Privacy Policy (UK GDPR)
Last updated: 15 August 2025
Controller: Cavan Judge (sole trader) trading as “FlavDex”
Contact: Cavan@flavdex.com
1. Who we are
For UK GDPR, the data controller is Cavan Judge (sole trader) trading as “FlavDex”. If we appoint a Data Protection Officer (DPO) later, we will update this notice.
2. What we collect
- Account data: email address, password (hashed), display name, optional profile photo.
- Contact data: your email address for communications and friend discovery (as configured).
- Content you provide: ratings, notes, photos (if uploaded), comments, favourites, lists.
- Device & usage data: app version, device type, IP address, log data, basic diagnostics for security and performance.
- Camera/photos & barcodes: when you upload images or scan products.
- Location (optional): if enabled, to show nearby stores/branches or relevant content.
- Communications: emails you send us, support requests, notification preferences.
- Cookies (web only): essential cookies/session storage for login and security. If we later add analytics or ads, we will ask for consent.
We do not intentionally collect special category data (e.g., health data). Please avoid posting medical/allergen information. If you choose to post such information, you do so at your own discretion.
3. Why we use your data (and legal bases)
- Provide the Service (accounts, show/share content, store photos): contract.
- Safety & moderation (detect abuse, enforce rules, approve photos): legitimate interests.
- Improvement & diagnostics (debugging, performance, crash reporting/analytics): legitimate interests.
- Communications (essential service messages): contract/legitimate interests.
- Marketing (optional updates/newsletters): consent (withdraw anytime).
- Advertising (if enabled): consent for personalised ads/cookies where required; legitimate interests for limited non-personalised ads where permitted.
- Legal compliance (lawful requests, disputes): legal obligation.
4. Sharing your data
- Processors: Supabase (auth, DB, storage; UK region), email provider (e.g., 123-reg), push notification services (APNs/FCM if used), crash reporting/analytics (if added).
- Public outputs: aggregate rating averages may be public on product pages; food photos may be public only if approved by moderation. Profiles and individual ratings/notes are not public by default.
- Payments: purchases via Apple App Store / Google Play are handled by those stores; they act as independent controllers for payment data.
- Legal & safety: where required by law or to protect rights, safety, and property.
We do not sell your personal data.
5. International transfers
We aim to keep your data in the UK (and EEA as applicable). Some providers (e.g., Apple/Google for app-store payments or push notifications, or future analytics/ad vendors) may process data outside the UK/EEA. Where that occurs for our processors, we will use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (with UK addenda), plus additional measures as needed.
6. Retention
We keep your personal data only as long as necessary to provide the Service and for legitimate and legal purposes. In general:
- Account data & UGC: retained while your account is active. We may delete or anonymise content/accounts at our discretion (e.g., storage management or rule breaches).
- Inactive accounts: may be deleted or anonymised after a period of inactivity, with reasonable notice where feasible.
- Logs & diagnostics: typically 90–180 days unless needed longer for security/legal reasons.
- Backups: stored for limited periods, then deleted.
You can delete your ratings and notes in-app where available, and you can request full account deletion at any time (see Section 9).
7. Security
We use reasonable technical and organisational measures, including encryption in transit (TLS), encryption at rest via our hosting providers, and access controls. No service can be 100% secure.
8. Your choices
- Profile & visibility: profiles are private by default; adjust privacy settings in the app.
- Location: disable location sharing in your device settings if you prefer.
- Marketing: opt in/out of optional emails at any time.
- Cookies (web): if we add analytics/ads later, we’ll show a consent banner with choices.
9. Your rights (UK GDPR)
You have the right to access, rectify, and erase your personal data, to restrict processing, to object to processing based on legitimate interests, and to data portability. Where processing is based on consent, you can withdraw consent at any time. To exercise your rights or request account deletion, email Cavan@flavdex.com.
You also have the right to complain to the UK Information Commissioner’s Office (ICO). We’d appreciate the chance to resolve your concerns first.
10. Children
The Service is not intended for anyone under 18. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it.
11. Changes to this Policy
We may update this Policy to reflect changes in our practices or the law. We will notify you of material changes (e.g., by email or in-app).
12. Contact
For privacy queries or rights requests, email Cavan@flavdex.com.