Privacy Policy
Last Updated: May 7, 2026 — Open beta phase.
1. Introduction
This Privacy Policy explains how Mamaglu ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Mamaglu application and related services (the "Service"), available through:
- Mobile applications (Android and iOS)
- Web application at mamaglu.com and mamaglu.online
- Telegram Bot and Telegram Mini App
We are committed to protecting your privacy and handling your data transparently. This policy describes your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Data Controller
Mamaglu
- Email: support@mamaglu.com
- Website: https://mamaglu.com
Governing law: Republic of Cyprus. For users in the European Economic Area, the lead supervisory authority is the Office of the Commissioner for Personal Data Protection, Republic of Cyprus.
2. What Data We Collect
2.1 Data You Provide Directly
Account data:
- Email address (encrypted at rest)
- Password (hashed, never stored in plain text)
- First name, last name, patronymic (encrypted at rest)
- Date of birth (encrypted at rest)
- Height, initial weight
- Blood glucose measurements (value, measurement type, timestamp)
- Body weight measurements
- Food intake descriptions and meal photos
- Pregnancy-related information (LMP date, embryonic weeks/days, pregnancy term)
- AI assistant conversation history
- Glucose threshold preferences (target ranges)
- Measurement reminder schedules
- Weekly report preferences (day of week, time)
- Push notification and Telegram notification settings
2.2 Data Collected Through Authentication Providers
When you link your account to third-party authentication services, we receive:
- Google: email address, Google account identifier
- Apple: Apple account identifier, email (may be a private relay address)
- Telegram: Telegram user ID, username
2.3 Data Collected Automatically
- Authentication tokens: JWT access and refresh tokens stored in HttpOnly cookies
- Device information: push notification tokens (for web and iOS), device type for sync functionality
- Server logs: request path, status code, response time (no personal data is logged)
We do not use web analytics, tracking pixels, or third-party analytics services.
3. How We Use Your Data
We process your data for the following purposes:
| Purpose | Data Categories Used |
|---|---|
| Account creation, authentication, and security | Email, password, OAuth identifiers |
| Glucose and weight tracking and visualization | Glucose records, weight records, profile data |
| AI-powered food recognition | Food photos, food descriptions |
| AI-generated health insights | Glucose records, weight records, food records, profile data |
| AI assistant conversations | Profile data, glucose records, food records (as context for responses) |
| Measurement reminders and notifications | Reminder preferences, push tokens, Telegram user ID |
| Data synchronization across your devices | All health and profile data |
| CSV data export | Glucose records, weight records |
| Email communication (verification, password reset) | Email address |
| Subscription management and payment processing | Account data, payment identifiers |
| Service improvement and debugging | Anonymous usage patterns, error logs (no health data) |
4. Legal Basis for Processing
4.1 Standard Personal Data (Art. 6 GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Account management and authentication | Performance of a contract (Art. 6(1)(b)) |
| Providing core tracking features | Performance of a contract (Art. 6(1)(b)) |
| Sending service-related emails (verification, password reset) | Performance of a contract (Art. 6(1)(b)) |
| Push notifications and reminders (as configured by you) | Performance of a contract (Art. 6(1)(b)) |
| Subscription and payment processing | Performance of a contract (Art. 6(1)(b)) |
| Service improvement and debugging | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4.2 Special Category Data — Health Data (Art. 9 GDPR)
Health data receives heightened protection under Art. 9 GDPR. Processing is prohibited by default and permitted only under specific conditions. We process your health data based on:
Explicit Consent (Art. 9(2)(a))
When you create an account, you are asked to provide explicit consent for the processing of your health data. This consent is:
- Specific: you consent to processing of health data for the purposes listed in Section 3
- Informed: this policy explains what data we process, why, and how
- Freely given: you are not required to consent to use the basic features; however, health tracking is the core purpose of the Service
- Revocable: you may withdraw consent at any time (see Section 9.7). Withdrawal does not affect the lawfulness of processing before withdrawal
We do not use your health data for:
- Automated decision-making that produces legal effects
- Marketing or advertising purposes
- Sale to third parties
- Profiling for purposes unrelated to the Service
5. Data Retention
We retain your data only as long as necessary for the purposes stated in this policy:
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data (email, password) | Duration of account + 30 days after deletion request | Account deletion triggers cascade removal |
| Profile data | Duration of account + 30 days after deletion request | |
| Glucose records | Duration of account + 30 days after deletion request | |
| Weight records | Duration of account + 30 days after deletion request | |
| Food records and photos | Duration of account + 30 days after deletion request | |
| AI conversation history | Duration of account + 30 days after deletion request | |
| OAuth tokens | Until revoked or account deleted | |
| Push notification tokens | Until account deleted or token invalidated | |
| Server logs | 30 days | No personal data in logs |
| Payment records | As required by applicable tax law | Typically 5-7 years |
| Consent records | Duration of account + 3 years after account deletion | Required for compliance demonstration |
6. Data Sharing and Third-Party Recipients
We do not sell your personal data to third parties. We share data only as described below:
6.1 Service Providers (Data Processors)
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenRouter | AI food recognition, AI health insights, AI assistant | Food photos, glucose records, weight records, profile data, conversation history | United States |
| OpenAI (Whisper API) | Speech-to-text for AI assistant voice messages | Audio recordings | United States |
| Google | OAuth authentication | Email, Google account ID | United States |
| Apple | Sign In with Apple authentication | Apple account ID, email (private relay) | United States |
| Telegram | Bot and Mini App authentication, notifications | Telegram user ID, username, notification content | Global (Telegram servers) |
| Hetzner | Server hosting (VPS) | All application data | Germany / Finland |
| Stripe / YooKassa | Payment processing | Payment identifiers, transaction amounts | United States / Russia |
| Apple App Store / Google Play | In-app purchase processing | Purchase tokens | United States |
| SMTP server | Email delivery | Email address, email content | Germany (Hetzner VPS) |
6.2 Data Processors Under GDPR
All service providers that process personal data on our behalf are bound by Data Processing Agreements (DPAs) that comply with Art. 28 GDPR.
