This Privacy Policy applies to Mealisto ("we," "us," "our") and describes how we collect, use, and protect your personal data in accordance with the Swiss Federal Act on Data Protection (FADP, SR 235.1), effective 1 September 2023.
1. Controller
Mealisto
Contact: privacy@mealisto.com
2. Data We Collect
2.1 Data You Provide
- Account data: name, email address, password (stored as a bcrypt hash)
- Profile data: dietary preferences, allergies, household members, language settings
- Usage data: recipes, meal plans, shopping lists, ratings, notes
- Payment data: handled exclusively by Apple App Store or Google Play — we receive only a subscription status confirmation; no payment details are transmitted to us
2.2 Automatically Collected Data
- Technical data: device type, operating system, app version, IP address (anonymised after processing), session tokens
- Analytics data: features used, session duration, error reports (anonymised, no personal identifiers)
2.3 Family and Sharing Data
When you create a family group or invite members, we process the names and email addresses of invited persons, shared meal plans and shopping lists, and family preferences and settings.
3. Purposes and Legal Basis of Processing
We process your personal data for the following purposes in accordance with Art. 19 FADP:
- Providing and operating the Service — performance of our contract with you
- Account management and authentication — performance of our contract with you
- Personalised meal plan generation (including AI-assisted recommendations) — performance of our contract with you
- Sending transactional notifications — performance of our contract with you
- Analytics to improve the Service — our overriding legitimate interest (data anonymised before use)
- Fraud prevention and security — our overriding legitimate interest and legal obligation
- Compliance with legal obligations — legal obligation
We process sensitive personal data (Art. 5(c) FADP) only in the form of dietary preferences and allergy information that you explicitly provide, and solely to operate the Service.
4. Sharing Data with Third Parties
We share your data only where necessary:
- Apple / Google: subscription management through the respective app store, subject to their privacy policies
- Cloud infrastructure provider: data hosting and backup; governed by a Data Processing Agreement
- Analytics provider: anonymised, aggregated usage statistics; no personal identifiers are shared
- Google Generative AI: for recipe recommendations only; we transmit anonymised recipe and preference data — no personal identifiers
- Competent authorities: when required by Swiss law or a legally binding order
We never sell your personal data.
5. Cross-Border Data Transfers
Your data may be processed outside Switzerland. Where the recipient country is not recognised by the FDPIC as providing adequate protection, we rely on standard contractual clauses (Art. 16 para. 2(d) FADP) to ensure your data remains protected. A copy of the applicable safeguards is available on request at privacy@mealisto.com.
6. Retention Periods
- Account and profile data: retained for the duration of your account; deleted within 30 days of account deletion
- Meal plans and shopping lists: retained for the duration of your account; deleted within 30 days of account deletion
- Usage logs and error reports: 90 days (anonymised)
- Billing and transaction records: 10 years (Swiss commercial law obligation)
- Security logs: 12 months
7. Your Rights
Under the FADP, you have the following rights:
- Right of access (Art. 25 FADP): obtain a copy of your personal data
- Right to rectification (Art. 32 FADP): correct inaccurate data
- Right to erasure (Art. 32 FADP): request deletion of your data (subject to legal retention obligations)
- Right to data portability (Art. 28 FADP): receive your data in a structured, machine-readable format
- Right to restriction (Art. 25 FADP): limit certain processing activities
- Right to object to automated decisions (Art. 21 FADP): where decisions are based solely on automated processing
To exercise any of these rights, email privacy@mealisto.com. We will respond within 30 days. In complex cases we may extend this by up to 60 days and will notify you accordingly.
If you believe your data protection rights have been violated, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Transport Layer Security (TLS 1.2+) for all data in transit
- Secure password hashing (bcrypt)
- Short-lived JWT tokens for API authentication
- Role-based access controls
- Regular security reviews
9. Children's Privacy
The Service is not directed at persons under 16 years of age. We do not knowingly collect personal data from children. If you believe a child's data has been submitted without parental consent, contact privacy@mealisto.com and we will delete it promptly.
10. Cookies and Tracking
We use only technically necessary session cookies for authentication. We do not use tracking or advertising cookies. Our analytics are anonymised and do not use cookies. For more information, see our Cookie Policy.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via the app or by email. The date at the top of this page indicates when this policy was last updated. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact
For any privacy-related questions or to exercise your rights:
Mealisto — Privacy Contact
Email: privacy@mealisto.com