← Home

Privacy policy

Last updated: May 14, 2026

Quoteal is operated by Seven Lambda, Inc., a Delaware corporation registered to do business in California. Seven Lambda, Inc. is the data controller for the information described below. This privacy policy explains what information we collect, how we use it, who we share it with, and the rights you have over it. We try to keep this as plain as possible. If anything is unclear, email hello@quoteal.com and we'll do our best to explain.

1. Information we collect

Account information

Email address and password (passwords are stored as one-way hashes by Supabase Auth; we never see the plaintext).

Onboarding profile

Age, sex, weight, height, activity level, primary goal, diet type, allergies, cooking skill, cook-time preference, weekly budget, foods loved and foods hated, and your preferred eating time. This is what powers the meal-planning logic.

Generated content

Your weekly meal plans, pantry items, shopping lists, and substitution history.

Bloodwork (Pro feature)

If you choose to use the Bloodwork feature, you may enter biomarker values from a lab panel (e.g. ferritin, vitamin B12, HbA1c). We store the numeric values, an optional draw date, and an optional free-text note. We do not collect your name, date of birth, the lab provider, insurance details, or any other identifying information from the panel. You can delete individual panels or all panels at any time from the Bloodwork screen.

Payment information

If you upgrade to Pro, billing is handled by Stripe. We never see, store, or process your card number, CVC, or bank details. Stripe shares your subscription status with us via webhook so we can grant access to Pro features.

Usage analytics

We use Umami, a privacy-first analytics tool, to count anonymous events like “plan generated” or “upgrade completed” so we know which features are used. Umami does not set cookies, does not fingerprint visitors, and does not collect personal data.

2. How we use your information

  • To generate meal plans, recipes, shopping lists, and nutrition coverage estimates.
  • To adjust nutrition targets based on biomarker values (if you provide them).
  • To process subscription payments and grant access to Pro features.
  • To send transactional emails (password resets, billing receipts).
  • To improve the product (for example, identifying meals that consistently fail validation).
  • To respond to support requests you send us.

We do not sell your data, ever. We do not use your health information for advertising. We do not train machine-learning models on your personal data.

3. Third-party processors

  • Supabase: stores your account, profile, meal plans, pantry, and bloodwork data in a Postgres database hosted in the United States. Row-level security ensures only you can read your rows.
  • Supabase Storage: hosts the public meal photos shown on the plan and recipe pages. No user data is stored in this bucket; the same photo set is shown to every user.
  • Stripe: processes payments and manages your subscription. Stripe's privacy policy governs payment data: stripe.com/privacy.
  • Anthropic (Claude API): generates recipe-card text and ranks ingredient substitutions. We send the meal name, ingredient list, and your allergen list to the model. We never send your name, email, payment data, or bloodwork values.
  • OpenAI (image generation): used once at seed time to generate the meal photo library. No user data is sent to OpenAI; the prompts contain only meal names, ingredient lists, and cuisine tags.
  • USDA FoodData Central: public nutrition database. We send ingredient names; we never send user data.
  • BLS Public Data API: provides national food price index data used to estimate meal cost drift. We send no user data; we receive a national CPI series.
  • Resend: sends transactional emails (password reset, account notifications). Receives your email address and the email body only.
  • Umami: privacy-first analytics. No cookies, no fingerprinting, no PII.
  • Vercel and Railway: host the website and API. Standard request logs (IP address, user agent, timestamp) are retained briefly for security and debugging.

4. Cookies and local storage

We use the minimum cookies and local-storage entries needed to run the app:

  • A Supabase Auth session cookie to keep you logged in.
  • A session-storage cache of your current meal plan and prep checklist (cleared on sign-out).
  • A Stripe checkout cookie set during the upgrade flow.

We do not use advertising or tracking cookies.

5. How long we keep your data

Your data is retained for as long as your account is active. You can delete your account at any time from Settings; the deletion is immediate and cascades to all your profile, meal plans, pantry items, bloodwork panels, and (if you have a Pro subscription) cancels your Stripe subscription. Some Stripe billing records are retained by Stripe under their own policy for tax and accounting reasons. Server logs are retained for up to 30 days for security and debugging.

6. Your rights

You have the right to:

  • Access: view your data in the app at any time.
  • Correct: update your profile, preferences, and bloodwork values from Settings.
  • Delete: remove your account in one click from Settings.
  • Export: request a copy of your data by emailing hello@quoteal.com.
  • Object: opt out of any non-essential processing by emailing us.

California residents have additional rights under the CCPA, including the right to know what categories of personal information are collected and the right to non-discrimination for exercising these rights. EU/UK residents have rights under GDPR, including the right to data portability and the right to lodge a complaint with a supervisory authority.

7. Children

Quoteal is intended for adults 18 and over. We do not knowingly collect data from anyone under 18. If we learn that we have collected data from a minor, we will delete it. Parents or guardians who believe their child has used Quoteal can email us at hello@quoteal.com.

8. Security

We use industry-standard practices to protect your data: TLS in transit, encryption at rest (provided by Supabase), strong password hashing, and row-level security on every database table. No system is perfectly secure. If you believe your account has been compromised, email us immediately.

9. Changes to this policy

We may update this policy from time to time. When we do, we'll update the “Last updated” date at the top of this page. Material changes will be announced by email to active subscribers. Continued use of Quoteal after a change constitutes acceptance of the updated policy.

10. Contact

Questions, requests, or concerns about your data? Email hello@quoteal.com. We aim to respond within 3 business days.