Slimbo

Slimbo Privacy Policy

Effective Date: April 1, 2025
Version: 1.0

1. General Provisions

This Privacy Policy (hereinafter — “Policy”) describes what personal data the Slimbo service (hereinafter — “Service”, “we”, “us”) collects and processes, for what purposes, on what legal grounds, and what rights the user has with respect to their data.

By using the Service, you confirm that you have read this Policy and agree to the terms of processing your personal data set forth herein.

This Policy is an integral part of the Terms of Service.

2. Personal Data Controller

The controller of your personal data is:

Individual Entrepreneur Nazarenko O.O.
Tax ID (RNOKPP): 2900504395
Registered address: 27500, Kirovohrad region, Svitlovodsk, 2 Robitnycha St., apt. 240
Privacy contact email: privacy@slimbo.app
Support email: support@slimbo.app

3. Who This Policy Applies To

This Policy applies to:

  • Personal users — individuals who use the Service for personal meal planning and body composition tracking.
  • Business users — nutritionists, dietitians, fitness trainers, and other specialists who use the Service to work with clients.

The Service is intended exclusively for persons who have reached the age of 18. We do not knowingly collect data from persons under 18. If you become aware that a child has provided us with their data, please contact us at privacy@slimbo.app.

4. What Data We Collect

4.1. Account Data

Upon registration and authorization (via Clerk service) we receive:

  • Email address
  • Password (stored exclusively in hashed form on Clerk’s side)
  • First and last name (optional)
  • Profile photo (optional)
  • Registration date and time

4.2. Physical Profile

For the core functionality of the Service we collect:

  • Date of birth
  • Sex
  • Height
  • Physical activity level

4.3. Body Composition Data

  • Body weight (in kilograms or pounds)
  • Body fat percentage
  • Body fat measurement method (caliper, bioimpedance analysis, DEXA, etc.)
  • Measurement notes
  • Date and time of measurements

4.4. Nutrition Data

  • Calorie, macronutrient, and budget goals
  • Personal food database (name, calories, macronutrients, price)
  • Meal plans and diets generated by the Service
  • Nutritional calculation reports

4.5. Subscription and Payment Data

  • Selected subscription plan
  • Subscription status
  • Billing period start and end dates
  • Payment amount and currency
  • Payment identifier in the payment provider (Paddle)

We do not collect or store payment card data (card number, CVV, expiry date) — these are processed exclusively by the Merchant of Record, Paddle (Paddle.com Market Limited).

4.6. Business Profile Data (business plans only)

  • Brand name, tagline, description
  • Brand contact phone and email
  • Website
  • Brand logo and accent color

4.7. Business Users’ Client Data

If you are a business user, you may enter data about your clients:

  • Full name
  • Email address
  • Phone number
  • Address
  • Notes and comments
  • Client’s physical profile and body composition data

Processing of this data is governed by Section 12 of this Policy.

4.8. Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Date and time of access to the Service
  • Cookie data (according to your settings)
  • Data about interactions with Service pages

4.9. Support and Contact Request Data

When you use the Contact Us form or submit a support request through the application, we collect:

  • Contact Us form (all users): name, email address, subject, and message text.
  • In-app support form (paid subscribers only): additionally — browser type and version, operating system, device type, subscription plan name, internal user identifier, and any images attached to the message.

Image attachments are transmitted to the email delivery service (Brevo) solely for the purpose of delivering the support message and are not stored on our servers after delivery.

5. Health Data — Special Category

Body weight, body fat percentage, and the combination of data such as date of birth, sex, and height constitute health data under the Law of Ukraine “On Personal Data Protection” and EU Regulation 2016/679 (GDPR).

This data is a special category of personal data and requires separate, explicit consent for processing.

Legal basis for processing: explicit consent of the data subject (Art. 7 of the Law of Ukraine “On Personal Data Protection”; Art. 9(2)(a) GDPR), which you provide when first completing your physical profile in the Service.

You have the right to withdraw this consent at any time by contacting us at privacy@slimbo.app. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal, but may make it impossible to use the core functionality of the Service.

