Privacy Policy
Last updated: March 17, 2026
RoastMyDiet ("the Service", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your data.
1. Data We Collect
Profile Information
When you sign in with Google, we receive and store:
- Name (your Google display name)
- Email address (your Google email)
- Profile image (your Google profile photo URL)
We do not receive or store your Google password.
Meal Data
When you log a meal, we store:
- Meal description (what you typed)
- Meal photos (uploaded to Cloudflare R2 cloud storage)
- AI-estimated nutritional data: calories, protein, carbohydrates, fat (all approximate)
- Meal type (breakfast, lunch, dinner, or snack)
- Timestamp of when the meal was registered
- Additional details you optionally provide: servings, portion size, cooking method, known calories, notes
Roast & Chat History
- AI-generated "roast" messages linked to your meals, including the severity score (1-5) and type (roast, compliment, tip, notification)
- Your conversations with the AI assistant ("Chad"), including your messages and AI responses
- Chart data generated from your meal history (e.g., macro breakdowns, calorie trends)
Teams
- Team membership information (which teams you've joined)
- Meals shared with your team are visible to other team members
Preferences & Settings
- Daily calorie goal
- Notification preferences (push notifications, email notifications)
- Sound effect preferences (on/off)
- Timezone (auto-detected from your browser)
- Onboarding and tour completion status
Payment Information
- Stripe customer ID and subscription ID (for Pro subscribers)
- Subscription status and plan type
- We do NOT store credit card numbers, bank account details, or other payment credentials. All payment processing is handled entirely by Stripe.
Device & Notification Data
- Web Push subscription information: endpoint URL, encryption keys (p256dh, auth). This is required to send you push notifications.
Analytics Data
- Page views, clicks, and feature usage (collected via PostHog)
- IP addresses are NOT collected. We have disabled IP collection in our PostHog configuration.
- User identification in analytics is linked to your account for product improvement purposes
2. How We Use Your Data
We use your data to:
Provide the Service
- Analyze your meals using AI (sending meal data and photos to Google Gemini)
- Generate personalized roasts, compliments, and dietary observations
- Calculate and display nutritional summaries, charts, and trends
- Enable team features (sharing meals with team members)
- Send notifications (push and email) based on your preferences
Improve the Service
- Analyze aggregate usage patterns to improve features (via PostHog)
- Identify and fix bugs, performance issues, and errors
- Understand which features are most valuable to users
Communicate with You
- Send proactive check-in notifications (morning, afternoon, evening) if you have notifications enabled
- Send weekly email reports summarizing your progress (Pro users only)
- Notify you of important changes to the Service or these policies
We do not sell your personal data to third parties. We do not use your data for advertising or ad targeting. We do not share your data with third parties except as described in the Third-Party Services section below.
3. Third-Party Services
RoastMyDiet uses the following third-party services to provide its functionality. Each service receives only the data necessary for its specific purpose:
Google Gemini (AI Processing)
Provider: Google LLC
Data shared: Meal descriptions, meal photos, recent meal history, and user preferences (calorie goal, roast intensity). This data is sent to Google's Gemini API for meal analysis, roast generation, and chat responses.
Subject to Google Gemini API Terms
Cloudflare R2 (Photo Storage)
Provider: Cloudflare, Inc.
Data shared: Meal photos you upload. Photos are stored in Cloudflare R2 object storage and served via Cloudflare's CDN.
PostHog (Analytics)
Provider: PostHog, Inc.
Data shared: Page views, feature usage events, and user identification. IP addresses are NOT collected (IP collection is disabled in our PostHog configuration).
Stripe (Payments)
Provider: Stripe, Inc.
Data shared: Your email address and subscription plan information for billing purposes. You enter payment details directly into Stripe's secure checkout form. We never have access to your card number, CVV, or other card details, ensuring PCI compliance.
Data retained by Stripe: When you delete your account, your subscription is cancelled, but Stripe retains customer records and billing history per their retention policy for tax and legal compliance.
Subject to Stripe Privacy Policy
Resend (Email)
Provider: Resend, Inc.
Data shared: Your email address and email content (notifications, weekly reports). Used for sending transactional emails only.
Vercel (Hosting)
Provider: Vercel, Inc.
Data shared: All web requests pass through Vercel's infrastructure for hosting and serverless function execution.
4. Data Retention
- Active accounts: Your data is retained for as long as your account is active and you continue using the Service.
- Inactive accounts: If you stop using the Service entirely, we may mark your account as inactive. We retain inactive account data for a reasonable period (up to 12 months) to allow you to return and resume use.
- Account deletion: Upon your request, we will delete your account and all associated data (profile, meals, roasts, chat history, team memberships, photos, push subscriptions) within 30 days. Some data may persist in backups for up to 90 days before being permanently removed.
- Analytics data: Anonymized, aggregate analytics data may be retained indefinitely for product improvement.
5. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Access
You can request a copy of all personal data we hold about you. We will provide it in a commonly used, machine-readable format (e.g., JSON or CSV).
Correction
You can update your profile information through the app settings. For corrections to other data, contact us.
Deletion
You can request deletion of your account and all associated data by contacting us at the email address below.
Export
You can request a full export of your data (meals, roasts, chat history) by emailing us. We will provide the export within 30 days.
Objection & Restriction
If you are in the EU/EEA, you may object to certain processing activities or request restriction of processing. Contact us to exercise these rights.
To exercise any of these rights, email us at privacy@roastmydiet.com. We will respond within 30 days.
6. Children's Privacy
RoastMyDiet is not intended for children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children under these ages.
If we discover that we have inadvertently collected data from a child under the applicable minimum age, we will promptly delete their account and all associated data. If you believe a child has created an account, please contact us at privacy@roastmydiet.com.
7. International Data Processing
Your data may be processed and stored in various locations globally, including:
- United States: Vercel hosting, PostHog analytics, Resend email
- Global CDN: Cloudflare R2 (photos served from nearest edge location)
- Google data centers: Gemini AI processing
If you are located in the European Union, European Economic Area, or United Kingdom, your data may be transferred to and processed in countries outside your jurisdiction. We rely on the standard contractual clauses and data processing agreements provided by our service providers to ensure appropriate safeguards for international data transfers.
9. Security
We take reasonable measures to protect your data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS (TLS).
- Encrypted storage: Our database provider encrypts data at rest.
- Authentication: We use Google OAuth 2.0, delegating credential management to Google. We never see or store your password.
- Signed sessions: Session tokens are signed JWTs stored in HTTP-only cookies, which client-side scripts cannot read; this protects the tokens against theft through XSS attacks.
- Webhook verification: Payment webhooks from Stripe are verified using cryptographic signatures.
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please contact us responsibly at security@roastmydiet.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via the email address associated with your account
- We will update the "Last updated" date at the top of this page
- Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy
11. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at:
- General privacy questions: privacy@roastmydiet.com
- Security concerns: security@roastmydiet.com
- General inquiries: legal@roastmydiet.com
Disclaimer: This Privacy Policy is provided for informational purposes and represents how RoastMyDiet handles your data to the best of our ability. It does not constitute legal advice. If you have specific legal concerns about your privacy rights, we recommend consulting a qualified attorney in your jurisdiction.