Privacy Policy
Last updated: March 3, 2026
This Privacy Policy describes how Matthias Colpaert, sole trader (hereinafter "we", "our", or "the Publisher"), collects, uses, stores, shares, and protects your personal data when you use the website myreciply.com (hereinafter "the Site") and the mobile application MyReciply (hereinafter "the Application"), collectively referred to as "the Services".
This policy is established in compliance with:
- Regulation (EU) 2016/679 of 27 April 2016 – General Data Protection Regulation (GDPR)
- French Act No. 78-17 of 6 January 1978, as amended – Data Processing, Files and Individual Liberties Act (Loi Informatique et Libertés)
- Directive 2002/58/EC – "ePrivacy" Directive (cookies and electronic communications)
- Recommendations and guidelines of the French Data Protection Authority (CNIL)
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), for California residents
- Children's Online Privacy Protection Act (COPPA), for users in the United States
By using our Services, you acknowledge that you have read this policy. If you do not accept the terms of this policy, please do not use our Services.
1. Data Controller
The controller responsible for processing your personal data is:
Matthias Colpaert
Sole trader (auto-entrepreneur)
SIRET: 89986980400018
Address: Toulouse, France
Email: Contact@myreciply.com
For any questions relating to the protection of your personal data, you may contact us at the email address above.
2. Personal Data Collected
We collect the following categories of personal data depending on your use of the Services:
2.1. Identification and Account Data
- First name and last name
- Email address
- Phone number (optional)
- Username
- Profile picture (optional)
- Biography (optional)
- Links to social media profiles (optional)
- Password (stored in hashed form, never in plaintext)
2.2. Health and Nutritional Data
This data constitutes sensitive data within the meaning of Article 9 of the GDPR. Its processing is based on your explicit consent (Article 9.2.a of the GDPR).
- Body weight (current, weight history)
- Height
- Date of birth
- Gender (male/female)
- Physical activity level
- Dietary type (vegetarian, vegan, gluten-free, etc.)
- Allergens and food intolerances
- Food budget
- Weight goals (loss, gain, maintenance) and associated data (starting weight, target weight, intensity, estimated duration)
- Caloric and macronutrient targets (calories, protein, carbohydrates, fat)
- Calculated maintenance calories
- Before/after photos (body transformation) – optional
2.3. Food Diary and Tracking Data
- Daily food diary (meals consumed, meal type, portions, calories and macronutrients per entry)
- Quick meals entered manually or by scan (title, photo, ingredients, nutritional values)
- Generated meal plans (day-by-day details)
- Shopping lists generated from meal plans
2.4. User-Generated Content
- Published recipes (title, description, instructions, ingredients, nutritional values, photos, video links)
- Comments and replies to comments
- Recipe ratings and reviews (0 to 5 stars)
- Recipe folders (personal organization)
- Feature requests and associated votes
- Bug reports
2.5. Social Interaction Data
- Likes on recipes
- Recipes saved as favorites
- Subscriptions (follows / followers)
- Likes on comments
- Blocked users
- Content reports (recipes, comments, users)
- Creator leaderboard (based on number of published recipes and number of followers)
2.6. Photos and Images
- Profile pictures
- Recipe photos
- Scanned meal photos (sent temporarily for AI analysis then deleted – see section 5)
- Before/after photos (body transformation)
2.7. Survey and Preference Data
- Onboarding data: how you discovered the application, use of other nutrition apps, whether you are followed by a coach/nutritionist
- Personal goals selected during registration
- Identified obstacles
- Food tag preferences
- Theme preferences (light/dark)
- Selected interface language
2.8. Usage and Technical Data
- Weekly usage counters (number of AI scans, number of AI modifications)
- Feed impressions (recipes viewed, interactions, timestamps)
- Push notification tokens and associated platform (iOS / Android)
- Account creation and update dates
- Date of last username change
2.9. Payment Data
Payments are processed exclusively by the built-in purchase platforms (Apple App Store / Google Play Store) via our partner RevenueCat. We do not collect or store any banking data (card number, CVV, IBAN, etc.). We receive only:
Subscription management is handled entirely client-side by RevenueCat. We do not store any subscription data on our servers. RevenueCat manages all purchase state, entitlements, and transaction history directly on your device and within their platform.
