Last updated: December 26, 2025
1. Introduction
Welcome to Soma. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our services, including our web application and mobile app.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, display name, phone number (if provided), profile avatar/image
- Physical Profile & Health Data:
  - Age, birth year, birth month, birth day
  - Height (in cm or ft/inches)
  - Weight (in kg or lbs)
  - Gender
  - Activity level (sedentary, lightly active, moderately active, very active, extremely active)
  - Apple HealthKit data (if you connect your Apple Health account): weight, height, age, activity data, workout data
- Nutrition & Dietary Information:
  - Food logs (meals, calories, macronutrients: protein, carbs, fats)
  - Calorie goals and macro goals
  - Dietary preferences and restrictions
  - Allergies and food sensitivities
  - Cooking habits and preferences
  - Favorite cuisines
  - Portion size preferences
- Fitness & Activity:
  - Workout logs (workout type, duration, calories burned)
  - Exercise activities and notes
- Chat & Interaction Data:
  - Chat conversations and messages with our AI assistant
  - Chat attachments (images, PDFs, documents you upload)
  - AI-generated memories about your preferences and context
- Recipes:
  - Recipes you create, save, or modify
  - Recipe ratings and comments
  - Recipe folders and organization
- User Preferences & Settings:
  - Language preferences, timezone, time format (12h/24h)
  - UI preferences (layout, theme, color scheme)
  - Notification preferences (meal reminders, daily summaries, macro progress)
  - AI model preferences and favorite models
  - Developer settings and API keys (BYOK)
  - Haptic feedback preferences (mobile)
  - Speech language preferences
  - Analytics sharing consent preference
- Subscription & Payment Information:
  - Subscription status and plan
  - Payment method metadata (processed securely by Stripe)
  - Transaction history
2.2 Automatically Collected Information
- Device information and identifiers (device type, OS version, app version)
- Usage data and interaction patterns (features used, session duration)
- Technical logs and error reports
- IP address and location data (general location only, used for security and compliance)
- Authentication tokens and session data
3. How We Use Your Information
We use your information to:
- Provide and improve our services
- Personalize your experience
- Process your requests and transactions
- Send you important updates about our services
- Analyze usage patterns to improve our platform (anonymized)
- Ensure security and prevent fraud
4. Data Storage and Security
Your data is stored securely using industry-standard encryption and security practices. We use Supabase for data storage, which complies with GDPR, SOC 2, and other security standards. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information only in the following circumstances:
- Service Providers: With trusted third-party services that help us operate our platform (e.g., hosting, analytics)
- Legal Requirements: When required by law or to protect our rights
- With Your Consent: When you explicitly authorize us to share your data
6. Your Rights (GDPR & CCPA)
You have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("Right to be Forgotten")
- Portability: Export your data in a machine-readable format
- Object: Object to processing of your data for certain purposes
- Restrict Processing: Request limitation of how we process your data
- Withdraw Consent: Withdraw consent for data processing where applicable
To exercise these rights, contact us at ludvighedin15@gmail.com or use the data export feature in your account settings.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with our services. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, regulatory, or security purposes.
8. Cookies and Tracking
We use cookies and similar technologies to improve your experience, analyze usage, and provide personalized content. You can control cookies through your browser settings.
9. Third-Party Services
Our services may integrate with third-party services (e.g., AI model providers, payment processors). These services have their own privacy policies. We encourage you to review their privacy practices.
10. Children's Privacy
Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.
12. Controller Identity and Contact
Data Controller: Ludvig Hedin (Enskild Firma)
Swedish Sole Proprietorship
Contact Information:
Email: ludvighedin15@gmail.com
Phone: +46 708 359 161
For sole proprietorships and small businesses, email and phone contact details are sufficient to meet GDPR Article 13(1)(a) requirements.
If you have questions about this privacy policy, wish to exercise your rights (access, deletion, portability), or need to report a data breach, please contact us using the email or phone number above.
13. Lawful Bases for Processing (GDPR Article 6)
We process your personal data under the following lawful bases:
- Contract Performance: To provide our services (chat functionality, recipe management, nutrition tracking) as agreed in our Terms of Service.
- Legitimate Interests: To improve our services, ensure security, prevent fraud, and analyze usage patterns (anonymized).
- Consent: For optional features like analytics sharing, marketing communications, and third-party integrations (where applicable).
- Legal Obligation: To comply with applicable laws, regulations, and tax requirements.
Special Category Data (GDPR Article 9): If you connect Apple HealthKit or provide health-related information, we process such data based on your explicit consent and only to provide nutrition tracking services. We do not share health data with third parties without your explicit consent.
14. Data Processors and Subprocessors
We use the following third-party services that may process your personal data:
- Supabase (Database, Authentication, Storage)
  - Purpose: Core infrastructure for data storage, user authentication, and file storage
  - Data shared: Account information, chat messages, recipes, food logs, user preferences
  - Location: EU/US (Standard Contractual Clauses apply)
  - Privacy: https://supabase.com/privacy
- Vercel (Hosting & CDN)
  - Purpose: Application hosting, content delivery, and serverless functions
  - Data shared: IP addresses, request logs, performance metrics
  - Location: Global (primarily US/EU)
  - Privacy: https://vercel.com/legal/privacy-policy
- Stripe (Payment Processing)
  - Purpose: Secure payment processing and subscription management
  - Data shared: Payment method metadata, transaction history, subscription status
  - Location: US (Standard Contractual Clauses apply)
  - Privacy: https://stripe.com/privacy
- AI Model Providers (OpenAI, Google, Anthropic, Mistral, etc. via OpenRouter)
  - Purpose: Processing chat messages and generating AI responses
  - Data shared: Chat messages, user queries, context (when you use AI features)
  - Location: US (Standard Contractual Clauses apply)
  - Privacy: Varies by provider; see the OpenRouter privacy policy
- Analytics Providers (OneDollarStats, Umami; only if you opt in)
  - Purpose: Usage analytics and performance monitoring (only if you consent)
  - Data shared: Anonymized usage data, page views, interaction patterns
  - Location: EU/US
  - Opt-out: Available in account settings
All processors are bound by contractual obligations to protect your data and only process it as instructed. We regularly review our subprocessors and update this list as needed.
15. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA). When we transfer your personal data to processors in the United States or other countries, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses with all non-EEA processors.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission.
- Processor Agreements: All processors are contractually bound to protect your data in accordance with GDPR standards.
You can request information about the specific safeguards in place for your data by contacting us at ludvighedin15@gmail.com.
16. Contact Us
If you have questions about this privacy policy, wish to exercise your data protection rights, or need to report a data breach, please contact us:
Email: ludvighedin15@gmail.com
Phone: +46 708 359 161
Data Controller: Ludvig Hedin (Enskild Firma)
Swedish Sole Proprietorship