Data Processing Information

Data processing related to the operation of the website (www.b4ll-app.com) and application (B4LL) operated by BID Holding B.V.

Introduction

This Policy ensures compliance with the provisions of EU Regulation 2016/679 (GDPR/General Data Protection Regulation) by providing information on the activities carried out by BID Holding B.V. (hereinafter referred to as the Data Controller) that processes the data of natural persons in the course of operating the www.b4ll-app.com website and application.

It also provides information on the rules governing these activities and insight into the measures taken to protect the data used. Last but not least, it provides information on all the rights that data subjects are entitled to in order to protect their interests.

The data controller provides the mandatory information pursuant to Article 13 of the GDPR to data subjects and interested parties as follows.

1) Identification of the data controller

  • Name: BID Holding B.V.
  • Tax number: NL868270192B01
  • Registered office: Stratumsedijk 6, 5611ND Eindhoven (Netherlands)
  • CCI Number: 97873926
  • Registering court: Eindhoven
  • Customer service: contact@b4ll-app.com
  • Technical operator of the system: Webinit SRL (data processor in this regard)
  • Operator contact details: https://listafirme.eu/webinit-srl-44956811/

2) Main legislation governing our data processing activities

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (AI Act)
  • Act CXII of 2011 on the right to informational self-determination and freedom of information (Info. tv.)

3) Definitions

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Personal data

Any information relating to a data subject, such as an identifier, name, number, location data, online identifier or data concerning the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

Special categories of data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.

Data processing

Regardless of the procedure used, any operation or set of operations performed on personal data or data files, in particular collection, recording, storage, systematization, structuring, alteration, transformation, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction, access to data, and prevention of further use of data, taking photographs, making audio or video recordings, and recording physical characteristics suitable for identifying a person (e.g., fingerprints or palm prints).

Data controller

A natural or legal person or an organization without legal personality who or which, alone or jointly with others, determines the purposes and means of the processing of personal data, makes and implements decisions regarding data processing, or has them implemented by a data processor.

Data processor

A natural or legal person or an organization without legal personality who or which processes personal data on behalf of the data controller.

Data subject

Any natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data transfer

Making personal data available to a specific third party. Data transfers to EEA Member States or to European Union bodies shall be considered as data transfers within the territory of Hungary.

Data erasure / deletion

Making data unrecognizable by deleting its content or by means that achieve an equivalent result.

Data protection incident

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

EEA Member State

A Member State of the European Union and any other State party to the Agreement on the European Economic Area, and any state whose citizens enjoy the same legal status as citizens of a state party to the Agreement on the European Economic Area under an international agreement concluded between the European Union and its member states and a state that is not a party to the Agreement on the European Economic Area.

Third country

Any state that is not a member state of the EEA.

4) Data processing procedure

We process the data of our business partners or customers that we obtain in any way and to any extent in the course of our activities in accordance with this Data Processing Notice, undertaking to maintain confidentiality, in accordance with the provisions of the GDPR and the relevant Dutch legislation.

We may lawfully store personal data received in the course of performing tasks related to our activities, organize it within the framework of the law, and use it to the extent necessary.

We will immediately terminate data processing if its purpose has been fulfilled or has ceased to exist, or we will consider doing so if requested by the data subject.

5) Details of data processing related to the service or operation, by purpose

5.1 Contact

Data subjects: Natural persons/legal entities who contact us with the intention of establishing contact

Purpose of data processing: Contacting, maintaining contact, providing information

Type of data: Name, email address, telephone number

Legal basis: GDPR Article 6(1)(a); Consent of the data subject

Retention period: Until consent is withdrawn, but no later than 180 days after the last use of the system (login), the system will automatically delete the data.

Data processing procedure:

If you provide us with your contact details via email or the website form, we will use them to contact you if necessary (e.g., for administrative purposes) and to provide you with information related to our services.

Please do not enter any personal data in the free text field of the "Contact us" form on our website! We are not authorized to process data received in this way (unsolicited), so we will delete it immediately and permanently.

Providing the above data is not mandatory, but without it we will not be able to contact you. You may withdraw your consent at any time without giving a reason, but this does not affect the lawfulness of data processing carried out on the basis of your previous consent.

You can withdraw your consent by sending a request to our customer service email address, which we will fulfill as soon as possible, but within a maximum of 5 working days.

5.2 Registration and use of the service (in the application)

Data subjects: natural persons who register as users

Purpose of data processing: Performance of a contract

Type of data:

  • First name
  • Last name
  • E-mail
  • Phone number
  • Payment method
  • Country of residence
  • Preferred language
  • Gender
  • Date of Birth
  • Height
  • Weight
  • Desired weight change (kg/pound)
  • Level of sporting activity
  • Daily cooking time preference
  • Number of daily meals
  • Carb-Fat-Protein ratio

Legal basis: GDPR Article 6(1)(a), Consent of the data subject

Retention period: Until consent is withdrawn or registration is deleted, which the User may do at any time. In the event of non-payment of fees, for 12 months after receipt of the last fee.