We keep records of your consent, including the date, time, and version of the Policy in effect at the time consent was given.

| Purpose of Processing | Legal Basis |
|---|---|
| Account creation and maintenance | Contract performance (Terms of Service) |
| Providing core functionality (nutrition calculations) | Contract performance |
| Processing health data | Explicit consent |
| Processing payments and managing subscriptions | Contract performance; legal obligation |
| Sending transactional emails | Contract performance |
| Sending marketing communications | Consent (with option to unsubscribe) |
| Analytics and Service improvement | Legitimate interest; consent (for cookies) |
| Displaying personalized advertising | Consent (for advertising cookies) |
| Compliance with legal obligations | Legal obligation |
| Processing support requests and contact enquiries | Contract performance; legitimate interest |
| Fraud and abuse prevention | Legitimate interest |

7. Transfer of Data to Third Parties

We transfer your data only to the following categories of recipients:

7.1. Clerk (Authorization)

Clerk, Inc., USA — authentication and account management service. Receives: email, password (hashed), name, profile photo, session data. Clerk is SOC 2 Type II certified. Learn more: clerk.com/privacy.

7.2. Paddle (Merchant of Record)

Paddle.com Market Limited, United Kingdom — Merchant of Record for all subscription purchases. Paddle acts as the legal seller and independently processes: billing information, payment card data, name, email address, and IP address for the purposes of completing transactions, fraud prevention, and tax compliance. Card data is processed by Paddle in accordance with the PCI DSS standard. Paddle is an independent data controller for payment-related personal data — not a data processor on our behalf. Data transfers outside the EEA are covered by Standard Contractual Clauses under Paddle’s DPA. Learn more: paddle.com/legal/privacy.

7.3. Brevo (Sendinblue)

Brevo SAS, France — email marketing service. Receives: email address, name (if provided). Used for transactional emails and, with your consent, marketing communications. Also used for delivery of support correspondence (contact form messages and in-app support requests). Learn more: brevo.com/legal/privacypolicy.

7.4. DigitalOcean

DigitalOcean, LLC, USA — cloud infrastructure (VPS) hosting the Service’s backend. All user data is stored on DigitalOcean servers. Learn more: digitalocean.com/legal/privacy-policy.

7.5. Google (Analytics and Advertising)

Google LLC, USA — via Google Tag Manager. Data is transferred only with your consent to analytical and/or advertising cookies. May include Google Analytics, Google Ads, and other Google products. Learn more: policies.google.com/privacy.

7.6. Advertising Platforms

With your consent to advertising cookies, technical data and interaction data may be transferred to the following advertising platforms for the purpose of displaying personalized advertising:

  • Meta (Facebook, Instagram) — Meta Platforms Ireland Ltd.
  • TikTok — TikTok Technology Limited
  • Google (YouTube, Google Ads) — Google LLC
  • X (Twitter) — X Corp.
  • LinkedIn — LinkedIn Ireland Unlimited Company

You can opt out of advertising cookies at any time via the Cookie Settings page.

7.7. Google Drive and Google Sheets (Import/Export)

The Service provides the ability to import and export data (meal plans, food databases, etc.) via Google Drive and Google Sheets. This functionality uses the Google Drive API and Google Sheets API provided by Google LLC, USA.

When using this functionality:

  • You grant the Service limited access to your Google Drive / Google Sheets solely to perform the specific import or export operation.
  • The Service reads or writes only the files you explicitly selected or created as part of the operation.
  • We do not store the contents of your Google Drive / Google Sheets files on our servers after the operation is complete.
  • We do not share data from your Google Drive / Google Sheets files with third parties.
  • Access to Google Drive / Google Sheets is used exclusively for import and export features and is not used for any other purpose.

Learn more about how Google handles data: policies.google.com/privacy.

8. Cookies

We use cookies and similar technologies. Detailed information and settings are available on the Cookie Settings page.

Cookie categories:

  • Necessary — ensure the Service operates; no consent required
  • Analytics — collection of anonymized data about Service usage (Google Analytics and others)
  • Advertising — tracking for personalized advertising on external platforms
  • Personalization — saving your settings and preferences

9. Data Storage

Data is stored on DigitalOcean servers. Some data may be processed outside Ukraine (in particular, Clerk, Brevo, Paddle, Google, and advertising platforms are located or process data in the USA and EU). In such cases, transfer is carried out on the basis of contractual guarantees (EU Standard Contractual Clauses) or adequacy decisions.

10. Data Retention Periods

| Data Category | Retention Period |
|---|---|
| Account data | For the duration of the account + 3 years after deletion |
| Physical profile and health data | For the duration of the account; deleted upon request |
| Payment and subscription data | 7 years (Ukrainian tax law requirement) |
| Cookie consent data | 3 years |
| Business users’ client data | Until deleted by the business user or upon account deletion |
| Technical logs | 12 months |

11. Your Rights

Under the Law of Ukraine “On Personal Data Protection” and GDPR you have the right to:

  • Know about the sources of collection, location of your personal data, and the purpose of its processing
  • Access your personal data
  • Rectify inaccurate or outdated data
  • Erase your data (“right to be forgotten”)
  • Restrict the processing of your data
  • Port your data (receive it in a machine-readable format)
  • Object to processing based on legitimate interest
  • Withdraw consent to processing at any time
  • Lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua)

To exercise any of these rights, send a request to: privacy@slimbo.app

We will respond within 30 calendar days.

12. Processing of Business Users’ Client Data

This section constitutes a Data Processing Agreement between Individual Entrepreneur Nazarenko O.O. (hereinafter — “Processor”) and the business user of the Service (hereinafter — “Controller”).

By registering as a business user and using the client management functionality, you as the Controller instruct the Processor to process personal data of your clients under the following terms:

Subject of processing: storage and provision of access to personal data of the Controller’s clients (full name, contact details, health data) exclusively for the purpose of providing the Service.

Processor’s obligations:

  • Process client data exclusively in accordance with the Controller’s documented instructions
  • Ensure confidentiality and technical protection of data
  • Not transfer client data to third parties, except as provided in this Policy (DigitalOcean hosting)
  • Assist the Controller in fulfilling obligations to data subjects
  • Delete client data after the provision of the Service ceases or upon the Controller’s request

Controller’s obligations:

  • Independently ensure the existence of a legal basis for entering and processing their clients’ data in the Service
  • Notify their clients about the transfer of their data to the Service
  • Not enter data of persons under 18 years of age

By accepting these terms upon registration, the Controller confirms having read and agreed to them.

13. Marketing Communications

We will send you marketing emails only with your explicit consent. Each marketing email contains an unsubscribe link. You can opt out of mailings at any time:

  • by clicking the “Unsubscribe” link in any email
  • by sending a request to privacy@slimbo.app

Transactional emails (payment confirmation, account status notifications) are sent regardless of marketing communication settings.

14. Data Security

We implement technical and organizational measures to protect your data:

  • Data is transmitted exclusively over a secure connection (HTTPS/TLS)
  • Passwords are stored in hashed form (Clerk)
  • Access to production databases is restricted and logged
  • Payment card data is not stored on our servers (processed by Paddle under the PCI DSS standard)

15. Changes to This Policy

We may update this Policy. In the event of material changes, we will notify you by email or through a notification in the Service no later than 14 days before the changes take effect. Continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.

An archive of previous versions of the Policy is available upon request at privacy@slimbo.app.

16. Applicable Law and Dispute Resolution

This Policy is governed by Ukrainian law, in particular:

  • Law of Ukraine “On Personal Data Protection” dated 01.06.2010 No. 2297-VI
  • Civil Code of Ukraine
  • Law of Ukraine “On Electronic Commerce”

All disputes arising in connection with this Policy shall be resolved through negotiations, and if no agreement is reached — in the courts of Ukraine in accordance with applicable law.

In relations with users from EU/EEA countries, we also comply with the requirements of EU Regulation 2016/679 (GDPR).

The Ukrainian-language version of this Policy takes precedence over translations in the event of any discrepancies in interpretation.