Privacy Policy

1. Who we are

The Dietary Edit (the “Service”, “we”, “us”) is operated by Nichola Williams, based in the United Kingdom. We are the data controller for personal data processed through the Service. For any privacy question, contact hello@thedietaryedit.com.

2. What data we collect

• Account data: email, password (hashed), display name.
• Health-related data (special category, Art. 9 UK GDPR): food diary entries, symptoms, severity, cycle entries, lifestyle (sleep, stress, exercise), medication, environmental triggers, outcome check-ins, photos of meals.
• Billing data: handled by Stripe — we receive subscription status only, not card details.
• Technical: browser/device user-agent, IP address (transiently, for security and abuse prevention).

3. Why we process it (legal bases)

• Contract (Art. 6(1)(b)): to provide the diary, insights and dietitian features you signed up for.
• Explicit consent (Art. 9(2)(a)): for all health-related data. You give this at signup and can withdraw it any time from Settings → Privacy.
• Consent (Art. 6(1)(a)): for marketing emails.
• Legitimate interests (Art. 6(1)(f)): aggregated, anonymised analytics to improve the Service.

4. Who we share data with

We use the following processors, each under a Data Processing Agreement:

• Supabase / Lovable Cloud — hosting and database (EU region).
• Stripe — payments.
• Kit (ConvertKit) — marketing emails (only if you opt in).
• ElevenLabs — text-to-speech for hypnotherapy audio (no personal content sent).

We do not sell your data. We do not share health data with advertisers.

5. International transfers

Some processors (Stripe, Kit, ElevenLabs) may transfer data outside the UK/EEA. Transfers are covered by Standard Contractual Clauses or UK-IDTA equivalents.

6. How long we keep it

• Account and diary data: while your account is active.
• On account deletion: erased immediately from live systems; encrypted backups age out within 30 days.
• Consent records: kept for 6 years to evidence compliance.

7. Your rights

You have the right to:

• Access your data — use Settings → Privacy → Export my data.
• Rectify inaccurate data — edit directly in the app.
• Erase your account and data — Settings → Privacy → Delete account.
• Withdraw consent for health-data processing or marketing — same page.
• Object to processing or request restriction — email us.
• Complain to the UK ICO (ico.org.uk) if you believe we've mishandled your data.

8. Security

Data is encrypted in transit (TLS) and at rest. Access is restricted to authenticated users via row-level security; admin access is logged.

9. Cookies & local storage

We use essential browser storage only — see our Cookie & Storage Notice.

10. Changes

We'll notify you of material changes by email and update the “Last updated” date above.