Back to homepage

Yummo Privacy Policy

Last updated: April 2026

1. Who We Are

  • The controller of your personal data is Wiktor Strzelczyk, a sole proprietor registered at ul. Stanisławowska 47, 54-611 Wrocław, Poland, entered in the Central Register and Information on Economic Activity (CEIDG), Tax ID (NIP): 7692137634, REGON: 385207659.
  • Yummo is an AI-powered meal planning application. We help individuals and households plan meals tailored to their nutritional needs, allergies, and culinary preferences.
  • Contact for data protection matters: privacy@yummo.ai
  • No Data Protection Officer (DPO) has been designated.

2. Data We Collect

Account data:

  • Email address and name (at registration or from your Google account)
  • Profile picture (if you sign in with Google)
  • Preferences: language, country, measurement system (metric/imperial)

Health and dietary data (special category under GDPR Art. 9):

  • Biometric data: date of birth, biological sex, height, weight, physical activity level
  • Allergies and food intolerances (over 40 categories, including the top 14 EU allergens)
  • Diet style: standard, vegetarian, vegan, pescatarian, paleo, Mediterranean
  • Nutrition goals: weight loss, maintenance, or muscle building
  • Health goals: e.g. heart health, immune support, endurance, recovery
  • Macronutrient targets: target calories, protein/carbs/fat distribution
  • Excluded ingredients and dietary notes (text you type)

Content you create:

  • Recipes (name, description, ingredients, steps, variants, storage instructions)
  • Meal plans (schedule, recipe assignments, cooking groups)
  • Shopping lists

Payment data:

  • Stripe customer ID and checkout sessions
  • Subscription status (active/inactive)
  • We do not store your card details — Stripe handles all payment card data directly

Technical data:

  • Session and preference cookies (see our Cookie Policy for details)
  • Firebase authentication tokens
  • IP address and browser information (server logs)
  • Google Analytics data (with your consent)
  • Microsoft Clarity data: session recordings, heatmaps, clicks, and on-site behavior (with your consent)

Household member profiles:

  • Yummo allows you to create multiple profiles within a single account — e.g. for a partner, parent, or housemate.
  • Household member profiles do not contain identifying data. The only descriptive field is "profile name" — a free-text nickname (e.g. "Partner", "Mom", "Jake") used solely to distinguish profiles within the app.
  • Yummo does not ask for the full name, email address, phone number, or any other identifying information of household members.
  • Dietary and biometric data of household members (allergies, height, weight, nutrition goals) is processed solely for meal planning purposes and does not allow Yummo to identify the person it relates to.

3. Why We Collect Your Data

  • Meal plan personalization — we tailor recipes to your calorie targets, macronutrients, and taste preferences
  • Allergen safety — we exclude ingredients based on your declared allergies
  • AI recipe generation — we create recipes from your text descriptions
  • Nutritional calculations — we calculate calories and macronutrients based on your biometric data
  • Subscription management — processing payments and managing access to premium features
  • Account security — authentication and protection against unauthorized access
  • Marketing communication — sending nutrition tips, updates, surveys and reminders (with your consent)
  • Analytics and service improvement — anonymous usage statistics (with your consent)

4. Legal Basis for Processing

Explicit consent (Art. 9(2)(a) GDPR):

  • Health and dietary data (allergies, biometric data, nutrition goals). We ask for your explicit consent when you create a profile. You can withdraw it at any time.

Contract performance (Art. 6(1)(b) GDPR):

  • Account data, recipes, meal plans, shopping lists — necessary to provide the service.

Legitimate interest (Art. 6(1)(f) GDPR):

  • Account security, fraud prevention, server logs.

Consent (Art. 6(1)(a) GDPR):

  • Google Analytics and non-essential analytics cookies. You can manage your consent through the cookie banner.
  • Marketing communication (tips, updates, surveys, reminders). You can withdraw your consent at any time in account settings or via the unsubscribe link in every email.

5. Who We Share Data With

  • We do not sell your personal data. We never have and never will.
  • We use the following service providers:
  • • AWS (Amazon Web Services) — application hosting and AI generation (AWS Bedrock). Data processed in the EU region (Frankfurt). AI receives ONLY the text you type and the ingredient catalog — no personal, health, or identifying data.
  • • Firebase (Google) — user authentication. EU-US Data Privacy Framework certified.
  • • Stripe — payment processing. EU entity: Stripe Payments Europe, Ltd. (Ireland). EU-US Data Privacy Framework certified.
  • • Google Analytics — analytics (only with your consent). EU-US Data Privacy Framework certified.
  • • Microsoft Clarity — behavioral analytics: session recordings, heatmaps, and behavioral metrics (only with your consent). Data is captured using first and third-party cookies. For more information, see the Microsoft Privacy Statement (https://privacy.microsoft.com/privacystatement).
  • All providers are bound by Data Processing Agreements (DPAs) in accordance with GDPR Art. 28.
  • Data may be disclosed to law enforcement only based on a valid court order.

