This policy is specifically about your health-related data — glucose readings, weight logs, meal tracking, dietary preferences, allergies, and similar information. It supplements our main Privacy Policy and is required by laws including the Washington My Health My Data Act, Nevada SB 370, and similar consumer health data laws in other states.
1. Categories of Consumer Health Data We Collect
ThisWeekEats may collect or receive the following categories of consumer health data when you use our service:
Glucose readings — when you connect a continuous glucose monitor (such as Stelo, Dexcom G6/G7, or a future supported device), we receive your glucose values (mg/dL), timestamps, and trend indicators
Weight logs — values you enter manually or import from a connected scale (one entry per day maximum)
Meal and food intake — recipes you cook, ratings, what you ate vs. what was planned, and custom recipes you create
Allergies and intolerances — explicit food allergies you identify so we can exclude unsafe recipes
GLP-1 medication context (if you opt in) — which class of medication you take so we can tune calorie targets and recipe selection; we do not collect dose, prescriber, or pharmacy information
Inferences — patterns we derive from the above for the sole purpose of personalizing your meal plan (e.g., "user does better on lower-carb breakfasts based on glucose response")
2. Sources of This Data
Directly from you — when you enter information in the app or website
From devices you authorize — when you connect Stelo, Dexcom, Apple HealthKit, or a similar service via OAuth or device-side share, the device manufacturer transmits the data to us per their terms and yours
From your activity in the app — meals you mark as cooked, recipes you rate, plans you accept or modify
We do not purchase health data from data brokers, scrape it from public sources, or receive it from advertising networks.
3. How We Use Your Consumer Health Data
To generate and personalize your meal plans, recipes, and shopping lists
To display your glucose, weight, and meal data back to you in trend views
To filter out recipes that violate your allergies or dietary restrictions
To adjust calorie and macro targets for users on GLP-1 medications
To improve our recipe-quality algorithms in aggregate, deidentified form only
To respond to your support requests when you reference your data
We do not use your consumer health data for:
Advertising or marketing (we do not run targeted ads)
Sale to third parties (we do not sell consumer health data, period)
Training third-party AI models on your individual records
Insurance pricing, employment screening, or any adverse decision-making
4. Who We Share It With (And Who We Don't)
We share consumer health data only with the following categories of processors, and only as needed to operate the service:
Our cloud infrastructure providers (Vercel for our web application, Neon for our database, Railway for our background workers) — they host the data so we can serve it back to you; they are contractually prohibited from accessing or using it
Nutrition database providers (Edamam, USDA FoodData Central) — we send only ingredient names and quantities for calorie lookups, never glucose values, weight, or anything that identifies you
AI providers (Anthropic via Vercel AI Gateway, Google Gemini via OpenRouter) — we send recipe content and ingredient lists for generation and validation, never glucose values, weight, or identifying information
Payment processor (Stripe) — receives only billing data, never health data
We do not share consumer health data with:
Advertisers, marketing platforms, or data brokers
Analytics products that profile individuals (e.g., we do not send glucose readings to Google Analytics, Mixpanel, or similar)
Insurance companies, employers, or law enforcement (except where required by valid legal process)
Other ThisWeekEats users (your data stays in your account)
5. Your Rights
Regardless of where you live, you have the following rights regarding your consumer health data:
Right to access — request a copy of all consumer health data we hold about you, in a portable format
Right to delete — request deletion of your consumer health data; we will delete it from our active systems within 30 days and from backups within 90 days
Right to withdraw consent — disconnect a connected device (Stelo, Dexcom, etc.) at any time from your account settings; we stop receiving new data immediately and you can request deletion of past data
Right to confirm processing — ask us what categories of your data we are processing and for what purposes
Right to opt out — opt out of any sale of personal data (note: we do not sell consumer health data, but this right exists in principle)
Right to non-discrimination — we will not deny service, charge different prices, or provide different quality of service for exercising these rights
To exercise any of these rights, email privacy@thisweekeats.com with the subject "Health Data Request" and we will respond within 45 days. You can also use the "Delete My Health Data" control in your account settings to delete specific data categories yourself, immediately.
6. Security
We protect consumer health data using reasonable and appropriate security measures:
Encryption in transit (TLS 1.2+) for all data sent between your device, our servers, and connected services
Encryption at rest for our primary database
Access controls limiting which employees or contractors can view consumer health data; access is logged and audited
Authenticated API access for all device integrations (OAuth or equivalent)
No consumer health data sent to general-purpose analytics or error-reporting tools
No system is 100% secure. If we discover a breach affecting your consumer health data, we will notify you and the relevant regulators per applicable law (including, where applicable, the Washington Attorney General).
7. Retention
We retain consumer health data only as long as needed for the purposes described above. Specifically:
Glucose readings: retained while your account is active, for personal trend visualization
Weight logs: retained while your account is active
Meal tracking: retained while your account is active
When you delete your account, all consumer health data is removed from active systems within 30 days and from backups within 90 days
8. Geofencing (Washington MHMDA)
We do not use geofencing technology to collect, track, or target consumer health data based on your location near healthcare facilities, mental health providers, or reproductive health facilities. We do not currently collect precise geolocation data from your device at all.
9. Children
ThisWeekEats is intended for users 18 and older. Account holders may add family members under 18 as "managed members" for meal planning, but we do not knowingly collect consumer health data (glucose, weight, etc.) directly from anyone under 13. If you believe we have such data, email us and we will delete it promptly.
10. Changes to This Policy
Material changes — like adding new categories of consumer health data, sharing with new categories of processors, or new processing purposes — require your affirmative consent before we apply them to your data. We will notify you in the app and via email, and you will need to opt in before the change takes effect for your account. Non-material updates (typo fixes, clarifications) will be posted here with a new "Last updated" date.
11. Contact Us
For questions or requests about your consumer health data:
Email: privacy@thisweekeats.com
Subject line: "Health Data Request" for fastest routing
Mail (for formal requests): contact via email first; we will provide a mailing address if needed
You may also file a complaint with your state Attorney General. Washington residents can contact the Washington Attorney General's Office at atg.wa.gov/file-complaint.
This policy is provided for transparency. Nothing here constitutes legal advice. For specific questions about your rights in your jurisdiction, please consult an attorney or your state consumer protection office.