Legal

Privacy Policy

Version 1.1 · Last updated: 8 April 2026
Operated by: Mackay Advisory · ABN: 68 453 218 868
Registered address: c/- PG Hely Chambers, Level 9, 75 Elizabeth St Sydney NSW 2000, Australia

1. Who We Are

EnergyMatch is a personalised nutrition planning app designed to help parents and guardians fuel their young competitive athletes. The app provides meal timing guidance, food suggestions, and nutrition targets based on each child's age, weight, sport, and training schedule.

EnergyMatch is operated by Mackay Advisory, a business registered in Australia (ABN: 68 453 218 868). When we say "we", "us", or "EnergyMatch" in this policy, we mean that company.

We take our responsibilities as custodians of your family's health data seriously. This privacy policy explains clearly and honestly what data we collect, why we collect it, who we share it with, and how you can control it.

EnergyMatch is available to users in Australia, Canada, the United Kingdom, and the United States. Each jurisdiction has specific privacy rights, and we've addressed each one in this policy.

2. What Data We Collect

2.1 Account Information

When you create an account, we collect:

Email address — used to identify your account, send essential service emails, and allow password recovery
Password — stored as a secure hash by Supabase; we never see or store your plaintext password

2.2 Child Athlete Profiles

EnergyMatch accounts are created by parents or guardians. When you add a child athlete to your account, we collect:

First name or nickname — used for display only; we recommend using a nickname rather than a full legal name
Age (5–18 years) — used to calculate age-appropriate nutrition targets
Biological sex — optional; used to refine carbohydrate and energy calculations. You may select "Prefer not to say"
Body weight (in kilograms) — used to calculate carbohydrate and fluid targets per training session
Dietary requirements and food allergies — including vegetarian, vegan, gluten intolerance, dairy intolerance, nut allergy, egg allergy, fish allergy, Halal, Kosher, or other requirements entered as free text

This is sensitive information about a child. See Section 5 (Children's Privacy) for how we handle and protect this data.

2.3 Training and Activity Data

For each training day, we collect:

Training session time(s), duration, and intensity (Light / Moderate / Hard)
Whether a day is a rest day

2.4 Meal and Nutrition Logs

When you log meals for your child, we collect:

Meal names and descriptions
Food items selected, with portion sizes in grams
Time of each meal
Fluid intake (amount in mL and type of drink)
Recent meal history (up to 100 entries, cached on your device for autocomplete suggestions)

2.5 Training Feedback

After sessions, you can log how your child felt:

Perceived energy level (Great / Good / Low)
Issues such as hunger during training, stomach discomfort, or feeling heavy
Optional free-text notes

2.6 Barcode-Scanned Products

If you use the barcode scanner to look up a packaged food, the barcode number is sent to Open Food Facts (a French non-profit food database). The product information returned is cached in our database to improve future lookup performance. No personal information about you or your child is sent with this request.

To scan barcodes, the app requests access to your device's camera. The camera is used solely to read barcode numbers — no images or video are captured, recorded, or stored. Camera access is only requested when you initiate a barcode scan and is not used for any other purpose.

2.7 Usage and Analytics Data

We use Umami Analytics, a privacy-focused, cookieless analytics tool, to understand how the app is used. Umami collects:

Pages visited and navigation paths
Browser type and version, operating system, device type
Screen resolution
Referring website (how you arrived at the app)
Approximate country (derived from your IP address by Umami; the IP itself is not stored)

Umami does not set cookies and does not track you across other websites. For users in the UK or EU, this tracking requires your consent — see Section 9 (Cookies & Analytics).

2.8 Technical Data (Hosting and Infrastructure)

Our hosting provider, Vercel, may collect standard server access logs including your IP address for security, debugging, and performance purposes. This is not data we actively collect or process beyond infrastructure operation.

3. Why We Collect Your Data (Lawful Bases)

We only collect data for specific, legitimate purposes. Here is how each data type is justified under applicable law:

Data Type	Purpose	AU Lawful Basis (Privacy Act)	UK/EU Lawful Basis (GDPR Art. 6)
Email & password	Account authentication	Necessary for service	Art. 6(1)(b) — Performance of contract
Child profile (name, age, sex, weight)	Personalised nutrition calculations	Necessary for service / consent	Art. 6(1)(b) — Performance of contract; Art. 9 (special category health data) — Art. 9(2)(a) explicit consent
Dietary requirements & allergies	Personalise food suggestions, safety	Consent	Art. 9(2)(a) — Explicit consent (health/allergy data)
Training sessions	Calculate fuel plan timing and amounts	Necessary for service	Art. 6(1)(b) — Performance of contract
Meal logs	Track nutrition, improve recommendations	Necessary for service / consent	Art. 6(1)(b) — Performance of contract
Training feedback	Personalise future recommendations	Consent	Art. 6(1)(a) — Consent
Usage analytics (Umami)	Understand how the app is used, identify bugs	Legitimate interests (opt-out available)	Art. 6(1)(a) — Consent (opt-in required for UK/EU)

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 6 of this policy.

