← Back to MealWise

Privacy Policy

Version 2026-03-22 · Last updated: 22 March 2026

1. Data Controller

MealWise is operated by Tenth Bridge Consulting Ltd, a company registered in England and Wales (“we”, “us”, “our”). We are the data controller for the personal data we process through the Service.

For any questions about this policy or to exercise your data rights, please contact us at: privacy@mealwise.guru

2. What Data We Collect

We collect and process the following categories of personal data:

Data CategoryWhat We CollectLawful Basis (GDPR Art. 6)
Account informationEmail address, display name, password (hashed), profile preferencesContract performance
Recipe contentRecipes you create, import, or photograph, including ingredients, steps, notes, adaptations, and photosContract performance
Organisation dataCollections, meal plans, shopping lists, cooking history, person tags, saved filtersContract performance
Family dataFamily group membership, sharing permissions, invite codesContract performance
AI interactionsRecipe content sent for AI analysis (dietary, nutritional, allergen, flavour, cost, meal building, leftover guidance), Chef Chat messagesContract performance & consent
Payment dataStripe customer ID, subscription status, billing history. We never store your card details.Contract performance
Consent recordsTimestamps and versions of your acceptance of Terms, Privacy Policy, and disclaimersLegal obligation
Technical dataIP address, browser type, device information, access times, error logsLegitimate interests (service reliability & security)

We do not collect any special category data (such as health data, racial or ethnic origin, or religious beliefs) as defined by GDPR Article 9. While you may voluntarily enter dietary preferences (e.g. halal, kosher, vegan), we treat these as recipe preferences, not as special category data about your personal beliefs or health.

3. How We Use Your Data

  • To provide and maintain the Service, including recipe storage, meal planning, and shopping list generation.
  • To power AI features (dietary analysis, allergen detection, nutritional estimates, flavour profiling, cost estimation, meal building, leftover guidance, and Chef Chat) via our AI provider.
  • To process payments and manage subscriptions via Stripe.
  • To send you essential service communications (account verification, password resets, security alerts, significant terms changes).
  • To improve and develop the Service based on aggregated, anonymised usage patterns.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

We will never sell your personal data to third parties. We do not use your data for advertising or marketing profiling.

4. Third-Party Data Processors

We share your data with the following third-party processors, each of which is bound by a Data Processing Agreement (DPA):

ProviderPurposeData SharedLocation
SupabaseDatabase hosting, authentication, file storageAll account and recipe dataUS (AWS)
VercelWeb application hosting, serverless functionsTechnical/request dataUS/Global CDN
StripePayment processingEmail, billing info (not card details stored by us)US/Ireland
AnthropicAI features (Claude API)Recipe content sent for analysis. Not used for AI model training.US
OpenAIRecipe image generation and embeddingsRecipe titles and descriptions sent for image generation. Not used for AI model training.US
ResendTransactional email (account verification, password resets, shopping-list emails)Email address and message bodyUS/EU
SentryError monitoring and performance tracing (only when cookie consent is granted)Technical/request data, user ID, browser + OS metadataEU (Frankfurt)
Web Push serviceBrowser push notifications for meal plan reminders and updates (only when you subscribe)Push endpoint URL and notification payloadDepends on browser vendor (Apple/Google/Mozilla)

Several of our processors (Anthropic, OpenAI, Resend, Vercel) operate in the United States. For each of those transfers we rely on the following legal mechanisms, in this order of preference:

  • Where the processor has self-certified under the EU-US Data Privacy Framework (“DPF”) and the UK Extension to it, we rely on that adequacy decision for transfers from the EEA and the UK respectively.
  • Otherwise, we rely on the European Commission’s 2021 Standard Contractual Clauses (Module 2, controller-to-processor) as approved by the UK ICO, together with the UK Information Commissioner’s International Data Transfer Addendum (the “UK Addendum”) or, where executed directly, the ICO’s International Data Transfer Agreement (“UK IDTA”).
  • We complete a transfer risk assessment before onboarding any US processor, and re-run it if the processor materially changes their sub-processors or infrastructure.

