Privacy Policy
Effective Date: March 5, 2026
This Privacy Policy (“Policy”) describes how PlateMate (“we,” “us,” or “our”) collects, uses, discloses, and otherwise processes the personal information of users (“you” or “your”) of the PlateMate mobile application (the “App”) and the website located at platemate.app (the “Site,” and together with the App, the “Services”). By using the Services, you acknowledge that you have read and understood, and agree to, the practices described in this Policy. If you do not agree, please do not use the Services.
1. Information We Collect
1.1 Information You Provide Directly
Health & Biometric Profile Data. During onboarding and through your ongoing use of the App, you may provide: date of birth, height, weight, biological sex (optional), activity level, fitness goals (e.g., lose weight, build muscle, maintain weight), dietary restrictions and food allergens (e.g., nut-free, gluten-free, vegan, keto), and cuisine preferences. We use this information to calculate personalized calorie and macronutrient targets using the Mifflin-St Jeor equation and to generate tailored meal recommendations.
First Name. You may optionally provide your first name to personalize the in-app experience.
Favorite Restaurants. You select restaurants you frequently visit so we can pre-load personalized recommendations for those locations.
AI Nutritionist Conversations. When you use the PlateMate AI Nutritionist chat feature, we collect the text of your messages, any images you attach (e.g., photos of meals), and the conversation history. This data is transmitted to our servers and processed using third-party AI services (see Section 4) to generate nutritional analysis and advice.
Discovery Source. We may ask how you heard about PlateMate (e.g., social media, word of mouth) for marketing attribution purposes.
Support Communications. If you contact us at support@platemate.app, we collect the content of your message, your email address, and any attachments you provide.
1.2 Information Collected Automatically
Device & Usage Data. We automatically collect information about your device and how you interact with the Services, including: device type, operating system version, unique device identifiers, app version, session duration, screens viewed, features used, tap and interaction events, crash logs, and performance diagnostics.
Location Data. With your permission, we collect your approximate location (“When In Use”) to identify nearby restaurants and provide location-relevant recommendations. If you decline location permission or skip this step, we display popular chain restaurants instead. You may revoke location permission at any time through your device’s Settings.
Subscription & Transaction Data. We receive subscription status information (e.g., active trial, plan type, renewal date, cancellation) from Apple’s App Store and our subscription management provider to determine your access tier. We do not directly collect or store your payment card number or Apple ID credentials.
Push Notification Tokens. If you opt in to push notifications, we receive a device token to deliver notifications about your personalized restaurant picks and app updates.
2. How We Use Your Information
We process your personal information for the following purposes:
- Personalized Recommendations. Calculate your daily calorie and macronutrient targets; rank and score restaurant menu items against your profile; filter items based on your dietary restrictions and allergen settings.
- AI-Powered Features. Process your messages, images, and profile data through our AI Nutritionist to provide conversational nutritional guidance, meal analysis, and healthier alternatives.
- Subscription Management. Verify your subscription status, process free trial enrollment, and manage plan changes.
- Product Improvement. Analyze aggregated and anonymized usage patterns to improve the accuracy of our recommendation engine, fix bugs, and develop new features.
- Analytics & A/B Testing. Understand how users interact with the App, measure conversion funnels, and test different paywall configurations and onboarding flows to optimize the user experience.
- Communications. Send you push notifications about personalized picks at nearby restaurants (with your permission), respond to support inquiries, and provide transactional messages related to your subscription.
- Legal Compliance & Safety. Comply with applicable laws; enforce our Terms of Use; protect the rights, safety, and property of PlateMate, our users, and others.
3. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, we rely on the following legal bases under the General Data Protection Regulation (“GDPR”):
- Performance of a Contract. Processing necessary to deliver the Services you requested (e.g., generating your personalized meal recommendations).
- Consent. Processing of health-related data (dietary restrictions, biometric information) and location data, which you provide voluntarily through the App. You may withdraw consent at any time by deleting the relevant data in Settings or contacting us.
- Legitimate Interests. Analytics, product improvement, fraud prevention, and securing our Services, balanced against your privacy rights.
- Legal Obligation. Compliance with applicable laws and regulations.
4. Third-Party Service Providers
We share personal information with the following categories of service providers, solely to the extent necessary for them to perform services on our behalf. We do not sell your personal information to any third party.
