Privacy Policy

Last Updated: [DATE]

Yumroll (“we”, “us”, “our”) operates the website https://yumroll.app (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By using Yumroll, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1-1. Information You Provide

Data	When Collected	Purpose
Email address	Account registration	Authentication, account recovery, transactional emails
Password	Account registration	Authentication (stored as a hash by Supabase Auth; we never see your plaintext password)
Dietary preferences	Settings page	Allergies, disliked ingredients, serving size — used to personalize recipe generation

1-2. Information Generated Through Use

Data	When Generated	Purpose
Recipe generation history	Each time you generate a recipe	Display history, prevent duplicate suggestions
Feedback data	When you like or dislike a recipe	Train your personal taste profile (Pro feature)
Taste profile	Derived from feedback	Personalize future recipe suggestions
Generation count	Each generation	Enforce free-tier daily limits

1-3. Information Collected Automatically

Data	How Collected	Purpose
Usage analytics	Google Analytics 4 (GA4)	Understand how users interact with the Service, improve features
Authentication session tokens	Supabase Auth cookies	Maintain your login session

1-4. Payment Information

When you subscribe to Yumroll Pro, your payment information (credit card number, billing address) is collected and processed directly by Stripe, Inc. We do not store your payment card details on our servers. We receive from Stripe only:

Stripe Customer ID
Stripe Subscription ID
Subscription status and billing period dates

2. How We Use Your Information

We use your information to:

Provide the Service — Generate recipe suggestions based on your preferences and feedback. Important: Your allergy and dietary preference data is used to instruct the AI, but does not guarantee allergen-free results. See our Terms of Service Section 6 for full health and safety disclaimers.
Manage your account — Authentication, password reset, account settings
Process payments — Manage subscriptions via Stripe
Improve the Service — Analyze usage patterns to improve features and user experience
Communicate with you — Send transactional emails (account confirmation, password reset, payment notifications)

We do not:

Sell your personal information to third parties
Use your data for advertising purposes
Share your individual recipe history or taste profile with other users

3. Third-Party Services

We share data with the following third-party services, each with their own privacy policies:

Service	Data Shared	Purpose
Supabase	Email, password (hashed), user preferences, generation history, feedback	Database hosting, authentication
Stripe	Email, payment information	Payment processing
Claude API (Anthropic)	Recipe generation prompts (theme/ingredients, dietary preferences)	AI recipe generation
Vercel	Server logs, IP addresses	Web hosting
Google Analytics	Anonymous usage data, cookies	Analytics

Important note about Claude API: When generating recipes, we send your theme or ingredient input along with your dietary preferences (allergies, disliked ingredients) to Anthropic's Claude API. We do not send your email address, name, or payment information to the AI. Anthropic's data retention policies apply to these API interactions.

4. Cookies

We use a minimal number of cookies:

Cookie	Type	Purpose	Duration
Supabase Auth session	Essential	Maintain your login session	Session / refresh token expiry
Google Analytics (_ga, _ga_*)	Analytics	Track anonymous usage patterns	Up to 2 years

Essential cookies are required for the Service to function. You cannot opt out of these.

Analytics cookies can be disabled through your browser settings. Disabling them will not affect Service functionality.

5. Data Retention

Data	Retention Period
Account data (email, preferences)	Until you delete your account
Recipe generation history	Until you delete your account
Feedback and taste profile	Until you delete your account
Subscription records	Until you delete your account
Analytics data	Per Google Analytics retention settings (default: 14 months)

Account deletion: When you delete your account, all associated data is permanently deleted from our database (CASCADE deletion). This action is irreversible. To delete your account, use the “Delete Account” option in Settings, or contact us at support@yumroll.app.

6. Data Security

We implement reasonable security measures to protect your information:

All data is transmitted over HTTPS (TLS encryption)
Passwords are hashed and salted by Supabase Auth (bcrypt)
Database access is controlled by Row Level Security (RLS) policies — users can only access their own data
API keys and secrets are stored as environment variables, never exposed to clients
Payment data is handled exclusively by Stripe (PCI DSS compliant)

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Your Rights

For All Users

You have the right to:

Access your personal data (available in Settings and Dashboard)
Update your personal data (Settings page)
Delete your account and all associated data (Settings page)
Export your data — contact us at support@yumroll.app

For Users in the European Economic Area (EEA) — GDPR

In addition to the above, you have the right to:

Rectification — Correct inaccurate personal data
Restriction — Request we limit processing of your data
Portability — Receive your data in a structured, machine-readable format
Object — Object to processing based on legitimate interests
Withdraw consent — Where processing is based on consent

Legal basis for processing:

Contract performance — Processing necessary to provide the Service
Legitimate interest — Analytics to improve the Service
Consent — Analytics cookies (where required by law)

To exercise these rights, contact us at support@yumroll.app.

For Users in California — CCPA

California residents have the right to:

Know what personal information we collect and how it is used
Delete personal information we hold about you
Non-discrimination — We will not discriminate against you for exercising your rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

To exercise these rights, contact us at support@yumroll.app.

8. Children's Privacy

Yumroll is not intended for use by anyone under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@yumroll.app and we will delete it promptly.

9. International Data Transfers

Your data may be processed in countries other than your own, including the United States, where our hosting providers (Vercel, Supabase) and service providers (Stripe, Anthropic, Google) operate. By using the Service, you consent to such transfers. We rely on the service providers' own compliance mechanisms (e.g., Standard Contractual Clauses) for lawful data transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on this page with a new “Last Updated” date
Sending an email notification for significant changes (if applicable)

Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: support@yumroll.app
Website: https://yumroll.app

This Privacy Policy is effective as of [DATE].