Privacy Policy
Last updated: January 29, 2026
1. Introduction
Welcome to Symptly ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our food and allergy reaction tracking application.
Important: Symptly collects health-related data, including information about your meals, allergic reactions, and symptoms. This is considered sensitive personal data under GDPR and similar regulations.
2. Information We Collect
2.1 Account Information
- Email address
- Display name
- Profile picture (if using Google sign-in)
- Account creation and update timestamps
2.2 Health and Dietary Data
- Meal information: Foods consumed, meal times, meal categories (breakfast, lunch, dinner, snack), and notes
- Reaction data: Allergic reaction severity (1-5 scale), symptoms experienced, body locations affected, when reactions occurred, and notes
- Ingredients: Custom ingredients you create and their categories
- Saved meals: Meal templates you save for quick logging
2.3 Derived Data
- Food-symptom correlations automatically calculated from your logged data
- Reaction frequency analysis
2.4 Technical Data
- IP address and approximate location (country/region)
- Browser type and version
- Device information
- Pages visited and features used (if you consent to analytics)
3. How We Use Your Information
We use your information to:
- Provide and maintain the Symptly service
- Create and manage your account
- Track your meals and allergic reactions
- Calculate food-symptom correlations to help identify potential triggers
- Send you important service updates (e.g., password reset emails)
- Improve our service (only with your consent for analytics)
4. Legal Basis for Processing (GDPR)
We process your personal data based on:
- Consent: You explicitly consent to the processing of your health data when you create an account and accept this policy
- Contract: Processing is necessary to provide you with the Symptly service
- Legitimate interests: For security, fraud prevention, and service improvement (where your rights don't override these interests)
5. Data Sharing and Third Parties
We share your data with the following third-party services:
5.1 Supabase (Database Provider)
All your data is stored on Supabase servers. Supabase acts as a data processor on our behalf. See the Supabase Privacy Policy.
5.2 Google (OAuth Authentication - Optional)
If you choose to sign in with Google, Google receives your authentication request. See the Google Privacy Policy.
5.3 Umami (Analytics - Optional)
If you consent to analytics, we use Umami Analytics, a privacy-focused analytics tool that collects anonymized usage data. Umami does not use cookies and does not collect personal data. See the Umami Privacy Policy.
6. Data Retention
We retain your personal data for as long as your account is active. When you delete your account, all your data is permanently deleted, including:
- Your profile information
- All meals and meal ingredients
- All reactions, symptoms, and body locations
- All custom ingredients
- All saved meal templates
7. Your Rights
Under GDPR and similar regulations, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Data Portability: Receive your data in a machine-readable format
- Withdraw Consent: Withdraw consent at any time (this doesn't affect prior processing)
- Object: Object to processing based on legitimate interests
- Restriction: Request restricted processing of your data
You can exercise most of these rights directly in the Settings page of the application. For other requests, please contact us.
8. Data Security
We implement appropriate security measures including:
- Encryption in transit (HTTPS/TLS)
- Row-level security ensuring you can only access your own data
- Secure authentication via Supabase Auth
- Content Security Policy headers
- Regular security reviews
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States (where Supabase servers may be located). We ensure appropriate safeguards are in place for such transfers.
10. Cookies
We use the following cookies:
- Essential cookies: Authentication session cookies (required for the service to function)
- Analytics cookies: Only set if you consent to analytics
- Preference cookies: Store your cookie consent preferences
11. Children's Privacy
Symptly is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Email: privacy@symptly.app
14. Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.