Privacy Policy of e-dietetyk.com
Last updated: 23 March 2026
1. Data Controller
The controller of your personal data is:
Wirgiliusz Ładziński, ul. Pod Brzozami 16/8a, 03-995 Warszawa, Poland
- E-mail: kontakt@e-dietetyk.com
- Additional e-mail: wirigiliusz@gmail.com
- Phone: +48 515-530-088
In the remainder of this document, the Data Controller is also referred to as the "Controller" or "we".
2. Data Protection Officer
The Controller has not appointed a Data Protection Officer (DPO). In accordance with art. 37 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR"), the appointment of a DPO is not required, as the Controller does not carry out large-scale data processing within the meaning of art. 37(1)(b) and (c) of the GDPR.
For all matters relating to the protection of personal data, you may contact the Controller directly using the details provided in section 1 above.
3. Scope of personal data collected
The Controller collects and processes the following categories of personal data:
| Data category | Examples | Source |
|---|---|---|
| Identification data | E-mail address, password (stored as a cryptographic hash) | Provided by the user during registration |
| Health data (special category of data — art. 9 GDPR) | Weight, height, food allergies, diseases and conditions, dietary goals, responses provided in the nutrition interview form, medical flags | Provided by the user in the interview form |
| Transaction data | Order identifier, product/plan type, amount, payment status, subscription identifier, invoice history | Generated as a result of order processing; payment card data is processed exclusively by Stripe |
| Technical data | IP address, browser type and version (user agent), login dates and times, access and event logs (audit log) | Collected automatically during use of the website |
| Cookie data | Session identifier, language preference (PL/EN), CSRF token, cookie consent status | Stored in the user's browser — details in the Cookie Policy |
Note: The Controller does not collect personal data of persons under 18 years of age. The website is intended exclusively for adult users.
4. Purposes and legal bases for personal data processing
| Purpose of processing | Legal basis | Retention period |
|---|---|---|
| Registration and maintenance of a user account | Art. 6(1)(b) GDPR — performance of a contract for the provision of services by electronic means | For the duration of the contract (account existence); after account deletion — up to 30 days (anonymisation period) |
| Provision of dietary services (collecting interviews, preparing nutrition plans) | Art. 6(1)(b) GDPR — performance of a contract; art. 9(2)(a) GDPR — explicit consent for the processing of health data | For the duration of the contract; health data — until consent is withdrawn or the account is deleted |
| Generating nutrition plans using artificial intelligence (AI) | Art. 6(1)(b) GDPR — performance of a contract; art. 9(2)(a) GDPR — explicit consent; art. 22(2)(c) GDPR — explicit consent for automated decision-making | For the duration of the contract; plans stored in encrypted form |
| Payment and subscription processing | Art. 6(1)(b) GDPR — performance of a contract; art. 6(1)(c) GDPR — legal obligation (accounting and tax regulations) | Transaction data: 5 years from the end of the calendar year in which the transaction was made (Polish Accounting Act — ustawa o rachunkowości) |
| Ensuring website security (logs, abuse detection, protection against attacks) | Art. 6(1)(f) GDPR — legitimate interest of the Controller | Technical logs: up to 12 months; audit logs: up to 5 years |
| Direct marketing (newsletter — optional, currently inactive) | Art. 6(1)(a) GDPR — user consent | Until consent is withdrawn |
| Fulfilment of legal obligations (accounting, taxes, potential claims) | Art. 6(1)(c) GDPR — legal obligation | Period required by law — generally 5 years (accounting) or 6 years (limitation of civil claims) |
5. Automated decision-making and profiling (art. 22 GDPR)
5.1. Description of the process
As part of the provision of services, e-dietetyk.com uses an artificial intelligence model (OpenAI GPT-4.1) to generate personalised nutrition plans based on health data provided by the user in the interview form. This process constitutes automated processing of data, including special category data (health data), within the meaning of art. 22 of the GDPR.
5.2. Role of human oversight
Every nutrition plan generated by AI is mandatorily reviewed by a qualified dietitian before being made available to the user. An AI-generated plan has the status of a "draft" (GENERATED) and is made available to the user only after approval by the dietitian (status REVIEWED). The dietitian may make changes, corrections, or reject the plan.
