Privacy Policy
Last updated: 2026-04-19 · Effective: 2026-04-19
This Privacy Policy explains how EatScore (eatscore.app, the "Service") collects, uses, and protects your personal data. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), the EU ePrivacy Directive as implemented in your country of residence, and any equivalent local data-protection law applicable to you. We designed the Service to be minimal by default and to give you complete control over your data.
1. Data controller
The data controller for the Service is the individual operator publishing EatScore. You can reach the controller at:
- Email (general): privacy@eatscore.app
- Email (data subject requests): dpo@eatscore.app
- Postal address: available on request by email — see Section 11.
EatScore has not designated a mandatory Data Protection Officer under GDPR Article 37 because none of the criteria in that Article apply. All data-protection queries are handled by the controller directly.
2. Data we collect
2.1 Data you provide
- Account: email address and a hash of your password (Argon2id — the plaintext never reaches our servers in storable form).
- Health profile (optional): age, biological sex, weight, height, activity level, sleep, stress, alcohol frequency, dietary preferences, health goals, self-declared health conditions, allergies, and optional blood markers. You decide what to enter; none of it is mandatory to use the Service.
- Nutrition data: foods you create, meals you log, prescriptions and advisors you configure.
- Communications: the content of any email you send us (for example, support requests).
2.2 Data we generate or observe
- Session cookie: a single HttpOnly, SameSite=Lax cookie containing a signed JWT used to keep you logged in. No tracking cookies, no third-party analytics cookies.
- Security logs: IP address and request metadata for rate-limiting, intrusion detection, and abuse prevention. Retained for up to 90 days.
- Operational logs: anonymised request timing and error traces used to keep the Service running. No request body or credentials are logged.
2.3 What we do not collect
We do not use third-party analytics, advertising trackers, fingerprinting scripts, or social-plugin cookies. We do not buy or enrich your data from brokers. We do not sell or rent your data to anyone, ever.
3. Why we process your data and on what legal basis
For each purpose below, we identify the GDPR Article 6 lawful basis we rely on.
- Providing the Service: Contract (Art. 6(1)(b)). We need your account data and the profile / nutrition data you choose to enter to compute personalised scoring.
- Transactional emails (password reset, email verification): Contract (Art. 6(1)(b)). You can't receive these without a registered email. We do not use these channels for marketing.
- Optional digest / summary emails: Consent (Art. 6(1)(a)). You must explicitly opt in inside your profile; you can opt out with one click from any such email.
- Security and abuse prevention: Legitimate interests (Art. 6(1)(f)) — keeping the Service available and protecting you and us from brute-force, scraping, and account-takeover attempts.
- Legal compliance: Legal obligation (Art. 6(1)(c)) where we are required to retain or disclose data.
Health-profile fields you choose to enter (e.g. diagnoses, allergies) may qualify as special categories of personal data under GDPR Article 9. We process them only on the basis of your explicit consent (Art. 9(2)(a)), which you give by entering the data, and only to deliver the Service to you personally.
4. Email communications (AWS SES)
Email delivery is handled by Amazon Simple Email Service (AWS SES) operating from a European AWS region where available. We only email:
- Users who have registered and confirmed their email address.
- With transactional messages directly tied to your account (email verification, password reset, security notices).
- With optional summary / digest emails — only if you have opted in inside your profile. Every such email contains a one-click unsubscribe link and honours List-Unsubscribe headers.
We maintain sender hygiene by processing AWS SES bounce and complaint notifications automatically: hard bounces and complaints result in the address being suppressed immediately, and you will be prompted to correct or remove the email the next time you sign in. We do not send unsolicited commercial email to anyone.
5. Recipients and sub-processors
We rely on a small set of infrastructure providers to deliver the Service. They act as processors on our behalf under written data-processing agreements aligned with GDPR Article 28.
- Hetzner Online GmbH (Germany) — hosting and database storage, within the EU.
- Amazon Web Services, Inc. (AWS SES) — transactional email delivery. AWS is a US company; transfers rely on the EU-U.S. Data Privacy Framework and/or the European Commission's Standard Contractual Clauses.
- Cloudflare, Inc. — DNS and, where enabled, TLS edge termination. Transfers rely on the SCCs.
We do not share your personal data with any other third party, except where required by law or a binding legal order from a competent authority. Any such disclosure is minimised and, where legally permitted, we will notify you.
6. International transfers
Your data is stored in the European Union. Some sub-processors (AWS SES, Cloudflare) may process data outside the EU — primarily in the United States. For such transfers we rely on (i) the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, (ii) the EU-U.S. Data Privacy Framework. On request we will send you a copy of the safeguards in place.
7. How long we keep your data
- While your account is active: for as long as you use the Service.
- After you delete your account: account and nutrition data are marked for deletion and fully purged within 30 days, save for records we are legally required to keep.
- Security / rate-limit logs: up to 90 days.
- Operational logs: up to 30 days; aggregated, non-identifying metrics may be kept longer.
- Email bounce / complaint suppression list: until you request removal or the suppression is no longer needed to protect deliverability.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data (Art. 17) — the "right to be forgotten".
- Restrict processing (Art. 18) in specific situations.
- Object to processing based on legitimate interests (Art. 21).
- Data portability — receive your data in a structured, machine-readable format (Art. 20).
- Withdraw consent at any time for any purpose based on consent. Withdrawal does not affect lawfulness of past processing (Art. 7(3)).
- Not be subject to automated decision-making that produces legal or similarly significant effects. EatScore scoring is informational and has no such effect (Art. 22).
- Lodge a complaint with the supervisory authority of your EU habitual residence, place of work, or place of the alleged infringement (Art. 77). A list is maintained at edpb.europa.eu.
You can exercise most of these rights directly from inside the app (Settings → Account), including export and deletion. For anything else, email dpo@eatscore.app. We aim to respond within 30 days as required by Article 12(3).
9. Security
Passwords are hashed with Argon2id using a random per-user salt; we never see or store your plaintext password. Transport is protected with TLS 1.2+ end-to-end. Production secrets are encrypted at rest with SOPS + age. Access to production infrastructure is restricted to the operator and logged. We keep dependencies patched and run automated security checks in CI.
No online service can be 100 % secure. If we become aware of a personal-data breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and inform affected users without undue delay as required by Art. 34.
10. Cookies
We use a single strictly necessary cookie — a signed session token used to keep you logged in. It is marked HttpOnly, Secure (in production) and SameSite=Lax. We do not use advertising, analytics, fingerprinting, or third-party cookies, which is why no consent banner is shown — strictly necessary cookies are exempt from consent under the ePrivacy Directive Art. 5(3).
11. Children
The Service is not directed at children under 16. We do not knowingly process personal data of children under 16. If you believe a child has provided us data, please contact privacy@eatscore.app and we will delete it.
12. Changes to this policy
We will update the "Last updated" date at the top of this page whenever we change this Privacy Policy. Material changes will additionally be announced inside the app or by email to registered users at least 14 days before they take effect, except where a faster change is required by law.
13. Contact
For any question, request, or complaint relating to your personal data, email privacy@eatscore.app. For formal GDPR rights requests, use dpo@eatscore.app — we respond within 30 days.
© 2026 EatScore. All rights reserved.