Who we are
bendzius.dev ("the Service", "we", "us") is a self-hosted personal platform operated by Edvinas Bendzius as an individual. It is a non-commercial project — there are no ads, no third-party trackers, no analytics scripts, and your data is never sold or rented.
For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), the operator is the data controller. The Service runs on the operator's own hardware located in Derby, United Kingdom. You can reach us about anything in this policy at hello@bendzius.dev.
The short version
- Your data lives on a server we own and run in the UK.
- We don't use advertising, analytics, or behavioural tracking.
- We never sell or share your data for marketing.
- A small number of named providers process some data so specific features work (AI nutrition analysis, food databases, email delivery, web-push, and Garmin — only if you connect it). These are listed below.
- You can ask us to access, export, or delete your data at any time.
What we collect
We only collect what's needed to run the features you use. Most of the health/fitness data below is only collected if you actually use those tools.
Account & profile
- Email address — required, used to sign you in and to send you login codes and account emails.
- Profile — display name/initial, avatar image (if you set one; the avatar is shown next to your blog comments), your role, and interface preferences.
- Optional body metrics & goals — if you use the health tools: age, sex, height, weight, activity level, and your calorie / macro / vitamin goals.
Authentication & security
- Login codes & magic links — one-time codes and links sent to your email; they expire after 15 minutes.
- Passkeys (WebAuthn) — if you register a passkey we store its public key and credential ID. We never receive or store your biometrics or your device's private key.
- Sessions & device info — to keep you signed in and let you manage your sessions, we record a session token plus your approximate device, browser, operating system, IP address and user-agent string.
- Tokens — a short-lived access token is held in your browser's local storage and a refresh token is stored in a secure, HTTP-only cookie. IP address and email are also used briefly (in memory) for rate-limiting to prevent abuse of the login system.
Health & fitness data (only if you use these tools)
- Meals — meal entries, descriptions, the food photos you upload, the AI nutrition analysis of them, and processing logs.
- Weight & body composition — weight, body-fat, muscle mass and similar readings, plus any progress photos you upload.
- Activity & sleep — steps, distance, calories, heart rate, sleep stages and workouts (entered manually or synced from a connected device).
- Supplements, nutrition settings, weight goals.
Connected accounts
- Garmin Connect — only if you choose to connect it. Your Garmin credentials/tokens are stored encrypted and used solely to pull your own activity, sleep and body data into the Service. You can disconnect at any time.
Content you create
- Code snippets and their version history, notes and whiteboards, and projects.
- Files you upload to the Drive / file storage.
- Blog comments you post (the comment text, your account identity, and the IP address used to post it; if commenting without an account, an optional name and email).
- Anything you store in the password vault is held encrypted.
- Game progress (e.g. the GAINS idle game) and language-learning progress.
Technical & usage data
- AI request logs — for reliability, debugging and rate limits we log metadata about AI requests (which model was used, the type of request, latency, and approximate token counts).
- Standard server logs needed to operate and secure the Service.
Cookies & local storage
We only use storage that's strictly necessary to run the Service. There are no advertising or analytics cookies.
- Refresh-token cookie — a secure, HTTP-only cookie that keeps you signed in.
- Local storage — holds your short-lived access token and some interface preferences.
How we use your data, and our lawful bases
Under the UK GDPR we rely on the following bases:
- To provide the Service (storing your content, showing your dashboards, syncing data you ask us to) — performance of our agreement with you and our legitimate interest in running the platform.
- To authenticate and secure accounts (login, sessions, rate-limiting, abuse prevention) — legitimate interests and, where relevant, legal obligations.
- AI nutrition analysis of photos/text you submit, sending login emails, web-push notifications, and connecting Garmin — your consent, given by choosing to use those features. You can withdraw consent at any time by stopping use of the feature or contacting us.
AI processing & the providers we share data with
We do not sell your data and we do not share it with advertisers or data brokers. The following providers ("processors/recipients") handle specific data only to deliver a feature you use:
- Google (Gemini API) — when you use AI meal analysis, the meal photo and/or text you submit is sent to Google's Gemini API to estimate nutrition. Subject to Google's terms.
- Ollama (AI models) — runs on our own server by default (your data stays on our infrastructure). For some models we may use a hosted Ollama endpoint; where that's used, the relevant text (e.g. a meal image, or embeddings of snippets/notes for search) is sent there for processing.
- USDA FoodData Central & Open Food Facts — we send food names / barcodes to look up nutrition data. These queries do not include your identity.
- Garmin Connect — only if you connect it; we use your stored credentials to fetch your own data.
- Email delivery (SMTP provider) — your email address and the login code/link are handed to our email provider to deliver sign-in and account messages.
- Web-push services (e.g. Apple, Google, Mozilla) — if you enable notifications, a push endpoint and encrypted message payloads are sent through your browser's push service.
Where your data is stored
Your account data and content are stored in a database, and your files and photos in object storage, both running on the operator's own hardware in Derby, United Kingdom. Some of the providers listed above (for example Google, the food databases, and push services) may process data on servers outside the UK; where that happens it is limited to what's needed for that feature and protected by those providers' safeguards.
How long we keep it
- Login codes and magic links: 15 minutes.
- Sign-in sessions: until they expire (typically ~30 days) or you sign out / revoke them.
- Items you move to trash (e.g. snippets, notes): permanently purged after 30 days.
- Your account, health, meal and other content: kept until you delete it or ask us to close your account.
- AI request logs: kept for a limited period for debugging and quota management.
Security
We take reasonable measures to protect your data: traffic is served over HTTPS; particularly sensitive items (Garmin credentials and your password vault) are encrypted at rest; API keys and OAuth secrets are stored hashed; sessions use a secure HTTP-only cookie; and the login system is rate-limited. No system is perfectly secure, and as a personal project this is provided on a best-effort basis — please keep your own backups of anything important.
Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to certain processing;
- receive a copy of your data in a portable format; and
- withdraw consent where we rely on it.
To exercise any of these, email hello@bendzius.dev and we'll action it within a reasonable time. If you believe we've handled your data improperly, you also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.
Children
The Service is a personal platform not directed at children and is not intended for anyone under 13. If you're under 16, please use it only with a parent or guardian's involvement.
Changes to this policy
We may update this policy from time to time. When we do, we'll revise the "last updated" date above, and for significant changes we'll make a reasonable effort to let signed-in users know.
Contact
Questions or requests? Email hello@bendzius.dev. See also our Terms of Service.