3. Purposes and Legal Bases for Processing
Your data is processed for the following purposes, each based on a legal basis compliant with the GDPR:
| Purpose | Legal basis (GDPR) | Data concerned |
|---|---|---|
| Creating and managing your user account | Performance of contract (Art. 6.1.b) | Identity, email, username, password |
| Providing the nutritional tracking and meal planning service | Performance of contract (Art. 6.1.b) | Nutritional profile, goals, food diary, plans |
| Processing health data (weight, height, body goals, allergens) | Explicit consent (Art. 9.2.a) | Health and nutritional data (section 2.2) |
| AI-based analysis of meal photos | Explicit consent (Art. 6.1.a) | Meal photos, analysis results |
| Social features (likes, follows, comments) | Performance of contract (Art. 6.1.b) | Social interactions, user content |
| Managing the Premium subscription | Performance of contract (Art. 6.1.b) | Subscription status, transaction identifier |
| Sending push notifications | Consent (Art. 6.1.a) | Push tokens, platform |
| Personalizing the recipe feed | Legitimate interest (Art. 6.1.f) | Impressions, interactions, preferences |
| Content moderation and security | Legitimate interest (Art. 6.1.f) | Reports, blocks, user content |
| Managing usage quotas (AI scans and AI modifications) | Performance of contract (Art. 6.1.b) | Weekly usage counters |
| Improving the Services and internal statistics | Legitimate interest (Art. 6.1.f) | Aggregated and anonymized usage data |
| Onboarding survey collection | Consent (Art. 6.1.a) | Survey data (section 2.7) |
| Compliance with legal obligations | Legal obligation (Art. 6.1.c) | Billing data, data required in the event of a judicial request |
4. Protection of Minors
The Application is accessible to minors. In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act, the processing of personal data of a child under 15 years of age (the age set by French law) is only lawful if consent is given or authorized by the holder of parental authority.
Accordingly:
- Users aged 15 and over may register and use the Services independently.
- Users under 15 years of age must obtain the consent of a parent or legal guardian before registering. We may request verification of parental consent.
- The parent or guardian may at any time exercise the rights provided under the GDPR (access, rectification, deletion) on behalf of the child by contacting us at Contact@myreciply.com.
Warning regarding health data of minors
Features related to weight goals (loss, gain, maintenance), calorie tracking, and meal plans should be used with caution for minors. We recommend that the use of these features by a minor be supervised by a parent or guardian and, where appropriate, accompanied by a healthcare professional.
5. Recipients and Sub-processors
Your personal data may be communicated to the following service providers, acting as sub-processors within the meaning of Article 28 of the GDPR. We have entered into data processing agreements (DPA) with each of them.
| Sub-processor | Role | Data | Location |
|---|---|---|---|
| Supabase Inc. | Backend, database, authentication, file storage | All account data, images, files | AWS infrastructure – Europe (eu-west) |
| OpenAI, L.L.C. | AI analysis of meal photos (Vision) and recipe generation | Meal photos (temporary signed URL, 5 min), text prompts | United States |
| RevenueCat Inc. | In-App Purchase subscription management | Anonymized user identifier, subscription status | United States |
| Apple Inc. | App Store distribution, In-App payments (iOS) | Transaction data managed by Apple | United States |
| Google LLC | Google Play distribution, In-App payments (Android) | Transaction data managed by Google | United States |
| Vercel Inc. | Hosting of the website | Connection logs, IP addresses | United States (global CDN) |
| Expo (EAS) | Push notifications, OTA updates | Push tokens, platform | United States |
5.1. Details of Processing by OpenAI (AI Food Scan)
When you use the food scan feature:
- Your meal photo is first uploaded to a secure temporary folder in our storage (Supabase Storage).
- A time-limited signed URL (5 minutes) is generated and transmitted to the OpenAI Vision API for analysis.
- OpenAI analyzes the image and returns nutritional estimates (calories, macronutrients, detected ingredients).
- The temporary photo is automatically deleted from our storage after analysis.
In accordance with OpenAI's API terms of use, data sent via the API is not used by OpenAI to train its models. OpenAI may retain data for a maximum of 30 days for abuse monitoring purposes, after which it is deleted.
5.2. No Sale of Data
We do not sell, rent, or otherwise commercially exploit your personal data to third parties for advertising, commercial, or marketing purposes.
6. International Data Transfers
Some of our sub-processors are located in the United States. Data transfers to the United States are governed by the following safeguards:
- EU-U.S. Data Privacy Framework (DPF): our US-based sub-processors (Vercel, OpenAI, RevenueCat) are certified under the EU-U.S. Data Privacy Framework, recognized as adequate by the European Commission (adequacy decision of 10 July 2023).
