Romby Privacy Policy
Last updated 7 July 2026
Romby ([COMPANY NAME] — to be updated upon incorporation) takes your health data seriously. This policy explains what we collect across both of our apps — the Romby eater app at app.romby.co and the Romby Coach coach dashboard at dashboard.romby.co — why we collect it, who we share it with, and the rights you have over it under the EU General Data Protection Regulation (GDPR) and equivalent laws.
1. Who we are (the data controller)
Romby is operated by Evgeny Klimenchenko ([COMPANY NAME], [REGISTERED ADDRESS] — to be updated upon incorporation), currently as a sole operator while a company is being formed to take over operation of the service. For all data-protection purposes, Evgeny Klimenchenko is the data controller for the eater app and the base platform. You can reach us at hello@romby.co for anything in this policy, including exercising your rights below.
2. What data we collect
Depending on how you use Romby, we collect:
- Account data — name, email address, a securely hashed password, and (for coaches) professional profile details you add.
- Health & body data (special category, GDPR Art. 9) — body weight, body-fat %, goal weight, and any notes you log about how you're feeling. This is special category health data and we only process it on the explicit-consent basis described in §3.
- Food data — photos of meals you snap, barcode scans, and the calorie/macro estimates derived from them.
- Activity & usage data — water logging, streaks, app opens, device/browser type, and coarse timestamps needed to run the service and keep it secure.
- Coach-relationship data — if you connect with a coach: the invite link/status, the coach's plan and private notes about you, and any push nudges they send. If you are a coach: your clients' shared health data (above) for as long as they've accepted your link.
- Family-sharing data — if you invite a household member (or accept their invite), the access level you both configure — view-only or edit — lets them see your logged data through the app, and you theirs. Either side can revoke this access at any time from Settings.
- Payment data — Romby is a marketplace: a client who subscribes to a coach pays through Romby-hosted Stripe Checkout, and Stripe handles the card directly — we never see or store your full card number, only the card brand and last 4 digits (shown on the client's membership screen). Romby takes a 15% platform fee from each charge; the rest is paid to the coach via their own Stripe Connect Express account.
- Support communications — anything you send to hello@romby.co.
3. Our legal basis for processing
- Performance of a contract (Art. 6(1)(b)) — account creation, storing your logs, and running the core app.
- Explicit consent (Art. 9(2)(a)) — for the special-category health data in §2 (weight, body-fat %, food photos, macros, goal weight). We ask for this consent when you set up your profile and start logging, and every subsequent log is a fresh, voluntary act of providing that data. You can withdraw consent at any time by deleting your account and data (§6); this does not affect the lawfulness of processing before withdrawal.
- Consent (Art. 6(1)(a)) — connecting to a coach and sharing your health data with them (§7) is a separate, specific consent you give when you accept a coach's invite link, on top of the consent in the point above.
- Legitimate interests (Art. 6(1)(f)) — keeping the service secure, preventing abuse, and rate-limiting login attempts.
- Legal obligation (Art. 6(1)(c)) — where we must keep billing records for tax purposes.
4. AI processing — photos, typed meals, and coach nudges
Romby sends certain data to third-party AI providers to power its core features:
- Meal photos — when you snap a meal, the photo is uploaded to our server and forwarded to a third-party AI vision provider ([AI PROVIDER NAME]) purely to estimate calories and macros from the image.
- Typed food descriptions — when you type a meal instead of taking a photo ("quick add"), the text you type is sent to a third-party AI language model to break it into ingredients and estimate quantities; the actual calorie/macro numbers are then looked up in our own nutrition database, not invented by the model.
- AI Coach nudges — to generate your daily in-app coaching message, we send an AI language model a compact data summary: your calorie/ protein goals, a rolling 7-day history of your logged calories and protein, yesterday's logged meals (the food names and their calories/protein), and, if you log your weight, a smoothed weight trend and rate of change. This is a text summary of your data, not photos, used only to generate that one message.
In every case, the estimate or message is returned to Romby and stored on your account so you (and, if you've connected one, your coach) can see it. We do not use this data to train our own models. We're working to ensure our contracts with these AI providers reflect that they don't retain or train on your data beyond what's needed to serve the request, and we'll update this section once that's finalised.
