Privacy Policy

2.1 Information You Provide

We collect information that you voluntarily provide to us, including:

• Account Information: Name, email address, and authentication credentials
• Profile Information: Dietary preferences, allergies, nutrition goals, and household information
• User Content: Recipes, meal plans, food logs, pantry items, and grocery lists you create
• Social Features: Content you share publicly, such as recipes and social interactions with other users
• Communication: Messages and feedback you send to us
• Subscription Information: Payment method details (processed securely by our payment processor), billing address, subscription tier, and subscription status

2.2 Automatically Collected Information

When you use our Service, we automatically collect certain information:

• Usage Data: Features you use, pages you visit, and actions you take within the app
• Device Information: Device type, operating system, browser type, and unique device identifiers
• Log Data: IP address, access times, and error logs
• Cookies and Similar Technologies: We use cookies and local storage to maintain your session and preferences
• Subscription Status: Information about your subscription tier, billing cycle, trial eligibility, and subscription history

2.3 Third-Party Data

We may receive information from third-party services:

• Authentication Providers: When you sign in using OAuth providers (e.g., Google), we receive basic profile information
• Payment Processors: When you subscribe, our payment processor (Stripe) provides us with subscription status and billing information
• Nutrition Databases: Product and nutrition information from OpenFoodFacts API and other nutrition data sources
• Analytics Providers: We use PostHog to analyze user behavior and improve our Service (only with your consent)

4.1 AI Service Providers

We use third-party AI services, including OpenAI, to power certain features of our Service. When you use AI-powered features, your requests and relevant data may be sent to these third-party services to generate responses. These services process your data according to their own privacy policies and terms of service.

4.2 Data Used for AI Processing

When you use AI features, we may send the following types of data to AI service providers:

• Recipe URLs or text you provide for recipe import
• Your dietary preferences, allergies, and nutrition goals
• Your meal planning history and patterns
• Pantry items and ingredients you have available
• Craving descriptions or food preferences you specify
• Meal Photos: When you log meals with photos, images are sent to OpenAI's vision API for food recognition and nutritional estimation

We do not send your personal identifying information (such as your name or email) to AI service providers unless necessary for the specific feature you are using.

4.3 Photo Food Recognition

When you upload photos of your meals for food logging, we use OpenAI's vision API to identify foods and estimate nutritional information. The photos are sent to OpenAI's servers for processing. According to OpenAI's current documentation, images are not retained beyond processing. We use contractual and technical safeguards intended to limit retention. The nutritional estimates returned are stored in your account. You should verify all nutritional information, as AI-based estimates may vary from actual nutritional content.

4.4 Text-to-Speech (Cooking Mode)

Our cooking mode feature uses Google Cloud Text-to-Speech to convert recipe instructions into audio. Recipe text is sent to Google's servers for audio synthesis and the generated audio is played back to you. Neither Google nor we store the audio content permanently. The recipe text is sent only when you actively use the cooking mode feature.

4.5 Model Training and Improvement

We may use anonymized and aggregated usage patterns, preferences, and interaction data to improve our AI models and service quality. This includes analyzing how users interact with AI-generated content to improve recommendations and accuracy. We do not use your personal identifying information or specific recipe content for model training without your explicit consent.

4.6 AI Content Accuracy

AI-generated content may contain errors or inaccuracies. We do not guarantee the accuracy, completeness, or suitability of AI-generated content. You should review and verify all AI-generated content, especially nutritional information, ingredient lists, and cooking instructions, before relying on it.

6.1 With Your Consent

When you choose to share recipes or content publicly through our social features, that content will be visible to other users.

6.2 Household Members

If you create or join a household, meal plans, grocery lists, and pantry items may be shared with other household members.

Important: When you join a household, other members may be able to view and modify shared data. Household sharing is designed for trusted relationships (such as family members or roommates). If you leave a household, your historical data may remain visible to household members who previously accessed it. Please only join households with people you trust.

6.3 Service Providers

We may share information with third-party service providers who perform services on our behalf, such as:

• Cloud Hosting and Storage: We use cloud hosting providers (e.g., Supabase, Vercel) to store and process your data
• Payment Processing: We use Stripe to process subscription payments. Stripe receives payment method information and billing details necessary to process transactions. We do not store your full payment card details on our servers
• Authentication Services: We use authentication providers (e.g., Google OAuth) to enable secure sign-in
• AI and Machine Learning Services: We use OpenAI to power AI features including recipe import, meal recommendations, and photo-based food recognition. These services receive your requests and relevant data to generate responses
• Text-to-Speech: We use Google Cloud Text-to-Speech to provide audio recipe instructions in cooking mode
• Nutrition Data: We use OpenFoodFacts API to retrieve product and nutrition information
• Analytics Providers: We use PostHog to understand how users interact with our Service and improve our features (only with your consent). You can enable or disable analytics tracking at any time in your account settings.
• Email Services: We may use email service providers to send you service updates, notifications, and support communications

All service providers are contractually obligated to protect your information and use it only for the purposes we specify. They are not permitted to use your information for their own purposes.

