1. Data Protection
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations as well as this Privacy Policy.
This Privacy Policy applies to our mobile meala app, hereinafter referred to as the “App”. It explains the nature, purpose and scope of data collection in connection with the use of the App.
Please note that when downloading our App via an app store, you must register or identify yourself with the respective app store operator, for example using a Google or Apple ID. The privacy policies of the app store operators apply in this context and may differ from the data protection laws of the European Union. We have no influence over these privacy policies.
2. Controller
The “controller” is the entity that collects, processes or uses personal data, for example names, email addresses or similar information. The controller responsible for data processing in connection with this App is:
meala GmbH
c/o Kevin Röhl
Bänschstr. 45
10247 Berlin
Website: https://www.heymeala.com
Email: kevin.roehl@heymeala.com
Tel.: +49 176 913 434 98
3. Which Personal Data Is Collected?
When you use the App, we process, depending on the function used, in particular the following categories of personal data:
- account and identification data, in particular user ID and, if you create an account, your email address
- technical data, in particular IP address, device identifiers and app version
- voluntary profile and health information, in particular age, gender, height and body weight
- data that you enter yourself in the App, such as meals, nutritional values, insulin values, times, photos, barcodes, notes, tags and location information
- data from connected services or wearables, insofar as you activate and authorize a corresponding connection
We process account and technical data for the performance of the user agreement or on the basis of our legitimate interest in providing the App securely and in a functional manner, Art. 6(1)(b) and Art. 6(1)(f) GDPR. We generally process voluntary profile, health, fitness and wellness data only on the basis of your consent; insofar as health data is involved, the processing is carried out on the basis of your explicit consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR.
We process only the data that is necessary for the function requested by you in each case, in accordance with the principle of data minimization. As a rule, all data collected in connection with the App is stored only for as long as this is necessary for the respective purposes or until you delete data, disconnect a connection, withdraw consent or delete your user account. Mandatory statutory retention periods, for example for invoice data, remain unaffected.
All data collected in the context of the App is stored on a server in Germany that we rent specifically for this purpose. The server is hosted by Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp. We have concluded a data processing agreement with the hosting provider.
The data remains with us until the purpose for storage no longer applies or you request that we delete it. The purpose for storing data regularly ceases to apply when you log out of the App. However, if mandatory statutory retention periods apply, the relevant data will only be deleted after expiry of the statutory periods, for example tax-law retention periods for invoice data.
4. User Account
Firebase Auth is used for the creation of a user account as part of the login and registration function. Firebase Auth is an external tool for creating user accounts. In this process, only the email address and password are processed by Firebase Auth. Firebase is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can find more information about data protection at Firebase at https://policies.google.com/privacy
Profile and Health Data
If you voluntarily create a personal profile in the App or use personalization functions, we may process in particular your age, gender, height and body weight. We use this information to provide functions within the App such as personalized calorie targets, meal and timing guidance, and nutrition- or recovery-related recommendations.
Providing this data is voluntary. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and, insofar as health data is involved, your explicit consent pursuant to Art. 9(2)(a) GDPR. You can change or delete this information in the App at any time and withdraw your consent with effect for the future.
5. In-App Purchases and Subscriptions
The meala App offers the option to purchase paid premium subscriptions, “in-app purchases”, in order to unlock additional functions. Payment and billing are carried out exclusively via the provider of the respective app store of the device, Google Play for Android devices and the Apple App Store for iOS devices. For this purpose, the App uses the technical interface provided by the respective provider to determine whether a purchase has been made. In this context, communication takes place with the app store of the respective provider. The data transmitted in this process is processed in accordance with the privacy policy of the respective provider and is not accessible to us.
For the management and analysis of in-app purchases, we use the RevenueCat service, operated by RevenueCat, Inc., 633 Tarava St. Suite 101, San Francisco, CA 94116, USA, hereinafter referred to as “RevenueCat”.
RevenueCat processes pseudonymized data such as app store user IDs and information about subscriptions, for example purchase time, duration, price and cancellations, and makes this information available to us so that we can efficiently manage your subscriptions. RevenueCat processes this data in the USA and Europe and stores it in compliance with the GDPR pursuant to a data processing agreement concluded with us. In this agreement, RevenueCat undertakes to comply with European data protection requirements, including the use of EU Standard Contractual Clauses pursuant to Art. 46 GDPR. In addition, RevenueCat is certified under the EU-US Data Privacy Framework.
You can view and request deletion of the data stored by RevenueCat and prepared for analysis at any time by contacting us at kevin.roehl@heymeala.com and informing us that you would like your data at RevenueCat to be deleted.
