1. Who We Are
- The controller of your personal data is Wiktor Strzelczyk, a sole proprietor registered at ul. Stanisławowska 47, 54-611 Wrocław, Poland, entered in the Central Register and Information on Economic Activity (CEIDG), Tax ID (NIP): 7692137634, REGON: 385207659.
- Yummo is an AI-powered meal planning application. We help individuals and households plan meals tailored to their nutritional needs, allergies, and culinary preferences.
- Contact for data protection matters: privacy@yummo.ai
- No Data Protection Officer (DPO) has been designated.
2. Data We Collect
Account data:
- Email address and name (at registration or from your Google account)
- Profile picture (if you sign in with Google)
- Preferences: language, country, measurement system (metric/imperial)
Health and dietary data (special category under GDPR Art. 9):
- Biometric data: date of birth, biological sex, height, weight, physical activity level
- Allergies and food intolerances (over 40 categories, including the top 14 EU allergens)
- Diet style: standard, vegetarian, vegan, pescatarian, paleo, Mediterranean
- Nutrition goals: weight loss, maintenance, or muscle building
- Health goals: e.g. heart health, immune support, endurance, recovery
- Macronutrient targets: target calories, protein/carbs/fat distribution
- Excluded ingredients and dietary notes (text you type)
Content you create:
- Recipes (name, description, ingredients, steps, variants, storage instructions)
- Meal plans (schedule, recipe assignments, cooking groups)
- Shopping lists
Payment data:
- Stripe customer ID and checkout sessions
- Subscription status (active/inactive)
- We do not store your card details — Stripe handles all payment card data directly
Technical data:
- Session and preference cookies (see our Cookie Policy for details)
- Firebase authentication tokens
- IP address and browser information (server logs)
- Google Analytics data (with your consent)
- Microsoft Clarity data: session recordings, heatmaps, clicks, and on-site behavior (with your consent)
- Meta Pixel data: site-visit events sent to Meta (Facebook) for marketing purposes (with your consent)
Household member profiles:
- Yummo allows you to create multiple profiles within a single account — e.g. for a partner, parent, or housemate.
- Household member profiles do not contain identifying data. The only descriptive field is "profile name" — a free-text nickname (e.g. "Partner", "Mom", "Jake") used solely to distinguish profiles within the app.
- Yummo does not ask for the full name, email address, phone number, or any other identifying information of household members.
- Dietary and biometric data of household members (allergies, height, weight, nutrition goals) is processed solely for meal planning purposes and does not allow Yummo to identify the person it relates to.
3. Why We Collect Your Data
- Meal plan personalization — we tailor recipes to your calorie targets, macronutrients, and taste preferences
- Allergen safety — we exclude ingredients based on your declared allergies
- AI recipe generation — we create recipes from your text descriptions
- Nutritional calculations — we calculate calories and macronutrients based on your biometric data
- Subscription management — processing payments and managing access to premium features
- Account security — authentication and protection against unauthorized access
- Marketing communication — sending nutrition tips, updates, surveys and reminders (with your consent)
- Analytics and service improvement — anonymous usage statistics (with your consent)
4. Legal Basis for Processing
Explicit consent (Art. 9(2)(a) GDPR):
- Health and dietary data (allergies, biometric data, nutrition goals). We ask for your explicit consent when you create a profile. You can withdraw it at any time.
Contract performance (Art. 6(1)(b) GDPR):
- Account data, recipes, meal plans, shopping lists — necessary to provide the service.
Legitimate interest (Art. 6(1)(f) GDPR):
- Account security, fraud prevention, server logs.
Consent (Art. 6(1)(a) GDPR):
- Analytics and marketing cookies (Google Analytics, Microsoft Clarity, Meta Pixel). You can manage your consent through the cookie banner.
- Marketing communication (tips, updates, surveys, reminders). You can withdraw your consent at any time in account settings.
5. Who We Share Data With
- We do not sell your personal data. We never have and never will.
- We use the following service providers:
- • AWS (Amazon Web Services) — application hosting, image storage (S3), AI generation (AWS Bedrock), and email delivery (Amazon SES: login codes, invitations, notifications). Data processed in the EU region (Frankfurt). AI receives ONLY the text you type and the ingredient catalog — no personal, health, or identifying data; the email service processes your email address and name to deliver messages.
- • OpenAI (USA) — AI recipe draft generation, ingredient translation, and nutrition data extraction. AI receives ONLY the text you type (recipe names, ingredient names) — no health data, identifying data, or biometrics. Data transferred to the USA under Standard Contractual Clauses (SCCs). OpenAI retains prompts for up to 30 days for abuse-monitoring purposes, after which they are deleted.
