Privacy Policy

Updated on July 29, 2025

1. Introduction

Character Types LLC (“MealPlan,” “we,” “us” or “our”) provides a web and mobile software-as-a-service platform that creates personalised meal plans. This notice explains how we collect, use, disclose and protect information about you when you use mealplan.co, our help centre at help.mealplan.co, related MealPlan-branded applications or otherwise interact with us. It incorporates:
  • All current U.S. federal privacy rules (e.g., COPPA, CAN-SPAM) and every enacted state consumer-privacy statute, including the California Privacy Rights Act (CPRA), Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Florida FDBR, Texas TDPSA, Oregon OCPA, Montana MCDPA, Iowa ICDPA and Tennessee TIPA.
  • The EU General Data Protection Regulation (GDPR) and UK GDPR for users located in the EEA or United Kingdom.
  • Industry security safeguards for health-related data, although MealPlan is not a HIPAA-covered entity.
If you do not agree with this Policy, please do not use the Service.

2. Types of Data We Collect

We collect information that falls into three broad groups:
  1. Usage Data – when you visit the Service without creating an account we record, for example, IP address, cookie IDs, browser and device type, operating system, referring webpage, pages viewed, links clicked, session length, time and day of visit, performance in our games, and device or advertising IDs.
  2. Registration and Account Data – when you sign up for an account we ask for your first and last name, email address, username and password. Once registered we log the way you use MealPlan (session length, pages or screens viewed, games played, performance and other in-app actions).
  3. Health and Dietary Data – to generate meal plans you may provide information such as food preferences, allergies, medical conditions, weight or fitness goals and other nutrition-related inputs. This information is considered “sensitive” under many privacy laws and we handle it with enhanced safeguards.
You are responsible for any third-party information you choose to share with us and confirm you have that party’s permission to do so.

3. Tracking Technologies

We and our partners use cookies, web beacons, pixels, software development kits (SDKs) and similar technologies for:
  • authentication and session management
  • remembering your preferences or progress
    analytics and product improvement
  • interest-based advertising (only if you have not opted out)
Most browsers allow you to refuse or delete cookies. If you disable cookies, parts of the Service may not function. EEA/UK visitors will see a cookie-consent banner that permits granular choice.

4. How We Use and Share Your Data

We use the information we collect to:
  • operate, maintain and personalise the Service
  • manage your account, process payments and provide customer support
  • conduct internal research, analytics and product development
  • send transactional messages, service announcements and—with your consent—marketing communications
  • detect, investigate and prevent fraud or security incidents
  • comply with legal obligations and enforce our Terms of Use
  • facilitate a merger, acquisition, financing or sale of all or part of our business (your data would remain subject to this Policy)
We disclose information:
  • to trusted service providers (hosting, cloud storage, analytics, payment processors, customer-support platforms, email delivery, push-notification tools and marketing platforms) who may process data only on our instructions and under confidentiality agreements
  • to advertising partners such as Google and Meta so they can show you relevant ads, but never your health or dietary inputs and only when you have not exercised your opt-out rights
  • to professional advisers (lawyers, auditors, insurers) bound to keep it confidential
  • to public authorities when required by law, subpoena or court order, or to protect rights, property or safety
  • to an acquiring or successor entity in a business transfer, provided the recipient honours this Policy
  • to third parties when you expressly ask us to
We do not sell your personal information for money. Under CPRA and similar laws “sharing” for cross-context behavioural advertising may occur unless you opt out.

5. Cross-Device Linking

Some partners link the same user across different browsers or devices to measure performance or deliver advertising. You can opt out:
  • via the Network Advertising Initiative (NAI) opt-out page
  • via the Digital Advertising Alliance (DAA) opt-out tools
  • through individual partner choices listed on our Partners page

6. Your Choices

  • Marketing e-mails – click “unsubscribe” in any promotional email or adjust Settings → Email Preferences. Transactional messages (e.g., password resets, purchase receipts) will still be sent.
  • Advertising opt-outs – use the NAI or DAA tools, your mobile device advertising settings, or our in-app Privacy Center.
  • Cookie control – manage cookies in your browser or via our cookie banner.
  • Do Not Track signals – browsers send various DNT signals; we do not currently act on them because there is no industry consensus.

