Privacy Policy

How AfriDish collects, uses, and protects your personal and health data

Last updated: 22 April 2026 · Effective: 22 April 2026

Health data notice

AfriDish handles your health condition data with the highest level of care. This data is used exclusively to generate your personalised meal plans. It is never sold, never shared with advertisers, and never used for profiling beyond your direct service.

Who We Are

AfriDish is operated by Vital Rise Health LLC, a company registered in Wyoming, USA. We provide personalised African meal planning and nutrition guidance through our website and mobile application.

Our Data Protection contact: privacy@afridish.co

For EU/EEA users, AfriDish acts as a Data Controller under the General Data Protection Regulation (GDPR).

Data We Collect

Account data: email address, display name, preferred language, and country of residence.

Health profile: health conditions you disclose (e.g. diabetes, hypertension, kidney disease), dietary preferences, cuisine preferences, and household member profiles you create.

Meal plan data: generated meal plans, saved dishes, grocery lists, and health reports.

Payment data: Stripe processes your card details directly — AfriDish never stores raw payment card numbers. We store your Stripe customer ID and subscription tier.

Usage data: pages visited, features used, session duration, and device/browser type for service improvement.

Communications: emails or messages you send us for support or feedback.

Why We Collect It (Legal Basis)

Contract performance: to provide the meal planning and health guidance services you subscribe to.

Legitimate interests: to improve the app, prevent fraud, and maintain service security.

Consent: for health condition data (special category under GDPR Article 9) — you provide explicit consent during onboarding. You may withdraw this consent at any time, which will delete your health profile.

Legal obligation: to comply with applicable tax, financial, and regulatory requirements.

Health Data — Special Category

Health condition data is sensitive personal data under GDPR and similar laws. We collect it solely to generate meal plans tailored to your health needs.

Your health data is never sold, never shared with advertisers, and never used for any purpose other than generating your personalised meal plans and health reports.

Nutritionists you book consultations with through AfriDish receive only the health information necessary for your consultation, and only after you initiate the booking.

We process health data based on your explicit consent (GDPR Article 9(2)(a)). You can delete your health profile at any time from your account settings.

How We Share Your Data

Supabase (database and authentication) — EU West region (Ireland), SOC 2 compliant.

OpenAI — your health profile and preferences are sent to GPT-4 to generate meal plans. No personally identifying information (name or email) is included in these prompts.

Stripe — processes payments and manages subscriptions. Subject to Stripe's privacy policy.

Resend — sends transactional emails (booking confirmations, payout notifications). Only your email address is shared.

Nutritionists you book — receive your name and relevant health details only for the booked consultation.

We do not sell your data. We do not share your data with advertisers, data brokers, or any third parties for marketing purposes.

Data Retention

Active account data is retained while your account is active.

Health profiles are retained for 7 years after account deletion — this aligns with medical and health data retention standards and legal obligations.

Payment records are retained for 7 years for tax and financial compliance.

You may request early deletion of your health profile at any time (see Your Rights section). Payment records required for legal compliance cannot be deleted early.

Usage logs are retained for 12 months.

Your Rights (GDPR Articles 15–20)

Right of Access (Article 15): request a copy of all personal data we hold about you.

Right to Rectification (Article 16): correct inaccurate or incomplete data.

Right to Erasure (Article 17): request deletion of your account and personal data, subject to legal retention obligations.

Right to Data Portability (Article 20): receive your data in a machine-readable format (JSON or CSV).

Right to Restriction (Article 18): ask us to stop processing your data while a dispute is resolved.

Right to Object (Article 21): object to processing based on legitimate interests.

Right to Withdraw Consent: withdraw consent for health data processing at any time without affecting the legality of prior processing.

To exercise any right, email privacy@afridish.co. We will respond within 30 days.

Cookies

AfriDish uses only essential session cookies to keep you securely signed in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

See our Cookie Policy for full details.

International Transfers

Your data may be processed in the United States (Supabase US infrastructure, OpenAI, Stripe) and Ireland (Supabase EU West).

For EU/EEA users, transfers to the US rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Chapter V.

Children's Privacy (COPPA, Apple, GDPR-K)

AfriDish is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.

Under the US Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it within 7 days and notify the child's parent or guardian where possible.

For the EU/EEA, our minimum age aligns with each member state's digital-consent age (13–16 under GDPR-K, Article 8). Children below that age in any jurisdiction must not use AfriDish.

Our Family Vault feature lets adult account holders create child profiles for meal-planning purposes only. Child profiles store only an age and dietary restrictions provided by the parent — never an email, name, photo, or independent login. The child does not access AfriDish directly.

Parents or guardians who believe their child has provided personal data to us can email privacy@afridish.co — we will delete the data and confirm in writing within 7 days.

Mobile App Permissions and Data

When you use the AfriDish mobile app (iOS / Android), the following device data may be processed locally on your device or transmitted to our servers only with your active consent:

Camera and Photos: only when you tap "Scan food label" or "Upload lab result". Images are sent to our server, processed, and discarded — never stored beyond the immediate session unless you save the result to your profile.

Push Notifications: only after you tap "Allow notifications". Used for meal-plan reminders, booking confirmations, and trial-end reminders. You can revoke at any time in your OS settings.

Location: never collected automatically. The marketplace city filter uses an IP-based rough city approximation only when you visit /marketplace; no precise GPS is requested or stored.

Health Kit / Google Fit: not integrated. AfriDish does not read or write to your phone's health data unless we explicitly request your permission in a future release.

Identifiers for Advertisers (IDFA / Google Advertising ID): not collected. AfriDish does not run any advertising or behavioural-tracking SDKs.

How to Delete Your Account

You can permanently delete your account at any time from Settings → Danger zone → Delete my account. You will be asked to type DELETE to confirm.

Once you confirm, your auth record is removed within seconds and all linked data (health profile, meal plans, grocery lists, family member profiles, bookings, lab results, community posts) is cascaded immediately by the database.

Any active Stripe subscription is cancelled in the same request — no further charges. You will not receive a prorated refund for the unused portion of the current billing period.

Records we are legally required to keep (payment receipts for tax compliance, transaction records under financial regulations) are retained for 7 years in a separated billing archive that contains no health data.

You can also request deletion by emailing privacy@afridish.co — we will action it within 30 days as required by GDPR Article 17.

Changes to This Policy

We will notify you by email at least 30 days before making material changes to this policy. The updated policy will be posted here with a new effective date.

Privacy questions or data requests: privacy@afridish.co

© 2026 Vital Rise Health LLC · All rights reserved