Privacy Policy
Last updated: 22 February 2026
1. Who we are
TinyPlates is operated by Evgeny Aseev, trading as TinyPlates, based in England. We (“TinyPlates”, “we”, “us”) are the data controller for the personal data we process under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
Contact: [email protected]
Data Protection Lead: Evgeny Aseev — [email protected]
2. What this policy covers
This privacy policy applies to:
- The TinyPlates website at tinyplates.co.uk (including the waitlist signup)
- The TinyPlates web application at tinyplates.app
- The TinyPlates mobile applications for iOS and Android
Together, these are referred to as the “Service”.
3. Data we collect
We collect the following categories of personal data:
Account information
- Email address (required for account creation and waitlist signup)
- Display name (optional)
- Authentication data from social login providers (Apple, Google, or Facebook) if you choose to sign in via a social account — we receive your name and email from the provider but never your password
Account authentication is managed by Firebase Authentication (Google). If you use email/password login, your password is handled and securely hashed by Firebase — we never see, store, or have access to your password.
Child profile data
- First name or nickname
- Date of birth
- Feeding stage (e.g., early weaning, progressing, family foods)
- Known allergies (e.g., milk, eggs, peanuts, tree nuts, wheat/gluten, soy, fish, shellfish, sesame)
- Dietary preferences (e.g., vegetarian, vegan, halal, kosher, dairy-free)
- Cultural cuisine preferences (e.g., British, Indian, Caribbean, Mediterranean, Middle Eastern)
- Number of meals and milk feeds per day
- Food preferences — likes, dislikes, and reintroduction tracking
- Meal ratings and feedback
Shopping preferences
- Preferred UK supermarkets (e.g., Tesco, Sainsbury’s, Aldi, Lidl, Waitrose, Asda)
Usage data
- Meal plans generated, recipes viewed, meals swapped, shopping lists created
- Feature interactions — including screen views, onboarding progress, button taps, and meal ratings
- Subscription status and entitlements
Technical data
- IP address, browser type, device type, operating system
- Push notification tokens (for meal prep reminders and service notifications)
- Crash reports and performance data
- Cookies and similar technologies (see section 13)
4. Children’s data
TinyPlates is designed for parents and guardians to plan meals for their children (aged 6 months to 3 years). The app’s users are adults — children do not use the app directly. However, we process data about children and take the protection of this data extremely seriously.
We comply with the ICO Age Appropriate Design Code (Children’s Code) and apply the following safeguards:
- We collect only the minimum data necessary about children to provide personalised, allergy-safe meal plans
- Child profile data is used solely to generate age-appropriate meal recommendations and track nutrition
- Child profile data is shared with AI providers (see section 5) only for the purpose of generating meal plans — it is not used to train AI models
- Allergy data is classified as special category health data under UK GDPR Article 9. We only process allergy data with your explicit consent (Article 9(2)(a)), which you provide during the child profile setup. You can withdraw this consent at any time via the app, which will immediately and permanently delete all allergy data for that child
- We never share children’s data with advertisers
- We use children’s dietary data for functional profiling only — tracking nutrition intake and food preferences to improve meal recommendations. This profiling is never used for marketing, advertising, or any purpose detrimental to your child
- Parents and guardians have full control to view, edit, and delete all child profile data at any time via the app
- When a child profile is deleted, all associated data (allergies, preferences, meal history, consent records) is permanently removed
5. How we use AI to generate meal plans
TinyPlates uses artificial intelligence to create personalised weekly meal plans. When we generate a meal plan for your child, we send the following data to our AI providers:
- Your child’s age and feeding stage
- Allergies and dietary requirements
- Cultural cuisine preferences
- Food likes and dislikes
- Number of meals per day
We do not send your name, email, or any data that directly identifies you or your child by name to AI providers.
