Privacy Policy
Last updated: 11 February 2026
Introduction
Brefast (“we”, “us”, or “our”) is a meal planning application operated from the United Kingdom. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.
We are the data controller for your personal data. If you have any questions about this policy or how we handle your data, please contact us at support@brefast.com.
Data We Collect
Account Data
When you create an account, we collect:
- Email address — Used for authentication (passwordless login via one-time codes)
Profile Data
You may optionally provide:
- Name — Your display name
- Avatar — A profile picture URL
Nutrition Data
To use the meal planning features, you configure:
- Daily calorie target — Your daily energy goal
- Macro percentages — Protein, carbohydrates, and fat distribution
Content Data
You create and store:
- Products — Food items with nutritional information
- Meals — Combinations of products
- Weekly plans — Your meal schedule
Feedback Data
When you submit feedback through the app, we collect:
- Message — The text of your feedback (up to 1,000 characters)
- Page path — The page you were on when you submitted feedback
- App version — The version of Brefast at the time of submission
Feedback is associated with your account and may be reviewed by our team alongside your email address and display name.
Technical Data
We automatically collect:
- Usage analytics — Page views and feature usage via Fathom Analytics (privacy-focused, no personal data)
How We Use Your Data
| Purpose | Data Used |
|---|---|
| Provide the service | Account, profile, nutrition, and content data |
| Authenticate you | Email (to send one-time login codes) |
| Improve the app | Anonymised usage analytics and user feedback |
| Respond to requests | Email (for support and deletion requests) |
Legal Basis for Processing
Under GDPR, we process your data based on the following legal grounds:
- Contract performance — Processing necessary to provide the meal planning service you signed up for
- Legitimate interest — Analytics to improve the service and security measures to protect it
- Legal obligation — When required by law
Third-Party Services
We use the following third-party services:
Supabase
- Purpose: Authentication and database storage
- Data shared: All user data
- Location: European Union
- Privacy: supabase.com/privacy
Open Food Facts
- Purpose: Product data import (when you search for products)
- Data shared: Search queries only
- Location: European Union
- Privacy: openfoodfacts.org/privacy
Fathom Analytics
- Purpose: Privacy-focused usage analytics
- Data shared: No personal data (Fathom does not use cookies or track individuals)
- Location: European Union
- Privacy: usefathom.com/privacy
When we introduce paid features in the future, we will update this policy to include our payment processor.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account and content data | Until you request deletion |
| Feedback data | 1 year from submission, or upon account deletion |
| Analytics data | Aggregated only, no personal data retained |
| Server logs | 30 days |
Your Rights
GDPR Rights (All Users)
Under the General Data Protection Regulation, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data (“right to be forgotten”)
- Portability — Receive your data in a portable format
- Object — Object to processing based on legitimate interest
- Complaint — Lodge a complaint with the UK Information Commissioner's Office (ICO)
CCPA Rights (California Residents)
Under the California Consumer Privacy Act, you have the right to:
- Know — What personal information we collect and how it's used
- Delete — Request deletion of your personal information
- Non-discrimination — We will not discriminate against you for exercising these rights
Note: We do not sell personal information, so the “opt-out of sale” right does not apply.
How to Exercise Your Rights
To exercise any of these rights, please contact us at support@brefast.com. We will respond to your request within 30 days.
Security
We protect your data through:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest (database-level encryption)
- Secure hosting infrastructure (Supabase, EU region)
- Passwordless authentication (reducing credential theft risk)
Age Requirement
Brefast is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from someone under 18, please contact us immediately at support@brefast.com.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email or an in-app notification. The “Last updated” date at the top of this page indicates when the policy was last revised.
Contact Us
For privacy-related questions or to exercise your rights, please contact us at: