Privacy Policy
Last updated: March 28, 2026
1. Who we are
Wellthra ("we", "us", "our") operates the website wellthra.com and the Wellthra nutrition platform. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG).
Data Controller
Wellthra
Bremer Strasse 30, 65824 Schwalbach am Taunus
Email: privacy@wellthra.com
2. What data we collect
Data you provide:
- Account data: name, email, password (hashed, never stored in plain text)
- Profile data: age, gender, height, weight, dietary preferences, health goals
- Health data: allergies, medical conditions, medications (voluntarily provided) — classified as "special category data" under GDPR Article 9
- Payment data: processed by Stripe — we never store your card details
- Communications: messages sent through our contact form
Data collected automatically:
- Usage data: pages visited, features used, time spent
- Device data: browser type, operating system
- Log data: IP address (anonymized after 30 days)
- Cookies: see Section 7 below
3. Why we process your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide personalized meal plans | Contract performance (Art. 6(1)(b)) |
| Process payments | Contract performance (Art. 6(1)(b)) |
| Send account-related emails | Contract performance (Art. 6(1)(b)) |
| Send marketing emails | Consent (Art. 6(1)(a)) — opt out anytime |
| Process health-related data | Explicit consent (Art. 9(2)(a)) |
| Improve our service | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
| Tax and legal compliance | Legal obligation (Art. 6(1)(c)) |
4. How we use artificial intelligence
Wellthra uses AI technology (Claude by Anthropic) to generate personalized meal plans, recipes, and nutritional advice. When you use our AI features:
- Your dietary preferences and goals are sent to Anthropic's API to generate content
- Anthropic does not use your data to train their models
- We do not share your identity (name, email) with Anthropic
- AI-generated content is not medical advice (see Section 10)
5. Who we share your data with
| Provider | Purpose |
|---|---|
| Anthropic (Claude AI) | AI meal plan generation |
| Stripe | Payment processing |
| MongoDB Atlas | Database hosting |
| Vercel | Website hosting & analytics |
| Resend | Transactional emails |
| Google Analytics | Usage analytics (opt-in only) |
| Sentry | Error monitoring (no PII) |
| Upstash Redis | Rate limiting & abuse prevention |
| Telegram Bot API | Push notifications (if connected) |
| Unsplash | Food imagery for meal plans |
| USDA FoodData Central | Restaurant food nutrition lookup |
We do not sell your personal data. We do not share your data with advertisers. Affiliate links (Amazon, MyProtein, iHerb) use standard referral tags and do not transmit your personal data.
6. Your rights under GDPR
As an EU/EEA resident, you have the right to:
- Access (Art. 15): Request a copy of all personal data we hold about you
- Rectification (Art. 16): Correct any inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Data portability (Art. 20): Receive your data in machine-readable format (JSON)
- Restriction (Art. 18): Limit how we process your data
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw consent: At any time for marketing and health data processing
- Lodge a complaint: With your local Data Protection Authority
To exercise any right, email privacy@wellthra.com. We respond within 30 days.
German users may also contact the BfDI at www.bfdi.bund.de.
7. Cookie policy
| Cookie | Purpose |
|---|---|
| session_token | Keep you logged in |
| cookie_consent | Remember your choice |
| _ga / _gid | Google Analytics |
| cookie_consent_prefs | Granular cookie preferences |
Essential cookies cannot be disabled. Analytics cookies are only set after you consent via our cookie banner. You can change your preferences at any time by clearing your cookies.
8. How long we keep your data
- Account data: While your account is active + 30 days after deletion
- Health data: While your account is active; deleted within 30 days of account deletion or consent withdrawal
- Meal plans: While your account is active
- Payment records: 10 years (German tax law — AO §147)
- Server logs: 30 days
- Analytics data: Anonymized after 26 months
9. How we protect your data
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Passwords hashed using bcrypt
- Database access restricted by IP whitelist
- 2FA enabled on all administrative accounts
- Regular security audits and dependency scans
- Payments handled by Stripe (PCI DSS Level 1 certified)
- Error monitoring via Sentry (configured to exclude PII)
10. Health data disclaimer
Important medical notice
Wellthra is not a medical service or a replacement for professional medical advice. Our AI-generated meal plans are for general informational purposes only. Always consult a qualified healthcare professional before making dietary changes, especially if you have medical conditions or take medications.
11. Children's privacy
Wellthra is not intended for children under 16. We do not knowingly collect data from children under 16. Contact privacy@wellthra.com if you believe a child has provided us with personal data.
12. International transfers
Some providers are outside the EU/EEA (primarily USA). We rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) for these transfers.
13. Changes to this policy
We will notify you of significant changes by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact us
For privacy questions: privacy@wellthra.com
Response time: within 30 days.