The service organizes the information recorded by the User into menu items in the application (for ease of use). Examples of such menu items include: My recipes, Favorites, Shopping list

About the data processing process:

The information provided by registered users is collected and analyzed by the application. Based on this, it makes recommendations for adjusting your diet.

If you are a registered user, you can quickly log in to your account by entering just one piece of information (your email address).

Registration can be canceled, but without it, you will not be able to use your personal account. You can delete your registration and withdraw your consent at any time without giving a reason, but this does not affect the lawfulness of data processing that has already taken place based on your consent.

You can delete your registered data at any time in the application. In such cases, the deletion will take place immediately.

Service provider involved in data storage:

5.3 Account management, finances

As an app developer, we do not collect any data such as form of payment, payment card or bank account number. The payment information is entered outside of our app.

We use the following fee payment and billing service provider:

5.4 Marketing

Data subjects: users visiting our social media profile

Purpose of data processing: marketing, establishing contact

Type of data: Username

Legal basis: GDPR Article 6(1)(a), consent of the data subject

Retention period: until consent is withdrawn, but for a maximum of 5 years

Data processing procedure:

Some of our informational materials or advertisements may appear on our Facebook, Instagram, and TikTok profiles for marketing purposes. If someone responds to these (like, comment, message), the service provider will record their data. We use such responses to contact them, but please note that the service providers Facebook, Instagram, and TikTok also have access to this information. We have no influence over the latter.

5.5 Measures related to data management complaints

Data subjects: Natural persons who feel that their rights have been violated.

Purpose of data processing: Identification, conducting the procedure, and maintaining contact.

Type of data:

  • Name
  • Mother’s name
  • Email
  • Phone number
  • Information about disputed data processing

Legal basis: GDPR Article 6(1)(c); Compliance with legal obligations; Regulation (EU) 2016/679 (GDPR)

Retention period: 5 years after the closure of the case

Data processing procedure:

With regard to the data processing carried out by us, all data subjects have the right to lodge a complaint if they feel that they have been wronged. The provision of data is mandatory for the investigation of the grievance and for maintaining contact, i.e. for the proper conduct of the procedure. Without this, the complaint and/or the complainant cannot be identified, and we are therefore unable to conduct the procedure.

5.6 Use of the website and application

Data subjects: anyone who visits our website

Purpose of data processing: operating the website and collecting information related to its operation

The application is available from the Apple Store and Google Play. Both providers record personal data. You can find out more about this at the link below.

Data processing procedure:

Our website uses "cookies." A cookie is a small text file that the website provider places on your computer’s hard drive. Cookies provide various functions that support the operation of the website.

Users can choose to accept or reject cookies when they first visit the website. They can then change their decision on each subsequent visit. If you decide to reject cookies, you may not be able to use certain features of our website properly.

6) Transfer and disclosure of data

User data stored electronically in the app is also accessible to service providers with the User’s consent. Only the User has the ability to modify and delete data.

As the operator, we do not have access to banking information, but you must provide this to the financial service provider when paying the fee.

7) Data security measures

We ensure the security of the personal data we process through technical and organizational measures and the development of procedures. Personal data is only accessible to those of our employees who need to know it in order to perform their duties.

Measures taken to ensure the security of data processed in the http://www.b4ll-app.com/ system

  • During the design and operation of the IT system, we assess and take into account potential risks, striving to continuously reduce them.
  • We monitor emerging threats and vulnerabilities (such as computer viruses, computer intrusions, denial-of-service attacks, etc.) so that we can take timely action to prevent and mitigate them.
  • We protect IT equipment against unauthorized physical access and environmental impacts (e.g., water, fire, electrical surges).
  • We monitor our IT system to detect potential problems and incidents.
  • Access: system users do not have direct access to the database and stored files.
  • Users can access the system with a unique, strong password.
  • User access is tiered according to user type (patient, doctor, administrator) (known as role-based access control, RBAC).
  • Only IT operators (who are not users) have direct access to stored files and data stored in the database, and multi-factor authentication is required to use this access.
  • Accelerated registration: it is not possible to use data previously registered with other service providers or networks (e.g. Facebook, Google, etc.) to register and log in to the system. Access is only possible with accounts created/stored by the User.
  • Creating data in the system: all types of user data can only be created/modified/deleted by the users themselves.
  • Downloading and saving data: the system does not allow data to be downloaded or saved. In accordance with the GDPR, the system allows the release of the entire data file, which falls within the scope of user information self-determination, once a year at the express request of the user. The release of the entire data file takes place outside the system and is logged.
  • Deleting a user account: when a user initiates an account deletion, they are offered the option of requesting the release of their entire data file in accordance with their right to self-determination under the GDPR. Deleting an account always means deleting the entire user data file and all previously given consents from the system. If the user does not delete their data, but we, as the operator, notice that they have not used the service for 24 months, the system will automatically and permanently delete their data.

8) Data subject rights (GDPR Articles 15–20)

  • the right to information
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restriction of processing
  • the right to data portability
  • the right to object

You can exercise your rights by sending a request to contact@b4ll-app.com.

