Privacy Policy — 4PRO Eat
Data Controller: Fabulosos SRL · Jurisdiction: RO · Reg. No. / VAT: 33968578 · Registered office: Str. Valea Oltului, nr. 8, Bl. A6, Ap. 36, Sector 6, București, RO
Version: v2.2 · Effective from: 31 May 2026
DPO contact: dpo@4pro.io · Application: 4PRO Eat (eat.4pro.io)
This Privacy Policy describes how Fabulosos SRL collects, uses, shares and protects your personal data when you use 4PRO Eat (the eat.4pro.io Site and the Mobile Application).
4PRO Eat processes highly sensitive personal data (health data, food logs, body measurements, progress photos). We handle this data in accordance with the GDPR (EU Regulation 2016/679) and applicable Romanian legislation.
1. Who we are (the Data Controller)
Fabulosos SRL, registered under the RO jurisdiction, registration number 33968578, registered office Str. Valea Oltului, nr. 8, Bl. A6, Ap. 36, Sector 6, București, RO, is the data controller for 4PRO Eat.
Data Protection Officer (DPO): dpo@4pro.io
2. What types of data we collect
The categories of data collected depend on the features you use:
2.1 Identification data
- Email address (mandatory — required to create the account)
- Name (optional — if provided)
- Unique Google or Apple identifier (in the case of third-party SSO authentication)
- Unique 4PRO identifier (when you access via ecosystem SSO)
2.2 Demographic and anthropometric data (all optional)
- Sex
- Date of birth
- Height, weight (current and target)
- Physical activity level
2.3 Health and nutrition data (special category under GDPR Art. 9 — requires explicit consent)
- Daily food log (meal photos + description + AI-estimated macronutrients)
- Personalized meal plan (if created by you)
- Body measurement history (weight, circumferences, body composition)
- Progress photos (optional, uploaded by you)
- Daily score + AI narrative + AI inferences about your nutritional status
- Nutritional and fitness goals
- Food allergies, dietary restrictions (if you provide them)
- Menstrual cycle data and associated symptoms (if you enable female-health tracking — see the separate Health Data Consent Notice)
2.4 Technical and usage data
- IP address
- Device type, operating system, browser
- How you use the Platform (pages accessed, buttons clicked, time spent)
- Cookies and tracking identifiers (see the Cookies Policy)
2.5 Payment data (processed by our processors, NOT stored by us)
- Bank card data — processed exclusively by Stripe (Site) or Apple/Google (Mobile Apps)
- Billing data (name, address, registration number for legal entities)
2.6 AI data and interactions with the AI coach
- Conversations with the AI Coach (text + context)
- Questions and answers related to your plans
- To improve responses, certain conversations may be reviewed by our team in anonymized form (without an identifier)
3. Why we collect this data (Purposes and legal basis)
| Purpose | Data involved | GDPR legal basis |
|---|---|---|
| Creating and managing the Account | Email, password / SSO | Performance of contract (Art. 6(1)(b)) |
| Nutrition and fitness services (health data) | Data 2.3 | Explicit consent (Art. 9(2)(a)) |
| AI generation of recommendations, score and narratives from health data | Data 2.3, 2.6 | Explicit consent (Art. 9(2)(a)) |
| Payment processing | Data 2.5 | Performance of contract (Art. 6(1)(b)) |
| Adaptive discipline (WhatsApp notifications) | Phone number (if you opt in) + data 2.3 | Explicit consent (Art. 9(2)(a)) |
| Personal progress statistics (health data) | Data 2.3 | Explicit consent (Art. 9(2)(a)) |
| Basic demographic/anthropometric data (non-health) | Data 2.2 | Performance of contract / Consent |
| Security (anti-fraud, IP logging) | Data 2.4 | Legitimate interest (Art. 6(1)(f)) |
| Direct marketing (newsletter, offers) | | Separate consent (opt-in) |
| Legal obligations (invoicing, auditing) | Data 2.5, identity | Legal obligation (Art. 6(1)(c)) |
Important note on health data (Art. 9). All processing of health data (meal photos, body measurements, progress photos, daily score, AI inferences, menstrual cycle) rests solely on your explicit consent (Art. 9(2)(a) GDPR) — never on legitimate interest or the mere performance of the contract.
