1. Who is responsible
The data controller is Om Fund Operations sp. z o.o., [adres], Poland ("Brontwell", "we"). Privacy contact: privacy@brontwell.app (we have not appointed a formal Data Protection Officer; this is reviewed as we grow). Our supervisory authority is the Polish data protection authority, UODO (Urząd Ochrony Danych Osobowych, uodo.gov.pl).
We apply the EU General Data Protection Regulation (GDPR) to all users worldwide. If your country gives you additional rights, Section 14 applies to you as well.
2. The short version
- Your health profiles live on your device, not on our servers.
- When you ask a question, only the data needed for that question is sent to our AI provider (OpenAI Ireland Ltd., EU) — under your explicit consent, which you can switch off anytime in Settings → Privacy.
- Your health data is never used by us to train AI models — and under our agreement with OpenAI, not by our AI provider either (on the BYO Key plan, your own OpenAI agreement governs — see Section 5). It is never sold.
- Analytics: PostHog, EU-hosted, [cookieless — wariant A cookie-policy] and never containing your questions or health data.
3. What we process, why, and on what basis
| Data | Purpose | Legal basis |
|---|---|---|
| Account data (e-mail, password hash) | Sign-in, security, service messages | Contract (Art. 6(1)(b)) |
| Profile & health data (dietary history, health conditions you record, allergies and intolerances, supplements, lab results, religious or worldview dietary considerations, life stage such as pregnancy) — for you and your subjects of care | Personalised AI nutrition guidance | Explicit consent (Art. 9(2)(a)) — separate consent step in onboarding; for an adult family member's profile, their own consent relayed through you (see Section 3a) |
| Meal photos, and the nutrition-related inferences our AI derives from your data and queries | AI analysis of the meal in your query; personalisation | Explicit consent (Art. 9(2)(a)) — photos may reveal health context; processed per query |
| Basic body details you provide (age, sex, height, weight) | Personalisation context for your queries | Explicit consent (Art. 9(2)(a)) — processed together with your health profile |
| Technical and diagnostic data (IP address, device/browser type, error logs after scrubbing) | Service operation, security, debugging | Legitimate interest (Art. 6(1)(f)) |
| Marketing e-mail (optional) | Product news and offers | Consent (Art. 6(1)(a)) — separate unchecked opt-in; withdraw anytime via the unsubscribe link or Settings |
| Pet profile data | Pet nutrition guidance | Contract (Art. 6(1)(b)) — information about your pet relates to you as its owner and is processed as part of your account |
| Payment data | Billing | Contract; processed by Stripe — we never see full card numbers |
| Usage analytics | Improving the product | Legitimate interest (Art. 6(1)(f)) — cookieless, aggregate-only, never health data or question content; objection toggle in Settings → Privacy |
| Support correspondence | Helping you | Legitimate interest (Art. 6(1)(f)); if you include health information in your message, we use it solely to resolve your request — your message is your explicit ask (Art. 9(2)(a)) — and delete it once resolved |
| Billing and accounting records | Tax and accounting obligations | Legal obligation (Art. 6(1)(c)) — retained for the statutory period (Poland: 5 years) |
Religious or worldview dietary preferences are also special-category data (Art. 9) — covered by the same explicit consent step, named there.
Is providing data required? Account and payment data are needed to create an account and buy a subscription — without them we cannot provide the service. All health-profile data is voluntary: without your consent the AI features simply remain unavailable, and you can still use the non-AI parts of the app. Nothing you provide is required by law.
Profiling note: Brontwell's guidance is produced by automated processing (profiling) of the data you provide — that is the service you request. It produces no decision with legal or similarly significant effects about you, and you can always ask a person to review any concern at privacy@brontwell.app.
3a. Profiles for other adults
When you create a profile for another adult (for example a partner or parent), their health data belongs to them. You may only create such a profile if that person has seen our short notice for family members and agreed; we ask you to confirm this at profile creation, and we record that confirmation like any other consent. The person concerned can at any time contact us at privacy@brontwell.app to access the data held about them, object, or have the profile deleted — we honour such requests directly, without needing the account holder's approval.
