Privacy Policy – meala food diary

Table of Contents

  1. Privacy Policy
  2. Responsible Entity
  3. What Personal Data Is Collected?
  4. User Account
  5. Data Transfer Between the meala App and Other Apps
  6. App Access Permissions
  7. Meal Logging Feature
  8. Survey Feature
  9. Contact Form
  10. Newsletter Data
  11. Analytics Tools
  12. Encryption
  13. Your Rights
  14. RIGHT TO OBJECT TO DATA COLLECTION IN SPECIAL CASES AND TO DIRECT MARKETING (ART. 21 GDPR)
  15. Changes to This Privacy Policy
  16. Privacy Policy

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

This privacy policy applies to our mobile meala app (hereinafter referred to as “App”). It explains the type, purpose, and scope of data collection during app use.

Please note that when downloading our app from an app store, you must register or identify yourself with the respective store operator (e.g., via a Google or Apple ID). The privacy policies of the store operators apply, which may differ from EU privacy laws. We have no influence over these policies.

  1. Responsible Entity

The “Responsible Entity” is the body that collects, processes, or uses personal data (e.g., names, email addresses, etc.). The responsible entity for data processing in the context of this app is:

meala GmbH
c/o Kevin Röhl
Bänschstr. 45
10247 Berlin

Website: https://www.heymeala.com
Phone: +49 176 913 434 98
Email: kevin.roehl@heymeala.com

  1. What Personal Data Is Collected?

When you use this app, we process various categories of personal data. Personal data allows conclusions to be drawn about your person. The following personal data is collected when you install and use the app:

• UserID – usage as guest
• Email – optional for account creation

This data is collected to fulfill the user contract between us and app users (Art. 6(1)(b) GDPR). For voluntary information, data processing is also based on Art. 6(1)(f) GDPR, as we have a legitimate interest in collecting voluntarily provided data.

Additionally, we collect technical data:

• IP addresses
• Metadata
• Device identifiers

This data is necessary for the app’s operation, justifying collection based on Art. 6(1)(f) GDPR.

All app-related data is stored on a server in Germany, rented for this purpose. Hosting is provided by Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp. We have a data processing agreement with the provider.

Data is retained until the purpose of storage ceases or you request deletion. Usually, this is when you log out of the app. If statutory retention obligations exist, data is deleted after those periods (e.g., tax retention for billing data).

  1. User Account

To create a user account, we use Firebase Auth, an external tool. Only the email and password are processed by Firebase Auth. Operator: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. More: https://policies.google.com/privacy

  1. In-App Purchases and Subscriptions

The meala app offers premium subscriptions (“in-app purchases”) for additional features. Payment is processed via your device’s app store (Google Play or Apple App Store). We use RevenueCat for management and analysis of subscriptions. Operator: RevenueCat, Inc., 633 Tarava St. Suite 101, San Francisco, CA 94116, USA.
RevenueCat processes pseudonymized data such as store user IDs and subscription info. Data is processed in the USA and EU under GDPR-compliant agreements including standard contractual clauses. Certified under the EU-US Data Privacy Framework.
To view or delete your RevenueCat data, email us at mail@heymeala.com. Avoid in-app purchases if you don’t consent to this.
More info:
• Privacy: https://www.revenuecat.com/privacy
• Terms: https://www.revenuecat.com/terms
• DPA: https://www.revenuecat.com/dpa
Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (legitimate interest).

  1. Data Transfer Between the meala App and Other Apps

You can transfer data from the following third-party apps/services to the meala app:

• Nightscout Link: carb, insulin, glucose data
• Apple Health Kit: steps, carbs, insulin, menstruation, pulse, glucose
• Dexcom: CGM glucose data
• FatSecret: user ID for food data access
• FreeStyle Libre: glucose data import

You can also send meala app data (e.g., carbs, insulin) to Apple Health Kit. Usage requires you have these apps and have enabled data sharing. We are not the operator of these apps.

Data is collected to fulfill the user contract (Art. 6(1)(b) GDPR). Voluntary data is also processed under Art. 6(1)(f) GDPR. Data is stored until the user deletes it or requests deletion.

  1. App Access Permissions

We require the following access permissions for full app functionality:

• Location (including GPS, Google Maps) – for logging functions
• Photos, Videos – for logging
• Camera – for logging
• Microphone – for logging

Legal basis: Your consent (Art. 6(1)(a) GDPR), given during installation.

  1. Meal Logging Feature

If you use the meal logging feature, we process:

• Eating location (with GPS and place ID)
• Consumed meal (with barcode, photo)
• Time of consumption
• Insulin value
• Carb amount
• Notes
• Tags and emojis

We use third-party tools for this feature:
• Barcode Database – only barcode is shared
• Google Maps (Android) – shares location data
• Apple Maps (iOS) – shares location data
• Clarifai.ai – meal photos only
• OpenAI – meal descriptions with consent; revocable at any time

Data is collected under Art. 6(1)(b) GDPR and, for voluntary data, under Art. 6(1)(f) GDPR.

  1. Survey Feature

We offer in-app surveys. Participation is voluntary and not required for app use. Data collected:
• Age, Gender, BMI
• Well-being
• Motivation
• Sustainability and Nutrition self-assessment
• Feedback
Purpose: app improvement and research. Shared pseudonymized with: Kevin Nils Röhl and Torben Ukena. Stored: 10 years. Legal basis: consent (Art. 6(1)(a) GDPR), revocable anytime.

  1. Data Processing for Research Purposes

We use anonymized data for statistical and research purposes. Shared with research partners, no personal identification possible. Legal basis: Art. 6(1)(f) GDPR (legitimate interest). You may object at any time via mail@heymeala.com.

  1. Contact Form

Data from the contact form is used to respond to inquiries. Not shared without consent. Legal basis: consent (Art. 6(1)(a) GDPR), revocable anytime.

  1. Newsletter Data

To subscribe, we need your email and consent. Used only for newsletter delivery. You may unsubscribe at any time. Legal basis: consent. Data is stored until unsubscription.

  1. Analytics Tools

We analyze usage behavior using tools like Firebase Analytics (Google LLC). Data is used to improve the app and for market research. Contracts ensure GDPR compliance. More: https://policies.google.com/privacy

  1. Encryption

We use encryption to protect transmitted data (e.g., contact requests, user communication).

  1. Your Rights

You have the following rights: withdraw consent, data portability, access, correction, deletion, processing restriction, lodge a complaint. Contact details are in the imprint.

  1. RIGHT TO OBJECT TO DATA COLLECTION IN SPECIAL CASES AND TO DIRECT MARKETING (ART. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E OR F) GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION. IF YOU OBJECT, YOUR DATA WILL NO LONGER BE PROCESSED UNLESS WE CAN PROVE COMPELLING LEGITIMATE GROUNDS.

IF YOUR DATA IS USED FOR DIRECT MARKETING, YOU CAN OBJECT AT ANY TIME. YOUR DATA WILL THEN NO LONGER BE USED FOR THIS PURPOSE.

  1. Changes to This Privacy Policy

We reserve the right to change this policy at any time in compliance with legal requirements.

Status: May 2025