Privacy Policy

Last Updated: February 22, 2026

Effective Date: February 22, 2026

1. Introduction

Welcome to FridgeFlow. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our household inventory management application.

FridgeFlow is operated by Karim Cherkaoui. You can contact us at: fridgeflow.app@gmail.com

2. Data Controller

The data controller responsible for your personal data is:

Karim Cherkaoui

Email: fridgeflow.app@gmail.com

3. Information We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address
  • Password (encrypted and hashed)
  • User ID (automatically generated)

Legal Basis: Contract performance (necessary to provide the service)

3.2 Profile Data

You may provide additional information including:

  • User preferences and settings
  • Dietary restrictions and preferences
  • Household settings

Legal Basis: Contract performance (to personalize your experience and provide AI-powered recipe suggestions)

3.3 Inventory Data

We store data you provide about your household inventory:

  • Grocery items and quantities
  • Recipes and meal plans
  • Shopping lists
  • Stock tracking events

Legal Basis: Contract performance (core functionality of the app)

3.4 Usage Data

We automatically collect information about how you interact with our service:

  • App interactions and feature usage
  • Recipe searches and queries
  • Device information and browser type

Legal Basis: Legitimate interest (to improve app functionality and user experience)

3.5 Location Data (Optional)

With your explicit consent, we may collect approximate location data (city/country level) to:

  • Provide store recommendations
  • Suggest local shopping options
  • Enable delivery features

Legal Basis: Consent (you can opt-out at any time in your privacy settings)

3.6 Payment Data (Future)

When we implement premium subscriptions, payment information will be processed by our payment processor (Stripe). We do not store your payment card details on our servers. We only retain:

  • Billing records and transaction history
  • Subscription status

Legal Basis: Contract performance and legal obligation (tax and accounting requirements)

3.7 Communication Data

If you contact us for support or feedback:

  • Support emails and messages
  • Feedback forms

Legal Basis: Contract performance (to respond to inquiries and provide support)

4. How We Use Your Information

We use your personal data to:

  • Provide, maintain, and improve our service
  • Authenticate your account and manage user sessions
  • Personalize your experience with dietary preferences
  • Generate AI-powered recipe suggestions based on your inventory
  • Process transactions and manage subscriptions (when available)
  • Send important service notifications
  • Respond to your inquiries and provide customer support
  • Analyze usage patterns to improve functionality
  • Ensure security and prevent fraud

5. Third-Party Service Providers

We share your data with trusted third-party processors who help us provide our service. All processors have Data Processing Agreements (DPAs) in place ensuring GDPR compliance:

5.1 Supabase

  • Purpose: Database, authentication, and backend APIs
  • Data shared: All user data (account, inventory, recipes)
  • Location: AWS eu-central-1 (Frankfurt, Germany)
  • Privacy Policy: supabase.com/privacy

5.2 Vercel

  • Purpose: Web application hosting and content delivery
  • Data shared: HTTP requests, logs, static assets
  • Location: Global CDN
  • Privacy Policy: vercel.com/legal/privacy-policy

5.3 OpenAI

  • Purpose: AI-powered recipe suggestions and recommendations
  • Data shared: User inventory, dietary preferences, recipe queries
  • Location: USA
  • Privacy Policy: openai.com/policies/privacy-policy

5.4 Stripe (Future)

  • Purpose: Payment processing for subscriptions
  • Data shared: Payment information, billing details
  • Location: USA (with EU data residency options)
  • Privacy Policy: stripe.com/privacy

6. International Data Transfers

Your data is primarily stored in the EU (AWS Frankfurt). Some of our service providers (OpenAI, Stripe) are based in the USA. These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with GDPR compliance provisions
  • Adherence to EU-US Data Privacy Framework where applicable

7. Data Retention

We retain your personal data for the following periods:

  • Account data: Until account deletion + 30 days (for backup/recovery)
  • Inventory data: Until account deletion + 30 days
  • Usage data: 12 months (aggregated analytics may be retained longer, anonymized)
  • Location data: Only while feature is active, deleted upon opt-out or account deletion
  • Payment data: As required by law (typically 10 years for tax purposes)
  • Communication data: 24 months or until issue resolved + 6 months

8. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

8.1 Right of Access (Art. 15)

You can request a copy of all personal data we hold about you. To exercise this right, please send an email to fridgeflow.app@gmail.com with the subject "Data Access Request" and include your registered email address. We will provide your data in machine-readable format (JSON) within 30 days.

8.2 Right to Rectification (Art. 16)

You can update your personal information directly in your account settings at any time.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

You can request deletion of your account and all associated data. To exercise this right, please send an email to fridgeflow.app@gmail.com with the subject "Account Deletion Request" and include your registered email address. This action is permanent and cannot be undone. We will process your request within 30 days and confirm once completed.

8.4 Right to Restriction of Processing (Art. 18)

You can request that we limit how we use your data. Contact us at fridgeflow.app@gmail.com to exercise this right.

8.5 Right to Data Portability (Art. 20)

You can request your data in machine-readable JSON format. To exercise this right, please send an email to fridgeflow.app@gmail.com with the subject "Data Access Request" and include your registered email address. We will provide your data within 30 days.

8.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests. Contact us to exercise this right.

8.7 Right to Withdraw Consent

For processing based on consent (e.g., location data), you can withdraw consent at any time in your privacy settings without affecting the lawfulness of processing before withdrawal.

Response Time: We will respond to requests within 30 days (as required by GDPR). For general inquiries, we aim to respond within 72 hours.

9. Cookies and Tracking

FridgeFlow currently uses only essential cookies for authentication and session management. We use localStorage (not cookies) for storing authentication tokens.

Essential Cookies: These are necessary for the app to function (login, maintaining your session). You cannot opt-out of these without losing core functionality.

If we implement analytics or marketing cookies in the future, we will:

  • Request your explicit consent via a cookie banner
  • Allow you to customize your cookie preferences
  • Provide opt-out mechanisms

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • SSL/TLS encryption for all data in transit (HTTPS)
  • Industry-standard password hashing and encryption
  • Secure authentication via Supabase
  • Regular security updates and monitoring
  • Access controls and data minimization principles
  • Regular backups stored securely

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected users without undue delay
  • Describe the nature of the breach and likely consequences
  • Outline measures taken to address the breach

12. Children's Privacy

FridgeFlow is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

Your continued use of FridgeFlow after changes are posted constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your GDPR rights, or have concerns about how we handle your data, please contact us:

Email: fridgeflow.app@gmail.com

Data Protection Contact: fridgeflow.app@gmail.com

15. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe we have not complied with applicable data protection laws. You can find your local supervisory authority at:

European Data Protection Board - List of Supervisory Authorities

This Privacy Policy was last updated on February 22, 2026and is compliant with the EU General Data Protection Regulation (GDPR).