Right of access

Based on your right of access, you may request information on whether your personal data is being processed and, if so, you may access your personal data and receive information on the security conditions of data processing.

Right to rectification

In accordance with the right to rectification, we will correct any inaccurate personal data and complete any incomplete data at your request without delay.

Right to erasure

Based on the right to erasure, we will erase your personal data without undue delay in the following cases:

  • the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
  • if the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;
  • if we have processed your personal data unlawfully;
  • we are required to erase the personal data by law.

We cannot delete personal data if it is necessary for the establishment, exercise, or defense of legal claims.

Right to restriction of processing

Upon request, we will restrict the use of personal data based on the right to restrict data processing, in which case we will only use personal data within a specific scope.

Right to data portability

Based on the right to data portability, provided that it does not violate the rights and freedoms of others, we will send your data to you in a structured, commonly used, machine-readable format, or, upon your request, we will transfer the data directly to another data controller.

Right to information

During the period of data processing, the data subject may request information from us about the processing of their personal data. We will provide the data subject with information about the data processed, the purpose of the data processing, and the legal basis for the data processing in writing, in an easily understandable form, within the shortest possible time, but no later than 30 days.

We will provide the data subject with information in writing and in an easily understandable form about the data processed, the purpose of the data processing, the legal basis, the duration, and, if the data has been transferred, who receives or has received the data and for what purpose.

Right to object

We will examine the objection within the shortest possible time after the request is submitted, but within 15 days at the latest, decide on its merits, and inform you of our decision in writing.

If we are unable to comply with the data subject’s request for rectification, blocking or erasure, we will communicate the factual and legal reasons for rejecting the request for rectification, blocking or erasure in writing or, with the consent of the data subject, by electronic means within 30 days of receipt of the request.

9) Other provisions relating to data processing

Termination of data processing

We will delete all personal data:

  • for which the purpose of processing has ceased to exist, or
  • for which the consent of the data subject is not available,
  • for which the data subject has withdrawn or prohibited the right to process, or
  • for which there is no legal basis for processing.

Instead of erasure, we block personal data if the data subject requests this or if, based on the information available to us, it can be assumed that erasure would harm the legitimate interests of the data subject. We only process personal data that has been blocked in this way for as long as the purpose of data processing that precluded the erasure of the personal data exists.

10) Our procedural rules for handling data protection complaints

The procedure: we treat and handle all comments submitted to us in writing by data subjects as complaints if they relate to data protection and express grievances regarding our procedures or omissions that are not in line with this Data Processing Notice (hereinafter: complaints).

Complaints can be submitted (electronically) to our email address above or by sending a letter to our postal address.

The complaint must contain at least: the name, address (e-mail address), telephone number of the complainant, the date of the grievance, a specific description of the complaint, the signature of the complainant, and the complainant’s consent to the processing of the data contained in the complaint in the procedure related to the complaint, at the same time as signing the complaint.

In the absence of this information and the statement, we will not investigate the complaint and will notify the complainant in writing.

We will only process the Complainant’s data in connection with the complaint, and we will not disclose it to third parties, except in the case of official or court requests as stipulated by law, nor will we use it for business purposes.

We will investigate the complaint and provide a reasoned written response within 30 days of receipt, using the same method as the complaint was submitted (by email or post). If the 30-day deadline is not sufficient to investigate the complaint, we will inform the complainant accordingly. In this case, we will provide a written, reasoned response within 3 months of the report in the same manner as the report.

If, after investigating the complaint, we find that it was factual and justified, we will inform you of the manner and extent of the remedy at the same time as we decide on the complaint.

If the complaint is rejected, we will inform you in writing that you may refer the complaint to the Dutch Privacy Authority: Autoriteit Persoonsgegevens (AP) https://www.autoriteitpersoonsgegevens.nl/en/submitting-a-tip-off-or-a-complaint-to-the-ap.

11) Data protection incident and its handling

Data protection incident

Any activity, intervention or omission that enables the unlawful handling or processing of personal data, in particular unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage.

Anyone who notices such an incident in connection with our activities should report it as soon as possible by email to contact@b4ll-app.com.

As data controller, we record the report and immediately begin investigating it. If the data protection incident occurred in relation to an IT system, we also inform the service providers responsible for operating the databases concerned.

Where possible, we record:

  • the time and place of the incident,
  • a description of the incident, its circumstances and effects,
  • the scope and quantity of data compromised during the incident,
  • the scope of persons affected by the compromised data.

In addition to the above, in accordance with legal requirements, we will report the incident to the Authority (Autoriteit Persoonsgegevens: AP) within 72 hours.

Data Protection Officer

As a data controller, we do not process large amounts of personal data and/or personal data that can be classified as particularly sensitive in connection with our main activity, and we are not considered a public authority, therefore we do not consider it necessary to appoint or employ a data protection officer, and our company is not required to do so by the applicable legal regulations.

Note

As a data controller, we reserve the right to continuously update this Privacy Policy and to unilaterally modify the information contained therein, in line with changes in legislation. The currently valid Privacy Policy is available on our website.

Eindhoven, March 07, 2026.
BID Holding B.V.