5. Who we share data with (sub-processors)
We use a small number of vetted service providers to run Romby. We don't sell your data, and we don't share it with advertisers.
| Provider | Purpose | Location / processing |
|---|---|---|
| Netcup | Application hosting (the server your data lives on) | Germany, EU |
| Cloudflare, Inc. (R2) | Encrypted, continuous off-site database backups | EU region processing |
| Resend | Transactional email (invites, notifications) — being wired in | EU/US, standard contractual clauses where applicable |
| Stripe | Payment processing for coach subscriptions (Stripe Connect marketplace — client payments, coach payouts) | EU/US, PCI-DSS compliant |
| [AI PROVIDER NAME] | AI estimation of calories/macros from meal photos and typed food descriptions; AI Coach nudges (a summary of your weight and recent nutrition) | [TBD] |
6. How long we keep your data
We keep your data for as long as your account is active. If you delete your account (via Settings, once export/delete is available there, or by emailing hello@romby.co), we delete your personal data from our live database. It is then purged from our continuously-replicated off-site backups (Litestream, streamed to Cloudflare R2) within a further ~30-day retention window, and from our on-box daily snapshot backups within 14 days (we keep the 14 most recent daily snapshots and roll off older ones). Billing records are kept longer where the law requires it.
7. The coach-access model
Romby Coach lets a human coach see a client's real logged data — but only after an explicit opt-in:
- A coach sends you an invite link (email or shareable link).
- Nothing is shared until you accept it — a separate, specific consent from the one in §3.
- Once accepted, your coach can see your food logs, weight/body-fat trend, goals, and adherence — computed live from your real data — plus write private coaching notes and a plan for you.
- You can revoke the link at any time from your account. This immediately cuts off the coach's ongoing access to your data going forward. Our Coach Data Processing Agreement separately requires any coach who exported or noted down your data to delete it after a link ends.
8. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time, without affecting past processing.
These rights cover everything we hold about you — including, if you've connected a coach, the plan, notes, and check-ins your coach keeps about you inside Romby.
How to exercise these: the Settings screen in both apps is gaining self-serve export and delete-my-account tools (in progress on a parallel branch) — once live, that's the fastest way. Until then, or for anything else, email hello@romby.co and we'll action it within 30 days.
9. International data transfers
Our hosting and backups are EU-based (Germany / EU region). Where a sub-processor operates outside the EU/EEA, we rely on the EU Standard Contractual Clauses or an adequacy decision to ensure your data stays protected to GDPR standards.
10. Security
We protect your data with, among other things:
- Encryption in transit (HTTPS/TLS) for every connection to Romby.
- Salted, hashed password storage — we never store plaintext passwords.
httpOnly,Securesession cookies (see §11).- Continuous encrypted off-site backups with point-in-time restore.
- Per-handler access controls so a coach can only ever read a client who explicitly accepted their link.
11. Cookies & analytics
Romby uses a single first-party session cookie to keep you logged in. We also run self-hosted, cookieless analytics (Umami, on our own infrastructure at analytics.romby.co) in both apps and on our marketing sites, to understand product usage — page views, coarse device/browser info, and in-app product events (e.g. which screens get used). This runs on our own servers; nothing is shared with third-party advertisers or ad networks, and we don't use any third-party or cross-site advertising trackers.
12. Children
Romby is not directed at, and may not be used by, anyone under 16 years old.
13. Invite-only accounts
Account creation on Romby is currently invite-only — you can't self-register. This is a product decision, not a data-protection one, but it does mean every account starts from a known, deliberate signup rather than open self-service.
14. Changes to this policy
If we make material changes, we'll update the "last updated" date above and, where the change is significant, notify you in-app or by email.
15. Complaints
If you think we've mishandled your data, please tell us first at hello@romby.co — we'll want to fix it. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or where the alleged infringement occurred (for our German hosting, that includes the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)).
16. Governing law
This policy is governed by [GOVERNING LAW / JURISDICTION], alongside applicable EU/GDPR rules.
17. Contact
Questions about this policy or your data: hello@romby.co.