Privacy policy

Who we are

Platepace is operated by Peter Kagan, trading as Platepace, based in the United Kingdom. Registered with the Information Commissioner's Office (ICO). Contact privacy@platepace.com for any privacy question or request.

What we collect

• Your email address (for sign-in and account communication).
• Your display name, unit preferences, and daily macro targets that you enter yourself.
• Every food, meal, weight, and water entry you log.
• Photo-derived food identifications (we keep the identification + grams, not the photo pixels).
• Usage metadata: sign-in timestamps, AI calls made on your behalf, device/browser for security logging.
• If you pay: Stripe customer ID and subscription status. We never see your card number.

Special-category (health) data

Nutritional information about what you eat can reveal information about your health. Under UK GDPR Article 9 this is special-category data. Our lawful basis for processing it is your explicit consent, recorded at onboarding. You can withdraw that consent at any time by deleting your account — see Your rights below.

Why we process it (lawful bases)

• Contract (Art. 6(1)(b)) — to provide the service you signed up for.
• Explicit consent (Art. 9(2)(a)) — for health-related food data.
• Legal obligation (Art. 6(1)(c)) — to retain audit records for dispute evidence and regulatory compliance.
• Legitimate interest (Art. 6(1)(f)) — for security logging and fraud prevention; balanced against your rights, not used for profiling or marketing.

Who we share it with

Only the sub-processors we need to run the service. Full list with purpose and location at /trust. We do not sell, rent, or share your data for advertising, analytics profiling, or any marketing purpose.

How long we keep it

Account data and logs: as long as your account is active. Audit log: 7 years after account deletion for evidentiary purposes (sign-ins, consent grants, subscription changes). AI usage rows: 12 months rolling. Full retention table at /trust.

Where it lives

Our primary servers are in the United Kingdom. Some sub-processors (Anthropic, Google, OpenAI, Cloudflare) are US-based; transfers to them rely on the UK International Data Transfer Addendum to the EU SCCs. Our DPA obligations with each are on file.

Your rights

Under UK GDPR you have the right to:

• Access the data we hold on you — self-serve via GET /v1/me/export from your settings page. Returns a full JSON bundle.
• Correct it — edit your profile + entries directly in the app.
• Delete it — self-serve via the delete button on your settings page.
• Port it — the export is machine-readable JSON + CSV.
• Object to processing or restrict it — email privacy@platepace.com.
• Withdraw consent — deletes the associated data where consent was the lawful basis.
• Complain to the ICO: ico.org.uk/make-a-complaint.

Security

We use HTTPS everywhere, encrypted database connections, magic-link authentication (no passwords to breach), row-level security to isolate tenants, and daily encrypted backups. Full security detail and incident procedures on request.

Data Protection Impact Assessment (DPIA)

Because we process health-related dietary data and use AI vision to identify food in photos, we maintain a DPIA under UK GDPR Article 35. It records how we assessed the risks, the mitigations we apply, and the residual risk level. Available on request from privacy@platepace.com.

Automated decisions and profiling

We do not make any decisions that produce legal or similarly significant effects on you using automated means alone. Our AI identifies food in photos and calculates macros; it does not evaluate your behaviour, set your targets, or take any action on your behalf.

Children

Platepace is not for anyone under 18. We verify age at sign-up and will close accounts that misrepresent their age.

Changes to this policy

We will email you before any material change takes effect. You can always see the last-updated date at the top of this page.