Privacy Policy
Last updated: 11 April 2026
1. Who we are
Creator Camp Ltd (“we”, “us”, “our”) operates poby.app and the Poby iOS app. We are the data controller for personal data processed through our website and app, unless we say a provider acts only as our processor.
Registered office:Suite Ra01, 195–197 Wood Street, London, United Kingdom, E17 3NU
Privacy contact: contact@poby.app
2. Who this notice is for
This notice applies if you use our website, join a waitlist, email us, or use the Poby app (account, logging, optional features).
We process personal data in line with the UK GDPR and the Data Protection Act 2018. The ICO publishes general guidance on your rights.
Age: Poby is for adults (18+). Do not use the website or app if you are under 18.
3. What we collect (by category)
We only collect what we reasonably need for the purposes in Section 4.
A. Website — waitlist, contact, and general browsing
- Contact details you give us (for example email, message content).
- Technical data such as IP address, device or browser type, approximate location from IP, pages viewed, and timestamps (logs).
- Cookies and similar technology on the site: described in our cookie banner; non-essential analytics runs where you consent.
B. App — account and profile
- Account data from Sign in with Apple or Google (and a stable user ID in our systems).
- Profile and preferences you provide or we derive to run the app (for example country, gender, date of birth, height, weight, goal type, targets, calculated energy figures, notification preference).
C. App — what you log
Meal descriptions and related nutrition information you save (including estimates where you use that feature).
D. App — optional photo feature
If you choose it: photos you take or pick so we can suggest a short food description or support logging. We use them only to provide that feature, not for unrelated advertising.
E. App — subscriptions
Information needed to provide paid features through Apple (we do not receive your card number from Apple).
F. App — optional AI features
If you use them: the text or profile snippets needed to run the feature, and the result returned to you. See Section 4.
G. Security and reliability
Limited technical and usage data to keep the service secure, fix errors, and prevent abuse (including fair use of AI features).
We do not use separate third-party product-analytics SDKs inside the Poby iOS app. Website analytics are described above and in our cookie banner.
4. Why we use data (purposes) and lawful bases (summary)
| What we do | Why | Typical lawful basis |
|---|---|---|
| Run the website (pages, waitlist, contact) | Provide information and respond to you | Consent (waitlist and non-essential cookies), legitimate interests (security, basic operation), contract or steps before contract where relevant |
| Run the app (account, sync, saving your log) | Provide the service you asked for | Contract; legitimate interests (security, reliability) |
| Optional photos | Provide the photo-based logging assist | Contract |
| AI features (if you use them) | Return estimates or suggestions you requested | Contract and/or legitimate interests; where data is health-related, we may also rely on grounds permitted under Article 9 UK GDPR for personal data you provide in a health or wellbeing context through the app |
| Subscriptions (Apple) | Unlock paid features | Contract; payment handled by Apple |
| Analytics (site) | Understand use of the site | Consent for non-essential cookies |
| Compliance and disputes | Meet legal obligations, defend claims | Legal obligation and legitimate interests |
We do not sell your personal data. We do not use meal content or photos for marketing unless we ask for separate consent.
5. Who we share data with
We use service providers under contracts that meet UK GDPR processor expectations, for example:
- Hosting and backend (including database and authentication for the app), for example Vercel and Supabase.
- Apple and Google where you use Sign in with Apple or Google; and Apple for subscriptions and related payment flows (Apple processes payment card data).
- Website tools we use, including Google Tag Manager, Google Analytics, and PostHog (EU configuration) where you consent to non-essential analytics on the site.
- AI providers, only when you use an AI feature and only through our controlled backend.
We may share data if law or a valid legal request requires it.
6. International transfers
Some providers may be outside the UK. Where we transfer personal data, we use appropriate safeguards such as the UK extension to the EU–US Data Privacy Framework and/or UK IDTA, Addendum, or standard contractual clauses, depending on the supplier.
7. How long we keep data
We keep data only as long as needed for the purposes above, for example:
- Waitlist and marketing list: until that programme ends or you withdraw consent, then deleted or anonymised as soon as practicable.
- Support emails: typically up to 24 months after the last message.
- Web logs (security): often about 90 days, unless we need longer for an incident.
- App account and logs: while your account is active. After you delete your account or ask us to erase data, we delete or anonymise within a reasonable period, including residual copies in backups, within 90 days in ordinary circumstances.
8. Your rights
You may have the right to access, rectify, erase, restrict, object (where legitimate interests apply), data portability (where applicable), and to withdraw consent where processing is consent-based. You may complain to the ICO.
To exercise rights: contact@poby.app. We may ask for reasonable identity checks.
9. Security
We use appropriate technical and organisational measures. No online service is perfectly secure; we work to reduce risk in line with UK GDPR.
10. Changes
We may update this notice; the “Last updated” date will change. For important changes we may use the site, in-app messaging, or email where we can.