Privacy Policy

Last updated: April 12, 2026

This policy describes how Plan Repas (Micronick — Nicolas Mailloux) collects, uses, and protects the personal information of users of the service. It applies jointly with Quebec's Law 25 (Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by Law 25).

1. Data controller

The data controller is Micronick, based in Quebec (Canada). The Privacy Officer can be reached at [email protected].

2. Information collected

  • Account: email address, password (stored as a bcrypt hash), creation date, verification status.
  • Family profile: number of people, approximate ages of children, declared dietary restrictions, meal preferences.
  • Menus: target budget, days to plan, maximum prep time, options (sales, variety, etc.).
  • Recipes: title, ingredients, instructions, photos you choose to add to your personal library.
  • Generated plans: history of meal plans and grocery lists produced by the service.
  • Billing: Stripe customer ID, subscription status, trial end date. Plan Repas never stores credit card numbers directly.
  • Technical logs: anonymized server logs (no IP address, no user ID, no personal content).

3. Purposes of processing

  • Provide the meal planning service and deliver weekly emails.
  • Authenticate users and secure accounts.
  • Handle billing and the Stripe subscription lifecycle.
  • Improve the service based on aggregated and anonymized metrics.
  • Respond to support requests.
  • Comply with our legal and regulatory obligations.

4. Legal basis

Processing is based on the performance of your contract with Plan Repas, on your consent (for optional processing — see the consent banner), and on our legitimate interests (security, fraud prevention).

5. Sub-processors

Plan Repas uses a limited number of sub-processors, each bound by a data processing agreement compliant with Law 25:

  • Automated processing provider: meal plan generation. Data transmitted is strictly limited to what is necessary for generation (family profile, menu, selected recipes). Our provider is contractually committed not to use the transmitted data to train its own systems.
  • Stripe: payment processing and subscription management. Payment information is transmitted directly to Stripe without passing through our servers.
  • Cloudflare: DDoS protection, caching, and static content delivery.
  • Flipp (Reebee Inc.): public reading of flyers for the grocery stores you choose — no user data is transmitted to Flipp.

The hosting infrastructure (database, application servers, email) is self-hosted in Canada. Some sub-processors (automated processing provider, Stripe, Cloudflare) may process data outside Quebec. Contractual clauses govern these transfers.

6. Retention period

  • Active account: as long as the user keeps their account.
  • Deleted account: immediate logical erasure (soft delete), then full physical erasure within a maximum of 30 days.
  • Technical logs: 30 days maximum, then rotation.
  • Invoices: 6 years from the end of the fiscal year, in accordance with Canadian tax obligations.

7. Cookies and similar technologies

Plan Repas uses a minimal number of cookies, grouped into three categories:

  • Functional (required): session cookies, authentication token — indispensable for the service to work.
  • Analytics (optional): aggregated audience metrics, activated only with your explicit consent.
  • Marketing (optional): not used for the MVP.

8. Security

  • Communications encrypted with TLS 1.2+ on all public endpoints.
  • Passwords hashed with bcrypt (cost ≥ 12).
  • Short-lived access tokens (JWT) with refresh-token rotation.
  • Rate limiting on authentication and generation endpoints.
  • Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options.
  • Daily encrypted backups, stored off-site.

9. Your rights

In accordance with Law 25, you have detailed rights listed on the Law 25 — Your rights page, including: right of access, rectification, portability (JSON/CSV export), withdrawal of consent, deletion, and de-indexing.

10. Contact

Any request regarding your personal information can be sent to [email protected]. We commit to responding within 30 days. In case of disagreement, you can file a complaint with the Commission d'accès à l'information du Québec (CAI).