§ 1. Data controller
- The controller of your personal data is: DATABEE Sp. z o.o.
  Plac Bankowy 2, 00-095 Warsaw, Poland
  KRS 0000895147 · NIP 5252858624 · REGON 388709924
  Contact: team@heygavi.com
- For all matters relating to the processing of personal data, please contact us at the email above.
§ 2. Categories of data processed
To provide the HEYGAVI service we process the following categories of data:
A. Account data
- Email address (with 6-digit code authentication)
- Display name
- Avatar (chosen from 8 predefined options)
- Language preference (auto-detect or English)
B. Health data — SENSITIVE DATA (Article 9 GDPR)
- Conditions (e.g. diabetes, IBS, PCOS) — optional
- Food allergies — optional
- Medications — optional
Important: providing this data is entirely voluntary. The Application also works without it; AI suggestions are simply less personalised. By providing health data you give explicit consent for its processing under Article 9(2)(a) GDPR.
C. Dietary preferences
- Diet (vegetarian, vegan, keto, paleo, Mediterranean, etc.)
- Avoided products
- Goals (weight loss, muscle gain, maintenance)
- Calorie and macronutrient targets
D. Activity data
- Physical activity level
- Sports practiced
E. Meal-logging data
- Text content of messages describing meals
- Meal photos — transmitted to LLM providers for analysis, not stored permanently on Application servers
- Voice-message transcriptions (original audio is not stored)
- AI-generated macronutrient and micronutrient figures
- Date, time, and meal type
F. Conversational data
- AI Coach chat history
- Saved conversations (retained until Account deletion)
G. Technical data
- Telegram ID (after the bot is connected)
- Time zone
- Notification preferences (hour, on/off)
- Error logs (Sentry — anonymised)
H. Weight data (optional)
- Weight measurements with date — only if the User provides them
§ 3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service provision (logging, dashboard, AI coaching) | Art. 6(1)(b) GDPR (contract) |
| Personalising AI suggestions using health data | Art. 9(2)(a) GDPR (explicit consent) |
| Telegram and email notifications | Art. 6(1)(b) GDPR |
| Security (rate limiting, monitoring) | Art. 6(1)(f) GDPR (legitimate interest) |
| Administrative communication (complaints) | Art. 6(1)(c) GDPR (legal obligation) |
| Technical statistics (Sentry) | Art. 6(1)(f) GDPR |
§ 4. Recipients (processors)
Your data may be transferred to the following processors — entities processing personal data on the Controller's behalf:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting + authentication | USA |
| Vercel, Inc. | Application hosting | USA |
| OpenAI, Inc. | AI processing (meal analysis, coaching) | USA |
| Anthropic, PBC | Alternative AI processing | USA |
| Google LLC (Gemini) | Alternative AI + voice transcription | USA |
| Telegram FZ-LLC | Bot messaging | UAE |
| Functional Software, Inc. (Sentry) | Error monitoring | USA |
| Upstash, Inc. | Rate limiting + scheduled jobs (QStash) | USA |
During the beta phase, all queries to AI providers are made using the HEYGAVI system API key. The Controller bears responsibility for these data flows. After the beta phase, the Application will introduce a BYOK (Bring Your Own Key) option — at that point the relationship with the chosen AI provider will be established directly by the User.
§ 5. International transfers (outside the EEA)
- Some of our processors (Supabase, Vercel, OpenAI, Anthropic, Google, Sentry, Upstash) are located in the United States.
- Transfers occur on the basis of:
  - Standard Contractual Clauses (SCCs) of the European Commission — Implementing Decision (EU) 2021/914;
  - in the case of OpenAI, a Data Processing Agreement containing SCCs;
  - where applicable, the EU-US Data Privacy Framework, to the extent the given entity is certified under it.
- Copies of relevant agreements are available on request to team@heygavi.com.
§ 6. Retention periods
| Data | Retention period |
|---|---|
| Account data (email, name, avatar) | Until Account deletion by the User |
| Meal data, AI conversations | Until Account deletion |
| Error logs (Sentry) | 30 days |
| Rate-limit cache (Redis) | 24 hours |
| Database backups (Supabase) | 7 days |
§ 7. Your rights
Under GDPR you have the following rights:
- Right of access (Art. 15) — see what data we process;
- Right to rectification (Art. 16) — correct inaccurate data in Settings;
- Right to erasure (Art. 17, “right to be forgotten”) — delete the Account in Settings → Account;
- Right to restriction (Art. 18);
- Right to object (Art. 21);
- Right to data portability (Art. 20) — request a copy of your data in a structured format (JSON);
- Right to withdraw consent (Art. 7) — withdraw consent for health-data processing in Settings → Personalization → Health (the data is removed from the database);
- Right to lodge a complaint with the Polish Data Protection Authority (UODO) — https://uodo.gov.pl — or your local supervisory authority within the EU/EEA.
§ 8. Cookies
- HEYGAVI uses only essential cookies necessary for service operation:
  - Authentication session cookie (Supabase Auth)
  - UI preferences cookie (light/dark theme)
- We do not use marketing, tracking, or analytics cookies that require consent. All cookies in use are essential to operating the service within the meaning of applicable telecommunications law (in Poland: Article 173(3) of the Telecommunications Act of 16 July 2004).
§ 9. Profiling and automated decisions
- HEYGAVI uses AI models to analyse your nutritional data and generate personalised suggestions. This constitutes profiling within the meaning of Article 22 GDPR.
- AI suggestions:
  - are recommendatory in nature, not decision-making;
  - do not produce legal effects nor significantly affect you in an automated manner;
  - are always accompanied by a medical disclaimer;
  - are subject to your acceptance — the Application takes no action on your behalf without your decision.
§ 10. Security
We apply the following security measures:
- Encryption of User API keys (AES-256-GCM)
- HTTPS connections (TLS 1.3)
- Row-Level Security (RLS) at the database level
- Multi-layered rate limiting and abuse protection
- Incident monitoring (Sentry + administrator alerts)
- Database backups (Supabase)
- Automatic security updates (Vercel deploys)
In case of a personal-data breach, you will be notified in accordance with Articles 33-34 GDPR.
§ 11. Changes to this Policy
- This Privacy Policy may be updated.
- Material changes will be communicated at least 7 days in advance through:
  - email to the address bound to your Account;
  - an in-Application notification requiring acknowledgement.
§ 12. Contact
For data-protection matters please contact us:
- Email: team@heygavi.com
- In writing: DATABEE Sp. z o.o., Plac Bankowy 2, 00-095 Warsaw, Poland.