4. How We Use Your Data

Personalised meal timing and food suggestions — the core purpose of the app, based on your child's profile, training schedule, and dietary requirements
Calculating carbohydrate and fluid targets — using your child's age, weight, and training intensity
Improving recommendations over time — meal history and training feedback help us refine suggestions for your child across sessions
Sending essential account emails — email confirmation, password reset, and important service updates
Improving the app — aggregated, anonymous usage analytics to understand which features are used and where users encounter problems
Security and fraud prevention — to detect and prevent unauthorised access to accounts

5. Children's Privacy

This section is especially important. EnergyMatch collects detailed health data about children. We take that responsibility seriously.

Who creates accounts?

Only parents and guardians aged 18 and over may create an EnergyMatch account. Child athletes do not create their own accounts and are not direct users of the service. Children's data is entered and managed entirely by the parent or guardian account holder.

What data do we collect about children?

As described in Section 2.2, we collect each child athlete's nickname, age, biological sex (optional), weight, and dietary requirements. We also store their training schedule, meal logs, and training feedback — all entered by the parent.

Parental consent

Consent for health and dietary data processing is obtained explicitly at account creation, before any child data is entered. During sign-up, the parent or guardian must tick two mandatory checkboxes — the account cannot be created without both:

Parental authority confirmation — "I am the parent or guardian of the child athlete(s) I will add to this app and I have the authority to provide their information."
Terms and Privacy Policy acceptance — "I agree to the Terms of Service and have read the Privacy Policy, including how we handle my child's health data."

Both consent signals, along with a policy version number, are recorded in the user's account at the time of sign-up. Child health data (age, biological sex, weight, dietary requirements, and allergies) is entered on a separate screen after this consent has been recorded.

For users in the UK, this approach aligns with GDPR Article 8 (processing children's data) and satisfies the Article 9(2)(a) explicit consent requirement for special category data. The parent account holder provides consent on behalf of the child. We do not permit children to create their own accounts or provide consent independently.

UK Age Appropriate Design Code (Children's Code)

EnergyMatch is aware of the UK's Age Appropriate Design Code (also known as the Children's Code). As an app used by families with children, we commit to:

Not using children's data for profiling or targeted advertising
Collecting only the data necessary for the service
Enabling parents to access, correct, and delete their child's data
Not using dark patterns to encourage data sharing

Data minimisation for children

We recommend using a nickname rather than your child's full legal name. The app does not require a legal name and works equally well with any identifier you choose.

United States — COPPA

For users in the United States, the Children's Online Privacy Protection Act (COPPA) applies where an online service collects personal information from or about children under 13. EnergyMatch is designed exclusively for use by parents and guardians — children do not create accounts or interact with the service directly. However, because the app collects health and athletic data about children (including those under 13), we address COPPA as follows:

Account creation is restricted to adults. Only parents or guardians aged 18 and over may create an EnergyMatch account. We do not knowingly permit children to register or provide their own information.
Parental consent is obtained at sign-up. Before any child data is entered, the parent or guardian must confirm their authority and accept the Terms of Service and Privacy Policy. This consent is recorded against the account.
Data collected about children is limited to what is necessary for the nutrition planning service — nickname, age, weight, biological sex (optional), and dietary requirements. We do not collect location, behavioural data, or contact information for children.
Parents may review, correct, or delete their child's data at any time via Account Settings in the app, or by contacting us at hello@energymatch.app.
We do not share children's data with third parties for advertising, marketing, or any purpose beyond what is necessary to provide the service.

If you believe a child has provided information to EnergyMatch without appropriate parental authority, please contact us immediately at hello@energymatch.app and we will delete that information promptly.

6. Third-Party Services We Use

We use a small number of carefully selected third-party services. Each is listed below with their role and privacy information.

Service	What They Do	Data They Receive	Privacy Policy
Supabase	Database and authentication (Data Processor). Stores your account data, child profiles, and meal logs on our behalf.	Email, hashed password, child profiles, meal logs, training data	supabase.com/privacy
Open Food Facts	Public food database used for barcode scanning lookups	Barcode number only — no personal data	openfoodfacts.org/privacy
Umami Analytics	Cookieless, privacy-focused usage analytics	Page views, browser/device type, approximate country	umami.is/privacy
Vercel	Web hosting and content delivery (Data Processor)	IP address (server logs only, not stored by us)	vercel.com/legal/privacy-policy

We do not use advertising networks, data brokers, or marketing platforms. We do not sell data to any third party.

