Privacy Policy
Effective Date: March 6, 2026
This Privacy Policy (“Policy”) describes how Macromus and its affiliates (“Macromus,” “we,” “our,” or “us”) collect, use, disclose, and otherwise process your personal information when you use our website, mobile applications, and services (collectively, the “Services”). This Policy also describes your choices and rights regarding your personal information. This Policy forms part of our Terms of Service.
You must be at least 18 years old to use Macromus. Our Services are not designed for, nor intended for, children or anyone under 18. We implement technical measures to prevent individuals under 18 from creating an account. If we become aware that an individual under 18 may have provided us with personal information, we will investigate and take steps to remove the data and delete that individual’s account.
1. Personal Information We Collect
We collect personal information in the following ways:
Information You Provide Directly
Account and Profile Information. When you create an account and complete your profile, we collect:
- Name (first and last)
- Email address
- Phone number (for account verification via SMS/OTP)
- Authentication credentials (password or third-party login tokens)
Health and Fitness Profile Data. During onboarding and through your profile settings, we collect:
- Age, sex, height, and weight
- Activity level and fitness types (e.g., weightlifting, running, yoga)
- Training frequency and experience level
- Body composition information (body fat percentage, muscle level, fat level)
- Health and fitness goals (e.g., lose fat, build muscle, maintain weight)
- Goal weight and weekly rate targets
- Dietary restrictions and allergies
- Diet style preferences (e.g., keto, vegetarian, Mediterranean)
- Meal frequency and cooking preferences
- Macro priority preferences (e.g., high protein, balanced)
Health and Fitness Profile Data may include sensitive personal information when it indicates or allows someone to infer a health condition.
Food and Nutrition Data. Through your use of the Services, we collect:
- Food entries and meal logs (food names, quantities, calories, macronutrients)
- Meal drafts and AI-assisted meal logging data
- Stored meals and recipes you create
- Pantry items and ingredient preferences
- Quick-add calorie and macro entries
- Weight logs and body measurement history
AI Coach Interactions. When you use the AI Coach feature, we collect:
- Text messages and conversations with the AI Coach
- Photos submitted for food identification and nutritional analysis
- Voice transcriptions (your device transcribes audio locally; we receive only the text)
- AI memory notes that the Coach stores about your preferences and habits
- Conversation history and meal draft data associated with AI sessions
Feedback and Communications. We collect any information you provide when you contact us, submit feedback, or communicate with us through any channel.
Information We Collect Automatically
Usage and Device Data. We may automatically collect:
- Browser type, operating system, and device information
- IP address and general location information (inferred from IP)
- Pages visited, features used, and actions taken within the Services
- Date and time of access, session duration, and frequency of use
- Event tracking data (e.g., onboarding completion, feature usage patterns)
- Referring URLs and navigation paths
Information We Receive from Third Parties
- Authentication Providers: When you sign in via Google OAuth, we receive your name, email address, and profile information from Google.
- SMS/OTP Providers: We use third-party communication services (such as Twilio) to send verification codes to your phone number for account security.
2. How We Use Your Personal Information
We use your personal information for the following purposes:
Provide and Operate the Services. We use your information to create and manage your account, calculate personalized calorie and macro targets (using the Mifflin-St Jeor equation for BMR, TDEE multipliers, and your specified goals), display your journal and progress data, operate the AI Coach, and otherwise deliver the core functionality of the Services.
AI-Powered Features. We use your profile data, food logs, conversation history, photos, and voice transcriptions to power the AI Coach and related features. This includes sending your data to third-party AI providers (currently OpenAI) to generate responses, identify foods in photos, estimate nutritional content, provide coaching suggestions, generate weekly reports, and analyze dietary trends.
Personalization. We use your dietary preferences, goals, history, allergies, and AI memory notes to personalize your experience, including tailored meal suggestions, macro gap suggestions, trend alerts, and coaching responses.
Account Security. We use your phone number and email address to verify your identity, prevent unauthorized access, and protect your account through SMS/OTP verification.
Communications. We use your contact information to respond to your inquiries, send important account notifications, and provide customer support.
Analytics and Improvement. We use usage data and event tracking to analyze how the Services are used, identify issues, and improve the quality and functionality of the Services.
Legal Compliance. We use your information to comply with applicable laws, regulations, and legal processes, and to protect our rights and the rights of others.
3. How We Share Your Personal Information
We share your personal information with the following categories of recipients:
AI and Machine Learning Providers. We share your AI Coach conversations (text messages, photos, and transcribed voice input), along with relevant context (profile data, recent food logs, stored meals, and AI memory notes), with third-party AI providers (currently OpenAI) to generate AI-powered responses and features. OpenAI processes this data in accordance with its own privacy policy and data usage terms.
Cloud Infrastructure and Database Providers. We use Supabase as our cloud database and authentication provider. Your account data, profile information, food logs, conversations, and all other user data is stored on Supabase’s infrastructure. Supabase processes data in accordance with its own privacy policy.
Authentication Providers. When you sign in or link your account via Google OAuth, your authentication data is processed by Google in accordance with Google’s privacy policy.
Communication Service Providers. We use third-party services (such as Twilio) to send SMS verification codes to your phone number for account security purposes.
Image Storage. Photos submitted to the AI Coach for meal logging are stored in cloud storage (Supabase Storage) and are associated with your user account. These images are stored using unique, non-guessable URLs. While the storage bucket is publicly accessible by URL, images are not indexed, listed, or discoverable without knowing the specific URL. We do not share image URLs with any third parties other than AI providers for food analysis purposes.