AI providers we use
- Google Gemini (Google LLC, USA) — our primary AI provider for meal plan generation
- OpenAI (OpenAI, L.L.C., USA) — used as a fallback if our primary provider is unavailable
Important safeguards
- We use the AI providers’ API services, which are contractually prohibited from using your data to train their models
- Data sent to AI providers is processed in the United States (see section 9 on international transfers)
- Every AI-generated plan is validated server-side against allergen rules, nutrition targets, and age-appropriateness before being shown to you
- If both AI providers are unavailable, we serve pre-built template plans from our own database — no data is sent externally
6. Lawful basis for processing
Under UK GDPR, we rely on the following lawful bases:
| Purpose | Lawful basis |
|---|---|
| Providing the TinyPlates service (meal plans, recipes, shopping lists) | Contract (Article 6(1)(b)) |
| Processing non-health child data (name, age, feeding stage, dietary and cuisine preferences) for personalised recommendations | Legitimate interest (Article 6(1)(f)), balanced with the child’s best interests |
| Processing allergy/health data about children | Explicit consent (Article 6(1)(a) and Article 9(2)(a)) — collected in-app before allergy data is stored or processed |
| Sending non-health child data to AI providers for meal plan generation | Legitimate interest (Article 6(1)(f)) — necessary to deliver the core service with appropriate safeguards |
| Sending allergy data to AI providers for allergen-safe meal plans | Explicit consent (Article 9(2)(a)) — same consent covers both storage and AI transmission |
| Sending service-related emails (account, security) | Contract (Article 6(1)(b)) |
| Sending marketing emails (product updates, blog) | Consent (Article 6(1)(a)) |
| Product analytics to improve the service | Legitimate interest (Article 6(1)(f)) |
| Advertising measurement (Meta Pixel) | Consent (Article 6(1)(a)) — via cookie consent |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
7. How we use your data
We use your personal data to:
- Create and manage your account via Firebase Authentication
- Generate personalised, age-appropriate meal plans using AI, based on recipes sourced from NHS Start4Life and Gov.uk under the Open Government Licence v3.0 (see section 5)
- Produce shopping lists with UK supermarket price comparisons
- Track nutritional intake against NHS-recommended targets for your child’s age
- Manage allergy tracking and food reintroduction reminders
- Send push notifications (e.g., meal prep reminders, defrost reminders)
- Send service-related emails (e.g., password resets, security alerts)
- Send marketing communications where you have opted in
- Analyse usage patterns to improve the service (using aggregated and anonymised data where possible)
- Measure advertising effectiveness on our website
8. Data sharing & third-party processors
We do not sell your personal data. We share data with the following categories of third-party processors, all of whom are bound by data processing agreements:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Firebase Authentication (Google) | User sign-up, login, social logins, password management | Email, authentication tokens, social login profile | USA |
| Firebase Crashlytics (Google) | Crash reporting and app stability monitoring | Device info, crash logs, anonymised user identifiers | USA |
| Firebase Cloud Messaging (Google) | Push notifications | Device tokens | USA |
| Google Gemini (Google) | AI meal plan generation (primary) | Child profile data (anonymised — no names or emails) | USA |
| OpenAI | AI meal plan generation (fallback) | Child profile data (anonymised — no names or emails) | USA |
| Mixpanel | Product analytics | Usage events, screen views, anonymised user ID | USA |
| Google Analytics (Firebase) | App analytics (mobile app only) | Usage patterns, session data, acquisition channels, anonymised user ID | USA |
| Sentry | Backend error tracking | Error logs, request context | USA |
| Hetzner | Server hosting (VPS) | All application data (stored in our database) | Nuremberg, Germany |
| Cloudflare | Website hosting, DNS, email routing | Website traffic data, email forwarding | Global (EU/US) |
| RevenueCat | Subscription and payment management (mobile) | User ID, subscription status, purchase receipts | USA |
| Meta (Facebook/Instagram) | Advertising measurement on tinyplates.co.uk | Website browsing activity (via Meta Pixel, with consent) | USA |
We may also share data with law enforcement or regulators where we are legally required to do so.