- • Firebase (Google) — user authentication. EU-US Data Privacy Framework certified.
- • Stripe — payment processing. EU entity: Stripe Payments Europe, Ltd. (Ireland). EU-US Data Privacy Framework certified.
- • Google Analytics — analytics (only with your consent). EU-US Data Privacy Framework certified.
- • Microsoft Clarity — behavioral analytics: session recordings, heatmaps, and behavioral metrics (only with your consent). Data is captured using first and third-party cookies. For more information, see the Microsoft Privacy Statement (https://privacy.microsoft.com/privacystatement).
- • Meta Platforms (Facebook) — a marketing pixel measuring ad performance and site visits (only with your consent). It sends Meta browsing events (e.g. page views) linked to cookie identifiers. Transfer to the USA under the EU-US Data Privacy Framework. For more information, see the Meta Privacy Policy (https://www.facebook.com/privacy/policy).
- All providers are bound by Data Processing Agreements (DPAs) in accordance with GDPR Art. 28.
- Data may be disclosed to law enforcement only based on a valid court order.
6. AI and Automated Processing
- Yummo uses artificial intelligence (AI) to generate recipes and personalize meal plans.
- What AI receives: ONLY the text you type (e.g. "a light chicken lunch recipe") and the public ingredient catalog (names, categories, units).
- What AI does NOT receive: your name, email, health data, allergies, weight, height, or any identifying information. Profiles are identified only by anonymous identifiers (UUIDs).
- Yummo uses two AI providers:
- • AWS Bedrock — meal plan generation. EU region (Frankfurt, Germany), data does not leave the European Union. Zero prompt retention (Bedrock does not store data after the request completes).
- • OpenAI — recipe draft generation and ingredient translation. Processing in the USA under Standard Contractual Clauses (SCCs). OpenAI retains prompts for up to 30 days for abuse-monitoring, after which they are deleted. Yummo does NOT use the training mode — your prompts are NOT used to train models.
- Yummo is NOT a medical or dietary application. Generated recipes and plans are culinary suggestions, not medical advice. Always consult a doctor or dietitian for health matters.
7. Cookies
- We use cookies for proper service operation, remembering your preferences, and — with your consent — for analytics.
- For detailed information about all cookies, their purposes, and how to manage them, please see our Cookie Policy.
8. How Long We Keep Your Data
- Account data and content — for the duration of your use of the service.
- After account deletion — personal data is deleted within 30 days.
- Backups — deleted within 90 days of account deletion.
- Payment data — Stripe retains data in accordance with its own retention policy and legal requirements.
- Server logs (IP, user agent) — retained for a maximum of 90 days.
- Anonymized data — may be retained indefinitely for statistical purposes, but cannot be used to identify you.
9. Data Security
- Encryption of data in transit (HTTPS/TLS) and at rest
- Secure password storage (bcrypt hashing) — we cannot access your password
- Session tokens with limited lifetime (7 days)
- Data access restricted to authorized personnel (principle of least privilege)
- Infrastructure hosted in the European Union
- In the event of a data breach, we will notify the supervisory authority (UODO) within 72 hours and notify you if the breach poses a high risk to your rights
10. Your Rights
- Right of access — you can request a copy of all your data
- Right to rectification — you can correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — you can request deletion of all your data
- Right to restriction of processing — you can ask us to temporarily stop processing
- Right to data portability — on request (privacy@yummo.ai) we will provide a copy of your data in a structured, commonly used format
- Right to withdraw consent — you can withdraw consent for health data processing at any time, without affecting the lawfulness of prior processing
- Right to object — you can object to processing based on legitimate interest
- Right to lodge a complaint with a supervisory authority — in Poland, this is the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl
- To exercise these rights, contact us at: privacy@yummo.ai. We will respond within 30 days.
11. For Users in the USA
California Consumer Privacy Act (CCPA/CPRA):
- You have the right to know what categories of personal information we collect and for what purposes (described in sections 2 and 3)
- You have the right to request deletion of your personal information
- You have the right to opt out of the sale of your data — however, Yummo does not sell and has never sold personal data
- You will not be discriminated against for exercising your privacy rights
Automated decision-making:
- Yummo uses AI to generate recipe and meal plan suggestions. These are suggestions only — we do not make binding automated decisions about you. You always have full control over what you accept into your plan.
Do Not Sell or Share:
- Yummo does not sell or share your personal information as defined by the CCPA. We do not engage in targeted advertising based on your personal data.