Legal Requirements. We may disclose your information to comply with applicable laws, respond to legal process (such as subpoenas or court orders), enforce our Terms of Service, and protect the rights, property, or safety of Macromus, our users, or others.
Business Transfers. In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred to the acquiring entity.
We do not sell your personal information. We do not share your personal information with advertisers or advertising networks. We do not use your data for targeted advertising.
4. Data Security
We implement reasonable technical, organizational, and administrative safeguards designed to protect your personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Row-Level Security (RLS) policies ensuring users can only access their own data
- Secure authentication using industry-standard protocols (PKCE OAuth flow, OTP verification)
- Service-role key separation (admin operations vs. user-scoped operations)
- Secure session management with automatic token refresh
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your information.
Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law. Where required by law (including under the EU General Data Protection Regulation), we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach. We will also notify affected users without undue delay through the contact information associated with their accounts (email and/or phone number), or through a prominent notice on the Services if individual notification is not feasible. Our notification will describe, to the extent possible, the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take to address the breach.
5. Data Retention
We retain your personal information for as long as your account is active and as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account Data: Retained for the duration of your account. When you delete your account, your profile, food logs, conversations, meal drafts, stored meals, weight logs, and all associated data are permanently deleted.
- AI Conversation Data: Retained for the duration of your account. You can delete individual conversations at any time through the AI Coach interface.
- Uploaded Photos: Stored in cloud storage for the duration of your account. Deleted when your account is deleted.
- Event/Analytics Data: May be retained in aggregated or de-identified form after account deletion for analytical purposes.
6. Your Privacy Rights
Depending on where you live, you may have certain rights over your personal information, including:
Right to Access. You can access your personal information through your profile settings, food journal, AI Coach conversations, and other features of the Services. You may also request a copy of your data by contacting us.
Right to Correction. You can update your profile information, food logs, and other data directly through the Services at any time.
Right to Deletion. You can delete your account at any time through the Settings menu, which will permanently remove your data. You can also delete individual food entries, conversations, stored meals, weight logs, and AI memory notes at any time.
Right to Data Portability. You may request a copy of your personal information in a portable format by contacting us.
Right to Opt Out of Data Sharing. We do not sell your personal information or share it for targeted advertising purposes. If this changes, we will update this Policy and provide you with the ability to opt out.
Right Against Discrimination. We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within the timeframe required by applicable law.
7. Third-Party AI Data Processing
This section provides additional detail about how your data is processed by our AI providers, which is important for transparency.
OpenAI. We use OpenAI’s API to power our AI Coach features. When you interact with the AI Coach, the following data may be sent to OpenAI for processing:
- Your text messages to the AI Coach
- Photos you submit for food identification
- Your profile context (age, sex, goals, dietary restrictions, allergies, macro targets)
- Recent food journal entries (up to 7 days of history)
- Current meal draft items
- AI memory notes about your preferences
- Your stored meals list
OpenAI processes this data according to its API data usage policy. As of the effective date of this Policy, OpenAI does not use API data to train its models. However, we encourage you to review OpenAI’s current privacy policy and data usage terms for the most up-to-date information.
Voice Processing. Voice input is transcribed locally on your device using the Web Speech API (a browser-native feature). The audio recording itself is not transmitted to our servers or any third party. Only the resulting text transcription is sent to our servers and then to OpenAI for processing.
8. International Data Transfers
Macromus is based in the United States. Your personal information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.
By using the Services, you consent to the transfer of your information to the United States and other countries as described in this Policy. We take appropriate steps to ensure your information is protected in accordance with applicable law, but please note that while outside your country of residence, your information may be subject to applicable local laws.
9. Children’s Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe that a child under 18 has provided us with personal information, please contact us immediately.
10. Cookies and Tracking Technologies
We may use cookies and similar tracking technologies to collect usage data and improve the Services. These may include:
- Essential Cookies: Required for the Services to function properly, including authentication session cookies.
- Analytics Cookies: Used to understand how users interact with the Services and to improve functionality.
We do not use advertising or marketing cookies. We do not engage in cross-site tracking or targeted advertising. You can manage cookie preferences through your browser settings.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by posting the updated Policy on the Services with a new effective date. We encourage you to review this Policy periodically.
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
privacy@macromus.app
We will respond to your inquiry as promptly as possible and within the timeframes required by applicable law.
13. Additional Information for California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:
- The right to know what personal information we collect, use, and disclose about you.
- The right to request deletion of your personal information.
- The right to opt out of the “sale” or “sharing” of your personal information. As stated above, we do not sell or share your personal information for advertising purposes.
- The right to non-discrimination for exercising your privacy rights.
- The right to limit the use of sensitive personal information. We use sensitive personal information (health and dietary data) only as necessary to provide the Services you have requested.
To exercise these rights, please contact us at the email address above.
14. Additional Information for EEA, UK, and Swiss Residents
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, the following additional provisions apply:
Legal Basis for Processing. We process your personal information based on the following legal bases:
- Contract: Processing necessary to perform our contract with you (the Terms of Service), including providing the Services, managing your account, and delivering AI Coach features.
- Consent: Processing based on your explicit consent, including the processing of health-related data and the use of AI services. You may withdraw your consent at any time by deleting your account.
- Legitimate Interests: Processing necessary for our legitimate interests, including improving the Services, ensuring security, and conducting analytics, provided these interests do not override your fundamental rights.
- Legal Obligation: Processing necessary to comply with applicable laws and regulations.
Additional Rights. In addition to the rights described in Section 6, you may also have the right to:
- Restrict the processing of your personal information in certain circumstances.
- Object to the processing of your personal information based on legitimate interests.
- Lodge a complaint with your local data protection authority.
© 2026 Macromus. All rights reserved.