7. International Data Transfers

EnergyMatch is operated from Australia. Your data may be stored and processed in other countries, primarily the United States, where our infrastructure providers are based.

For Australian users

Under the Australian Privacy Act (APP 8), we take reasonable steps to ensure that overseas recipients of personal information handle it with protections equivalent to Australian law. Supabase and Vercel both operate under enterprise-grade security and comply with international data protection standards.

For UK and EU users (GDPR)

Transfers of your personal data outside the UK/EEA are governed by appropriate safeguards. Specifically:

Supabase — data is stored on AWS infrastructure. Supabase provides Standard Contractual Clauses (SCCs) as the transfer mechanism. A Data Processing Agreement (DPA) is available at supabase.com/dpa.
Vercel — hosting infrastructure. Vercel provides SCCs for EU/UK data transfers via their Data Processing Addendum.
Umami Analytics — analytics data is processed in the US by Umami Inc. Consent is obtained before any analytics data is collected from UK/EU users.

For Canadian users

Under PIPEDA, transfers of personal information to service providers in other countries are permitted where we have contractual protections in place. Our service providers (Supabase, Vercel) operate under their own privacy programmes and we rely on their contractual commitments to protect your data.

8. Data Storage and Retention

Where is your data stored?

Your data is stored in two places:

Your device (localStorage) — child profiles, meal logs, and training data are stored locally on your browser or device for fast, offline access
Supabase cloud database — if you create an account, your data is also synced to our Supabase database for backup and multi-device access. Guest users' data remains on-device only.

How long do we keep your data?

While your account is active: We retain your data for as long as you have an active account
After account deletion: We will delete your data from our Supabase database within 30 days of account deletion
Local device data: Cleared when you uninstall the app or clear your browser's local storage; you can also delete it via your browser's developer tools
Barcode product cache: Cached product data (barcode number and product nutritional information sourced from Open Food Facts) is shared across all users and is not linked to any individual account, device, or user in any way. Because it contains no personal data as defined under UK/EU GDPR or the Australian Privacy Act, it is not subject to personal data retention rules and is retained indefinitely to improve lookup performance for all users.

You can delete your account and all associated data at any time directly in the app via Account Settings → Delete Account. You may also request deletion by emailing hello@energymatch.app. In both cases, your data will be removed from our database within 30 days.

9. Your Rights

Your rights depend on where you are located. Find your jurisdiction below.

🇦🇺 Australia

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to:

Access — request a copy of the personal information we hold about you and your child
Correction — ask us to correct inaccurate, incomplete, or misleading information
Complaints — if you're unhappy with how we handle your request, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992

🇬🇧 United Kingdom & EU

Under the UK GDPR (and EU GDPR where applicable), you have the right to:

Access (Art. 15) — obtain a copy of your personal data
Rectification (Art. 16) — have inaccurate data corrected
Erasure (Art. 17) — delete your account directly via Account Settings → Delete Account in the app, or request erasure by email
Data portability (Art. 20) — receive your data in a structured, machine-readable format. You can exercise this right directly in the app: go to Account Settings → Download my data to export all child profiles, meal logs, and training data as a JSON file. You may also request a copy by emailing hello@energymatch.app and we will provide it in JSON format within 30 days.
Restriction (Art. 18) — restrict how we process your data in certain circumstances
Object (Art. 21) — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent, you may withdraw it at any time by contacting us at hello@energymatch.app. Withdrawing consent will not affect your account access; it may only limit features that depend on that specific data (for example, withdrawing consent for dietary data would disable allergy-based food filtering). Withdrawal is as easy as giving consent and will not result in any detriment to you.
Complaints — you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113

🇨🇦 Canada

Under PIPEDA (and Quebec's Law 25 / Bill 64 where applicable), you have the right to:

Access — request access to the personal information we hold about you
Correction — challenge the accuracy of your information and have it corrected
Withdrawal of consent — withdraw consent for non-essential data collection at any time. Withdrawing consent will not affect your account access; it may only limit features that depend on that specific data. Withdrawal will not result in any detriment to you.
Complaints — contact the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca or 1-800-282-1376

Quebec residents have additional rights under Law 25, including the right to data portability and to request anonymisation rather than deletion.

