1. Who we are
This app ("the App") is operated by Aibomi ApS, a company registered in Denmark.
- Address: Solvænget 24, 2960 Rungsted Kyst, Denmark
- CVR (Danish business registration number): 46102975
- Contact email: hey.you@aibomi.eu
- Data Controller: Aibomi ApS
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Danish Data Protection Act (Databeskyttelsesloven), we are the data controller of the personal data described in this Privacy Policy.
If you have questions about this policy or your data, contact us at hey.you@aibomi.eu.
2. About the App
The App is an AI-powered personalised meal planning and nutrition assistant. Based on profile information you provide (such as goals, dietary preferences, allergies and budget), the App generates personalised meal plans, recipes, shopping lists, and, potentially, nutrition guidance, and lets you track meals and progress over time. Premium features are available via auto-renewing subscriptions.
3. Data we collect
We only collect data we actually need to operate the App. We do not collect images from your camera, photos, microphone audio, or precise location.
3.1 Account data
- Email address
- Authentication identifier (provided by our authentication provider)
- Account creation date, last sign-in date
3.2 Profile and onboarding data
- Name or display name (optional)
- Dietary preferences (e.g. vegetarian, vegan, halal, keto)
- Allergies and food restrictions
- Cuisine preferences
- Family size
- Language
3.3 App usage data
- Generated meal plans, recipes, shopping lists, and saved favourites
- Progress entries
- In-app preferences and settings
3.4 Subscription and trial data
- Trial start date and trial state (stored on your user profile so the trial cannot be reset by reinstalling the app)
- Subscription status, entitlement state, and product identifier (provided by RevenueCat)
- Anonymised RevenueCat user identifier
- Receipt validation events (we do not store full payment card data — payments are handled by Apple or Google)
3.5 Device and technical data
- Device model, OS version, app version, language, timezone
- Anonymous installation identifier
- Crash logs and diagnostic events
- IP address (processed transiently by our hosting and auth providers; not stored long-term by us)
3.6 Notifications
- Push notification token (only if you grant permission)
- Notification preferences and engagement events (e.g. opened/dismissed) used to deliver and tune day-5 / day-7 trial reminders
3.7 Communications
- Support requests and any information you choose to include in them
We do not knowingly collect data from children under 13 (or under the applicable age of digital consent in your country, which is 13 in Denmark under the Danish Data Protection Act).
4. Legal bases for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Generating meal plans and providing core App features | Performance of a contract (Art. 6(1)(b)) |
| Processing subscriptions, trials, receipts | Performance of a contract (Art. 6(1)(b)) |
| Sending push notifications about your trial and plan | Consent (Art. 6(1)(a)) — you can withdraw at any time in OS settings |
| Crash reporting, diagnostics, security | Legitimate interests (Art. 6(1)(f)) — keeping the App stable and secure |
| Anonymous/aggregated analytics | Legitimate interests (Art. 6(1)(f)) |
| Customer support | Performance of a contract / legitimate interests |
| Complying with legal obligations (tax, consumer law) | Legal obligation (Art. 6(1)(c)) |
Dietary preferences and allergies may be considered health-related data, which is special category data under GDPR Art. 9. We process this data only with your explicit consent (Art. 9(2)(a)), which you provide by entering it into the App during onboarding for the purpose of generating your meal plan. You can delete this data at any time.
5. How we use your data
- Create your account and authenticate you
- Generate personalised meal plans, recipes, and recommendations
- Track meals, nutrition, and progress
- Manage your subscription, trial, and entitlements
- Send transactional and (with consent) reminder notifications
- Respond to support requests
- Detect, prevent, and address fraud, abuse, and security issues
- Improve the App via aggregated, non-identifying analytics
- Comply with legal obligations
We do not sell your personal data. We do not use your personal data to train third-party AI models.
6. AI processing
To generate meal plans and recipes, the App sends a subset of your profile (e.g. goals, allergies, dietary preferences, target calories) to AI model providers via our backend proxy. Requests are sent without your name or email and are not used by these providers to train their models, in line with their enterprise/API terms.
7. Sub-processors and third parties
We share data only with vetted sub-processors who help us run the App. Each processes data under a Data Processing Agreement.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, edge functions | EU (Ireland) where available |
| RevenueCat | Subscription and entitlement management | USA |
| Apple App Store / Google Play | Payment processing and receipts | Global |
| AI model providers (e.g. OpenAI, Anthropic, Google) via Vercel AI Gateway | Generating meal plans and recipes | USA / EU |
| Push notification services (APNs, FCM) | Delivering notifications | Global |
| Crash and diagnostic tooling | Stability monitoring | EU / USA |
We may also disclose data when required by law, to enforce our Terms, or to protect the rights, safety, and property of users or the public.
8. International data transfers
Some of our sub-processors are located outside the EU/EEA (primarily the USA). When personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under GDPR Chapter V, including:
- Standard Contractual Clauses (EU Commission Decision 2021/914), and
- Supplementary measures such as encryption in transit (TLS) and at rest, and access controls.
9. Data retention
- Account and profile data: kept while your account is active. Deleted within 30 days of account deletion.
- Meal logs, plans, history: kept while your account is active, deleted with the account.
- Subscription / trial records: kept for up to 5 years after the last transaction, to comply with Danish bookkeeping rules (Bogføringsloven).
- Support correspondence: kept up to 3 years after the last interaction.
- Backups: purged on a rolling basis, no longer than 35 days after deletion.
- Crash logs / diagnostics: typically 90 days, anonymised earlier where possible.
10. Your rights (GDPR)
As a data subject in the EU/EEA, you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where processing is based on consent (Art. 7(3))
- Not be subject to purely automated decisions with legal or similarly significant effects (Art. 22). Our meal plan generation is automated but does not produce legal or similarly significant effects on you.
You can exercise most of these rights directly inside the App (Settings → Account → Export data / Delete account) or by emailing hey.you@aibomi.eu. We respond within one month as required by GDPR.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority in Denmark is:
Datatilsynet (Danish Data Protection Agency)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
You may also complain to the supervisory authority in the EU country where you live or work.
11. Security
We use industry-standard measures including TLS in transit, encryption at rest, scoped access tokens, row-level security on our database, and least-privilege access for our team. No system is 100% secure, but we work hard to protect your data and will notify you and Datatilsynet of a personal data breach where required by GDPR Art. 33–34.
12. Push notifications
You will be asked for notification permission after onboarding, when we explain the trial reminders we send (e.g. day 5 and day 7 of your trial). You can revoke this at any time in your device settings; the App will continue to work without notifications, though trial reminders will not be delivered.
13. Children
The App is not directed to children under 13. If we learn that we have collected data from a child under the applicable age of digital consent without verifiable parental consent, we will delete it.
14. Changes
We may update this Privacy Policy. Material changes will be notified in-app or via email at least 14 days before they take effect. The "Last updated" date at the top reflects the latest revision.
15. Contact
Aibomi ApS
Solvænget 24, 2960 Rungsted Kyst, Denmark
CVR: 46102975
Email: hey.you@aibomi.eu