Important: you can withdraw your consent at any time for any opt-in purpose (newsletter, sharing with a coach, WhatsApp nudges, processing of health data) without affecting basic access to your account.
4. Who we share data with
4.1 Payment processors (sub-processors)
- Stripe Inc. (USA) — Web card processing
- Apple Inc. and Google LLC (USA) — processing within the mobile applications
4.2 Technical infrastructure (sub-processors)
- Cloud hosting providers (PostgreSQL servers, image storage, CDN) — EU locations prioritized
- AI providers (see the transfer table in section 9) — for vision analysis of meals and the AI Coach. The data sent to the AI is strictly limited to what is necessary for the request (the photo + context) and is NOT used to train the third party's models (per our commercial agreements)
- Meta Platforms Ireland / WhatsApp (WhatsApp Business API) — for adaptive discipline notifications (if you opt in)
4.3 Sharing with a Nutritionist / Doctor / Trainer (only if you explicitly opt in)
Your personal data and food log may be shared with a Nutritionist / Doctor / Trainer only with your explicit consent, by communicating the unique ID from your profile page. The purpose of sharing is to create personalized plans, monitor food logs, track measurements, and track statistics and progress. This sharing is optional and you can revoke it at any time from settings.
4.4 4PRO Ecosystem (SSO)
When you access 4PRO Eat via 4PRO SSO, your identifiers (email, unique ID, role) are synchronized with 4pro-identity (the SSO broker). Your profile remains with Fabulosos SRL as the data controller for 4PRO Eat; your cross-app shared identity is managed by 4PRO Identity under the same GDPR conditions.
4.5 Legal obligations
Your data may be disclosed to competent authorities (ANSPDCP, the Public Prosecutor's Office, courts) upon a legally justified formal request.
We do not sell and will NOT sell your data to third parties for marketing purposes.
5. How long we keep the data
- Active account: for the duration you use your account
- Inactive account (no login > 24 months): email notification, automatic deletion after 36 months of inactivity
- Meal photos and progress photos: kept for the duration of the active account; you can delete them individually at any time from the app. On account deletion they are removed within 30 days from the active database and image storage, then from the encrypted backups within at most 90 days
- After account deletion: 30-day retention to allow recovery of accidental deletion, then complete deletion from the active database. Encrypted backups retained for 90 days
- Billing data: 10 years (statutory tax obligation)
- Security logs: 12 months
- Anonymized / aggregated data (usage statistics without an identifier): may be kept indefinitely
6. Your GDPR rights
Under the GDPR you have the following rights:
- Right of access (Art. 15) — to obtain a copy of your data
- Right to rectification (Art. 16) — to correct inaccurate data
- Right to erasure ("right to be forgotten", Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — export in JSON/CSV format
- Right to object (Art. 21) — in particular to direct marketing
- Right to withdraw consent (Art. 7) — at any time, as easily as it was given, without affecting the lawfulness of prior processing
- Right not to be subject to a decision based solely on automated processing (Art. 22) — see section 11
- Right to lodge a complaint with ANSPDCP (the Romanian authority) or the authority in your country of residence
How to exercise these rights:
- Directly from the app: the "Settings → Privacy" section → Export / Delete account buttons
- By email at dpo@4pro.io — we respond within 30 days
- The centralized Your rights page of the 4PRO Legal Hub
7. Cookies and similar technologies
We use cookies for essential functioning (authentication, preferences), analytics (anonymized Google Analytics) and marketing (only with explicit consent through the cookie banner on the first visit).
Full details + granular control in the Cookies Policy.
