Last updated: 2026-05-08
The data controller within the meaning of GDPR (Regulation (EU) 2016/679, "RODO") is YesWas | Paweł Orzech (Polish jednoosobowa działalność gospodarcza, sole proprietorship), NIP PL8741734171, registered in CEIDG, Republic of Poland. Data-protection contact: [email protected]. We have not appointed a Data Protection Officer — our processing scale and the limited subset of special-category data we handle do not meet the criteria of GDPR art. 37 (no large-scale systematic monitoring; health-data processing is voluntary, opt-in, and confined to the data the user actively enters or syncs).
/weight or auto-synced from Withings if you connect it), activity level, weight goal (lose / maintain / gain), and a derived daily calorie target. Used to compute the Mifflin-St Jeor TDEE estimate, the adaptive TDEE refinement (Pro), and the daily-budget views. We do not collect medical diagnoses, conditions, medications, allergies, or genetic data.

bn_visitor): a random 16-byte token stored in a first-party cookie and/or local storage on bitenote.eu, with a 30-day TTL, used to keep your landing-page variant stable across visits. The token contains no personal information by itself and is not joined with your Telegram account or payment records.

| Purpose | Legal basis |
|---|---|
| Delivering meal estimates, processing payments, customer support | GDPR art. 6(1)(b) — performance of contract |
| Health and profile data (weight, height, goals, Withings sync) — calorie target computation, adaptive TDEE, weight-trend views | GDPR art. 9(2)(a) — explicit consent, taken in a dedicated screen during onboarding; combined with art. 6(1)(b) for the underlying contract performance |
| Issuing VAT invoices, accounting, tax record-keeping | art. 6(1)(c) — legal obligation (PL Ordynacja podatkowa art. 86; Ustawa o VAT) |
| Security logs, fraud prevention, A/B variant assignment | art. 6(1)(f) — legitimate interests (running and improving the service) |
| Aggregate landing analytics (self-hosted Umami, no cookies) | art. 6(1)(f) — legitimate interests; data is anonymous |
Consent under art. 9(2)(a) is freely given and can be withdrawn at any time via /account → Delete my data or by emailing [email protected]. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
/account → delete, or 24 months after your last active session — whichever comes first.

/account → delete, withdraw the art. 9 consent, or 24 months after your last active session — whichever comes first.

We share personal data only with the following processors, under data-processing terms or equivalent safeguards. Contractual terms with each processor restrict data use to providing the contracted service.

| Processor | Role | Jurisdiction | Transfer mechanism / safeguard |
|---|---|---|---|
| Google LLC (Gemini API) | AI estimation — photo and voice processing | USA | EU-U.S. Data Privacy Framework + Standard Contractual Clauses |
| Telegram FZ-LLC | Bot messaging + Telegram Stars payments | UAE / global | Telegram's own DPA; user enters Telegram independently |
| Stripe Payments Europe Ltd (EEA) / Stripe Inc. (USA) | Card payments + subscription management | Ireland (EU) / USA | EU entity for processing; US transfers under DPF + SCC |
| infakt sp. z o.o. | VAT invoice issuing | Kraków, Poland | EU-based processor under Polish law |
| Contabo GmbH | VPS hosting (application + PostgreSQL) | Munich, Germany | EU hosting |
| BunnyWay d.o.o. (Bunny.net) | DNS and CDN for bitenote.eu | Ljubljana, Slovenia | EU processor |
| Self-hosted Umami (operated by the controller) | Aggregate landing analytics, cookieless | Hetzner, Germany | Same controller; no third party |
| Withings SAS | OAuth2 sync of body-weight measurements (Pro feature, opt-in) | Issy-les-Moulineaux, France (EU) | EU processor; user authorises each connection via OAuth and can revoke at withings.com |
Some processing involves transfers outside the EEA: Google LLC (USA) for Gemini API estimation, Groq, Inc. (USA) when used for voice transcription fallback, and Stripe Inc. (USA) as a sub-processor for card payment processing. These transfers rely on the EU-U.S. Data Privacy Framework adequacy decision and Standard Contractual Clauses (Commission Decision 2021/914) as additional safeguards. Telegram FZ-LLC operates global infrastructure; Telegram's own privacy policy applies to platform-level data.
No third-party advertising networks. We do not embed Google Analytics, Meta / Facebook Pixel, TikTok Pixel, or any comparable third-party ad-tech tag on the landing or in the bot flow. Landing analytics is self-hosted Umami running in cookieless mode (aggregate counts only). The bot does not load any third-party SDK at all.
You have the right to: access your data (art. 15), rectify inaccurate data (art. 16), have it erased (art. 17), restrict processing (art. 18), receive it in a portable format (art. 20), object to processing based on legitimate interests (art. 21), and not be subject to solely automated decisions with legal or similarly significant effects (art. 22 — none are made here). Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise: use /account in @bitenotebot for self-service data export and account deletion, or email [email protected]. We respond within 30 days (extendable by two months for complex requests, with notice — GDPR art. 12(3)).
Right to lodge a complaint: with the Polish supervisory authority — Prezes Urzędu Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl; or with the supervisory authority in your EU country of habitual residence.
The public landing page uses one first-party identifier — the bn_visitor cookie / localStorage entry described above — for A/B testing of the landing page. It is not used for advertising or cross-site tracking. We do not use third-party advertising cookies. Web analytics is provided by self-hosted Umami in cookieless mode (aggregate counts only). If you object to bn_visitor, contact [email protected] — we will exclude you from variant assignment.
BiteNote is for users aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has used the service, contact [email protected] and we will delete the relevant records.
Calorie tracking can be harmful for individuals with or at risk of eating disorders. The bot displays a content warning and requires explicit acknowledgment before first use, and a separate explicit consent before any health data is collected. If your use of the service is negatively affecting your wellbeing, please contact a qualified healthcare professional.
BiteNote processes a limited subset of health data — your weight, height, biological sex, year of birth, activity level, and weight goal — to compute a daily calorie target. Under GDPR art. 9(1) this is a special category of personal data, and we rely on your explicit consent under art. 9(2)(a), taken in a dedicated screen during onboarding (separate from the 18+/ED warning and from the Terms of Service). We do not process medical diagnoses, conditions, medications, allergies, genetic data, or biometric identifiers. You can withdraw consent and erase the health data at any time via /account → Delete my data; withdrawal stops further processing immediately and does not affect the lawfulness of processing before withdrawal.
BiteNote does not make automated decisions producing legal or similarly significant effects on you. A/B testing uses statistical aggregates and does not score or profile individuals. Daily caps are applied uniformly by account status, not by individual profiling.
All traffic uses HTTPS/TLS. Database access is restricted to scoped application credentials. The hosting provider applies disk-level encryption at rest. We do not store payment card numbers or authentication credentials. Security practices are reviewed periodically.
Hosting location. The application and its PostgreSQL database run on a Coolify-managed EU server (Contabo, Germany). Encrypted off-site backups are stored on Backblaze B2's EU region. Apart from the third-country processors listed in §5–6 (Gemini, Stripe, optionally Groq), your meal log, weight log, and profile data stay inside the European Union.
If we make material changes, we will update the date above and notify users via @bitenotebot at least 30 days before the changes take effect. Continued use after the effective date constitutes acceptance.