If you do not want your data to be transferred to RevenueCat, please refrain from using in-app purchases, namely premium subscriptions.
Further information can be found at:
- RevenueCat Privacy Policy: https://www.revenuecat.com/privacy
- RevenueCat Terms and Conditions: https://www.revenuecat.com/terms
- Data Processing Agreement, DPA: https://www.revenuecat.com/dpa
The legal basis for processing by RevenueCat is Art. 6(1)(b) GDPR, performance of a contract, and Art. 6(1)(f) GDPR, legitimate interest in the efficient management of our premium subscriptions.
6. Data Transfer Between the meala App and Other Apps
As a user, you can transfer your data from other apps that you use into the meala App. This function exists for the following apps/services and relates to the data listed below:
- Garmin Connect, operated by Garmin Deutschland GmbH, Parkring 35, 85748 Garching; more information about data protection at Garmin can be found at https://www.garmin.com/de-DE/privacy/connect/policy: depending on the connected API, device support and the authorization granted by you, in particular everyday, fitness and wellness data such as heart rate, sleep, steps, calories, stress, Body Battery or comparable recovery/rest metrics as well as detailed activity, workout or activity files.
No Disclosure or Processing by Third-Party Providers / External AI Providers
Data that we receive via Garmin Connect is not disclosed to third parties, is not processed by third parties and, in particular, is not made accessible to external AI providers, external AI systems or other external data processing services. Garmin Connect data is processed exclusively within the meala App and only for the functions activated by the user.
- Nightscout Link, open-source system: carbohydrate values, insulin values, glucose values
- Apple Health Kit, operated by Apple Inc., 1 Apple Park Way, Cupertino 94087, USA; more information about data protection at Apple can be found at: https://www.apple.com/de/legal/privacy/de-ww/: step counts, carbohydrate values, insulin values, menstruation data, pulse values, glucose values
- Dexcom, operated by DexCom Inc., 6340 Sequence Dr, San Diego 92121, USA; more information about data protection at DexCom can be found at: https://www.dexcom.com/de-DE/linked/documentservice/PrivacyPolicy: CGM data from the Dexcom account for glucose data
- FreeStyle Libre, operated by Abbott GmbH, Max-Planck-Ring 2, 65205 Wiesbaden; more information about data protection at Abbott can be found at: https://www.freestylelibre.de/datenschutzerklaerung.html: users can import glucose data into the meala App via the FreeStyle Libre App.
If you activate the data transfer, the following data may also be transferred from the meala App to the following apps/services:
- Apple Health Kit: carbohydrate values and insulin values entered by the user in the meala App
The transfer of data from the above-mentioned apps requires that the user has the respective app and has activated the data transfer. The terms of the respective operators apply to the above-mentioned apps. The respective operators are solely responsible for data processing by the above-mentioned apps. We are not the operator of the above-mentioned apps.
This data is collected for the performance of the user agreement between us and the App users, Art. 6(1) sentence 1 lit. b GDPR. With regard to voluntary information, data processing is also carried out on the basis of Art. 6(1) sentence 1 lit. f GDPR. We have a legitimate interest in collecting voluntarily provided data from our users. The data is stored until the user deletes the data, requests that we delete it or deletes their user account for the meala App.
AI-Supported Processing / AI Transparency
Insofar as you activate corresponding functions, we may process meal-, profile- and context-related data as well as, insofar as expressly authorized by you, data from connected services using algorithmic or AI-supported systems in order to provide personalized analyses and recommendations within the App regarding nutrition, meal timing and wellness topics. Data that we receive via Garmin Connect or via the Garmin Connect API is expressly excluded from processing by external AI service providers. Garmin Connect data is not transmitted to, or made accessible to, external AI providers, external AI systems or other external data processing services. If external AI service providers are used, we limit the transfer to the data required for the respective function. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and, insofar as health data is involved, your explicit consent pursuant to Art. 9(2)(a) GDPR. You can withdraw consent that you have given at any time with effect for the future. The lawfulness of processing already carried out remains unaffected by this.
7. App Access Rights
In order to provide our services via the App, we require the access rights listed below, which enable us to access certain functions of your device.
- Photos, videos. Collection takes place for the following purpose: use of the logging functions
- Camera. Collection takes place for the following purpose: use of the logging functions
- Microphone. Collection takes place for the following purpose: use of the logging functions
The access rights are required in order to be able to use all available functions of the App in full.