8. Data security
We implement technical and organizational measures compliant with Art. 32 GDPR:
- HTTPS encryption for all communications (TLS 1.2+)
- Passwords stored with bcrypt (cost 12)
- Daily encrypted backups (AES-256)
- Restricted access to production data (need-to-know)
- Logging and auditing of administrative actions
- Proactive incident monitoring
In the event of a security breach that presents a high risk to your rights, we will notify ANSPDCP within 72 hours and you without undue delay.
9. International data transfers
Certain sub-processors are established in the United States. This includes health data (for example meal photos and related context) which is transmitted to US AI providers strictly to generate your analysis and recommendations. Transfers are made with adequate safeguards in accordance with Chapter V of the GDPR, as follows:
| Recipient | Country | Purpose | Transfer mechanism (Art. 46 / adequacy) |
|---|---|---|---|
| Stripe Inc. | USA | Payment processing (Site) | SCCs 2021/914 + EU-US Data Privacy Framework (where certified) |
| OpenAI, L.L.C. | USA | Meal vision analysis / AI Coach | SCCs 2021/914 + DPA with no-training clause |
| Google LLC (Google AI / Gemini) | USA | Meal vision analysis / AI Coach | SCCs 2021/914 + EU-US Data Privacy Framework |
| Groq, Inc. | USA | Meal vision analysis / AI inferences | SCCs 2021/914 + DPA with no-training clause |
| Anthropic PBC (Claude) | USA | AI Coach / narrative generation | SCCs 2021/914 + DPA with no-training clause |
| Apple Inc. | USA | Payment processing (App Store) | SCCs 2021/914 + EU-US Data Privacy Framework (where certified) |
| Meta Platforms / WhatsApp | USA / Ireland (EU) | WhatsApp notifications (opt-in) | SCCs 2021/914 + EU-US Data Privacy Framework |
In all cases we apply Transfer Impact Assessments (TIA) updated periodically. The AI providers do not use your data — including health data — to train their models, in accordance with our data processing agreements (DPAs).
10. Minors
4PRO Eat is intended for persons aged at least 18 years. We do not knowingly collect data from minors. If you learn that a minor has created an account, please contact us at dpo@4pro.io and we will delete the account + associated data.
11. Automated decisions and profiling (Art. 22 GDPR)
4PRO Eat uses automated processing and profiling. The logic is as follows: from your meal photo the AI estimates the macronutrients, from which the daily nutrition score is calculated; your score and history determine your adaptive discipline tier (soft / moderate / firm), which in turn may trigger a motivational WhatsApp notification. The AI Coach uses the same context to respond to you.
Significance of the processing. Profiling influences your in-app experience (recommendations, message tone, intensity of discipline "nudges"), but it does not produce legal effects on you and does not similarly significantly affect you. These outputs are decision-support tools, not solely-automated final decisions; you remain the decision-maker.
Your rights (Art. 22(3)): you can request human intervention by us, express your point of view, contest an outcome, and switch off the profiling components (for example WhatsApp adaptive discipline and cycle-phase-based adjustments) from settings, without losing access to core features. For assistance, write to dpo@4pro.io.
We do not use profiling for decisions with legal effect on you (e.g. credit approval, employment evaluation, etc.).
12. Contact and supervisory authority
For questions or to exercise your rights:
- DPO Fabulosos SRL: dpo@4pro.io
- Postal address: Str. Valea Oltului, nr. 8, Bl. A6, Ap. 36, Sector 6, București, RO
Romanian supervisory authority: the National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest · www.dataprotection.ro · anspdcp@dataprotection.ro
You also have the right to lodge a complaint with the data protection authority in your country of habitual residence, if other than Romania.
13. Changes to the Privacy Policy
Substantial changes to this Policy will be notified by email and by a banner in the Application at least 15 days before they take effect. The version history is available at legal.knowbest.ro/en/privacy/4pro-eat.