You can request a copy of the safeguards in place for any specific transfer by emailing us using the contact details in section 12.

5. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256).
  • Row-level security (RLS) policies ensuring users can only access their own data.
  • Secure password hashing (bcrypt via Supabase Auth).
  • Regular security audits and dependency vulnerability scanning.
  • Access controls limiting employee access to personal data on a need-to-know basis.

6. Data Retention

  • Active accounts: your data is retained for as long as your account is active.
  • Account deletion: when you delete your account, all personal data is permanently removed from our primary systems within 30 days. Backups containing your data are purged within 90 days.
  • Inactive accounts: we may contact you if your account has been inactive for 24 months. If we receive no response, we reserve the right to delete the account and its data after a further 30-day notice period.
  • Legal obligations: we may retain certain data for longer where required by law (e.g. billing records for tax purposes, typically 6 years in the UK).

7. Your Rights

Under the UK GDPR, EU GDPR, and other applicable data protection laws, you have the following rights:

  • Right of access (Art. 15): request a copy of all personal data we hold about you.
  • Right to portability (Art. 20): export your data in a structured, machine-readable format (JSON) from Settings.
  • Right to erasure (Art. 17): permanently delete your account and all associated data from Settings.
  • Right to rectification (Art. 16): update or correct your personal data at any time through your profile.
  • Right to restrict processing (Art. 18): request that we limit the processing of your data in certain circumstances.
  • Right to object (Art. 21): object to processing of your data where we rely on legitimate interests.
  • Right to withdraw consent: where we process data based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, use the self-service tools in Settings or contact us at privacy@mealwise.guru. We will respond within 30 days (or one calendar month under GDPR).

You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

8. Your Rights by Region

In addition to the GDPR rights above, you may have additional rights depending on where you live:

United Kingdom

Your rights are governed by the UK GDPR and the Data Protection Act 2018. You may contact the ICO if you are dissatisfied with how we handle your data.

European Economic Area (EEA)

Your rights are governed by the EU GDPR (Regulation 2016/679). You may contact your national data protection authority. Where we transfer your data outside the EEA, we rely on Standard Contractual Clauses or adequacy decisions.

California, USA (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale or sharing of personal information (we do not sell your data); and non-discrimination for exercising your privacy rights.

Other US States

If you reside in Virginia, Colorado, Connecticut, Utah, or other US states with consumer privacy laws, you may have similar rights to access, correct, delete, and obtain a copy of your personal data. Contact us to exercise these rights.

Other Jurisdictions

We aim to respect the privacy rights of all our users regardless of location. If your local laws grant you additional rights not covered above, please contact us and we will do our best to accommodate your request.

9. Cookies

MealWise uses only essential cookies required for authentication and session management. We do not use tracking, advertising, or third-party analytics cookies. For full details, see our Cookie Policy.

10. Children's Privacy

MealWise is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us immediately and we will delete it promptly.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect data from children under 13. In the UK, we have regard to the ICO's Age Appropriate Design Code.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice at least 14 days before the changes take effect. The version number and “Last updated” date at the top of this page reflect the most recent revision. We may ask you to re-accept the updated policy before continuing to use the Service.

Version history

  • 2026-03-22 — Initial published version. Sub-processor list, international-transfer mechanisms (UK IDTA / UK Addendum / DPF), data-retention promises, and rights-request procedures established. See the in- code commit history for the exact diff.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or want to make a complaint, please contact us:

Tenth Bridge Consulting Ltd

Registered in England and Wales. Company registration number and registered office address available via the UK Companies House public register or on request from the Data Protection Contact below.

Data Protection Contact: privacy@mealwise.guru

We have not appointed a statutory Data Protection Officer (UK GDPR Article 37 does not require one for our scale and data processing profile), but the address above reaches the person responsible for data protection decisions at MealWise.

For postal correspondence, please write to us via the address on the UK Companies House public register for Tenth Bridge Consulting Ltd, or request it directly from the contact address above. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk, or your national data protection authority if you are based in the EEA.

Terms of ServiceCookie Policy
Privacy Policy — MealWise | MealWise