Privacy Policy

Effective 29 May 2026

This Privacy Policy describes how Macromise (“the Service”, “we”, “us”) collects and uses information when you use macromise.app.

What we collect

To run the Service we collect the following:

  • Account data: email address and a hashed password, handled by Supabase Auth on our behalf. If you choose “Continue with Google” instead of a password, Google additionally shares your verified email address, your Google account identifier, and (where provided) your name and profile picture with us via Supabase Auth. We use this information solely to create and authenticate your account. We never request or receive access to your Gmail, Drive, contacts, or any other Google service data.
  • Product data you enter: daily macro targets, recipes, ingredients, logged meals, and weight entries.
  • Billing data: if you upgrade to Pro, Stripe collects your payment details and shares a customer id and subscription status with us. We never see or store full card numbers.
  • Operational logs: minimal server-side error and access logs (request paths, status codes, timestamps). We do not log request bodies or query parameters.
  • Contact messages: if you use the contact form, we receive the email address you provide, an optional name, and the message you write, so that we can read and reply to you. When you submit the form, your IP address is used transiently to rate-limit submissions and prevent spam; it is held only as a short-lived counter and is not stored alongside your message or retained long-term.

Analytics

We use PostHog to understand how the Service is used: the pages people open, which features they use, where they get stuck on the grid, and conversion from free to Pro. Our PostHog deployment is set up as follows:

  • Hosted in the EU (eu.posthog.com). Analytics data is processed and stored in the European Union.
  • Served through a same-origin reverse proxy on macromise.app, so the cookies and local storage entries PostHog uses to recognise returning visits are first-party to our domain, not third-party tracking shared across other sites.
  • PostHog records page views, clicks, form interactions, and session recordings of in-app usage where enabled for debugging. Password fields and inputs marked sensitive are masked automatically in any recording.
  • PostHog derives an approximate country and region from the IP address of incoming events. We do not use this for anything other than aggregate usage statistics.
  • We never send your email, password, or the contents of your recipes, plans, or contact messages to PostHog. Events are identified pseudonymously by your Supabase user id only, so a PostHog leak could not be tied back to an inbox.

If you would prefer not to be measured, most browsers offer a setting to clear site data for macromise.app, and tracker-blocking extensions (such as uBlock Origin) will also stop PostHog from loading.

What we do not collect

  • No advertising pixels, ad-network cookies, or cross-site tracking.
  • No third-party tracking cookies on macromise.app. Our authentication cookie and the analytics cookies set by PostHog through our reverse proxy are all first-party to macromise.app. If you sign in with Google, Google will set its own cookies on accounts.google.com during the sign-in redirect; that is Google’s standard authentication flow, not tracking performed by us.
  • No precise location, contacts, or device sensor data.
  • We do not use data received from Google for advertising, profiling, training models, or any purpose beyond providing the sign-in feature you requested.
  • We do not sell or share your personal data with third parties for their own purposes.

How we use your data

  • To provide the Service: rendering your grid, recipes, and macros.
  • To bill you, if you upgrade to Pro (via Stripe).
  • To send transactional emails (sign-up confirmation, password reset, payment receipts, and occasional check-ins to request feedback if your account becomes inactive). We do not send marketing email.
  • To read and reply to messages you send us through the contact form.
  • To understand aggregate usage of the Service and prioritise improvements (see Analytics above).
  • To investigate bugs and abuse, using the minimal logs above.

Sub-processors

We rely on the following service providers to operate Macromise:

  • Supabase (EU region) — authentication, Postgres database, and file storage.
  • Google — identity provider for the optional “Continue with Google” sign-in flow. Used only if you choose this option; we receive the basic profile information described above and nothing else. Google’s use of any data shared during sign-in is governed by the Google Privacy Policy.
  • Vercel — web app hosting and edge delivery.
  • Stripe — payment processing for Pro subscribers.
  • Upstash — Redis cache for external food searches (Open Food Facts and USDA results), keyed by query string only, and short-lived rate-limit counters (including for the contact form).
  • Resend (United States) — email delivery provider used to send us the messages you submit through the contact form, and to store the email addresses of people who join the mobile-app waitlist until we email them to announce the launch.
  • Open Food Facts and USDA FoodData Central — public food databases we query on your behalf when you search for an ingredient. We send the search term you type; no account information is sent.
  • PostHog (EU region) — product analytics (page views and a small number of named events). Cookie-less, IP-anonymised. See Analytics above for the full configuration.

Where your data lives

Account and product data are stored in the European Union (Supabase EU region). Payment data is handled by Stripe and may be processed in the United States and other regions Stripe operates in. Contact-form messages are delivered via Resend, which processes them in the United States. Where data is transferred outside the EU/EEA, it relies on the relevant provider’s Standard Contractual Clauses.

Your rights

Under the GDPR and the Norwegian Personal Data Act, you have the right to access, correct, export, or delete your personal data. You can:

  • Export your data yourself: Profile → Your data → Export (Pro feature).
  • Delete your account: Profile → Delete account. This permanently removes your account and associated product data.
  • Email us at hello@macromise.app for any other request, including correcting data or filing a complaint.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

How long we keep data

Account and product data are retained as long as your account is active. When you delete your account, your data is removed within 30 days from primary storage and within 90 days from backups. If you opt out of re-engagement emails via the unsubscribe link, we record that preference until you delete your account. Stripe keeps a record of past invoices independently, as required by tax law.

Security

Macromise uses TLS in transit and row-level security on the database, and keeps a minimal attack surface. We do not store payment card numbers. If we ever experience a breach involving your personal data, we will notify affected users without undue delay.

Changes to this policy

We may update this policy as the Service evolves. The current effective date is shown above. Material changes will be communicated by email or an in-app notice before they take effect.

Contact

Macromise is operated by KRISTOFFER MOLTU, a company registered in Norway (org. no. 937 795 920). Questions about this policy can be sent to hello@macromise.app.