Privacy Policy
Last updated: 2026-06-26
This Privacy Policy explains what data BurnWeek collects, why, who we share it with, and the choices you have. It covers both the BurnWeek mobile/web app and the BurnWeek app for ChatGPT (an OpenAI Apps SDK / MCP integration hosted at mcp.burnweek.fit).
BurnWeek is an AI calorie tracker. You tell us what you ate in plain language; BurnWeek estimates the calories and protein as honest ranges (never false precision) and keeps a running daily and 7-day total. That food log is the only substantive data BurnWeek holds about you.
Who we are
BurnWeek is operated by Fit Labs OÜ ("BurnWeek", "we", "us"). You can reach us at support@maxfit.ee. Mailing address: Harju maakond, Tallinn, Mustamäe linnaosa, Pöörise tn 7-51, 13520, Estonia.
What we collect
We collect only what is needed to log your meals and show your totals. We practice data minimization: tool responses returned to ChatGPT contain only your food data and totals, not internal IDs, debug payloads, or session metadata.
| Category | Examples | Source |
|---|---|---|
| Account identity | A stable account identifier (your WorkOS sub), your email address, and display name. | Your identity provider (WorkOS AuthKit) when you sign in with Apple, Google, or an emailed one-time code. |
| Food & meal logs | The text you write describing what you ate or drank, the AI-estimated calorie and protein ranges, portion weights you adjust, and the timestamp/date of each entry. | You, via the app or ChatGPT. |
| Daily/weekly totals | Aggregated calorie/protein totals, your daily calorie target, and 7-day sliding-window figures derived from your logs. | Computed by BurnWeek from your logs. |
| Account linking codes | A short-lived one-time code you generate in the app to link your existing app data to ChatGPT. | You, when you choose to link. |
| Basic operational logs | Standard server logs needed to run and secure the service (e.g. request timing, error traces). These are not used to profile you. | Automatic. |
What we do NOT collect
To keep BurnWeek safe for general audiences and compliant with OpenAI's app policies, we deliberately do not collect:
- No payment or card data. BurnWeek's ChatGPT app is free; there is no in-app purchase, subscription, or checkout, so we never see PCI data.
- No precise/raw location. We do not request or store GPS or device location.
- No Protected Health Information (PHI) and no medical data. BurnWeek is a general-wellness calorie tracker, not a medical or healthcare service. We do not collect diagnoses, conditions, lab results, prescriptions, or any clinical/medical records. The only health-adjacent data is the food you choose to log and its calorie/protein estimates. BurnWeek does not provide medical advice, diagnosis, or treatment.
- No government IDs / SSNs, no authentication secrets (passwords are handled by your identity provider, not us), and no biometric data.
- No surveillance, ad tracking, or cross-app profiling.
How we use your data
- To log meals and estimate nutrition — turn your description into calorie and protein ranges and store the entry.
- To show your totals — today's running total, remaining for the day, and the 7-day sliding-window budget.
- To authenticate you and isolate your data — each user's logs are stored in their own partition, keyed to their identity; one user can never see another's data.
- To link accounts — connect your existing BurnWeek app history to ChatGPT when you provide a link code.
- To operate, secure, and debug the service.
We do not sell your data, and we do not use your food logs to train third-party models or for advertising.
How estimation works (and what leaves BurnWeek)
When you log a meal, the text you wrote is sent to an AI estimation provider (currently OpenAI's API) so BurnWeek can produce a calorie/protein estimate. We send the food description; we do not send your identity to the estimation provider for this purpose beyond what is required to make the request. The estimate returned is stored against your account.
Separately, when you use BurnWeek inside ChatGPT, your prompts and the app's responses are processed by OpenAI / ChatGPT as the platform you are using, subject to OpenAI's own privacy policy.
Who we share data with (sub-processors)
We share data only with infrastructure providers that help us run BurnWeek, each acting on our instructions:
| Provider | Purpose | Data involved |
|---|---|---|
| OpenAI (ChatGPT) | The platform you interact with when using the BurnWeek ChatGPT app. | Your prompts and the app's responses (your food data and totals). |
| OpenAI (API) | AI calorie/protein estimation. | The meal descriptions you log. |
| WorkOS (AuthKit) | Identity / sign-in (Apple, Google, email one-time code) and OAuth. | Your email and account identifier. |
| Amazon Web Services (AWS) | Hosting, database (DynamoDB), and storage in the United States. | All stored account and food-log data. |
We may also disclose data if required by law, or to protect the rights, safety, and security of our users and service.
Where data is stored
Data is stored on AWS infrastructure in the United States. If you access BurnWeek from outside the US, you consent to processing in the US.
How long we keep it
- Food & meal logs and totals: retained while your account is active so you can see your history and 7-day budget. You can delete individual meals at any time; deletion is immediate and permanent.
- Account identity: retained while your account exists.
- Link codes: short-lived (they expire shortly after creation).
- Operational logs: retained for a limited period for security and debugging, then rotated/deleted.
When you delete your account, we delete your food logs and account record (see below), except where we must retain limited records to comply with law.
Your choices and rights
- Access / export: request a copy of the data we hold about you.
- Correct: edit a meal's portion (which recomputes its estimate) or re-log.
- Delete a meal: remove any logged meal at any time, in the app or via ChatGPT ("undo that").
- Delete your account: request full deletion of your account and all associated food logs by emailing support@maxfit.ee (in-app account deletion is planned for the mobile app).
- Disconnect ChatGPT: remove the BurnWeek connector in ChatGPT at any time to stop ChatGPT's access; this does not delete the data already stored in your BurnWeek account.
To exercise any of these, contact support@maxfit.ee. We respond within a reasonable time and in line with applicable law.
Children
BurnWeek is not directed to children under 13 and we do not knowingly collect data from anyone under 13. The BurnWeek ChatGPT app is designed to be suitable for users aged 13 and up: no ads, no medical advice, no profiling, and no collection of sensitive categories. If you believe a child under 13 has provided us data, contact us and we will delete it.
Security
We use industry-standard measures: encrypted transport (HTTPS/TLS), token-based authentication via WorkOS, per-user data isolation, and least-privilege access to our database. No system is perfectly secure, but we work to protect your data.
Changes to this policy
We may update this policy as BurnWeek evolves. We will update the "Last updated" date and, for material changes, provide a more prominent notice.
Contact
Questions or requests: support@maxfit.ee · Fit Labs OÜ, Harju maakond, Tallinn, Mustamäe linnaosa, Pöörise tn 7-51, 13520, Estonia.