5.3. User rights
In accordance with art. 22(3) of the GDPR, in connection with automated data processing, you have the following rights:
- the right to obtain human intervention from the Controller (every plan is reviewed by a dietitian);
- the right to express your point of view regarding the generated nutrition plan;
- the right to contest the decision made by automated means.
To exercise the above rights, contact the Controller using the details provided in section 1.
5.4. Legal basis
Automated processing of health data is carried out on the basis of art. 22(2)(c) of the GDPR — the user's explicit consent, given before commencing the health interview and before generating the nutrition plan.
6. Data recipients and sub-processors
The Controller may transfer your personal data to the following categories of recipients:
| Recipient | Location | Purpose of data transfer | Safeguards |
|---|---|---|---|
| OpenAI, LLC | San Francisco, USA | Generating nutrition plans by the AI model (GPT-4.1) based on anonymised/encrypted interview data | Standard Contractual Clauses (SCCs) in accordance with art. 46(2)(c) GDPR; OpenAI Data Processing Addendum (DPA) |
| Stripe, Inc. | San Francisco, USA / Dublin, Ireland (EU) | Processing card payments, subscription management | PCI DSS Level 1 certification; SCCs; Stripe processes card data — the Controller does not have access to full card numbers |
| UAB Hostinger | Vilnius, Lithuania (EU) | Website hosting (VPS server) and database | Processing within the European Economic Area (EEA); data processing agreement |
| Resend, Inc. | USA | Sending transactional e-mails (password reset, confirmations, plan notifications) | SCCs; DPA |
The Controller does not sell users' personal data to third parties.
The Controller does not share personal data for marketing purposes with third parties.
7. Data transfers to third countries
In connection with the use of sub-processor services listed in section 6, your personal data may be transferred to the United States of America (USA), which does not ensure an adequate level of personal data protection within the meaning of a European Commission decision.
7.1. Transfer safeguards
The transfer of personal data to the USA is carried out on the basis of:
- Standard Contractual Clauses (SCCs) approved by the European Commission Implementing Decision 2021/914 of 4 June 2021 — in accordance with art. 46(2)(c) of the GDPR;
- Additional technical and organisational safeguards, including:
  - encryption of health data using the AES-256-GCM algorithm before transfer to the sub-processor (OpenAI);
  - data transmission exclusively via encrypted connections (HTTPS/TLS);
  - minimisation of the scope of data transferred to sub-processors.
7.2. Providers based in the USA
- OpenAI, LLC — data processing for the purpose of generating nutrition plans;
- Stripe, Inc. — payment processing (transaction data; Stripe also has infrastructure in the EU);
- Resend, Inc. — sending transactional e-mails.
A copy of the applicable Standard Contractual Clauses can be obtained by contacting the Controller.
8. Data retention period
| Data category | Retention period | Notes |
|---|---|---|
| User account data (e-mail, password hash) | For the duration of the contract (account existence); after deletion — anonymisation within 30 days | Soft delete + PII anonymisation |
| Health data (interviews, nutrition plans) | For the duration of the contract or until consent is withdrawn; after account deletion — deleted/anonymised | Stored in encrypted form (AES-256-GCM) |
| Transaction data (orders, invoices) | 5 years from the end of the calendar year in which the transaction was made | Obligation under the Polish Accounting Act (ustawa o rachunkowości) |
| Technical data (server logs, access logs) | Up to 12 months | Purpose: security and diagnostics |
| Audit logs (login, data viewing, plan generation) | Up to 5 years | Purpose: accountability, security, potential claims |
| Cookie data | In accordance with the validity period of the respective cookie (see: Cookie Policy) | Session-based or up to 1 year |
| Marketing consents | Until consent is withdrawn | — |
After the retention period expires, data is permanently deleted or anonymised in a manner that prevents identification of the individual.
9. Rights of the data subject
Under the GDPR, you have the following rights:
9.1. Right of access (art. 15 GDPR)
You have the right to obtain from the Controller confirmation as to whether your personal data is being processed, and if so, to access the data and information about the purposes of processing, categories of data, recipients, the planned retention period, your rights, the source of data, and automated decision-making.
