Privacy Policy

Last updated: May 2026

1. Who we are

GainsMeal is operated by Kristaps Goncarovs, a self-employed individual registered in Latvia. For questions about this policy, contact us at privacy@gainsmeal.com.

2. What data we collect and why

We collect the following categories of personal data:

Account data

  • Email address, username — to create and manage your account
  • Password (stored as a one-way hash) — for authentication

Health and biometric data (Article 9 GDPR)

  • Body weight, height, date of birth, sex — to calculate your TDEE and macros
  • Activity level, fitness goal, body fat percentage — to personalise your meal plans
  • Dietary preferences and allergens — to generate safe, suitable meal suggestions
  • Daily food log and body weight entries — to track your progress over time

We process this data only on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you grant at registration. You may withdraw this consent at any time by deleting your account.

Payment data

Payments are handled by Stripe (Stripe, Inc.). We store only your Stripe customer ID and subscription status. We do not store credit card numbers. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.

Usage data

  • Timestamps of logins and account actions — for security and fraud prevention
  • AI feature usage counts — to enforce trial quotas

3. AI features

GainsMeal uses the Anthropic Claude APIto generate meal plans and nutritional insights. When you use these features, anonymised nutritional data (not your name or email) is sent to Anthropic's servers for processing. Anthropic acts as a data processor under a Data Processing Agreement. See Anthropic's Privacy Policy.

4. Authentication with Google

If you sign in with Google, we receive your email address and name from Google to create your account. We do not receive or store your Google password. Google acts as an independent data controller for your Google account data.

5. Cookies

Strictly necessary cookies

We use strictly necessary cookies to maintain your authenticated session (JWT tokens). These do not require consent under ePrivacy Directive Recital 66.

Analytics (cookie-free)

We use Microsoft Clarity to collect anonymised data about how visitors use the site (pages visited, session duration, device type, approximate country). Clarity does not use cookies and does not collect personally identifiable information. No consent is required. See Microsoft's Privacy Statement for details.

6. Data sharing

We share your data only with the following processors:

  • Stripe — payment processing (USA, Standard Contractual Clauses apply)
  • Anthropic — AI meal plan generation (USA, Standard Contractual Clauses apply)
  • Resend — transactional email delivery (confirmation, password reset)
  • Microsoft Corporation — anonymous analytics (Microsoft Clarity), no personal data transferred (USA, Standard Contractual Clauses apply)
  • Hosting provider — infrastructure and database hosting

We do not sell your personal data to third parties.

7. Data retention

We retain your data for as long as your account is active. Accounts with no login activity for 2 years are automatically deleted. If you delete your account, all personal data is permanently deleted immediately, except where we are legally required to retain records (e.g., financial records for 5 years under Latvian law).

8. Your rights (GDPR)

As a data subject you have the following rights:

  • Right of access — download all your data via Settings → Your data → Download my data
  • Right to erasure — delete your account and all associated data via Settings → Your data → Delete account
  • Right to rectification — update your profile data at any time via the Profile page
  • Right to withdraw consent — deleting your account withdraws all consent
  • Right to data portability — export your data as JSON via Settings
  • Right to lodge a complaint — with the Latvian Data State Inspectorate (Datu valsts inspekcija, dvi.gov.lv)

9. Security

All data is transmitted over HTTPS. Passwords are stored using one-way hashing. Access tokens are short-lived (15 minutes) and refresh tokens are rotated and blacklisted on use. We apply the principle of least privilege to internal data access.

10. Contact

For any privacy-related requests, contact: privacy@gainsmeal.com

Postal address: Latvia (full address available on request).