Privacy Policy

Last updated: April 29, 2026

Swoodie (“we”, “our”, “us”) operates the Swoodie mobile application and the website swoodie.app (the “Service”). This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data.

Data Controller

The controller of your personal data is Daniel Gruchociak QA, registered at Pionierska 9, 63-800 Gostyń, Poland (NIP: 6961894332).

For any privacy-related questions, requests, or to exercise your rights described below, contact us at privacy@swoodie.app.

By using our Service, you agree to the collection and use of information as described in this policy.

1. Information We Collect

a) Information You Provide

Waitlist sign-up: When you join our waitlist, we collect your email address.
Subscription purchases: When you subscribe to Swoodie Premium, payment is processed by the Apple App Store or Google Play Store. We do not directly collect or store your payment card details.

b) Automatically Collected Data

When you use Swoodie, we automatically collect:

Usage data: Swipe history, saved favorites, ratings, comments, features used (such as Swipe Together sessions and Chef AI queries), and navigation patterns.
Device information: Device type, operating system version, unique device identifiers, and IP address.
Anonymous authentication: We create an anonymous account for you automatically — no email or password is required. This account is used to sync your data across sessions.

c) AI Feature Data

When you use our AI-powered features (Chef AI, recipe variations, nutrition estimation, Swoodie Scan photo analysis, meal planning), the text and images you submit (such as ingredient lists, recipe prompts, dietary preferences, or meal photos) are sent to our AI service providers for processing. Meal photos submitted via Swoodie Scan are processed in real-time and are not permanently stored on our servers. AI-generated meal plans, recipes, and nutritional estimates are for informational purposes only. We do not use this data to train AI models.

d) Photo Data

When you use Swoodie Scan, photos you take or select are:

Converted to base64 format and sent to our secure backend for AI analysis
Processed in real-time by our AI service providers (see Section 3 for the current list)
Not permanently stored — photos are discarded after analysis is complete
Never shared with third parties beyond the AI processing provider

2. How We Use Your Information

We use collected information to:

Provide, maintain, and improve the Service
Personalize your recipe recommendations
Facilitate Swipe Together partner sessions
Process subscription purchases
Translate recipe content into your preferred language
Analyze usage patterns and fix bugs
Detect fraud, abuse, and enforce our Terms of Service

2b. How We Process Your Data

We process your personal data only when we have a lawful basis under the GDPR. Below is what we collect, why, the legal basis, and how long we keep it.

Data	Purpose	Legal basis	Retention
Anonymous device/account ID	Identify your account, sync favorites and meal logs across sessions	Art. 6(1)(b) GDPR — performance of contract	Until account deletion
Meal photos submitted to Swoodie Scan	Real-time AI nutrition estimation	Art. 6(1)(b) GDPR — performance of contract	Not retained (processed in real time and discarded)
Meal logs and nutrition history	Provide your personal nutrition tracking and history features	Art. 9(2)(a) GDPR — explicit consent (special category: health data)	Until account deletion
Allergen and dietary preferences	Filter recipes and warn you of allergens	Art. 9(2)(a) GDPR — explicit consent	Until account deletion or you change preferences
Subscription status and purchase history	Manage your Premium subscription	Art. 6(1)(b) GDPR — performance of contract	5 years (Polish accounting law)
Diagnostic and crash logs	Detect bugs and prevent abuse	Art. 6(1)(f) GDPR — legitimate interest	30 days (`app_logs`); 7 days (rate-limit records)
Push notification tokens	Send you reminders and notifications you opted into	Art. 6(1)(a) GDPR — consent	Until you disable notifications or delete the account
Advertising identifiers and app events (Free tier only)	Measure advertising effectiveness; serve ads in the Free tier	Art. 6(1)(a) GDPR — consent (via App Tracking Transparency on iOS / consent banner on Android)	Per the third-party SDK’s policy (see Advertising & Measurement section below)

Health data note. Meal logs, nutrition tracking, and dietary preferences may qualify as health data under Art. 9 GDPR. We process this data only with your explicit consent, given when you create a profile and select your goals. You can withdraw consent at any time by deleting your account.

You may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.

3. Third-Party Services

We use third-party service providers to operate and improve the Service. These providers may process your data in the following capacities:

Supabase (cloud infrastructure and database) — to store and manage your account data, favorites, ratings, meal plans, and usage data.
OpenAI (AI service provider) — to power Chef AI recipe generation, recipe variations, nutrition estimation, and Swoodie Scan photo analysis. Text and images you submit to AI features are sent to OpenAI for processing.
Google Gemini (AI service provider) — to power the AI Meal Planner feature. Dietary preferences and recipe data are sent to Google for processing.
DeepL (translation service provider) — to translate recipe content into supported languages (currently German, Polish, French, Italian, Spanish, Portuguese, and Thai). Recipe text is sent to DeepL for translation.
Spoonacular (recipe data provider) — to provide recipe data, nutritional information, and ingredient details.
TheMealDB (recipe data provider) — to provide additional recipe content.
RevenueCat (subscription management) — to process and manage premium subscriptions, including purchase data, device identifiers, and subscription status.
Vercel — hosts our website and provides anonymized performance analytics via Speed Insights.
Apple App Store / Google Play — for app distribution and payment processing, subject to their own privacy policies.

We do not sell your personal information to third parties.

