Privacy Policy
Last updated: 14 April 2026
1. Who We Are
Spoonful ("we", "us", "our") is the data controller responsible for your personal data. We operate the Spoonful web application available at thespoonfulapp.com and any associated mobile applications (collectively, the "Service").
To contact us about privacy matters, please write to: [email protected]
2. Data We Collect
We collect the following categories of personal data:
| Account data | Name, email address, authentication identifiers provided via Manus OAuth. |
| Profile data | Date of birth, sex, weight, height, neurotype information you choose to share. |
| Health & wellness data | Meal logs, plate scan results, safe foods, medication records, cycle tracking data, fasting sessions, body goal entries, daily check-ins, sensory profiles. This constitutes special category data under GDPR Article 9. |
| Usage data | Pages visited, features used, device type, browser, IP address, timestamps. |
| Communications | Messages you send to our support team. |
| Payment data | Stripe processes payments on our behalf. We store only a Stripe customer ID; we never see or store full card details. |
3. Legal Basis for Processing (GDPR / UK GDPR)
| Providing the Service | Performance of a contract (Article 6(1)(b)). |
| Health & wellness data | Your explicit consent (Article 6(1)(a) and Article 9(2)(a)). You may withdraw consent at any time by deleting your data or closing your account. |
| Security & fraud prevention | Legitimate interests (Article 6(1)(f)). |
| Legal obligations | Compliance with applicable law (Article 6(1)(c)). |
| Marketing (if applicable) | Consent (Article 6(1)(a)). You can unsubscribe at any time. |
4. How We Use Your Data
- To create and maintain your account.
- To provide personalised meal suggestions, recipe recommendations, and cycle insights.
- To analyse plate scans using AI vision models and return nutritional estimates.
- To process subscription payments via Stripe.
- To send transactional emails (account confirmations, receipts).
- To improve the Service through aggregated, anonymised analytics.
- To comply with legal obligations and enforce our Terms of Service.
5. Special Category (Health) Data
Cycle tracking data, medication records, meal logs, and sensory profiles are classified as special category health data under GDPR Article 9. We process this data solely on the basis of your explicit consent and only to provide the features you have actively chosen to use. You may delete any or all of this data at any time from within the app or by contacting us.
We do not sell, share, or use your health data for advertising, insurance, employment, or any purpose other than operating the Service for you.
6. Data Sharing & Third Parties
| Manus (authentication) | OAuth login provider. Governed by Manus's own privacy policy. |
| Stripe | Payment processing. Stripe is PCI-DSS Level 1 certified. We share only the minimum data required to process your subscription. |
| OpenAI / AI providers | Plate scan images are sent to an AI vision API for analysis. Images are not retained by the AI provider beyond the API call. |
| Hosting & infrastructure | Cloud infrastructure providers under data processing agreements. |
| Analytics | Anonymised, aggregated usage data only. No personal identifiers are shared. |
We do not sell personal data to third parties. We do not share your data with advertisers.
7. International Transfers
Our infrastructure is primarily located in the United States. If you are located in the European Economic Area (EEA) or the United Kingdom, your data may be transferred to and processed in the US. Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA), as applicable, to ensure an adequate level of protection.
8. Data Retention
| Account & profile data | Retained for the duration of your account. Deleted within 30 days of account closure. |
| Health & wellness data | Retained while your account is active. You may delete individual entries at any time. Deleted within 30 days of account closure. |
| Payment records | Retained for 7 years to comply with financial regulations. |
| Usage logs | Retained for up to 12 months, then anonymised or deleted. |
| Backups | Encrypted backups are purged within 90 days of the original deletion. |
9. Your Rights
Under GDPR and UK GDPR, you have the following rights:
| Right of access | Request a copy of the personal data we hold about you. |
| Right to rectification | Ask us to correct inaccurate or incomplete data. |
| Right to erasure | Request deletion of your personal data (right to be forgotten). |
| Right to restriction | Ask us to pause processing your data in certain circumstances. |
| Right to data portability | Receive your data in a structured, machine-readable format. |
| Right to object | Object to processing based on legitimate interests. |
| Right to withdraw consent | Withdraw consent for health data processing at any time, without affecting prior processing. |
| Right to lodge a complaint | Complain to your national supervisory authority (e.g. ICO in the UK, or your local DPA in the EU). |
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
10. Cookies
We use essential cookies to keep you logged in and to remember your preferences. We do not use third-party advertising cookies. For full details, see our Cookie Policy.
11. Children's Privacy
The Service is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Security
We implement industry-standard security measures including TLS encryption in transit, encrypted storage at rest, access controls, and regular security reviews. No system is completely secure; if you become aware of any security issue, please contact us immediately at [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the app at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact
For any privacy-related questions or requests, contact our privacy team at [email protected].
If you are in the UK, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.