Privacy Policy
This policy explains, in plain language, what personal data we collect when you use Aipa Plate, why we process it, who we share it with, how long we keep it, and the rights you can exercise wherever you live.
Contents
What this document covers
- 01 Introduction and definitions
- 02 Who is responsible for your data
- 03 Personal data we collect
- 04 How we use your data and on what legal basis
- 05 How and when we share your data
- 06 International transfers
- 07 How long we keep your data
- 08 Your rights and how to exercise them
- 09 Children's privacy
- 10 Security
- 11 Automated decision-making and profiling
- 12 Changes to this policy
01
Introduction and definitions
This Privacy Policy describes how the Aipa Plate website at aipaplate.com (the “Website”) and the Aipa Plate mobile application (the “App”, together the “Service”) handle personal data. We aim to be specific rather than aspirational — what we collect, why, on what legal basis, and what you can do about it.
By using the Service, you confirm that you have read this policy. If you do not agree with how we process your data, please stop using the Service.
Defined terms
We, us, our. Aipa Plate, the service operated by Maria Prodan as the founder and project owner. Where applicable, the legal entity behind Aipa Plate acts as the data controller for the personal data described below. You can reach the controller at the contact details in the “Contact” section.
You, user. Any individual who visits the Website, downloads the App, creates an account, or otherwise interacts with the Service.
Personal data. Any information that relates to an identified or identifiable natural person, as defined by the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA, the UK Data Protection Act, and Russian Federal Law No. 152-FZ “On Personal Data”.
Processing. Any operation performed on personal data — collection, storage, use, disclosure, deletion, and so on.
02
Who is responsible for your data
Aipa Plate is the controller of personal data processed through the Service. As the controller we decide why and how your data is processed and we are accountable for it.
If you are located in the European Union, the European Economic Area, or the United Kingdom, you also have the right to lodge a complaint with your national supervisory authority. We list the most common authorities in the “Your rights” section below.
03
Personal data we collect
We try to collect only what we need to operate the Service and to provide the features you actually use. Personal data falls into the following categories.
Account data
- Email address.
- Display name (you can choose any name).
- Hashed password if you sign up with email and password. We never store your password in a readable form.
- Authentication identifiers from Apple Sign-In or Google Sign-In if you choose to sign in with those providers. We receive a stable identifier and the email address you authorized the provider to share.
Content you submit
- Meal logs, hunger ratings on a 1–10 scale, satiety notes, mood and context tags that you choose to record in the App.
- Photographs of food that you upload in the App.
- Free-text notes that you add to your meals or to your daily reflection.
- Survey responses, feedback, and messages you send to us.
Technical and usage data
- IP address, approximate location derived from the IP address (city or region level), and timezone.
- Device model, operating system, application version, browser type and version, language and locale.
- Pages and screens you visit, features you interact with, the date and time of those events, and crash diagnostics.
- A pseudonymous installation identifier used only inside our analytics so we can count unique sessions without identifying you by name.
Payment data
- Subscription status, plan, renewal dates, country of purchase, transaction identifiers.
- We do not see, store, or process your payment card details. Subscriptions on iOS run through Apple In-App Purchase, and we use Adapty solely to reconcile entitlements.
- Tax-relevant information that the platform shares with us for our accounting obligations.
Communications
- The content of emails, support tickets, and any other messages you send us, including attachments.
- If you opt in, your email address for product updates and educational content.
Sensitive categories. Hunger, satiety, and meal patterns are not formally health data under the GDPR, but they are close in nature. We treat them with the same caution as Article 9 “special category” data, and we only process them on the basis of your explicit consent (creating an account and using the App) and only to provide the Service to you.
04
How we use your data and on what legal basis
We process personal data for clearly defined purposes. Each purpose is matched to a legal basis under Article 6 of the GDPR (and the equivalent grounds under the UK GDPR and Article 6 of Russian Federal Law No. 152-FZ).
To provide the Service
Creating and maintaining your account, authenticating you, storing your meals and notes, generating insights, syncing data between the App and the Website, and supporting your subscription. Legal basis: performance of a contract with you (GDPR Article 6(1)(b)). Without this data, we cannot provide the Service you signed up for.
To keep the Service safe and reliable
Detecting fraud, preventing abuse, applying rate limits, debugging crashes, and improving stability. Legal basis: our legitimate interest in protecting our users and our infrastructure (GDPR Article 6(1)(f)).
To improve the Service
Analyzing aggregate usage of features so we can fix what does not work and prioritize what does. Wherever possible, we use pseudonymous or aggregated data for this purpose. Legal basis: legitimate interest in product improvement, and your consent for non-essential analytics in jurisdictions where consent is required.
To communicate with you
Replying to your support requests, sending essential service notices (security alerts, important changes to this policy), and — only if you opt in — sending educational and marketing content. Legal basis: performance of the contract for service notices, consent for marketing, and our legitimate interest for support replies.
To comply with the law
Tax and accounting obligations, responding to lawful requests from public authorities, and enforcing our Terms. Legal basis: compliance with a legal obligation (GDPR Article 6(1)(c)) and, where relevant, our legitimate interest in defending legal claims.
06
International transfers
Our infrastructure is operated by Google and Apple, which means your personal data may be processed outside your country of residence — most often in the United States and the European Union. We rely on the following safeguards.