9. International data transfers
Some of our third-party processors are based outside the UK, primarily in the United States and the European Economic Area (Germany). When your data is transferred outside the UK, we ensure appropriate safeguards are in place:
- EU/EEA transfers (Hetzner, Germany) — covered by the UK adequacy decision for the EEA
- US transfers (Google/Firebase, OpenAI, Mixpanel, Sentry, RevenueCat, Meta) — protected by Standard Contractual Clauses (SCCs) and, where applicable, the UK Extension to the EU-US Data Privacy Framework
You can request a copy of the relevant safeguards by contacting us at [email protected].
10. Data retention
We retain your data for as long as you maintain an active account. If you delete your account:
- Account and child profile data is permanently deleted within 30 days
- A minimal deletion audit log is retained for compliance purposes, containing only your email address, internal user ID, and the date of deletion. This log does not include child profiles, preferences, or any other account data. It is retained to ensure that if a database backup is restored, your deletion is re-applied automatically — as required by ICO guidance on the right to erasure and backup systems
- Anonymised, aggregated analytics data may be retained indefinitely (this data cannot identify you)
- Data required for legal or regulatory purposes may be retained for up to 6 years
Waitlist email addresses are retained until the service launches, at which point you will be given the option to create an account or unsubscribe. If you unsubscribe, your email is deleted within 30 days.
11. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — correct any inaccurate or incomplete data
- Right to erasure — request deletion of your data (“right to be forgotten”)
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a machine-readable format (JSON)
- Right to object — object to processing based on legitimate interests or direct marketing
- Right to withdraw consent — where processing is based on consent (e.g., marketing emails, Meta Pixel tracking, allergy data processing), you may withdraw at any time. If you withdraw consent for allergy data, all stored allergy information for that child will be immediately and permanently deleted
To exercise any of these rights, email us at [email protected]. We will respond within one month.
12. Automated decision-making
TinyPlates uses AI to automatically generate meal plans based on your child’s profile. This is a form of automated processing, but it does not produce legal or similarly significant effects — it generates meal suggestions that you are free to accept, swap, or ignore.
The app also provides AI-generated nutrition insights (for example, noting when a nutrient appears low in recent meals). These are informational suggestions to help you plan — they are not medical advice and do not replace professional guidance. You always make the final decision about what your child eats.
Every AI-generated plan is validated against safety rules (allergen filtering, age-appropriate textures, nutrition targets) before being shown to you. You always have the ability to modify any meal in your plan.
13. Cookies & tracking
We use cookies and similar technologies on our website and app. These include:
- Essential cookies — required for the website and app to function (authentication, session management)
- Analytics cookies — to understand how our service is used (Mixpanel)
- Advertising cookies — to measure the effectiveness of our advertising campaigns (Meta Pixel)
Analytics and advertising cookies are only set with your consent. You can manage your cookie preferences at any time via our cookie consent banner or by visiting our Cookie Policy.
The Meta Pixel on tinyplates.co.uk sends browsing data (page views, waitlist signups) to Meta Platforms, Inc. (USA) for advertising measurement. This data may be used by Meta to show you relevant ads on Facebook and Instagram. You can opt out via our cookie consent banner, your browser settings, or Meta’s ad preferences.
14. Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Authentication managed by Firebase (industry-standard secure hashing — we never store passwords ourselves)
- Database access restricted to authenticated API requests validated via Firebase JWT tokens
- Automated daily database backups with a post-restore procedure that re-applies any account deletions before the system serves traffic
- Error monitoring via Sentry with structured logging
- Incident response procedures for data breaches, including notification to the ICO within 72 hours where required
15. Changes to this policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or through the app. The “last updated” date at the top of this page indicates when the policy was last revised.
16. Contact & complaints
If you have any questions about this policy or how we handle your data, please contact our Data Protection Lead:
- Evgeny Aseev — [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113