Privacy Policy

Last updated: 5 April 2025

We take your privacy seriously — especially because our app is used by children and their families. This policy explains what data we collect, why we collect it, and the choices you have.

1. Who we are

Mealtime Magic is a mobile application and marketing website operated from the United Kingdom. References to “we”, “us”, or “Mealtime Magic” in this policy refer to the data controller for the personal data described below.

You can contact us at any time at privacy@getmealtimemagic.com.

2. What we collect

Parent / carer accounts

| Data | Why |
| --- | --- |
| Email address | Account creation, login, and transactional emails |
| Display name | Personalising your experience |
| Profile picture (if using Google Sign-In) | Displaying your avatar in the app |
| Subscription status & Stripe customer ID | Managing your paid subscription |
| Push notification token | Sending you meal-choice notifications |
| App usage events (anonymised) | Product analytics to improve the app |
| Crash & error reports (anonymised) | Fixing bugs quickly |

Child profiles

We collect the absolute minimum needed to make the app work. Child profiles contain only:

  • First name only (no surname)
  • Chosen emoji avatar (selected by parent)
  • Chosen colour theme (selected by parent)
  • Device-link PIN (stored as a bcrypt hash — never readable)
  • Firebase Cloud Messaging token (for push notifications)
  • Meal selections (mood, texture, category, chosen meal)

We do not collect a child's date of birth, surname, photograph, email address, or any identifying information beyond first name and avatar.

3. Google Sign-In

We offer Google Sign-In as a primary authentication method for parent and carer accounts. When you sign in with Google, we receive the following information from Google:

  • Your Google account email address
  • Your display name
  • Your Google profile picture URL
  • A unique Google user ID (used only to link your account)

We do not receive your Google password, payment information, contacts, calendar, or any other Google account data. The scope we request is limited to basic profile information and email only.

This data is stored securely in our Supabase-managed database and used solely to authenticate you and personalise your experience within Mealtime Magic.

Google Sign-In is governed by Google's Privacy Policy. You can revoke Mealtime Magic's access to your Google account at any time via your Google account security settings.

4. Children's data

Mealtime Magic is designed for use by children aged 4–14, supervised through a parent or carer account. We comply with the UK Children's Code (Age Appropriate Design Code) and the UK General Data Protection Regulation (UK GDPR).

Our commitments for children:

  • Children do not create accounts. Only adults (parents / carers) create accounts.
  • Children interact with the app only through a device linked by their parent.
  • We collect only what is strictly necessary for the app to function.
  • Child data is never used for advertising, profiling, or sold to third parties.
  • Meal history is automatically and permanently deleted after 12 months.
  • The child-mode interface contains no social features, links, or external content.

The child-facing portion of the app uses a separate, isolated authentication token that has no access to parent account data, billing information, or any other child's data. It can only read the linked child's own profile and submit meal selections.

5. How we use your data

| Purpose | Legal basis (UK GDPR) |
| --- | --- |
| Providing and maintaining the app | Contract performance |
| Authenticating your account (incl. Google Sign-In) | Contract performance |
| Sending meal-choice push notifications to parents | Contract performance |
| Processing subscription payments via Stripe | Contract performance |
| Sending transactional emails (receipts, invites, summaries) | Contract performance |
| Improving the app through anonymised analytics | Legitimate interest |
| Diagnosing and fixing bugs via crash reports | Legitimate interest |
| Complying with legal obligations | Legal obligation |

We do not use your data for advertising, sell it to third parties, or use it for any purpose not listed above.

6. Third-party services

We use the following trusted third-party services to operate the app. Each is bound by its own privacy policy and, where applicable, a data processing agreement with us.

Database, authentication, and backend (EU region)

Data shared: Account data, child profiles, meal history

Google (Firebase / FCM)

Push notifications to parent and child devices

Data shared: Device push tokens (no personal content)

Google (Sign-In)

OAuth authentication

Data shared: Email, display name, profile picture

Subscription billing and payment processing

Data shared: Payment card data (handled entirely by Stripe — we never see raw card numbers)

Privacy-first product analytics (GDPR-compliant, EU-hosted)

Data shared: Anonymised usage events (no PII)

Crash and error reporting

Data shared: Anonymised stack traces (PII scrubbed before transmission)

Transactional email delivery

Data shared: Parent email address and email content

7. Data retention

| Data type | Retention period |
| --- | --- |
| Child meal selections | 12 months from creation, then automatically and permanently deleted |
| Child profile | Until the parent deletes the child from their account |
| Parent account | Until you request deletion or 24 months of inactivity |
| Billing records | 7 years (UK legal requirement for financial records) |
| Anonymised analytics | Up to 24 months (no personal data — cannot be linked to individuals) |
| Crash reports | 90 days |

8. Your rights

Under UK GDPR you have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you
  • Rectification: Ask us to correct inaccurate data
  • Erasure: Ask us to delete your data ("right to be forgotten")
  • Restriction: Ask us to pause processing while a dispute is resolved
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, email us at privacy@getmealtimemagic.com. We will respond within 30 days.

You also have the right to lodge a complaint with the UK's data protection authority: Information Commissioner's Office (ICO).

9. Security

We take appropriate technical and organisational measures to protect your data:

  • All data in transit is encrypted via TLS 1.2 or higher
  • Database access is controlled by Row-Level Security (RLS) — each user can only access their own family's data
  • Child device PINs are stored as bcrypt hashes and are never readable, even by us
  • Child JWT tokens are isolated from parent tokens — they cannot access parent data
  • Payment card data is handled entirely by Stripe and never touches our servers
  • Our infrastructure is hosted in ISO 27001-certified data centres

10. Cookies & analytics

Our marketing website (getmealtimemagic.com) uses only essential session cookies required for the site to function. We do not use advertising cookies or third-party tracking pixels on the website.

The mobile app does not use cookies. We use PostHog for privacy-first product analytics. PostHog is configured to:

  • Anonymise all user identifiers before storage
  • Host data in the EU
  • Respect user opt-out preferences (configurable in app settings)
  • Not share data with advertising platforms

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of Mealtime Magic after the effective date of any changes constitutes your acceptance of the revised policy.

12. Contact us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Mealtime Magic

United Kingdom

privacy@getmealtimemagic.com