Privacy Policy

1. Who we are

Grub is operated as a sole trader based in Dublin, Ireland. For the purposes of the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Acts 1988–2018, the data controller is:

Grub
Dublin, Ireland
Email: getgrubie@gmail.com

We are subject to the supervision of the Data Protection Commission (DPC), Ireland's data protection supervisory authority.

2. Data we collect

Account data

When you create an account we collect:

Name and email address (from you directly, or from Apple / Google Sign-In)
Authentication provider identifier (Apple user ID or Google user ID)
Friend code (randomly generated, used to add friends in-app)

Profile & goal data

During onboarding and in your profile settings you may provide:

Date of birth, biological sex, height, and weight
Target weight, weekly weight-loss rate, and activity level
Dietary preferences (e.g. vegetarian, gluten-free)
Daily calorie and macro targets
How you heard about Grub (referral source)

Food & nutrition logs

Foods logged, including name, quantity, meal type, and nutritional data
Barcode scans and manual food entries
Recipes you create or save
Meals saved to your library
Hydration entries
Fasting timer sessions
Workout logs

Weight history

Weight entries you log manually or that are pulled from Apple Health, with timestamps.

Social data

Friend connections (friend codes used to add friends)
Recipes or meals shared with friends
Nudges and cheers sent to friends

Gamification data

Logging streaks, daily points, total points
Badges earned

Apple Health data (optional)

If you grant permission, Grub reads from Apple HealthKit:

Height and weight (to pre-fill your profile)
Steps and active energy burned (to adjust calorie targets)
Workouts

Grub also writes calorie and nutrition data back to Apple Health. HealthKit data is processed on-device and is never sent to our servers — it is only used locally to personalise your targets.

Usage & analytics data

We collect limited, anonymised analytics about how features are used (e.g. paywall impressions, feature interactions) to help us improve the app. This data does not identify you personally.

Technical data

App version and iOS version (for debugging)
Device type (inferred from StoreKit, not collected explicitly)

3. How we use your data

Purpose	Data used	Legal basis
Provide and personalise the app	Account, profile, food logs, goals	Contract performance
Sync your data across devices	Account, logs, recipes, weight	Contract performance
Calculate calorie & macro targets	Age, sex, height, weight, activity, goal	Contract performance
Enable friends & social features	Friend code, name, streak, points	Contract performance
Send push notifications	Notification token, meal reminders	Consent
Process subscription payments	Handled entirely by Apple — we never see payment data	Contract performance
Improve the app (analytics)	Anonymised feature usage events	Legitimate interests
Respond to support requests	Name, email, app data relevant to the issue	Legitimate interests
Comply with legal obligations	As required by applicable law	Legal obligation

4. Legal bases for processing

Under the GDPR, we rely on the following legal bases:

Contract performance (Article 6(1)(b)): Processing necessary to provide the Grub app and its features as described in our Terms of Service.
Consent (Article 6(1)(a)): Where you have given explicit consent — specifically for push notifications and, where applicable, for the processing of health data.
Legitimate interests (Article 6(1)(f)): For analytics and product improvement, where our interest in improving the app is balanced against your rights and does not override them.
Legal obligation (Article 6(1)(c)): Where processing is required by applicable law.

You may withdraw consent at any time. Withdrawing consent for push notifications can be done in your iPhone Settings. Withdrawing consent for health data can be done in the Health app under Sources. Withdrawal of consent does not affect the lawfulness of prior processing.

5. Health & sensitive data

Certain data we process — including health metrics (weight, calorie intake, nutrition information) and biometric data sourced from Apple Health — may constitute special category data under Article 9 of the GDPR.

We process this data only:

With your explicit consent, given when you grant HealthKit permissions or manually enter health data in the app
To the extent necessary to provide the core functionality of the Grub app (personalised nutrition tracking)

You can withdraw consent for health data at any time by revoking Grub's access in iPhone Settings → Privacy & Security → Health, or by deleting your account from within the app.

HealthKit data is processed locally on your device and is not transmitted to our servers.

6. Third parties

We share data with the following third-party service providers where necessary to operate Grub:

Supabase

Our backend database and API provider. Your account data, food logs, recipes, and social data are stored on Supabase servers. Supabase acts as a data processor on our behalf under a Data Processing Agreement. Servers are located in the EU (AWS eu-west-1, Ireland).

Supabase Privacy Policy

Apple

Sign in with Apple, Apple HealthKit, push notifications (APNs), and in-app purchases (StoreKit) are provided by Apple Inc. Apple processes authentication and payment data under its own privacy policy. We do not receive payment details — Apple handles all billing.

Apple Privacy Policy

Google

If you choose to sign in with Google, your name and email address are shared by Google with Grub for authentication purposes. This is governed by Google's privacy policy.

Google Privacy Policy

Open Food Facts

When you search for foods not in our local database, queries are sent to the Open Food Facts API. Search queries may include food names or barcodes. No personal data is sent.

Open Food Facts Privacy Policy

We do not sell, rent, or trade your personal data with any third parties for marketing purposes.

7. International transfers

Your data is stored on Supabase infrastructure in the EU (Ireland, AWS eu-west-1) and is not routinely transferred outside the European Economic Area (EEA).

Where data is processed by third parties (Apple, Google) outside the EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or reliance on adequacy decisions. You can request more information about these safeguards by contacting us at getgrubie@gmail.com.

8. Data retention

We retain your personal data for as long as your account is active. When you delete your account from within Grub, we delete:

Your account and profile data
All food logs, recipes, weight entries, and social data
Any analytics events linked to your user ID

Deletion is processed within 30 days. Some data may be retained for a short period in backup systems before being permanently purged.

We may retain certain data for longer where required by law (e.g. financial records related to subscription transactions, which are retained by Apple).

9. Your rights

Under the GDPR, you have the following rights:

Right of access: You can request a copy of the personal data we hold about you.
Right to rectification: You can correct inaccurate data directly in the app (Profile → Personal Details) or by contacting us.
Right to erasure ("right to be forgotten"): You can delete your account and all associated data from Profile → Settings → Delete Account.
Right to restriction of processing: You can ask us to restrict how we use your data in certain circumstances.
Right to data portability: You can request your data in a structured, machine-readable format.
Right to object: You can object to processing based on legitimate interests, including analytics.
Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at getgrubie@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Data Protection Commission (DPC) if you are unhappy with how we handle your data:

Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
www.dataprotection.ie

10. Children

Grub is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at getgrubie@gmail.com and we will delete it promptly.

Users between 13 and 17 should use Grub only with parental or guardian consent.

11. Cookies & tracking

The Grub app does not use cookies. The Grub website (getgrub.ie) uses only technically necessary local storage and does not use advertising or tracking cookies.

We do not use cross-site tracking, fingerprinting, or advertising networks.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you via a notification in the app or by email.

Continued use of Grub after changes are posted constitutes acceptance of the updated policy.

13. Contact us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Grub
Email: getgrubie@gmail.com
Website: getgrub.ie

We aim to respond to all privacy-related queries within 5 business days.