Privacy policy.

01Our commitment

Shape Me Up handles sensitive data: conditions, allergies, measurements, weigh-in photos, mood logs. This data stays with you, encrypted, hosted in the European Union, never resold to a third party.

In 4 lines: strict GDPR, EU-only hosting (Azure West Europe), encryption in transit (TLS 1.3) and at rest (AES-256), no reselling. You can export everything or delete everything at any time, without asking our permission.

02Data controller

The controller of your personal data is:

• <Brand> SAS — RCS Paris <numéro TBD>
• Office: <adresse légale TBD>
• General contact: contact@<domain>
• DPO contact: dpo@<domain>

03Data collected

We collect only what we need to run the app and keep our commitments. Here is the exhaustive list, by category:

• Identity — Email, first name, password (hashed). Basis: non-sensitive.
• Health profile — Conditions, allergies, intolerances, chosen diets. Basis: sensitive (GDPR art. 9).
• Measurements — Weight, height, waist circumference, body fat %, weigh-in photos. Basis: sensitive.
• Sport profile — Level, equipment, off days, injuries. Basis: non-sensitive.
• Cooking profile — Equipment, household, budget, typical week. Basis: non-sensitive.
• App activity — Recipes viewed, sessions completed, meals validated, glucose readings logged. Basis: sensitive.
• Technical logs — IP, user-agent, connection timestamps (anonymised after 30 days). Basis: non-sensitive.

At this stage (pre-launch waitlist phase), only the email is collected via the waitlist form. The rest applies to the app once launched.

04Purposes

For each data category we have defined a clear purpose. If a purpose does not appear here, we do not process your data for it.

• Waitlist enrolment: send you a launch invitation email with your "3 months Premium free" code.
• Personalisation: compose your menu, your groceries, your sessions calibrated on your health + sport profile.
• Tracking: display your trend charts (weight, measurements, glucose, sleep).
• Adaptation: adjust your plan based on context (weather, travel, dietary deviation).
• Security: prevent abuse, detect suspicious logins, protect your account.
• Support: answer your questions, handle bugs and help requests.
• Product improvement: aggregated, anonymised statistics on feature usage. No identifying data is used.

05Legal basis (GDPR art. 6 and 9)

• Account creation + Free access — Contract performance (art. 6.1.b).
• Health data (conditions, glucose…) — Explicit consent (art. 9.2.a).
• Analytics + preferences cookies — Consent (art. 6.1.a).
• Essential cookies (session, security) — Legitimate interest (art. 6.1.f).
• Waitlist enrolment — Explicit consent on signup (art. 6.1.a).
• Newsletter, marketing communications — Consent (art. 6.1.a), separate opt-in, revocable at any time.

06Retention

• Waitlist email: until launch + 12 months, then deletion.
• Active account: as long as you use the app.
• Inactive account: 12 months after last login, reactivation email, then deletion.
• Health profile after account deletion: immediate, irreversible deletion.
• Billing data: 10 years (FR legal obligation), then automatic deletion.
• Security logs: 12 months, then anonymisation and deletion.
• Analytics cookies (consented): 13 months maximum, then automatic deletion.

07Sub-processors

Your data does not leave the Shape Me Up perimeter, except for the following sub-processors — all bound by a GDPR processing agreement (art. 28):

• Microsoft Ireland Operations Limited — Application + database hosting (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Irlande, Ireland EU).
• Plausible Analytics — Cookieless web analytics, aggregated (Germany EU).

This list will be updated when we enter the transactional phase: at that point, we will add the sub-processors needed for payment processing, transactional emails and error monitoring. You will be notified by in-app notification and by an update to this document.

None of your medical data leaves Azure West Europe.

08Transfers outside the EU

No transfer outside the EU is performed for user data. All our sub-processors are located in the European Economic Area (EEA) or in a country covered by an adequacy decision of the European Commission.

If, in the future, a transfer outside the EU were to be necessary (extremely rare), it would be governed by the Standard Contractual Clauses (SCCs) of the European Commission (decision 2021/914) and you would be informed in advance with the possibility to object.

09Your rights (GDPR art. 15-22)

• Right of access — Get a copy of all data we hold about you, in a readable format.
• Right of rectification — Correct any inaccurate or incomplete data about you.
• Right to erasure — Request the permanent deletion of your account and all your data.
• Right to portability — Retrieve your data in a structured, machine-readable format (JSON).
• Right to restriction — Request the suspension of processing of your data.
• Right to object — Object to the processing of your data on legitimate grounds (in particular marketing).

How to exercise your rights? Email to dpo@<domain> with a copy of an ID for verification. Reply within 30 days (GDPR art. 12), free of charge, never conditional.

You can also exercise most of these rights directly in the app settings: "Export my data", "Delete my account".

10DPO + CNIL recourse

Data Protection Officer (DPO)

<Brand> SAS has designated a Data Protection Officer to handle any GDPR question:

• Email: dpo@<domain>
• Postal: <Brand> SAS — DPO, <adresse légale TBD>

CNIL recourse

If you believe the processing of your data violates regulations, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

• 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
• +33 (0)1 53 73 22 22
• www.cnil.fr · online complaint form

We'd prefer to talk first — write to us at dpo@<domain>, we commit to a human reply within 48 working hours.