The legal basis for access is your consent, which you gave during installation, Art. 6(1)(a) GDPR.
8. Meal Log Function
If you use the “logging meals” function, the following data is processed:
- meal consumed, including barcode and photo where available
- time of consumption
- insulin value, including time of recording of the value
- amount of carbohydrates consumed
- notes on the entry
In this context, we use tools/modules from external providers in the App, namely:
- Barcode Database: Only the scanned barcode is transmitted to Barcode Database; no personal data is transmitted.
- Clarifai.ai: Only photos of meals are transmitted to Clarifai.ai; no personal data is transmitted.
- OpenAI: After consent has been given, a description of the meal is transmitted to OpenAI. Consent may be withdrawn at any time. OpenAI is operated by: OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.
More information about data protection at OpenAI can be found at: https://openai.com/policies/privacy-policy
This data is collected for the performance of the user agreement between us and the App users, Art. 6(1) sentence 1 lit. b GDPR. With regard to voluntary information, data processing is also carried out on the basis of Art. 6(1) sentence 1 lit. f GDPR. We have a legitimate interest in collecting voluntarily provided data from our users.
9. Data Processing for Research Purposes
We may use datasets, after complete and irreversible anonymization, for internal statistical analyses and scientific research purposes or disclose them in this anonymous form to selected research partners. Purely anonymous data is not subject to the GDPR. Personal data or merely pseudonymized data is processed for research or product improvement purposes only if a separate legal basis exists for this and appropriate technical and organizational safeguards have been implemented. The legal basis for this data processing is Art. 6(1)(f) GDPR, “legitimate interest” in scientific research and the further development of our App.
10. Contact Form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not disclose this data without your consent.
The processing of the data entered into the contact form requires your consent. You may withdraw consent that you have given at any time. The lawfulness of data processing operations already carried out remains unaffected by the withdrawal.
11. Newsletter Data
If you would like to subscribe to the newsletter offered in our App, we require your email address as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. No further data is collected. We use this data exclusively to send the requested information and do not disclose it to third parties.
You may withdraw the consent you have given to the storage of the data, the email address and its use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter. The lawfulness of data processing operations already carried out remains unaffected by the withdrawal.
The data that you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe.
12. Encryption
For security reasons and to protect the transmission of confidential content, such as inquiries that you send to us as the App operator or communication between App users, this App uses encryption. This encryption prevents the data you transmit from being read by unauthorized third parties.
13. Your Rights
You have the following data protection rights:
Withdrawal of Your Consent to Data Processing
Many data processing operations are possible only with your consent. We will obtain this consent from you expressly before beginning data processing. You may withdraw this consent at any time. An informal notification to us by email is sufficient for this purpose. The lawfulness of data processing operations carried out up to the time of withdrawal remains unaffected by the withdrawal.
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in performance of a contract provided to you or to another controller in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place insofar as it is technically feasible.
Access, Deletion, Rectification
You have the right at any time to receive free information about your stored personal data, its origin and recipients and the purpose of data processing, as well as a right to rectification or deletion of this data. For this purpose, and for further questions regarding personal data, you may contact us at any time using the address provided in the legal notice.
Restriction of Processing
You have the right to request that we restrict the processing of your personal data. For this purpose, you may contact us at any time using the address provided in the legal notice. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the verification, you have the right to request restriction of the processing of your personal data.
- If the processing of your personal data was or is unlawful, you may request restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it for the establishment, exercise or defense of legal claims, you have the right to request restriction of the processing of your personal data.
- If you have objected pursuant to Art. 21(1) GDPR, a balancing of your interests and our interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request restriction of the processing of your personal data.
If the processing of your personal data has been restricted, this personal data may, apart from being stored, be processed only with the consent of the data subject or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
Right to Lodge a Complaint with the Competent Supervisory Authority
We inform you that, in the event of violations of data protection law, you have the right to lodge a complaint with the competent supervisory authority.
14. RIGHT TO OBJECT TO DATA COLLECTION IN SPECIAL CASES AND TO DIRECT MARKETING, ART. 21 GDPR
IF DATA PROCESSING IS CARRIED OUT ON THE BASIS OF ART. 6(1)(E) OR ART. 6(1)(F) GDPR, YOU HAVE THE RIGHT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO OBJECT TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY.
IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL THEREAFTER NO LONGER BE USED FOR DIRECT MARKETING PURPOSES.
15. Amendment of This Privacy Policy
We reserve the right to amend these data protection provisions at any time in compliance with statutory requirements.
Last updated: May 2026
