Privacy Policy
This Privacy Policy explains what personal data Brunt collects when you use the service at brunt.care, why we collect it, how long we keep it, and what choices you have. We try to use plain English. If anything is unclear, write to hello@brunt.care.
1. Who is the data controller?
The data controller is the individual operating Brunt as a sole contributor at the time of writing (see the Legal notice for full contact details). Contact for any privacy matter: hello@brunt.care.
2. What we collect
2.1 Account data
- Your e-mail address (used to sign in and receive service notices).
- A hash of your password (we never store the password itself).
- The country you select at signup (used to localise units and ingredients).
2.2 Family profile data
For each family member you create, you may enter:
- A name or nickname.
- An age band, sex, height and weight.
- A nutritional goal (maintain, lose, gain) and an activity level.
- Dietary preferences or restrictions (e.g. vegetarian, no pork).
These data points are used to compute indicative energy needs (Mifflin-St Jeor formula) and to tailor the suggested meals. They are entered by you, on a voluntary basis. Brunt does not record or store any medical diagnosis, pathology, or treatment.
2.3 Planning & activity data
- Pantry items you tell Brunt you have on hand.
- Generated menus, grocery lists, and recipes.
- Optional activity sessions (type, duration, perceived effort).
2.4 Technical data
- Standard server logs (IP address, request path, user agent) kept for up to 30 days for security and abuse mitigation.
- A session cookie (signed with an HMAC, no third-party tracker).
2.5 Waitlist signup
If you register on the public waitlist at brunt.care, we store your e-mail address, the language you submitted the form in, an optional country code, and a timestamp. We use this data to invite you into the private beta and to send the welcome reply by hand. You can ask for your address to be removed at any time by writing to hello@brunt.care.
2.6 Payment data
Brunt does not collect payment data today. The service is offered free of charge during the private beta. When paid plans are introduced, this section will be updated and existing users will be notified before any change.
3. Why we use it (lawful bases under GDPR)
| Purpose | Data used | Lawful basis |
|---|---|---|
| Provide the service (account, planning, history) | Account + family profile + planning data | Contract (Art. 6(1)(b)) |
| Compute energy estimates and tailor suggestions | Profile data you entered | Contract + your input |
| Operate the waitlist and onboard you to the private beta | E-mail address (+ optional country / language) | Consent (Art. 6(1)(a)) |
| Keep the service secure (rate limits, logs) | IP, request metadata | Legitimate interest (Art. 6(1)(f)) |
| Service e-mails (welcome, password resets) | E-mail address | Contract |
| Manage Premium subscriptions and billing (via Lemon Squeezy) | E-mail address, subscription status, billing country | Contract (Art. 6(1)(b)) + legal obligation (accounting) |
4. Sharing with third parties
Brunt uses a small, fixed list of sub-processors:
- Fly.io (US / EU) — application hosting. We run in the
fra(Frankfurt) region. - OVH (France) — domain, transactional e-mail (Zimbra SMTP) and DNS.
- OpenRouter / Anthropic (US) — routing of LLM prompts to generate meal plans. The prompt includes profile and pantry data. Prompts are not used to train any model under our routing contract.
- Neon (EU region, planned) — managed PostgreSQL database. Until then, data is stored on a Fly persistent volume.
- Plausible Analytics (EU) — privacy-friendly traffic analytics on the marketing landing only (not on the app). No cookies, no cross-site tracking, no personal data collected. Only aggregate page counts, referrers and approximate countries.
- Lemon Squeezy, LLC (US) — payment processing for Premium subscriptions, acting as reseller and Merchant of Record. It receives your e-mail address and billing details when you subscribe; your card data is handled entirely by Lemon Squeezy and its payment providers and never reaches our servers. See the Lemon Squeezy privacy policy.
We do not share your data with advertisers. We do not sell it. We do not operate any tracking pixels, ad networks, or third-party analytics on the application surface beyond what is strictly necessary to operate the service.
5. International transfers
OpenRouter, Anthropic, Fly.io and Lemon Squeezy are based in the United States. Where data leaves the EU it does so under the EU Standard Contractual Clauses (or the equivalent Data Privacy Framework where applicable). You can request a copy of the relevant clauses at hello@brunt.care.
6. How long we keep it
- Account & profiles: as long as the account is active. Deleted within 30 days of account deletion.
- Generated menus & lists: same as the account (or until you delete them individually).
- Waitlist e-mail: until you ask us to remove it, or 24 months without us inviting you in (whichever comes first).
- Server logs: 30 days maximum.
7. Your rights
Under the GDPR you have the right to:
- Access the data we hold about you.
- Correct or update it.
- Delete your account and personal data.
- Export your data in a portable format (JSON).
- Restrict or object to certain processing.
- Lodge a complaint with your local data-protection authority (in France: the CNIL).
To exercise any of these rights, write to hello@brunt.care. We respond within 30 days.
8. Children
Brunt is not directed at children under 16. Parents may add a child's profile to a family account, but the parent is the controller of that profile's data and remains responsible for any sensitive information entered.
9. Security
Brunt uses HTTPS everywhere (Let's Encrypt), HMAC-signed session cookies, rate limiting on authentication, and EU-region hosting. Backups of the database are encrypted at rest. Despite these measures no service can guarantee perfect security; please use a strong, unique password.
10. Changes to this policy
We may update this policy as the service evolves. Material changes are announced by e-mail or by a banner on the application. The date at the top of this page always reflects the latest revision.
11. Contact
Anything privacy-related, just write: hello@brunt.care.