| Provider | Purpose | Data Shared |
|---|---|---|
| RevenueCat | Subscription and in-app purchase management, receipt validation, trial tracking | Anonymous app user ID, purchase receipts, subscription status, device platform |
| Superwall | Paywall presentation, A/B testing of subscription offers, conversion optimization | Anonymous user ID, device metadata, paywall interaction events, subscription status |
| Mixpanel | Product analytics, event tracking, funnel analysis, feature usage measurement | Anonymous user ID, device type, OS version, app events (e.g., screens viewed, features used, onboarding completion steps) |
| OpenAI | AI-powered nutritional analysis, menu item scoring, AI Nutritionist chat responses | User messages and attached images sent to the AI Nutritionist; anonymized dietary profile data (calorie/macro targets, meal slot); restaurant menu data. Processed via our server — no direct client-to-OpenAI connection. |
| Google (Gemini) | AI-powered nutritional analysis, menu item scoring, recommendation generation | Same categories as OpenAI above. We may route requests to either provider depending on availability and performance. |
| Apple (App Store / StoreKit) | In-app purchase processing, subscription billing | Purchase transactions are processed entirely by Apple. We receive subscription status and receipt data but never your payment credentials. |
| Railway (Cloud Hosting) | Hosting our backend API servers | All data transmitted between the App and our servers passes through Railway’s infrastructure. |
Each provider is contractually obligated to process your data only as instructed by us and in accordance with their own published privacy policies. We encourage you to review their policies:
- RevenueCat Privacy Policy
- Superwall Privacy Policy
- Mixpanel Privacy Policy
- OpenAI Privacy Policy
- Google Privacy Policy
5. AI-Specific Disclosures
PlateMate uses artificial intelligence to power its core features. You should be aware of the following:
- Server-Side Processing. All AI requests are routed through PlateMate’s servers before being sent to third-party AI providers (OpenAI and/or Google Gemini). Your device never communicates directly with these providers.
- Profile Data in AI Context. When you use AI-powered features, your nutritional profile (daily calorie target, macronutrient targets, remaining daily budget, current meal slot) is included in the request to provide personalized responses. Your name, date of birth, and raw biometric measurements are not sent to AI providers.
- Image Processing. Images you submit to the AI Nutritionist (e.g., photos of meals) are transmitted to our server and then to the applicable AI provider for analysis. We do not permanently store these images after processing is complete.
- No AI Training on Your Data. We use OpenAI’s and Google Gemini’s API services, which, per their respective API terms, do not use data submitted through the API to train or improve their general models.
- Conversation History. AI Nutritionist conversation history is maintained on your device and transmitted to our server during active sessions to provide contextual continuity. Conversation data is not used for any purpose other than delivering the chat experience.
6. Data Retention
We retain your personal information only for as long as reasonably necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Profile Data. Retained for the duration of your use of the Services. Deleted upon account deletion request.
- AI Conversation Data. Images submitted to the AI Nutritionist are processed in real time and not permanently stored on our servers. Conversation text is retained on-device and in server logs for up to 90 days for quality assurance, then deleted.
- Analytics Data. Mixpanel event data is retained in accordance with Mixpanel’s data retention settings, which we configure not to exceed 12 months.
- Subscription Records. Transaction and subscription status records are retained as required by applicable tax and financial reporting laws.
7. Data Security
We implement commercially reasonable administrative, technical, and physical safeguards designed to protect your personal information, including:
- Encryption of data in transit using TLS/HTTPS.
- On-device storage of sensitive health profile data in iOS UserDefaults with app sandbox isolation.
- Server infrastructure hosted on Railway with managed security controls.
- Access controls limiting employee and contractor access to personal data on a need-to-know basis.
No method of electronic transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
8. Your Rights and Choices
8.1 All Users
- Access & Edit. You can view and modify your health profile, dietary restrictions, allergen settings, cuisine preferences, and favorite restaurants at any time in the App’s Settings.
- Location. You may disable location services for PlateMate at any time via your device’s Settings > Privacy > Location Services.
- Push Notifications. You may disable push notifications via your device’s Settings > Notifications.
- Deletion. You may request deletion of your personal data by emailing support@platemate.app. We will process your request within 30 days, subject to any legal retention obligations.
8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know. You may request the categories and specific pieces of personal information we have collected about you.
- Right to Delete. You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct. You may request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Non-Discrimination. We will not discriminate against you for exercising any of these rights.
To exercise your rights, contact us at support@platemate.app. We will verify your identity before processing your request.
8.3 EEA/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you additionally have the right to:
- Request data portability (receive your data in a structured, machine-readable format).
- Restrict or object to certain processing activities.
- Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Lodge a complaint with your local supervisory authority.
9. Children’s Privacy
The Services are not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. The App enforces a minimum date-of-birth threshold during onboarding. If we learn that we have inadvertently collected personal information from a child under the applicable minimum age, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@platemate.app.
10. International Data Transfers
PlateMate is operated from the United States. If you access the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate. These jurisdictions may have data protection laws that differ from those in your country of residence. By using the Services, you consent to such transfers. Where required by applicable law, we implement appropriate safeguards (such as Standard Contractual Clauses) for cross-border data transfers.
11. Third-Party Links
The Services may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Policy within the App or on the Site with a revised “Effective Date.” For material changes that affect how we process health or biometric data, we will use reasonable efforts to provide advance notice (such as an in-app notification). Your continued use of the Services after any changes become effective constitutes your acceptance of the revised Policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
PlateMate
Email: support@platemate.app