Privacy Notice
Last updated: 11 May 2026
1. Who we are
Take One Bite is operated by Mohamed Shermarkia, an individual sole trader based in London, United Kingdom, trading as TINYBITE ("we", "us", "our"). For the personal data we process about you in connection with the Service at takeonebite.app, we act as the data controller.
You can reach us at m.shermarkia@gmail.com.
2. What data we collect and why
| Category | Purpose | Legal basis (UK/EU GDPR) |
|---|---|---|
| Account data (email, display name, password hash) | Create and manage your account; authenticate you | Performance of contract |
| Task content (titles, details, AI breakdowns you generate) | Provide the core productivity service; sync across devices | Performance of contract |
| Usage and telemetry (pages visited, feature usage, error logs, AI usage counts) | Operate, secure, debug, and improve the Service | Legitimate interests |
| Device and connection data (IP address, browser, device type) | Security, fraud prevention, abuse detection | Legitimate interests / legal obligation |
| Subscription and billing metadata (plan, status, customer ID returned by Paddle) | Manage your subscription and entitlement | Performance of contract |
| Support correspondence | Respond to enquiries and resolve issues | Legitimate interests |
Payment card details and billing addresses are collected and processed directly by Paddle as Merchant of Record — we do not see or store your payment-card data.
3. Who we share data with
- Hosting and backend infrastructure — Lovable Cloud (Supabase, Cloudflare) for application hosting, database, and authentication.
- AI providers — Google and OpenAI (via the Lovable AI Gateway) to generate task breakdowns. Task content you submit for AI breakdown is sent to these providers.
- Merchant of Record — Paddle.com Market Limited for sales, subscription management, payments, tax compliance, and invoicing.
- Email delivery providers — for transactional and authentication emails.
- Professional advisers — legal, accounting, and tax advisers where strictly necessary.
- Authorities — where required by law, court order, or to protect our rights.
We do not sell your personal data.
4. International data transfers
Some of our service providers (including AI model providers and infrastructure providers) are based outside the UK and EEA, including in the United States. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Addendum, EU Standard Contractual Clauses, and/or adequacy decisions issued by the UK Government or European Commission.
5. How long we keep data
We keep account and task data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain it (e.g. tax/accounting records kept by Paddle for up to 7 years). Backups are rotated and overwritten on a rolling basis.
6. Your rights (UK & EU GDPR)
You have the right to: access your personal data; have it rectified or erased; restrict or object to processing; receive a portable copy; withdraw consent (where processing is based on consent); and lodge a complaint with a supervisory authority. In the UK, the supervisory authority is the Information Commissioner's Office (ico.org.uk). To exercise any of these rights, email m.shermarkia@gmail.com. We will respond within one month.
7. Security
We use appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, role-based access controls, row-level security policies in our database, and regular review of access. No system is perfectly secure; please use a strong, unique password.
8. Cookies
We use only strictly necessary cookies and similar technologies for authentication and session management. We do not use advertising or third-party tracking cookies. Some of our subprocessors (e.g. Paddle, Cloudflare) may set their own essential cookies during checkout or to protect the Service from abuse.
9. Children
The Service is not directed at children under 13 (or the minimum digital-consent age in your country). We do not knowingly collect personal data from such children.
10. Changes to this notice
We may update this notice from time to time. We will post the updated version on this page and update the "Last updated" date.
11. Contact
Mohamed Shermarkia, London, United Kingdom — m.shermarkia@gmail.com