Privacy Policy — TastyPlan
Last updated: March 19, 2026
This Privacy Policy explains how the mobile application TastyPlan, operated by Kwargs, s.r.o., collects, uses, and protects your personal data in accordance with the GDPR and Act No. 18/2018 Coll.
1. Data Controller
Kwargs, s.r.o.
Registered office: Tallerova 2/4, 811 02 Bratislava - mestská časť Staré Mesto
Company ID (IČO): 48136484
Application: TastyPlan
Email: info@kwargs.sk
Web: www.tastyplan.app
Note: The company has not appointed a Data Protection Officer (DPO), as the scope of processing is proportionate to the operation of a mobile application.
2. What Data We Process
a) Personal data
Email address (registration and login).
b) Health and nutrition data (special category)
Body weight, height, age, goals, nutrition plan, daily food and drink records, food photographs (AI analysis), physical activity data, fluid intake.
c) Google Health Connect data (Android)
If the user chooses to connect the application to Google Health Connect, we process the following data:
- Read: active calories burned, step count, body weight (from a smart scale or another connected application).
- Write: nutritional data (calories, protein, fat, carbohydrates from each logged meal), fluid intake (water tracking), body weight (from weight log entries).
This data is processed exclusively on the user's device via the Google Health Connect API. Data from Health Connect is not transferred to our servers — reading is used to display activity in the application, and writing enables synchronization with other health applications. Connecting to Health Connect is voluntary and can be disabled at any time in the application settings.
d) Technical data
Device identifiers, OS information, anonymized usage data, push notification tokens, error reports, and performance data.
3. Purposes and Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Registration and provision of application services | Art. 6(1)(b) GDPR — performance of a contract |
| Processing of health data (e.g., weight, meal plan) | Art. 9(2)(a) GDPR — explicit consent |
| Personalized recommendations and AI data processing | Art. 6(1)(a) / Art. 9(2)(a) — consent |
| Push notifications (reminders, daily recommendations) | Art. 6(1)(a) GDPR — consent |
| Analytics and service improvement | Art. 6(1)(a) GDPR — consent (cookie banner) |
| Fulfillment of legal obligations | Art. 6(1)(c) — legal obligation |
| Marketing communication (newsletter, news, promotions) | Art. 6(1)(a) GDPR — consent |
The email address you provide during registration is also processed for the purpose of sending important service messages (e.g., onboarding emails, notifications related to the trial version, or alerts concerning application usage). These messages do not constitute marketing communications but help ensure the proper functioning and use of the application.
The legal basis for sending service / informational emails is the performance of the service or the legitimate interest of the controller to ensure that the user receives important information necessary for using the application.
Marketing Communication
During registration, you have the option to give consent to receive marketing communications to your email address. Marketing communications may include information about new features in the application, promotions, healthy eating tips, and other services of TastyPlan.
The legal basis for sending marketing communications is your explicit consent pursuant to Art. 6(1)(a) GDPR. You may withdraw this consent at any time by clicking the "Unsubscribe" link in any marketing email or by sending a request to info@kwargs.sk. After withdrawing consent, we will no longer send you marketing messages.
Consent to the processing of health data may be withdrawn by the user at any time by email to info@kwargs.sk.
4. How We Use Data
- tracking nutritional intake and progress,
- generating personalized recommendations and meal plans,
- AI analysis of food photographs and text descriptions of meals,
- sending push notifications (reminders, daily recommendations, motivational messages),
- storing data on secure servers,
- improving service quality based on anonymized statistics.
5. AI Data Processing
The application uses artificial intelligence (provider: OpenAI) for the following purposes:
- analysis of food photographs — estimation of nutritional values,
- analysis of text descriptions of meals,
- generation of personalized meal plans and recipes,
- daily and weekly nutritional recommendations (AI coach "Chris"),
- meal suggestions based on the user's nutritional profile,
- import of recipes from URLs and photographs.
During AI processing, only nutritional data, food photographs, and text descriptions are sent to OpenAI servers — without direct user identifiers (name, email). OpenAI does not use data from API calls to train its models. Data transfer to the USA is protected by Standard Contractual Clauses (SCC).
6. Who Has Access to Data / Sharing
We share personal data only with trusted service providers necessary for the operation of the application:
- Google Firebase — user authentication,
- Vercel — website hosting and database (Vercel KV),
- OpenAI — AI analysis and content generation (see section 5),
- RevenueCat — subscription and payment management,
- Brevo — email delivery (service and marketing emails),
- PostHog — application and website usage analytics (EU servers),
- Meta (Facebook Pixel) — advertising effectiveness measurement on the website (with consent only),
- Expo — push notification delivery,
- Google Health Connect — health data synchronization on the device (data is not transferred to our servers).
Some of these services may transfer data to third countries (e.g., the USA). Such transfers are protected by Standard Contractual Clauses (SCC) or other appropriate safeguards under the GDPR.
7. Data Retention
We retain data only for the period necessary for the purposes of processing:
- for the duration of the active user account,
- personal data is deleted within 30 days after account cancellation,
- anonymized data may be retained for analytical purposes,
- backup copies are automatically deleted within 90 days.
8. Security
We implement appropriate technical and organizational measures to protect data, including:
- transport encryption (TLS/SSL),
- access control and authentication (JWT tokens),
- secure API access.
9. Your Rights
You have the right to access, rectify, and erase your data, to restrict processing, to data portability, to object to processing, and to withdraw consent. To exercise your rights, send a request to info@kwargs.sk.
If you believe that processing violates the GDPR, you have the right to lodge a complaint with:
Úrad na ochranu osobných údajov SR (Office for Personal Data Protection of the Slovak Republic)
Hraničná 12, 820 07 Bratislava 27
Web: www.dataprotection.gov.sk
10. Cookies and Tracking
The website uses the following types of cookies and tracking technologies:
- Essential: technical cookies necessary for the operation of the website (consent not required).
- Analytical (PostHog): website traffic and usage tracking. Activated only after consent is given via the cookie banner.
- Marketing (Meta/Facebook Pixel): advertising campaign effectiveness measurement. Activated only after consent is given.
You may withdraw or change your consent to analytical and marketing cookies at any time by clicking the "Cookie Settings" link in the website footer.
The mobile application uses PostHog for anonymized usage analytics and local storage for offline functionality.
11. Minors
The application is not intended for persons under the age of 18. If we discover that we have inadvertently collected data from a minor, we will delete it without delay.
12. Changes to the Policy
We may update this Policy. We will notify you of significant changes in the application or on the website. By continuing to use the service after changes are published, you agree to the updated version.