9.2. Right to rectification (art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data or the supplementation of incomplete data.
9.3. Right to erasure — "right to be forgotten" (art. 17 GDPR)
You have the right to request the erasure of your personal data. The Controller shall erase the data without undue delay, unless processing is necessary for:
- compliance with a legal obligation requiring processing (e.g., accounting obligations — transaction data for 5 years);
- the establishment, exercise, or defence of legal claims.
On e-dietetyk.com, you can independently delete your account. Account deletion results in:
- immediate blocking of access;
- cancellation of active subscriptions in Stripe;
- anonymisation of personal data (soft delete + removal of PII).
9.4. Right to restriction of processing (art. 18 GDPR)
You have the right to request the restriction of data processing in the cases specified in art. 18 of the GDPR, in particular when you contest the accuracy of the data, the processing is unlawful, or you have objected to processing.
9.5. Right to data portability (art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON) and to transmit that data to another controller. This right applies to data processed on the basis of consent or a contract, by automated means.
9.6. Right to object (art. 21 GDPR)
You have the right to object at any time to the processing of personal data based on art. 6(1)(f) of the GDPR (legitimate interest), including profiling. The Controller shall cease processing unless it demonstrates compelling legitimate grounds for processing that override your interests, rights, and freedoms.
9.7. Right to withdraw consent (art. 7(3) GDPR)
To the extent that data processing is based on consent (in particular, consent to the processing of health data), you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.
Withdrawal of consent to the processing of health data may result in the inability to continue providing dietary services.
9.8. Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with the supervisory authority:
President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO), ul. Stawki 2, 00-193 Warszawa, Poland, www.uodo.gov.pl
9.9. How to exercise your rights
To exercise your rights, contact the Controller:
- E-mail: kontakt@e-dietetyk.com
- By post: Wirgiliusz Ładziński, ul. Pod Brzozami 16/8a, 03-995 Warszawa, Poland
The Controller shall respond to the request without undue delay, no later than within one month from the date of receipt of the request. In the case of complex or numerous requests, this period may be extended by an additional two months, of which you will be informed.
Exercise of rights is free of charge. In the case of manifestly unfounded or excessive requests, the Controller may charge a reasonable fee or refuse to act in accordance with art. 12(5) of the GDPR.
10. Data security
The Controller implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or disclosure, in particular:
10.1. Technical measures
- Encryption of health data using the AES-256-GCM algorithm (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) — health interview data, medical flags, and nutrition plan content are stored in the database exclusively in encrypted form;
- Transmission encryption — all communication between the user and the website is conducted via the HTTPS protocol with a TLS certificate;
- Password hashing — user passwords are not stored in plain text but in the form of a cryptographic hash (bcrypt);
- CSRF protection — CSRF tokens in every session;
- Rate limiting — limiting the number of API requests to protect against brute force and DDoS attacks.
10.2. Organisational measures
- Access control — access to personal data is limited to authorised persons, to the extent necessary for the performance of their duties;
- Audit logs — recording events such as login, interview viewing, plan generation, plan viewing, account deletion;
- Data minimisation — collecting only the data necessary for the specific purpose;
- Regular security reviews — periodic verification of the security measures in place.
11. Changes to the Privacy Policy
The Controller reserves the right to make changes to this Privacy Policy. Changes may result in particular from changes in legal provisions, changes in the scope of services provided, changes in sub-processors, or changes in the technologies used.
Users will be informed of significant changes to the Privacy Policy by:
- displaying an appropriate notice on the website;
- sending an e-mail to the address associated with the user's account (in the case of changes to the legal bases for processing or the scope of data processed).
The date of the last update is indicated at the beginning of this document.
Continued use of the website after changes are introduced constitutes acceptance of the updated Privacy Policy. If you do not accept the changes, you have the right to delete your account.
12. Contact
For matters related to the protection of personal data and the exercise of your rights, contact the Controller:
- E-mail: kontakt@e-dietetyk.com
- Additional e-mail: wirigiliusz@gmail.com
- Phone: +48 515-530-088
- Postal address: Wirgiliusz Ładziński, ul. Pod Brzozami 16/8a, 03-995 Warszawa, Poland
This Privacy Policy is effective from 23 March 2026.