12. For Users in the United Kingdom
- Your data is protected under the UK GDPR and the Data Protection Act 2018.
- You have the same rights as described in section 10 (Your Rights).
- The supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk
- A UK representative has not yet been appointed. For data protection matters, please contact: privacy@yummo.ai
- Data transfers between the EU and UK take place under the adequacy decision.
13. For Users in Canada
- Your data is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA).
- We collect data only with your knowledge and consent, for the purposes described in this document.
- You have the right to access your data, correct it, and withdraw your consent.
- We retain personal data only as long as necessary to fulfill the purposes described above.
- We protect your data with appropriate technical and organizational safeguards.
- Questions or complaints: privacy@yummo.ai or the Office of the Privacy Commissioner of Canada (priv.gc.ca)
14. For Users in Australia
- Your data is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs).
- As an application processing health information (allergies, dietary goals), we are subject to Privacy Act obligations regardless of our revenue.
- You have the right to access your data and request correction of inaccurate information (APP 12 and 13).
- Your data may be processed outside Australia: AI in the EU (AWS Frankfurt), authentication (Firebase, DPF-certified), payments (Stripe, SPEL Ireland).
- Questions or complaints: privacy@yummo.ai or the Office of the Australian Information Commissioner (oaic.gov.au)
15. For Users in Other Countries
- If you reside in a country not listed above, we apply the GDPR standard of data protection as the minimum level of protection for your personal data.
- This means that regardless of your location, you have the right to access, correct, delete, and port your data.
- For questions or concerns: privacy@yummo.ai
16. Children
- Yummo is intended for users who are at least 18 years old.
- We do not knowingly collect personal data from children under 18.
- If you become aware that a child under 18 has provided us with personal data, please contact us at privacy@yummo.ai and we will promptly delete it.
17. Changes and Contact
- We may update this Privacy Policy as the service evolves or laws change.
- We will notify you of significant changes by email or in-app notification at least 14 days in advance.
- Privacy contact: privacy@yummo.ai
- General contact: contact@yummo.ai
- Address: ul. Stanisławowska 47, 54-611 Wrocław, Poland
18. Household Partner Data
- Yummo lets you invite another person to plan meals together within a household. For a shared plan to work, some dietary data is shared between household members — but only after each person gives separate, explicit consent (see below).
- • You never enter the other person’s data yourself — each member creates their own account and fills in their own profile. To invite, you only provide an email address or send a link through your own messenger (Messenger, WhatsApp, SMS).
- • What household members see about each other (data needed to cook together): diet style, allergens and intolerances, excluded ingredients, the number and type of meals, and the daily calorie target and macronutrient split in the plan.
- • What household members do NOT see about each other (private biometric data): weight, height, age, biological sex, physical activity level, or weight goal (e.g. “lose 5 kg”). This data stays visible only to the profile owner.
- • Each member has their own account, controls their own data, and can delete it at any time (Delete account in settings) or leave the household.
- • Sharing of dietary data is based on your explicit consent (Art. 9(2)(a) GDPR), which we ask for when you join a household. You can withdraw it at any time — leaving the household revokes the consent and stops any further sharing of your data with the other members.
19. Received an Invitation?
- If someone invited you to Yummo:
- • The decision is yours — you can accept, decline, or report abuse.
- • After accepting, you create your own account and enter your own data yourself. The person who invited you cannot see your biometric data (weight, height, age, sex). To cook together, they do see your diet style, allergens, excluded ingredients, and daily calorie target — and only after you give consent when joining.
- • "Report abuse" removes the invitation and blocks that account from inviting you again. Let us know at privacy@yummo.ai if invitations keep arriving from other accounts.
- • Your rights: access, rectification, erasure, data portability, objection to processing, and the right to lodge a complaint with the President of the Personal Data Protection Office (uodo.gov.pl).
20. Legal Basis for Processing (Invitations)
- • Inviter’s data: consent (Art. 6(1)(a) GDPR) and performance of a contract (point (b)).
- • Inviter’s health data (weight, allergies, goal): explicit consent (Art. 9(2)(a) GDPR).
- • Invited person’s data: that person’s consent, expressed by accepting the invitation and completing their own profile themselves.
- • Sharing of dietary data between household members (diet style, allergens, exclusions, meal slots, daily calorie and macro targets): each member’s explicit consent to “Household data sharing” (Art. 9(2)(a) GDPR), collected when joining and withdrawn when leaving the household.
- • The invited person’s email used to send the invitation and any anti-abuse logs (blocked_invitations): legitimate interest (Art. 6(1)(f) GDPR) — abuse prevention and service delivery.