Privacy Policy

Last updated: April 20, 2026 · Effective immediately

Plain-English summary: Platito is built for parents of children aged 1–12. We only collect what's needed to plan meals — a child's first name, age, allergies, and food preferences — and we don't sell it. Analytics are cookieless and consent-gated. You can export or delete everything at any time. Questions: [email protected].

1. Who we are

Platito ("we", "us", "the app") is a weekly meal-planning app for families with children aged 1–12. The service is operated by the Platito team. For privacy matters, contact us at [email protected]. If you are in the EU/UK, you may also contact our designated representative at the same address.

2. What we collect

We try to collect the minimum data required to make the app useful. This includes:

When you use Platito without an account

Local device data only: your child's first name, age (as a range), allergies, cooking-style preference, preferred supermarket, saved menus, recipe ratings, and Chef AI memory notes. All of this stays on your device in browser storage (localStorage). We cannot see it.
Anonymous technical data: an anonymized session identifier; the app version; browser type; general region (country-level) for localization; referral source if provided via URL.

When you create a Platito account

Email address — for login and service notifications.
Profile data — the same fields as above, synced to our database so you can use Platito from multiple devices.
Authentication metadata — last-login timestamp, session tokens. Managed by our auth provider (Supabase).

Chef AI conversations

When you chat with Chef AI, the message text is sent to our servers and to our AI provider (Anthropic) to generate a response. We do not store chat history on our servers beyond the session required to generate the response. Anthropic processes the request under their Commercial Privacy Policy and does not train their models on your conversations.

3. Why we collect it

We use your data for these purposes only:

To generate personalized weekly meal plans and grocery lists.
To remember your preferences across devices (if you have an account).
To answer your Chef AI questions.
To provide you with a nutrition summary of your week.
To measure whether the product is working (aggregated, cookieless analytics) — but only after you accept the privacy notice.
To contact you about service-critical issues (account-related emails only; no marketing without separate consent).

We do not: sell your data, rent your data, use your data to train AI models, build advertising profiles, or share data with advertisers.

4. Children's data (COPPA)

Platito is designed for parents. The parent is always the account holder and the legal user. We never knowingly collect data directly from a child under 13. However, the parent inputs information about their child — the child's first name, age, allergies, and food preferences. This data:

Is treated with the same protections as adult personal data under GDPR/CCPA.
Is used only to personalize meal planning — never for advertising, analytics, or external sharing.
Is never used as an input to third-party AI training pipelines. We send only the minimum necessary context (e.g. age range and allergies) to the AI model during meal generation, never the child's real name.
Is automatically deleted when the parent deletes their account. Local data can be wiped at any time with "Reset app data" in Settings.

If you are a parent in the United States and have concerns about COPPA compliance, contact [email protected].

We share data with a small number of service providers, only as needed to operate Platito:

Supabase (authentication + database) — stores your account + synced profile if you sign up. Privacy policy.
Cloudflare (hosting + CDN + AI proxy workers) — serves the app and routes Chef AI requests. Privacy policy.
Anthropic (Chef AI provider) — processes your chat messages to generate meal suggestions. Privacy policy.
Plausible Analytics (usage measurement) — cookieless, privacy-first analytics. We do not send personal data as event properties. Privacy policy.

We do not share your data with advertisers, data brokers, or third parties outside of the list above.

6. Cookies & tracking

Platito uses no tracking cookies. We set one strictly-necessary cookie for authentication session management (when you sign in), and we store your preferences locally on your device (browser localStorage). Our analytics provider, Plausible, is cookieless by design and does not track you across other sites.

Analytics only load after you accept the privacy notice. You can refuse at any time by clearing site data in your browser or tapping "Reset app data" in Settings.

7. Your rights (GDPR, UK GDPR, CCPA/CPRA)

Wherever you live, you can always:

Access the data we hold about you — email [email protected].
Export it in a machine-readable format (JSON).
Correct or delete it — you can delete most data yourself in Settings, and we'll honor a full account deletion within 30 days.
Object to processing, or withdraw consent at any time.
Lodge a complaint with your local data protection authority (EU), the ICO (UK), or the California Attorney General's office (CA).

If you are a California resident, you have additional rights under the CCPA/CPRA to know what personal information is collected, to request deletion, and to opt out of any sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising.

8. Data retention

Account data: retained until you delete your account. After deletion, we fully purge within 30 days.
Local device data: stays on your device until you clear it or reset the app.
Chef AI conversations: not stored on our servers beyond the request lifecycle.
Anonymous analytics: retained in aggregate for up to 24 months.

9. Security

We use TLS encryption in transit, Supabase row-level security on every table, environment-isolated production secrets, and no secrets in the client bundle. No method is 100% secure, but we aim to meet SOC 2 practices where our providers support them (Supabase, Cloudflare, Anthropic all hold SOC 2 Type II).

If we ever suffer a breach affecting your personal data, we will notify affected users within 72 hours as required by GDPR Art. 33 / CCPA §1798.82.

10. International transfers

Platito is operated globally. Data may be processed in the United States (Cloudflare, Anthropic) and the European Union (Supabase). We rely on the Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework for transfers out of the EEA/UK.

11. Changes to this policy

If we make material changes, we will notify account holders by email at least 14 days before they take effect. For non-material changes, we'll update the "Last updated" date at the top. Continued use after updates signals acceptance.

12. Contact

Privacy questions, data requests, or complaints:
[email protected]

We respond within 5 business days.

Privacy Policy

1. Who we are

2. What we collect

When you use Platito without an account

When you create a Platito account

Chef AI conversations

3. Why we collect it

4. Children's data (COPPA)

5. Who we share with

6. Cookies & tracking

7. Your rights (GDPR, UK GDPR, CCPA/CPRA)

8. Data retention

9. Security

10. International transfers

11. Changes to this policy

12. Contact