4. Health data and explicit consent
We process health data as defined in Art. 9(1) GDPR only on the basis of your explicit consent (Art. 9(2)(a)), collected in a dedicated onboarding step, separate from these terms and from any marketing consents. The consent names the data categories, the purpose (AI-generated nutritional guidance), the recipient (OpenAI Ireland Ltd.), and the principal consequences of the processing — including that AI-generated guidance can be incomplete or incorrect and that health data is transferred to our AI provider with each query.
You can withdraw consent at any time: Settings → Privacy → AI Health Data Processing → Disable. Withdrawal is immediate: no further health data leaves your device, AI features pause, and your local data stays on your device. Withdrawal does not affect the lawfulness of prior processing (Art. 7(3)).
We record consent events (user ID, consent version, timestamp, categories) to meet our accountability obligations (Art. 7(1)); retention: [X lat — decyzja prawnika].
5. AI processing — what leaves your device
When you ask a question, we assemble a prompt containing only what that question needs: relevant profile attributes (e.g. allergen list for a meal question; the specific lab value for a lab question — except for users in Australia, see Section 14.3), the question itself, and the photo if you attached one. We never include your name, e-mail, or device identifiers in prompts.
The prompt is sent to OpenAI Ireland Ltd. (Dublin, Ireland — an EU entity subject to GDPR), acting as our processor under a Data Processing Agreement. OpenAI does not use API data to train its models and does not retain it beyond short-term operational windows.
On the BYO Key plan, the app assembles your prompts the same way, but sends them to OpenAI under your own OpenAI account and API agreement — OpenAI acts there as a recipient based on your direct relationship with them, not under our processor agreement. We tell you this, and ask you to confirm it, when you connect a key; OpenAI's API terms (including no-training commitments) apply to that traffic.
6. Our processors and recipients
| Recipient | Role | Location | Safeguard |
|---|---|---|---|
| OpenAI Ireland Ltd. | AI processing per query | EU (Ireland) | DPA [+ Healthcare Addendum — W TOKU] |
| Stripe | Payments | [EU entity — Stripe Payments Europe] | Own controller for payment processing |
| PostHog | Product analytics | EU Cloud | DPA [zweryfikować podpisanie] |
| Sentry | Error monitoring | [region — ZWERYFIKOWAĆ; czy errory zawierają dane zdrowotne? — task GH#331] | DPA [status?] |
| Langfuse | LLM quality monitoring — receives pseudonymised query logs: your question, the answer, and your meal photo (with location metadata removed) — never your profile data or your identity; retained 30 days | EU Cloud | DPA — podpisać (self-serve) |
| [E-mail provider — SendGrid/Resend TBD] | Transactional e-mail | [—] | DPA [status?] |
| [Hosting — DigitalOcean?] | Infrastructure | [region] | DPA [status?] |
Current list also at: brontwell.app/subprocessors. We give at least [30] days' notice of changes via in-app notification and e-mail.
We do not sell personal data, and we do not share it with advertisers or data brokers.
7. International transfers
We keep processing in the EU/EEA wherever possible (OpenAI Ireland, PostHog EU). If any provider processes data outside the EEA, we rely on adequacy decisions or Standard Contractual Clauses; details available on request at privacy@brontwell.app.
8. Retention
- On-device data (profiles, health records): under your control; deleted when you delete profiles, clear app data, or delete the account.
- Server-side account data: for the life of the account + [X] days after deletion.
- Per-query AI data: not retained by us beyond the response, except masked, pseudonymised operational traces (below); OpenAI per its API data-handling policy [short operational window].
- Consent records: [X lat] after account deletion (accountability, Art. 7(1)).
- Analytics: [okres — PostHog project setting; ZWERYFIKOWAĆ].
- Pseudonymised quality logs (Langfuse): 30 days.
- Billing and accounting records: statutory retention period (Poland: 5 years).
9. Your rights
You have the right of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw any consent at any time. Exercise them in-app (Settings → Privacy / Account) or via privacy@brontwell.app; we respond within one month. You may complain to UODO (Poland) or your local supervisory authority.
Most data lives on your device, so access/erasure of profile data is instant and in your hands; server-side we hold account data, consent records, and analytics.
10. Children
Brontwell accounts are for adults (18+). Child profiles are created and managed by a parent or legal guardian — children do not use Brontwell themselves, and we collect no data directly from children. The account holder controls the child's profile data and can delete it at any time.
