Privacy policy
Last updated 2026-05-13
Trophic is a tool for planning meals. This policy tells you, plainly, what data we collect when you use it, why, who else sees it, and what you can do about it.
Trophic is operated by Minimal Systems LLC, a Texas limited liability company. If anything here is unclear, email support@trophic.app.
What we collect
Your account. Your email address, first name, and last name. You give these to us when you sign up. Your email is also how you sign in (we send you a one-time code).
What you create in the app. The meals and meal plans you build — names, ingredients, amounts, labels, servings, groups, and per-nutrient targets. This is your work; we store it so you can come back to it.
Billing data, if you upgrade to Pro. When you subscribe, payment runs through Stripe. Trophic never sees or stores your card details. We do share your email with Stripe so they can issue receipts and so the Stripe-hosted Customer Portal recognizes you. What we store on our side, tied to your account, is a Stripe customer ID, your subscription ID, your plan, its price, its status (including whether it's paused or scheduled to cancel), and your renewal date — what we need to show your account state and respond to renewals.
Product analytics. When you use Trophic, we send a small set of events to PostHog — things like signed up, created a meal, exported a CSV, clicked upgrade — so we can see how the product is actually used and where it breaks. Each event is tied to your account ID, and your name and email are attached to your PostHog person record so we can recognize you across sessions.
Technical data collected automatically. When you load the app, our hosting and analytics providers automatically capture standard request metadata: your IP address, an approximate location derived from it (typically city-level), the page you're on, the URL that referred you, and your browser, operating system, device type, and viewport size. Supabase logs your IP on sign-in for account-security purposes. If the app throws an error, the contents of that error — which can include identifiers for the meals or plans you were working on — are also captured so we can debug it.
Cookies and similar storage. We use a small number of first-party cookies and local-storage entries:
- Supabase sign-in cookies that keep you signed in and refresh your session.
- PostHog cookies that hold your analytics ID and session state — anonymous before you sign in, tied to your account afterwards.
- A small local-storage entry that remembers which nutrient columns you've chosen to display in tables. It holds preferences only — no personal information.
We don't use advertising cookies, third-party trackers, or fingerprinting.
What we don't collect. Your card details, your precise location (we only see an IP-derived approximation, as noted above), your contacts, session-replay recordings of your screen, anything from outside the app, or anything we haven't listed above.
How we use it
We use the data above for four things, and only these four things:
- To run Trophic — sign you in, save your meals, show you your nutrition totals, sync your subscription state.
- To take your payment if you upgrade — through Stripe.
- To understand and improve the product — by looking at analytics and debugging errors.
- To send you essential service emails — sign-in codes, important account notices, and material updates to this policy.
We don't sell your data. We don't share it with advertisers. Trophic does not use your data to train AI models, and our processors are contractually limited to using your data only to provide their services to us. We don't profile you beyond what's needed to run the features you see.
Who we share it with
To run Trophic we rely on four companies. Each one only receives the data it needs to do its job, and each one has its own privacy policy worth reading:
- Vercel — hosting and request routing for the website itself.
- Supabase — the database your meals live in, the authentication system that signs you in, and the delivery of sign-in and account emails.
- Stripe — payment processing and subscription management. Your card details only ever exist with Stripe, not with us.
- PostHog — product analytics and error tracking.
That's the whole list. No one else sees your data.
These processors are based in the United States and process your data there. If you use Trophic from outside the US, your data will be transferred to and processed in the US under the terms of the agreements we have with each processor.
Your rights
You can:
- See what we have. Most of it is already in the app — your account, your meals, your meal plans, your subscription. For anything else, ask us.
- Correct it. Your name and email are editable from the Account page. For anything else, email us.
- Delete it. The Delete account button on the Account page removes your profile, your meals, your meal plans, and your subscription row from Trophic. (See Data retention below for the details and the few exceptions.)
- Ask us anything. Email support@trophic.app and we'll get back to you.
We don't sell your data and we don't share it for cross-context advertising, so there's nothing to opt out of on that front. Exercising any of these rights won't change the service you get from us.
Data retention
We keep your account data, the content you create, and your billing state for as long as your account is active.
When you delete your account, your profile, meals, meal plans, and subscription record are removed from Trophic's live systems immediately. A few things outlive that deletion, and you should know about them:
- Stripe payment records. If you've ever paid us, Stripe retains your customer and invoice records — they're legally required to, for tax and payment-history reasons. We cancel your subscription on the way out, but the historical record stays with Stripe and cannot be removed.
- PostHog analytics events. Events we captured before you deleted your account stay in PostHog under their retention policy, associated with your account ID and with the name and email attached to your PostHog person record. If you'd like us to issue a deletion request to PostHog to remove that record as well, email us and we'll do it.
For anything else we can act on, email us and we'll handle it.
For California residents
Under the CCPA/CPRA, the personal information we collect falls into these categories: identifiers (name, email, account ID, IP address), commercial information (subscription plan and status), internet or network activity (analytics events, error data, technical request metadata), and geolocation data (approximate, derived from your IP address).
You have the right to know what we hold about you, to correct it, to delete it, and not to be discriminated against for exercising any of these rights. The Your rights and Data retention sections above describe how to exercise each one. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
For users in the EU, UK, and EEA
Trophic is operated from the United States and intended for US residents. We do not market Trophic to, or design it for, users in the EU, UK, or EEA. If you nevertheless choose to use Trophic from one of those regions, the following applies:
- Controller. Trophic (operated by Minimal Systems LLC, a Texas limited liability company) is the data controller for the personal information described in this policy.
- Legal basis. We process your data to perform our contract with you (running the service and taking your payment), on the basis of our legitimate interests in understanding and improving the product, and to comply with our legal obligations (e.g., tax records held by Stripe).
- International transfers. Your data will be transferred to and processed in the United States by Vercel, Supabase, Stripe, and PostHog. Each of these processors offers Standard Contractual Clauses (SCCs) or equivalent safeguards as part of their data processing terms.
- Your rights. In addition to the access, correction, and deletion rights above, you have the right to data portability, to restrict or object to processing, and to withdraw consent where consent is the basis. To exercise these, email us.
- Complaints. You have the right to lodge a complaint with your local data protection supervisory authority.
Security
We use HTTPS everywhere, lean on Supabase and Stripe for authentication and payment, and don't store anything we don't need to.
No system is perfectly safe, and we won't pretend otherwise. If you spot something that looks like a vulnerability, please email support@trophic.app and we'll take it seriously.
Children
Trophic isn't built for children. In the US, we don't knowingly collect information from anyone under 13. In the EU, UK, and EEA, we don't knowingly collect information from anyone under 16. If you think a child has signed up, email us and we'll delete the account.
Changes to this policy
If we change this policy, we'll update the date at the top of this page. If a change is material — meaning it changes what we collect, who we share it with, or what you can do about it — we'll email everyone with an active account before it takes effect.
Contact
Questions, requests, or anything else: support@trophic.app.