🇺🇸 United States

There is no single federal privacy law equivalent to GDPR in the United States. However, under COPPA (where applicable) and applicable state laws, parents have the right to:

Review — request access to the personal information collected about your child
Delete — delete your account and all associated child data directly in the app via Account Settings → Delete Account, or by contacting us at hello@energymatch.app
Refuse further collection — you may withdraw consent and request we stop collecting data about your child by deleting your account
California residents (CCPA/CPRA) — you additionally have the right to know what personal information is collected, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising privacy rights

To exercise any of these rights, contact us at hello@energymatch.app. We will respond within 30 days (or within the timeframes required by your local law, if shorter).

10. Cookies and Local Storage

Does EnergyMatch use cookies?

EnergyMatch does not set cookies via the application code. Our authentication provider, Supabase, may use browser local storage for session tokens, but does not set traditional HTTP cookies.

What we store in your browser

We use localStorage (not cookies) to store app data on your device. All items in the table below are classified as Essential / Strictly Necessary under UK PECR Regulation 6(4) and the equivalent EU ePrivacy rules: they are stored solely on your own device, contain no tracking data, are never shared with third parties, and are technically required to provide the service you have explicitly requested. No consent is required for strictly necessary storage.

Storage Key	Purpose	Category	Expiry
`sb-*`	Supabase authentication session token	Essential	Until sign-out
`energymatch-children`	Child athlete profiles	Essential	Until manually deleted
`energymatch-daily-logs-*`	Meal logs per child per date	Essential	Until manually deleted
`energymatch-sessions-*`	Training session data per child	Essential	Until manually deleted
`energymatch-training-feedback-*`	Training feedback per child	Essential	Until manually deleted
`energymatch-meal-history-*`	Stores meal names previously entered by the user to power in-app autocomplete — purely a local cache of data the user has already provided; never transmitted	Essential	Until manually deleted
`energymatch-last-screen`	Restores the user's last active screen within a 4-hour session window; without this, users must navigate from the start on every visit	Essential	4 hours
`energymatch-active-child-id`	Records which child profile is currently selected; required for the app to display the correct child's nutrition data — the service cannot function without knowing which child is active	Essential	Until manually deleted
`em_cookie_consent`	Records your analytics consent choice	Essential	12 months

Analytics (Umami)

We use Umami Analytics, which is cookieless. It does not set any cookies and does not track you across other websites.

UK/EU users: Umami analytics only loads after you give explicit consent via the cookie notice on first visit
Australian and Canadian users: Umami loads by default. You may opt out via the cookie settings banner

You can change your analytics preference at any time using the cookie settings link in the app, or by contacting us at hello@energymatch.app.

11. Security

We take reasonable steps to protect your data from unauthorised access, disclosure, or loss:

All data is transmitted over HTTPS (TLS encryption in transit)
Passwords are hashed by Supabase using industry-standard algorithms — we never store plaintext passwords
Account access requires email verification
Supabase provides Row Level Security (RLS) so users can only access their own data

While we take security seriously, no online service is 100% secure. If you believe your account has been compromised, please contact us immediately at hello@energymatch.app.

12. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify account holders by email where required by law
Show an in-app notice for significant changes

Your continued use of EnergyMatch after changes are published constitutes acceptance of the updated policy. If you do not agree to the changes, you may delete your account at any time via Account Settings → Delete Account in the app.

13. Contact Us

Privacy enquiries and data requests:

Email: hello@energymatch.app

Mackay Advisory
c/- PG Hely Chambers, Level 9, 75 Elizabeth St
Sydney NSW 2000
Australia

We aim to respond to all privacy requests within 30 days. For urgent matters (such as a suspected data breach), please mark your email "URGENT — Privacy".

Data Protection Officer (UK/EU)

Under UK GDPR Article 37 and EU GDPR Article 37, appointment of a Data Protection Officer is mandatory where an organisation processes special category data (including children's health and dietary data) at large scale. We have assessed our processing activities and determined that a DPO is not required at this stage: EnergyMatch is an early-stage product with a small user base, and the volume of special category data processed does not meet the large-scale threshold as interpreted by the ICO and the European Data Protection Board. We keep this determination under review and will appoint a DPO if our processing activities change in scale or nature.

All privacy and data protection enquiries for UK/EU users should be directed to: hello@energymatch.app.

Supervisory Authorities

If you are unsatisfied with our response to a privacy complaint, you may contact the relevant supervisory authority for your jurisdiction:

Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
Quebec, Canada: Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
United States (COPPA): Federal Trade Commission (FTC) — ftc.gov

EnergyMatch Privacy Policy · Version 1.1 · Last updated 8 April 2026 · Terms of Service