11. Security
Your health profiles are stored only on your device — they are not kept on our servers, which removes the most common breach scenario at its source. Data in transit is protected with TLS. When you ask a question, only the minimum data needed for that answer leaves your device, and our analytics and error-monitoring tools are configured not to receive health data or question content. Server-side account data is protected with access controls, and we run a continuing security program (independent code audits, dependency monitoring, and hardening of our infrastructure). No system is perfectly secure: protect your device with a passcode and keep your sign-in e-mail account secure, since on-device data is only as safe as the device it lives on.
12. DPIA
Processing of health data with AI is high-risk processing; we [have completed / are completing] a Data Protection Impact Assessment under Art. 35 GDPR.
13. Changes
We will post changes here, update the version and date, and announce material changes in-app [30] days ahead. Where a change requires new consent (e.g. a new health-data purpose), we will ask for it — we never widen consent silently.
14. Country supplements
14.2 United States
If you are in the United States, this section and our separate Consumer Health Data Privacy Policy (linked prominently on our homepage) apply to you.
We collect the categories of information described in Section 3 for the purposes stated there. We share personal information only with the service providers and the payment processor listed in Section 6 — service providers under contracts restricting their use of it to serving us, and Stripe as an independent payment processor. We do not sell your personal information or your consumer health data, and we do not share it for targeted advertising. Our service does not respond to browser "Do Not Track" or Global Privacy Control signals, because we do not track our users over time or across third-party websites and do not sell or share personal information within the meaning of those signals; this notice itself satisfies our disclosure obligation. Third parties do not collect personal information about your online activities over time and across different websites through our service.
Consumer health data (Washington, Nevada, Connecticut residents): we collect your health data only with your opt-in consent, given in a dedicated in-app step separate from accepting our terms. When you create a profile for your child, you provide that consent on the child's behalf as their parent or legal guardian. You may withdraw consent, request access (including a list of third parties with whom data was shared), and request deletion at any time — in-app or via privacy@brontwell.app; we respond within 45 days. Details and the full notice: Consumer Health Data Privacy Policy.
14.3 Australia
If you are in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to our handling of your personal information — we provide what Australian law calls a "health service", so we comply with the Privacy Act in full, regardless of our size.
Health information (allergies, dietary history, lab results, life stage, and related inferences) is collected only with your express consent, given in a dedicated step separate from our terms and from any marketing choices (Section 4). When you create a profile for your child, you give this consent on the child's behalf as their parent or legal guardian; for another adult's profile, Section 3a applies. We do not use your health information for direct marketing.
Overseas handling: your personal information is processed in Poland and Ireland (European Union) [oraz — po weryfikacji Sentry/e-mail — United States]. Our service providers are bound by contracts requiring them to handle it consistently with the Australian Privacy Principles, and we remain accountable to you for their handling; Stripe processes payments as an independent payment processor under its own privacy policy.
Automated processing: Brontwell's nutrition guidance is generated by computer programs (AI models) using the kinds of information described above (your profile, health information, and questions); the kinds of outputs made this way are personalised nutrition and lifestyle suggestions. You can raise any concern with a person at privacy@brontwell.app.
Lab results (Australia): any lab results you record are stored for your own reference and display only — they are not used by, or sent to, our AI features.
Data breaches: we assess suspected breaches within 30 days and notify you and the Office of the Australian Information Commissioner where a breach is likely to result in serious harm.
Complaints and access: you may access and correct your information (Section 9) and complain to us at privacy@brontwell.app — we acknowledge within 7 days and give a substantive response within 30 days; if you are not satisfied, you may complain to the OAIC (oaic.gov.au).
14.4 Canada
If you are in Canada, PIPEDA applies to our handling of your personal information, and we treat your health information as sensitive, processed only with your express consent (the consent step described in Section 4).
Processing outside Canada: your personal information is processed in the European Union (and, where noted in Section 6, other locations) by us and our service providers, and may be accessible to law enforcement and other authorities in those jurisdictions under their laws.
We remain responsible for personal information we transfer to our service providers for processing, wherever they are located. If a breach of our safeguards creates a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada.
Our accountable privacy contact is [imię/rola] — privacy@brontwell.app. You may also contact the Office of the Privacy Commissioner of Canada (priv.gc.ca).
Quebec: Brontwell is currently not offered to residents of Quebec (see our Terms, Section 15.5).
15. Contact
Om Fund Operations sp. z o.o. · [adres] · privacy@brontwell.app