Privacy Policy

Last updated: May 2025 · Compliant with EU GDPR (Regulation 2016/679)

Your privacy matters. This Privacy Policy explains how Malyte collects, uses, stores, and protects your personal data — including sensitive health-related information — in compliance with the EU General Data Protection Regulation (GDPR). By registering or using the Platform, you explicitly consent to the processing described in this Policy.

1. Data Controller

The data controller responsible for your personal data is:

Malyte
Italy
Email: hello@malyte.com

This Privacy Policy applies in favour of Malyte and any individual, company, or legal entity that at any time owns, manages, operates, or is responsible for the Malyte platform and its associated services, whether now or in the future.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

First and last name
Email address
Password (stored in encrypted form)
Account type (Buyer or Seller)
Registration date and time

2.2 Profile Data (Sellers)

Professional bio and credentials
Profile photo
Specialisation and category
Uploaded methodology and content
Payment and payout information (processed via Lemon Squeezy)

2.3 Personal and Health-Related Data (Buyers)

In order to generate personalised wellness plans, we collect the following information from Buyers. This data may constitute sensitive personal data under the GDPR and is processed only with your explicit consent:

Full name and age
Physical address
Body measurements (including weight, height, and other physical metrics)
Health habits, lifestyle information, and daily routines
Fitness goals and activity levels
Dietary preferences, restrictions, and intolerances
Skincare type, conditions, and concerns
Any other personal information you voluntarily provide through questionnaires

Sensitive Data Notice: Physical measurements, health habits, and related personal information are classified as sensitive personal data under Article 9 of the GDPR. By completing a Buyer questionnaire, you explicitly consent to the collection and processing of this data solely for the purpose of generating your personalised wellness plan.

2.4 Transaction Data

Purchase history and amounts
Payment method details (processed and stored by Lemon Squeezy — Malyte does not store full card details)
Invoices and receipts

2.5 Usage Data

IP address and approximate location
Browser type and version
Device type and operating system
Pages visited, time spent, and actions taken on the Platform
Referral source

2.6 Cookie and Tracking Data

Malyte currently uses essential cookies only. In the future, we may deploy analytics, marketing, and third-party tracking cookies and technologies (including but not limited to Google Analytics, Meta Pixel, and similar tools). By accepting this Privacy Policy, you consent to the use of such cookies and tracking technologies, now and as they may be introduced in the future. You will be notified of any material changes via an in-platform notice or email, and will have the opportunity to update your preferences at any time through our Cookie Settings.

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Creating and managing your account	Performance of a contract (Art. 6(1)(b))
Generating personalised wellness plans	Explicit consent (Art. 6(1)(a) and Art. 9(2)(a))
Processing payments and managing transactions	Performance of a contract (Art. 6(1)(b))
Communicating with you about your account or purchases	Performance of a contract (Art. 6(1)(b))
Sending platform updates, product news, and marketing	Consent (Art. 6(1)(a)) — you may opt out at any time
Improving the Platform and AI models	Legitimate interests (Art. 6(1)(f))
Complying with legal obligations	Legal obligation (Art. 6(1)(c))
Analytics and usage tracking (current and future)	Consent (Art. 6(1)(a))
Fraud prevention and platform security	Legitimate interests (Art. 6(1)(f))

4. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with the following categories of third parties, strictly as necessary to operate the Platform:

Lemon Squeezy — payment processing. Subject to their own privacy policy and PCI-DSS compliance.
Supabase — database and infrastructure hosting. Data stored within secure, GDPR-compliant cloud infrastructure.
Anthropic (Claude API) — AI plan generation. Questionnaire data is processed to generate wellness plans. Data is not used to train Anthropic's models without consent.
Vercel — platform hosting and deployment.
Analytics and marketing providers — as introduced in the future, including Google Analytics, Meta, and similar platforms, subject to your cookie consent.
Legal and regulatory authorities — where required by applicable law.

All third-party processors are bound by data processing agreements and are required to handle your data in compliance with applicable privacy laws.

5. International Data Transfers

Some of our third-party service providers may process data outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or equivalent measures as permitted under the GDPR.

6. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law:

Account data: Retained for the duration of your account plus 2 years after deletion, unless a longer period is required by law.
Health and questionnaire data: Retained for the duration of your account. Upon account deletion, this data is permanently deleted within 30 days.
Transaction data: Retained for 10 years in accordance with Italian tax and accounting regulations.
Usage and analytics data: Retained for up to 26 months.

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of access — you may request a copy of all personal data we hold about you.
Right to rectification — you may request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — you may request deletion of your personal data, subject to legal retention obligations.
Right to restriction — you may request that we limit the processing of your data in certain circumstances.
Right to data portability — you may request your data in a structured, machine-readable format.
Right to object — you may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint — you have the right to lodge a complaint with your national data protection authority. In Italy, this is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).

To exercise any of these rights, please contact us at hello@malyte.com. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include:

Encryption of data in transit (TLS/HTTPS) and at rest
Secure authentication and access controls
Regular security assessments
Limited access to personal data on a need-to-know basis

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security and accept no liability for unauthorised access beyond our reasonable control.

9. Children's Privacy

Malyte is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has registered on our Platform, please contact us at hello@malyte.com.

10. Cookies

We currently use only essential cookies necessary for the Platform to function. In the future, we intend to introduce additional cookies including:

Analytics cookies — to understand how users interact with the Platform (e.g. Google Analytics)
Marketing and retargeting cookies — to deliver relevant advertising (e.g. Meta Pixel, Google Ads)
Preference cookies — to remember your settings and preferences

By accepting this Privacy Policy at registration, you provide advance consent to the use of these cookie categories as they are introduced. You will always have the ability to manage your cookie preferences through our Cookie Settings panel, which will be made available when additional cookies are deployed.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will notify you by email or through a prominent notice on the Platform. Your continued use of the Platform following notification constitutes your acceptance of the updated Policy.

12. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:

Malyte — Data Protection Contact
Italy
hello@malyte.com