Privacy Policy

Last updated · 27 June 2026

1. Who we are

PeakPlate ("we", "us") is operated by the sole trader behind kaigalb30@gmail.com. We are the data controller for the personal data you give us.

2. What we collect

  • Account: email, name and profile picture from your Google sign-in.
  • Onboarding answers: age, bodyweight, height (if given), sport, training frequency, goal.
  • Meal photos & analyses: the images you upload, plus the AI-generated items, macros and flags.
  • Usage: daily check-ins, basic logs needed to keep the service working (e.g. scan counts).
  • Payment metadata: Stripe customer ID, subscription ID, subscription status. We never see or store your card number.

3. Why we collect it (lawful basis)

  • Contract: to deliver the Service you signed up for (account, photo analysis, history, trends).
  • Legitimate interest: to keep the Service secure and improve it.
  • Consent: for any optional features you opt into.
  • Legal obligation: retaining payment records as required by HMRC.

4. Who we share it with

We use the following sub-processors strictly to deliver the Service:

  • Google — sign-in only.
  • OpenAI — your meal photo + a short prompt are sent for the vision analysis. OpenAI does not train on this data per their API terms.
  • Stripe — payment processing. Your card details go directly to Stripe, never to us.
  • MongoDB Atlas (or equivalent hosting) — encrypted-at-rest database for your account, meals and analyses.

We do not sell your data. We do not run advertising on PeakPlate.

5. How long we keep it

Account, meal photos and analyses: while your account is active, plus 30 days after closure to allow recovery. Payment records: retained per UK accounting law (currently 6 years). Logs: 30 days.

6. Your rights (UK / EU GDPR)

You can ask us to: access your data, correct it, export it, delete it, restrict our processing of it, or object to processing. Email kaigalb30@gmail.com — we'll respond within 30 days. You can also complain to the UK ICO (ico.org.uk).

7. International transfers

Some sub-processors (OpenAI, Stripe) process data in the US under appropriate safeguards (Standard Contractual Clauses / UK IDTA).

8. Security

We use HTTPS in transit, encryption at rest, scoped credentials and session-based authentication. No security is perfect, so we recommend a strong, unique Google password and 2FA on your account.

9. Children

PeakPlate is not directed at children under 13. We do not knowingly collect data from anyone under 13.

10. Cookies

We use a single secure HTTP-only cookie to keep you signed in. No tracking cookies, no third-party analytics tags.

11. Changes

We'll update this page when our practices change and notify you of material changes in the app.

12. Contact

Email kaigalb30@gmail.com for anything privacy-related.