3b. Advertising & Measurement

We use the following third-party SDKs in the mobile app for advertising, conversion measurement, and analytics. These providers may receive your device’s advertising identifier (Apple IDFA on iOS, Google Advertising ID on Android) and app events (such as installs, sessions, and in-app actions like saved recipes or completed scans):

Meta Platforms, Inc. (Facebook SDK / App Events) — measures conversions for Meta-served advertising and supports analytics. See Meta’s Privacy Policy.
TikTok Pte. Ltd. / ByteDance Ltd. (TikTok Business SDK) — measures conversions for TikTok-served advertising. See TikTok’s Privacy Policy.
Google LLC (AdMob) — serves advertising in the Free tier of Swoodie. See Google’s Privacy Policy.

Advertising identifier. On iOS, we request your consent through the system App Tracking Transparency prompt before any advertising identifier is shared with the SDKs above. You can reset or disable the advertising identifier in your device settings at any time:

iOS: Settings → Privacy & Security → Tracking
Android: Settings → Privacy → Ads

No sale of personal information. Swoodie does not sell your personal information. Data shared with the SDKs above is limited to advertising-measurement events and device-level identifiers, and does not include directly identifying information such as your email address or name.

4. Cookies and Tracking Technologies

Our website (swoodie.app) uses the following technologies:

Essential

Language preference storage (localStorage)
Consent preference cookie (swoodie_consent)

Analytics

Vercel Speed Insights — collects anonymized page performance data, device type, browser version, page load times. No personally identifiable information is collected. Data is processed by Vercel Inc. (USA). Privacy: https://vercel.com/legal/privacy-policy

Mobile App

Local device storage — preferences, cached recipes, and offline data. This data never leaves your device unless synced to your account.
Anonymous authentication — creates a unique anonymous identifier for data synchronization. No personal information is collected.

You can manage cookie preferences at any time via the cookie settings link in the website footer.

5. Data Retention

Account data: Retained while your account is active.
Application logs: Automatically deleted after 30 days.
Cached recipe data: Automatically expires after 2 hours.
Meal plans: Retained until deleted by the user.
Swoodie Scan photos: Processed in real-time and not permanently stored.
AI Cookbook recipes: Retained until deleted by the user (soft-delete supported).

You may request deletion of your data at any time by contacting us.

6. Data Security

We implement appropriate technical measures to protect your data, including:

Encryption in transit (HTTPS/TLS)
Row-level security on all database tables
Server-side API key storage (no API keys stored on your device)
Rate limiting on all backend services

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6b. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
Document all breaches, including their effects and remedial actions taken

Notification will be sent via the email address associated with your waitlist registration (if provided) or through an in-app notice.

6c. International Data Transfers

Several of the providers listed above (Supabase, OpenAI, Google, Meta, TikTok, Vercel) are located in or transfer data to the United States. We transfer your personal data outside the European Economic Area on the basis of:

Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914 of 4 June 2021), and
where applicable, the EU–U.S. Data Privacy Framework for providers self-certified under it.

You can request a copy of the transfer safeguards in place by emailing privacy@swoodie.app.

Our service providers and their locations:

Provider	Location	Safeguards
Supabase	USA	SOC 2 Type II certified
OpenAI	USA	DPA, SCCs
Google (Gemini)	USA	EU SCCs, DPA
DeepL	Germany	EU-based, GDPR-native
Spoonacular	USA	Data Processing Agreement
RevenueCat	USA	SOC 2, DPA
Vercel	USA	DPA, SOC 2

For EU/EEA users, transfers to the US are protected by Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.

7. Your Rights

Under the GDPR you have the following rights regarding your personal data:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) — delete your data; you can do this directly in the app via Settings → Delete My Data, or by emailing privacy@swoodie.app.
Right to restriction of processing — limit how we use your data in specific situations.
Right to data portability — receive your data in a machine-readable format.
Right to object — object to processing based on legitimate interests, including profiling.
Right to withdraw consent — withdraw any consent you have given at any time, without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint — lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

To exercise any of these rights, email privacy@swoodie.app. We will respond within 30 days as required by GDPR.

7b. Automated Decision-Making

Swoodie uses automated processing in the following ways:

Recipe recommendations: Based on your swipe history, dietary filters, and allergen preferences. No profiling for marketing.
AI meal planning: Generates meal plans based on your calorie target, goal mode, and favorite recipes.
Nutrition estimation: AI estimates nutritional content from food photos and recipe data. These are estimates only and should not replace professional dietary advice.
Allergen detection: Keyword-based ingredient scanning to flag potential allergens. May produce false positives — always verify ingredients yourself.

None of these automated processes produce legal effects or similarly significant effects on you. You may contact us to request human review of any automated decision.

8. Children’s Privacy

Swoodie is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such data, we will delete it promptly.

8b. Deleting Your Account

You can delete your Swoodie account at any time:

In the app: Settings → Delete My Data
By email: privacy@swoodie.app

When you delete your account, we permanently remove your meal logs, favorites, profile data, and any associated identifiers. Some data may be retained for limited periods where required by law (e.g., subscription invoices retained for 5 years under Polish accounting law) or in anonymized form for analytics.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page.

10. Contact Us

For general questions: support@swoodie.app

For data protection inquiries, data access requests, or to exercise your GDPR/CCPA rights:

Data Protection Contact: privacy@swoodie.app
Response time: Within 30 days of receiving your request

If you are located in the EU/EEA and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

For users in Poland: Urząd Ochrony Danych Osobowych (UODO)
Website: https://uodo.gov.pl

See also: Terms of Service | Cookie Policy