- Standard Contractual Clauses (SCCs): in addition to, or in the absence of, DPF certification, Standard Contractual Clauses approved by the European Commission (Decision 2021/914) are incorporated into our data processing agreements.
- Additional technical measures: encryption of data in transit (TLS 1.2+) and at rest, pseudonymization where possible, minimization of data transmitted.
You may obtain a copy of the appropriate safeguards by contacting us at Contact@myreciply.com.
7. Data Retention Periods
Your data is retained for the following periods:
| Data category | Retention period |
|---|---|
| Account data | Duration of the account. All personal data (profile, food journal, scans, weight logs, goals, meal plans, comments, likes, favorites, ratings, follows, nutrition profile, onboarding survey, push tokens, folders) is deleted immediately upon account deletion. All associated photos (profile image, before/after progress photos, quick meal photos) are also permanently deleted from storage. |
| Health and nutritional data | Duration of the account. Deleted immediately upon account deletion request. |
| Food diary and meal plans | Duration of the account. Deleted immediately upon account deletion. |
| Food scan photos (temporary) | Deleted immediately after AI analysis (a few seconds). Storage is also fully cleaned upon account deletion. |
| Published recipes | Recipe content remains on the marketplace but is permanently anonymized upon account deletion (author set to "Deleted user", no personal link retained). Likes, comments, and ratings from other users on those recipes are preserved. |
| Subscription data | Managed entirely client-side by RevenueCat. No subscription data is stored on our servers. Deleted with the account. |
| Usage data (counters) | 13 rolling months |
| Reports and moderation | 1 year after resolution |
| Onboarding data (survey) | Duration of the account |
| Technical logs (web server) | 12 months maximum |
Upon expiry of these periods, data is deleted or irreversibly anonymized.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, in accordance with Article 32 of the GDPR:
- Encryption in transit: all communications use the HTTPS / TLS 1.2 or higher protocol
- Encryption at rest: data is encrypted at rest in the database (AES-256) via Supabase / AWS
- Secure authentication: passwords hashed with bcrypt, JWT authentication tokens with expiration, secure storage via expo-secure-store (iOS Keychain / Android Keystore)
- Row Level Security (RLS): each user can only access their own data in the database (Supabase RLS policies)
- Temporary signed URLs: photos sent to AI use time-limited URLs (5 minutes)
- Automatic deletion: temporary scan photos are deleted immediately after analysis
- Access control: access to production systems is limited and logged
- Backups: automatic daily database backups
9. Your Rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights over your personal data:
- Right of access (Article 15 GDPR): obtain confirmation that data concerning you is being processed and obtain a copy.
- Right to rectification (Article 16 GDPR): request the correction of inaccurate or incomplete data. You can also directly modify most of your data from the Application settings.
- Right to erasure (Article 17 GDPR): request the deletion of your personal data. Deletion of your account results in the immediate and permanent deletion of all your personal data (profile, health data, food journal, meal plans, scans, photos, social interactions, push tokens, and folders). Published recipes are anonymized rather than deleted, so their content remains on the marketplace with no link to your identity.
- Right to restriction of processing (Article 18 GDPR): request restriction of processing of your data in cases provided for by the GDPR.
- Right to data portability (Article 20 GDPR): receive your data in a structured, commonly used, and machine-readable format (JSON) and transmit it to another data controller.
- Right to object (Article 21 GDPR): object to the processing of your data based on legitimate interest.
- Right to withdraw consent (Article 7 GDPR): withdraw your consent at any time for processing based on consent, without affecting the lawfulness of processing carried out before the withdrawal.
- Right to issue post-mortem instructions regarding the fate of your data after your death (Article 85 of the French Data Protection Act).
How to Exercise Your Rights
You may exercise your rights:
- By email at Contact@myreciply.com, stating your first name, last name, the email address associated with your account, and the nature of your request.
- Directly from the Application, in your profile settings (modification, account deletion).
We undertake to respond to your request within one (1) month of receipt. This period may be extended by two (2) months for complex requests or a high volume of requests, in which case you will be informed.
Complaint with the Supervisory Authority
If you believe that the processing of your personal data constitutes a violation of the GDPR or the French Data Protection Act, you have the right to lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr/fr/plaintes – 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, Tel.: +33 1 53 73 22 22. If you are located in another EU/EEA country, you may also contact your local data protection authority.
