data), we will obtain it before relying on it. The "Last updated" date at the top of this Policy reflects the most recent version.
15. Contact
For any privacy-related question or to exercise your rights, write to privacy@dietplan.example or to [REGISTERED ADDRESS], addressed to the Data Protection Officer.