Privacy Policy
Last updated: April 30, 2026
1. Data controller
DOMYLI (“we”, “us”) is the data controller for all personal data processed through the DOMYLI web and mobile applications. Contact: privacy@domyli.com.
2. Data we collect
Account data
Email address — used to authenticate you via a magic link. We do not store passwords.
Household data
Household name, display names of members, meal plans, stock inventory, shopping lists and chore schedules.
Health data (Art. 9 GDPR)
When you voluntarily provide it: biological sex, date of birth, height, weight, activity level, nutritional goal, medical conditions, allergens and dietary preferences. This data is visible only to you and processed exclusively to personalise portion sizes and meal recommendations.
We collect health data only with your explicit consent, which you can withdraw at any time from your profile.
Device & usage data
Push notification tokens (mobile only), app logs and error reports. We do not use analytics cookies or third-party tracking.
Payment data
Billing is handled entirely by Stripe. We never store card numbers. We retain only the Stripe customer ID and subscription status.
3. Legal basis
- Contract performance — account, household, and subscription data needed to provide the service.
- Explicit consent — health data (Art. 9 GDPR).
- Legitimate interest — security logs, abuse prevention.
4. How we use your data
- Provide and improve the DOMYLI service.
- Send transactional emails (magic links, invitations, billing receipts).
- Send push notifications you have opted into.
- Calculate nutritional recommendations (on-device, not shared).
We do not sell your data. We do not use it for advertising profiling.
5. Data sharing
We share data only with:
- Supabase (database hosting, EU region) — data processor under DPA.
- Stripe (payment processing) — for billing only.
- Expo / EAS (mobile build infrastructure) — push token delivery only.
6. Data retention
- Account data: retained while your account is active, then deleted within 30 days of account deletion.
- Health data: deleted immediately when you withdraw consent or delete your account.
- Billing records: 10 years (legal obligation in France).
- Push tokens: deleted when you sign out or revoke notification permission.
7. Your rights (GDPR)
Under GDPR you have the right to access, rectify, erase, restrict and port your data, and to object to its processing. For health data you also have the right to withdraw consent at any time without affecting prior processing.
To exercise these rights, email privacy@domyli.com. We respond within 30 days. You may also lodge a complaint with your national data protection authority (France: CNIL — www.cnil.fr).
8. Cookies
We use a single session cookie required for authentication. No third-party tracking or advertising cookies are placed. No cookie consent banner is required for strictly necessary cookies.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Health data is protected by row-level security policies: only you can read your own health records. We perform regular security reviews.
10. Children
DOMYLI is not directed at children under 13. Users must be at least 13 to create an account. Household “child” members are managed by an adult account holder and cannot directly submit health data.
11. Changes to this policy
We will notify you by email before making material changes. Continued use after the change date constitutes acceptance.