10. Cookies and Similar Technologies
10.1. Website
The Site may use cookies. A cookie is a small text file placed on your browser by the server of the site visited.
- Strictly necessary cookies: essential for the operation of the Site (exempt from consent).
- Analytics cookies: anonymized audience measurement to improve the Site (subject to consent).
In accordance with the CNIL guidelines of 1 October 2020, your consent is collected before placing non-essential cookies. You may modify your preferences at any time.
10.2. Mobile Application
The mobile Application does not use cookies in the traditional sense. It uses secure local storage mechanisms (expo-secure-store for authentication tokens, AsyncStorage for non-sensitive preferences) that are not subject to the ePrivacy Directive.
10.3. App Tracking Transparency (ATT) – iOS
On iOS devices, Apple requires apps to request explicit user permission before accessing the device's advertising identifier (IDFA) under Apple's App Tracking Transparency (ATT) framework (AppTrackingTransparency framework, iOS 14.5+). The Application will display an ATT permission prompt before any use of the IDFA. If you decline, the IDFA will not be accessed or used for tracking purposes. You may change this preference at any time in your device's Settings > Privacy & Security > Tracking.
11. California Privacy Rights (CCPA / CPRA)
If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section describes those rights and how to exercise them.
11.1. Categories of Personal Information Collected
Under the CCPA, we collect the following categories of personal information (as described in full detail in section 2 above):
- Identifiers: name, email address, username, user ID, push notification tokens, IP address
- Personal information categories listed in the California Customer Records statute: name, email, phone number
- Protected classification characteristics: date of birth, gender
- Internet or other electronic network activity: usage data, feed impressions, usage counters
- Health and medical information: weight, height, dietary type, allergens, caloric goals (collected with your explicit consent)
- Geolocation data: general location inferred from IP address (website only; the Application does not collect GPS location)
- Audio, electronic, visual, or similar information: profile photos, recipe photos, meal scan photos, before/after transformation photos
- Inferences drawn from personal information: recipe preferences, feed personalization data
11.2. Your Rights as a California Resident
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions (e.g., where retention is necessary to complete a transaction, detect security incidents, comply with a legal obligation, or for other purposes permitted by the CCPA).
- Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. MyReciply does not sell your personal information and does not share your personal information for cross-context behavioral advertising purposes. No opt-out action is required.
- Right to Limit Use of Sensitive Personal Information: You have the right to request that we limit our use of sensitive personal information (such as health data) to purposes necessary to provide the Services. We do not use sensitive personal information for purposes beyond providing the Services without your explicit consent.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different level of quality, or suggest that you will receive a different price or quality because you exercised your rights.
11.3. How to Submit a CCPA Request
To submit a verified request to know, delete, or correct your personal information, you may:
- Send an email to Contact@myreciply.com with the subject line "California Privacy Request", including your name, the email address associated with your account, and the specific right you wish to exercise.
- Use the account deletion feature directly in the Application settings (for deletion requests).
We will verify your identity before processing your request. We will respond within 45 days of receiving a verifiable request. We may extend this period by an additional 45 days where necessary, with prior notice. We do not charge a fee for processing your request unless it is excessive, repetitive, or manifestly unfounded.
Authorized agents may submit requests on your behalf. We may require written authorization or proof of power of attorney before processing a request submitted by an authorized agent.
12. Children's Privacy (COPPA – United States)
The Services are not directed to children under the age of 13 in the United States. We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13 years of age.
- We do not knowingly collect, use, or disclose personal information from children under 13 in the United States without verifiable parental consent.
- If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as quickly as possible.
- If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us immediately at Contact@myreciply.com with the subject line "COPPA – Child Data Deletion Request". We will promptly review and delete the data concerned.
- Children under 13 in the United States must not create an account or use the Services without verifiable parental consent.
For users aged 13 to 17 in the United States, we encourage parental involvement and supervision, particularly regarding the use of health and weight-tracking features.
13. Policy Modifications
We reserve the right to modify this Privacy Policy at any time. In the event of a material change, we will notify you by:
- Push notification in the Application
- An information banner at your next login
- Email to the address associated with your account (where applicable)
The date of the last update is shown at the top of this page. Continued use of the Services after notification constitutes acceptance of the changes.
14. Contact
For any questions regarding this Privacy Policy or the exercise of your rights:
Matthias Colpaert
Email: Contact@myreciply.com
Address: Toulouse, France