6.3 Legal Disclosures
We may disclose your data if required by law, court order, or governmental regulation.
7. AI Data Processing
The Service uses artificial intelligence for several features:
7.1 Food Recognition
When you take a photo of your meal:
1. The image is encrypted in transit (HTTPS) and sent to our backend
2. It is forwarded to OpenRouter's API for analysis
3. The AI returns a description and nutritional estimates
4. The food description and AI response are encrypted at rest in our database
7.2 Health Insights
AI-generated insights analyze your glucose and food data to provide personalized observations. Data is sent in each API request; we do not fine-tune models on your data.
7.3 AI Assistant
The conversational AI assistant has access to your profile, glucose history, food records, and pregnancy data as context. Voice messages are sent to OpenAI Whisper for transcription. Conversation history is stored encrypted at rest.
7.4 AI Provider Safeguards
We have configured our AI provider integrations to use zero-retention API endpoints where available, exclude your data from provider training datasets via opt-out where supported, and transmit only the minimum data necessary.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
8.1 Right of Access (Art. 15)
You may request a copy of the personal data we hold about you. You can access most of your data directly through the Service.
8.2 Right to Rectification (Art. 16)
You may correct inaccurate or incomplete personal data. Most profile and health data can be edited directly in the Service.
8.3 Right to Erasure — "Right to be Forgotten" (Art. 17)
You may request deletion of your personal data. You can delete your account and all associated data using the "Delete Account" feature in the Service settings.
8.4 Right to Restriction of Processing (Art. 18)
You may request that we restrict processing of your data in certain circumstances.
8.5 Right to Data Portability (Art. 20)
You may request your data in a structured, commonly used, machine-readable format. Glucose and weight data can be exported as CSV from the Service.
8.6 Right to Object (Art. 21)
You may object to processing based on legitimate interests.
8.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent (including health data), you may withdraw consent at any time. To withdraw consent, contact us at support@mamaglu.com.
8.8 Right to Lodge a Complaint (Art. 77)
You have the right to lodge a complaint with a supervisory authority in your EU member state of residence. We encourage you to contact us first at support@mamaglu.com.
9. International Data Transfers
Your data is stored on servers located in the European Union (Germany and Finland, via Hetzner). We do not transfer your data outside the EU/EEA except:
- AI processing (OpenRouter, OpenAI): data is transmitted to US-based providers. These transfers are safeguarded by Standard Contractual Clauses (SCCs) where applicable, the provider's participation in the EU-US Data Privacy Framework (where certified), and your explicit consent for health data processing.
- Telegram services: if you use Telegram Bot or Mini App features, your Telegram user ID and notification data are processed by Telegram (global infrastructure).
- Payment processing: purchase tokens through App Store or Google Play are processed according to the respective platform's terms.
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
Encryption:
- All data in transit: TLS 1.3 (HTTPS)
- Personal data at rest: AES-256-GCM (email, names, birth date, pregnancy dates)
- Food descriptions and AI responses: encrypted at rest
- Passwords: bcrypt
- Email lookups: Argon2id blind indexing
- JWT access tokens (60 minutes, HttpOnly cookies)
- Two-factor authentication (TOTP) available
- Admin endpoints: IP whitelist and separate authentication
- Regular security updates and dependency patches
- Rate limiting on authentication endpoints
- CSRF protection, input validation
- AI prompt injection detection
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
11. Cookies and Similar Technologies
11.1 Essential Cookies
We use the following strictly necessary cookies (no consent required under ePrivacy Directive):
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| access_token | Authentication | 60 minutes | HttpOnly, Secure, SameSite |
| refresh_token | Session renewal | 30 days | HttpOnly, Secure, SameSite |
| gsd_authenticated | Client-side auth state hint | 30 days | Secure |
11.2 No Tracking Cookies
We do not use third-party tracking cookies, analytics cookies, advertising or retargeting cookies, social media tracking pixels, or fingerprinting techniques.
11.3 No Cookie Banner Required
Because we use only strictly necessary (essential) cookies, we do not display a cookie consent banner.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@mamaglu.com.
13. Data Protection Officer
- Email: support@mamaglu.com
- Subject line: Attn: Data Protection Officer
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the Service and sending an email notification. The "Last Updated" date indicates when it was last revised.
15. Contact Us
- Email: support@mamaglu.com
- Website: https://mamaglu.com
We will respond to all legitimate requests within 30 calendar days.
16. Supervisory Authority
Office of the Commissioner for Personal Data Protection, Republic of Cyprus
- Website: https://www.dataprotection.gov.cy
Alternatively, you may contact the supervisory authority in your EU member state of residence.
This Privacy Policy was last reviewed and updated on May 7, 2026.