Last updated · 28 June 2026
Privacy Policy
This Privacy Policy explains what personal data EatBright processes when you use our app and website, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and similar laws.
1. Data controller
The data controller is EatBright (Marius Lė, Individual Activity, Lithuania). Contact: eatbright.support@gmail.com.
2. Data we collect
- Account data: email, password (hashed), display name, sign-in provider.
- Profile & health data you choose to enter: age, sex, height, weight, activity level, diet preference, goals.
- Logs: meal logs, water and weight entries, recipes, meal plans, photos you upload.
- Subscription data: plan, status, billing period (Stripe handles card details — we never see them).
- Technical data: device type, app version, IP address, language, crash/error reports.
3. How we use your data (purposes & legal bases)
- Provide the Service (Art. 6(1)(b) GDPR — contract): host your account, run AI estimations, sync your logs.
- Process payments (Art. 6(1)(b) — contract): activate and renew your subscription via Stripe.
- Special category (health) data (Art. 9(2)(a) — explicit consent): you knowingly enter weight, body metrics and food data; you can delete it at any time.
- Improve the product & prevent abuse (Art. 6(1)(f) — legitimate interest): aggregated analytics, error monitoring, rate limiting.
- Communications (Art. 6(1)(b)/(a)): transactional emails (receipts, security) are required; marketing emails only with your consent.
- Legal obligations (Art. 6(1)(c)): tax & accounting records.
4. AI processing
When you use Scan or Analyse Photo features, the image and any text you provide are sent to AI models (e.g. Google Gemini via the Lovable AI Gateway) to estimate the meal contents. The result is stored in your account; the AI provider processes data on our behalf and does not use your content to train their public models under our agreement.
5. Sharing & processors
We share data only with vetted service providers acting on our instructions:
- Supabase — database, authentication and storage hosting.
- Stripe — subscription and payment processing.
- Lovable AI Gateway / Google Gemini — AI inference for meal analysis.
- Email & error-reporting providers — transactional email and crash reports.
We do not sell your personal data and do not share it for third-party advertising.
6. International transfers
Some processors are based outside the EU/EEA. Where this is the case, transfers are protected by the European Commission’s Standard Contractual Clauses or an equivalent safeguard.
7. Retention
- Account data and logs: kept while your account is active.
- After deletion: your account and personal data are erased within 30 days, except where law requires us to keep records (e.g. tax invoices — up to 10 years).
- Backups: encrypted backups are rotated within 35 days.
8. Security
We use industry-standard measures including encryption in transit (TLS), encryption at rest, Row-Level Security on the database, role-based access controls, and audit logging for admin actions.
9. Your rights
Under the GDPR you have the right to:
- Access, rectify, erase or restrict processing of your data;
- Data portability (receive your data in a machine-readable format);
- Object to processing based on legitimate interests;
- Withdraw consent at any time (without affecting prior lawful processing);
- Lodge a complaint with your local supervisory authority — in Lithuania, the State Data Protection Inspectorate (VDAI).
To exercise these rights, use the in-app “Delete Account” option or write to eatbright.support@gmail.com.
10. Children
EatBright is not intended for children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this Policy
We will notify you of material changes in-app or by email. The “Last updated” date at the top reflects the current version.
Questions? Contact us at eatbright.support@gmail.com.