Transfers from the EU/EEA, the UK, and Switzerland
- Standard Contractual Clauses (SCCs) approved by the European Commission, including the UK Addendum where the UK GDPR applies and the Swiss Addendum where the FADP applies.
- Reliance on the EU–US Data Privacy Framework where the recipient is self-certified and the transfer falls within the certified scope.
- Supplementary technical measures such as encryption in transit and at rest.
Transfers from the Russian Federation
Russian Federal Law No. 152-FZ requires that personal data of Russian citizens be initially recorded, systematized, and stored on databases located in the Russian Federation. The Service relies on Google and Apple infrastructure operated outside the Russian Federation. If you are a Russian citizen and you choose to use the Service, you are providing your informed, written consent to cross-border transfer of your personal data under Article 12 of Federal Law No. 152-FZ. You can withdraw that consent at any time by deleting your account and writing to us at the address in the “Contact” section.
Transfers to other countries
Transfers to any other country are made only when there is a valid legal basis (an adequacy decision, SCCs, or your explicit consent) and when the destination provides an essentially equivalent level of protection.
07
How long we keep your data
We keep personal data only for as long as we need it for the purpose it was collected, plus any minimum statutory retention period.
- Account data — for the lifetime of your account, then deleted within 30 days after you delete the account, except for items we must retain by law (for example tax records).
- Meal logs, photographs, and notes — stored for the lifetime of your account; you can delete individual entries at any time.
- Technical and analytics data — pseudonymous data is retained for up to 26 months and is then deleted or further aggregated.
- Communications — retained for up to 3 years after the last interaction so we can answer follow-up questions and defend legal claims.
- Tax-relevant payment metadata — retained for the period required by tax law in the relevant jurisdiction (typically 4 to 10 years).
When a retention period ends, we delete the data or anonymize it so that it can no longer be linked back to you.
08
Your rights and how to exercise them
You have meaningful rights over your personal data. Some rights apply everywhere. Others depend on where you live. We honor all of them, free of charge, within the statutory deadlines.
Rights under the GDPR and the UK GDPR
- Right of access (Article 15) — receive a copy of the personal data we hold about you.
- Right to rectification (Article 16) — ask us to correct inaccurate or incomplete data.
- Right to erasure (Article 17) — ask us to delete your data when one of the legal grounds applies.
- Right to restriction (Article 18) — ask us to limit how we use your data while a request is being resolved.
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object (Article 21) — object to processing based on our legitimate interests, including marketing.
- Right not to be subject to solely automated decision-making producing legal or similarly significant effects (Article 22).
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint with a supervisory authority — you can find a list at edpb.europa.eu and at ico.org.uk for the UK.
Rights under the California CCPA/CPRA
- Right to know what personal information we have collected about you, the sources, the purposes, and the categories of recipients.
- Right to delete personal information, subject to limited exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the “sale” or “sharing” of personal information — we do not sell or share it.
- Right to limit the use of sensitive personal information — we do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising any of these rights.
- Right to designate an authorized agent to make a request on your behalf, with proper documentation.
Rights under Russian Federal Law No. 152-FZ
- Right to obtain confirmation of processing and to receive information about it (Article 14).
- Right to demand correction, blocking, or destruction of personal data that is incomplete, outdated, inaccurate, or unlawfully obtained.
- Right to withdraw consent to processing.
- Right to file a complaint with Roskomnadzor (rkn.gov.ru) or with a Russian court.
How to make a request
Send your request to the contact email at the bottom of this page. To protect your account, we may ask you to verify your identity. We respond within one calendar month for GDPR requests, within 45 calendar days for CCPA/CPRA requests, and within 30 days for Federal Law No. 152-FZ requests. If we need more time, we will tell you why and when to expect an answer.
09
Children's privacy
The Service is not intended for children. We do not knowingly collect personal data from individuals under the following ages, and we will delete such data promptly if we become aware of it.
- Under 13 in the United States, in line with the Children's Online Privacy Protection Act (COPPA).
- Under 16 in the European Economic Area and the United Kingdom, unless local law sets a lower age (with valid parental consent).
- Under 14 in the Russian Federation, unless valid parental consent is provided in accordance with Federal Law No. 152-FZ.
If you are a parent or legal guardian and you believe your child has provided personal data to the Service, please contact us so we can review and remove it.
10
Security
We protect personal data using a combination of technical and organizational measures appropriate to the risk.
- Encryption in transit (TLS 1.2+) and at rest for databases and backups.
- Strict access controls — only authorized personnel access production systems, and access is logged.
- Hashed and salted passwords for email/password accounts.
- Routine reviews of dependencies, third-party processors, and security configurations.
- Backups, incident response procedures, and a documented breach-notification workflow.
If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly.
11
Automated decision-making and profiling
The App produces personalized insights from the meals, hunger ratings, and notes you log. These insights are educational and have no legal or similarly significant effect on you. They are not used to deny services, set prices, or restrict access.
If we ever introduce processing that produces a legal or similarly significant effect, we will tell you in advance, ask for your explicit consent where required, and offer the safeguards required by Article 22 of the GDPR.
12
Changes to this policy
We may update this Privacy Policy to reflect changes in the law, in our practices, or in the Service. The “Last updated” date at the top of this page indicates the version that is currently in force. The historical versions of the policy are available on request.
Material changes that affect your rights will be communicated to you in advance — by email, by an in-product notice, or both — at least 30 days before they take effect, except where the law requires a shorter or longer notice period.