6. AI and Automated Processing

  • Yummo uses artificial intelligence (AI) to generate recipes and personalize meal plans.
  • What AI receives: ONLY the text you type (e.g. "a light chicken lunch recipe") and the public ingredient catalog (names, categories, units).
  • What AI does NOT receive: your name, email, health data, allergies, weight, height, or any identifying information. Profiles are identified only by anonymous identifiers (UUIDs).
  • Where it is processed: AWS Bedrock in the EU region (Frankfurt, Germany). Your data does not leave the European Union.
  • Data retention: AWS Bedrock does not store prompts or responses — zero data retention.
  • Yummo is NOT a medical or dietary application. Generated recipes and plans are culinary suggestions, not medical advice. Always consult a doctor or dietitian for health matters.

7. Cookies

  • We use cookies for proper service operation, remembering your preferences, and — with your consent — for analytics.
  • For detailed information about all cookies, their purposes, and how to manage them, please see our Cookie Policy.

8. How Long We Keep Your Data

  • Account data and content — for the duration of your use of the service.
  • After account deletion — personal data is deleted within 30 days.
  • Backups — deleted within 90 days of account deletion.
  • Payment data — Stripe retains data in accordance with its own retention policy and legal requirements.
  • Server logs (IP, user agent) — retained for a maximum of 90 days.
  • Anonymized data — may be retained indefinitely for statistical purposes, but cannot be used to identify you.

9. Data Security

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure password storage (bcrypt hashing) — we cannot access your password
  • Session tokens with limited lifetime (7 days)
  • Data access restricted to authorized personnel (principle of least privilege)
  • Infrastructure hosted in the European Union
  • In the event of a data breach, we will notify the supervisory authority (UODO) within 72 hours and notify you if the breach poses a high risk to your rights

10. Your Rights

  • Right of access — you can request a copy of all your data
  • Right to rectification — you can correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — you can request deletion of all your data
  • Right to restriction of processing — you can ask us to temporarily stop processing
  • Right to data portability — you can download your data in a machine-readable format (JSON)
  • Right to withdraw consent — you can withdraw consent for health data processing at any time, without affecting the lawfulness of prior processing
  • Right to object — you can object to processing based on legitimate interest
  • Right to lodge a complaint with a supervisory authority — in Poland, this is the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl
  • To exercise these rights, contact us at: privacy@yummo.ai. We will respond within 30 days.

11. For Users in the USA

California Consumer Privacy Act (CCPA/CPRA):

  • You have the right to know what categories of personal information we collect and for what purposes (described in sections 2 and 3)
  • You have the right to request deletion of your personal information
  • You have the right to opt out of the sale of your data — however, Yummo does not sell and has never sold personal data
  • You will not be discriminated against for exercising your privacy rights

Automated decision-making:

  • Yummo uses AI to generate recipe and meal plan suggestions. These are suggestions only — we do not make binding automated decisions about you. You always have full control over what you accept into your plan.

Do Not Sell or Share:

  • Yummo does not sell or share your personal information as defined by the CCPA. We do not engage in targeted advertising based on your personal data.

12. For Users in the United Kingdom

  • Your data is protected under the UK GDPR and the Data Protection Act 2018.
  • You have the same rights as described in section 10 (Your Rights).
  • The supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk
  • A UK representative has not yet been appointed. For data protection matters, please contact: privacy@yummo.ai
  • Data transfers between the EU and UK take place under the adequacy decision.

13. For Users in Canada

  • Your data is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA).
  • We collect data only with your knowledge and consent, for the purposes described in this document.
  • You have the right to access your data, correct it, and withdraw your consent.
  • We retain personal data only as long as necessary to fulfill the purposes described above.
  • We protect your data with appropriate technical and organizational safeguards.
  • Questions or complaints: privacy@yummo.ai or the Office of the Privacy Commissioner of Canada (priv.gc.ca)

14. For Users in Australia

  • Your data is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs).
  • As an application processing health information (allergies, dietary goals), we are subject to Privacy Act obligations regardless of our revenue.
  • You have the right to access your data and request correction of inaccurate information (APP 12 and 13).
  • Your data may be processed outside Australia: AI in the EU (AWS Frankfurt), authentication (Firebase, DPF-certified), payments (Stripe, SPEL Ireland).
  • Questions or complaints: privacy@yummo.ai or the Office of the Australian Information Commissioner (oaic.gov.au)

15. For Users in Other Countries

  • If you reside in a country not listed above, we apply the GDPR standard of data protection as the minimum level of protection for your personal data.
  • This means that regardless of your location, you have the right to access, correct, delete, and port your data.
  • For questions or concerns: privacy@yummo.ai

16. Children

  • Yummo is intended for users who are at least 18 years old.
  • We do not knowingly collect personal data from children under 18.
  • If you become aware that a child under 18 has provided us with personal data, please contact us at privacy@yummo.ai and we will promptly delete it.

17. Changes and Contact

  • We may update this Privacy Policy as the service evolves or laws change.
  • We will notify you of significant changes by email or in-app notification at least 14 days in advance.
  • Privacy contact: privacy@yummo.ai
  • General contact: contact@yummo.ai
  • Address: ul. Stanisławowska 47, 54-611 Wrocław, Poland