Privacy Policy

The data controller is {{LEGAL_ENTITY_NAME}}, {{REGISTERED_ADDRESS_GERMANY}}. You can reach us at [email protected]. For data protection inquiries specifically, contact [email protected].

Account data: when you register we collect your email address and a hashed password. If you sign in via Google or Apple, we receive your name and email from the identity provider. We never store third-party passwords.

Restaurant data: restaurant name, city, country, cuisine type, locale preference, and billing email. This is provided by you during onboarding.

Ingredient and recipe data: ingredient names, allergen classifications, verification status, confidence levels, scan metadata, recipe compositions, and allergen propagation results. This is the core compliance data you create and manage.

Scan data: when you upload a label photo, menu image, or invoice, the image is sent to our AI provider for text extraction. We do not permanently store uploaded images on our servers. Extracted text and allergen results are stored as part of your ingredient records.

Billing data: we use Stripe to process payments. We store your Stripe customer ID and subscription status. We do not store credit card numbers, bank details, or other payment credentials — Stripe handles this directly.

Usage data: we log anonymised operation counts (e.g. number of scans per month) for internal cost monitoring. This data is not shared with third parties and is not linked to individual users.

Technical data: standard server logs including IP addresses, browser user agent, and request timestamps. These are retained for 30 days for security and debugging purposes.

Contract performance (Art. 6(1)(b) GDPR): account creation, restaurant data management, ingredient and recipe processing, allergen matrix generation, billing, and subscription management are necessary to deliver the service you signed up for.

Legitimate interest (Art. 6(1)(f) GDPR): server logging, abuse prevention, internal usage monitoring, and service improvement. You can object to processing based on legitimate interest at any time by contacting us.

Consent (Art. 6(1)(a) GDPR): optional features such as analytics cookies (if any) are only activated with your explicit consent. You can withdraw consent at any time.

Supabase (PostgreSQL database hosting): Supabase Inc., EU region (AWS eu-west-1, Ireland). Stores all account, restaurant, ingredient, recipe, and billing data.

Vercel (application hosting): Vercel Inc., edge functions deployed globally with EU-primary routing. Hosts the Recipal web application.

OpenRouter / Anthropic (AI text extraction): OpenRouter Inc. and Anthropic PBC. Processes uploaded images for ingredient text extraction and allergen classification. Images are sent via API and are not retained by the AI provider beyond the request lifecycle.

Stripe (payment processing): Stripe Inc. Processes subscription payments and stores payment credentials. Stripe is a PCI DSS Level 1 certified payment processor. See stripe.com/privacy.

Resend (transactional email): Resend Inc. Sends password reset emails and account notifications. Receives your email address for delivery purposes only.

Open Food Facts (product database): Open Food Facts non-profit. Used for barcode-to-product matching. Queries are anonymous and contain only barcode numbers or product search terms — no personal data is sent.

FatSecret (barcode lookup): FatSecret Pty Ltd. Used as an alternative barcode lookup service. Queries contain only barcode numbers — no personal data is sent.

Plausible Analytics (website analytics): Plausible Insights OÜ, EU-hosted (Estonia). Cookieless, privacy-first analytics. No personal data is collected. See plausible.io/data-policy.

Recipal operates an internal outreach automation workflow for business-to-business restaurant acquisition. This workflow is not consumer profiling and does not process personal consumer data.

The workflow processes only publicly available business context such as restaurant name, business website, business contact channels, cuisine metadata, and public compliance-relevant signals. We do not buy third-party lead lists.

Outreach legal basis is legitimate interest (Art. 6(1)(f) GDPR) with relevance controls. We record per-lead relevance rationale and market context before outreach enrollment.

Data minimisation is enforced: raw source payloads are retained only for short validation windows, while only structured fields needed for outreach operations are kept long-term.

Every outreach message includes an unsubscribe mechanism. Unsubscribe requests and 'remove me' style replies trigger immediate suppression and no further outreach.

Your database is hosted in the EU (AWS eu-west-1, Ireland). Some subprocessors (Vercel, OpenRouter, Anthropic, Stripe, Resend, FatSecret) are US-based companies. Where data is transferred to the US, these transfers are covered by EU-US Data Privacy Framework adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards as required by GDPR Chapter V.

AI image processing: when you upload a label, menu, or invoice image, it is transmitted to OpenRouter/Anthropic servers for text extraction. The image content is processed in-memory and is not stored by the AI provider after the response is returned.

Account and restaurant data: retained for the duration of your active subscription plus 30 days after account deletion to allow for reactivation.

Ingredient, recipe, and allergen data: retained for the duration of your subscription. Upon account deletion, all restaurant data is permanently deleted within 30 days.

Allergen audit logs: retained for 3 years after creation to support regulatory compliance and inspection history. This aligns with typical EU food safety record-keeping requirements.

Billing records: retained for 7 years as required by German tax law (Aufbewahrungspflicht, §147 AO).

Server logs: retained for 30 days, then automatically deleted.

Usage monitoring data: retained for 12 months in anonymised form.

You have the right to: access your personal data (Art. 15), rectify inaccurate data (Art. 16), erase your data (Art. 17, 'right to be forgotten'), restrict processing (Art. 18), data portability (Art. 20), and object to processing based on legitimate interest (Art. 21).

To exercise any of these rights, email [email protected]. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with a supervisory authority. For Germany, this is the relevant Landesdatenschutzbeauftragte for your state. For the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Recipal uses only strictly necessary cookies for authentication (NextAuth session cookie). These are required for the service to function and do not require consent under GDPR.

Website analytics are disabled by default and only activated if you opt in through the cookie banner. Plausible Analytics itself operates without cookies and does not track individual users.

We do not use advertising cookies, tracking pixels, or third-party marketing cookies.

Passwords are hashed using bcrypt with 12 salt rounds. We enforce rate limiting on authentication endpoints. All data in transit is encrypted via TLS. Database connections use SSL. We do not store raw payment credentials.

If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond promptly.

We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users. The effective date at the top of this page will be updated accordingly.