7. EU / UK Privacy Rights

If you reside in the EEA or UK you have the right to:
  • access the personal data we hold about you
  • correct inaccurate or incomplete data
  • delete your account or specific data
  • restrict or object to certain processing
  • data portability (receive your data in a machine-readable format)
  • withdraw any consent you have provided
  • lodge a complaint with your supervisory authority (although we encourage you to contact us first so we can address the issue)

8. Data Subject Access Requests

To exercise any right—whether under GDPR, CPRA or another U.S. state law—contact us by:
We may ask for additional information to verify your identity. We usually respond within 30 days (45 days for certain U.S. states, with a possible extension of another 45 days where permitted).

9. Legal Bases for Processing (Personal Data)

We rely on different legal grounds depending on context:
  • Contract fulfilment – providing the Service you requested
  • Consent – processing your health or dietary data, sending marketing, placing non-essential cookies
  • Legitimate interests – enhancing security, preventing fraud, improving products, marketing similar services to existing customers, and ensuring a positive user experience (balanced against your rights and freedoms)
  • Legal obligation – compliance with tax, accounting, consumer-protection and other laws
Where consent is the basis you may withdraw it at any time.

10. Information Security

We employ technical, organisational and administrative measures such as:
  • TLS 1.3 encryption in transit and AES-256 encryption at rest
  • firewalls and intrusion-detection systems
  • role-based access controls and multi-factor authentication for staff
  • annual penetration tests and regular vulnerability scanning
  • employee privacy and security training
No system is perfectly secure. Use strong, unique passwords and keep them confidential.

11. Data Retention

  • Account and billing records are kept while your account is active, then for up to seven years for auditing, tax and dispute-resolution purposes.
  • Health and meal-plan inputs are retained for three years after your last activity or deleted immediately upon your verified request.
  • Analytics logs are stored for up to 24 months.
  • Marketing subscription information is kept until you unsubscribe.
You can trigger automated deletion at any time within the app under Settings → Delete Account.

12. California Privacy Rights (CPRA “Notice at Collection”)

We collect the categories of personal information described above in Sections 2 and 3 for the purposes in Section 4. We do not sell personal information for monetary consideration. We may “share” identifiers and internet activity with advertising partners for cross-context behavioural advertising. We honour the right to access, correct, delete, opt out of sale/share, limit use of sensitive personal information, and portability. California residents may designate an authorised agent to make requests on their behalf.

13. Nevada Privacy Rights

Nevada residents may opt out of future sales of certain “personally identifiable information” as defined by Nevada SB-220. We do not currently sell such information, but you can submit a request via the contact methods below.

14. International Data Transfers

We store data in the United States. When we transfer data from the EEA or UK to the U.S. we rely on:
  • European Commission-approved Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Addendum
  • supplementary safeguards such as encryption, pseudonymisation and access controls
You may request a copy of the SCCs by contacting us.

15. The Service and Children

MealPlan is intended for individuals aged 18 years and older. We do not knowingly collect personal information from children under 13. If you believe your child has provided us data, contact us so we can delete it.

16. Storage of Information in the United States

If you live outside the U.S. you acknowledge that your information will be transferred to, stored and processed in the United States, whose data-protection laws may differ from those in your country.

17. Contact

Character Types LLC
1875 Century Park E
Los Angeles, CA 90067

18. Updates to This Privacy Policy

We may modify this Policy from time to time. When we do we will revise the “Updated” date at the top and, if changes are material, provide prominent notice (for example, by email or in-app message) at least ten days before the new version takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.