6.4 Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.5 Business Transfers

If Sabor is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

8.1 Subscription Data Retention

If you have a paid subscription, we retain subscription and billing information for as long as necessary to process payments, comply with tax and accounting obligations, and resolve disputes. Even after you cancel your subscription, we may retain certain billing records as required by law.

8.2 Deleted Account Data

When you delete your account, we aim to complete deletion within 30 days and no later than 90 days, except where legal obligations require longer retention. Some information may be retained in backup systems for a limited period. We may also retain certain information if required by law, such as:

• Records required for tax and accounting purposes
• Information subject to legal holds or ongoing investigations
• Anonymized data used for analytics and service improvement

8.3 Legal Hold

In certain circumstances, we may be required to retain your information beyond our normal retention period due to legal obligations, ongoing disputes, or investigations. In such cases, we will retain the information only as long as necessary to fulfill these obligations.

11.1 Data Processing Locations

Our primary servers and operations are located in Canada. However, we may use service providers located in other countries, including the United States, to process your data. For example:

• Cloud hosting providers may store data in multiple geographic locations
• AI service providers (e.g., OpenAI) may process data in the United States
• Payment processors may process payment data in various locations

11.2 Safeguards for Data Transfers

When we transfer your data to countries outside Canada, we implement appropriate safeguards to protect your information, including:

• Contractual clauses that require service providers to protect your data
• Encryption of data in transit and at rest
• Regular security assessments of our service providers
• Compliance with applicable data protection laws

11.3 Your Consent

By using our Services, you consent to the transfer, storage, and processing of your information in Canada and other countries where our service providers operate, subject to the safeguards described in this Privacy Policy.

12.1 Types of Cookies We Use

We use the following types of cookies:

• Essential Cookies: Required for the Service to function properly (e.g., authentication, session management). These cannot be disabled.
• Functional Cookies: Remember your preferences and settings to enhance your experience (e.g., theme preferences, language settings).
• Analytics Cookies: Help us understand how users interact with our Service to improve functionality (anonymized data only).

12.2 Cookie Consent

When you first visit our Service, we will ask for your consent to use non-essential cookies. You can accept or decline these cookies. You can also change your cookie preferences at any time through your browser settings or our cookie consent banner.

Note that disabling certain cookies may affect the functionality of certain features. Essential cookies are required for the Service to function and cannot be disabled.

12.3 Managing Cookies

You can control cookie settings through your browser settings. Most browsers allow you to:

• See what cookies are stored on your device
• Delete cookies individually or all at once
• Block cookies from specific sites or all sites
• Block third-party cookies
• Clear cookies when you close your browser

Please note that disabling cookies may affect the functionality of certain features of our Service.

16.1 Legal Basis for Processing

We process your personal data based on the following legal bases under GDPR:

• Consent: When you provide explicit consent (e.g., cookie consent, marketing communications)
• Contract Performance: To provide the Services you have requested and fulfill our contractual obligations
• Legitimate Interest: For service improvement, security, fraud prevention, and analytics (where our interests do not override your rights)
• Legal Obligation: To comply with legal requirements (e.g., tax, accounting, law enforcement requests)

You have the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.

16.2 Your GDPR Rights

As an EEA resident, you have the following rights:

• Right of Access: Request a copy of your personal data we hold
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, please contact us using the information provided in Section 19 (Contact Us).

16.3 Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer (DPO) at: privacy@trysabor.com (or use the contact information in Section 19).

17.1 Provincial Privacy Laws

If you are located in Quebec, Alberta, or British Columbia, additional provincial privacy laws may apply. We comply with all applicable Canadian federal and provincial privacy laws.

17.2 Data Residency

While we primarily store and process data in Canada, some data may be processed in other countries as described in Section 10 (International Data Transfers). We take steps to ensure that your data receives adequate protection regardless of where it is processed.

18.1 Types of Health-Related Data

We may collect the following types of health-related information:

• Dietary preferences and restrictions
• Food allergies and intolerances
• Nutrition goals and targets
• Food logs and meal tracking data
• Body measurements or health metrics (if you choose to provide them)

18.2 How We Use Health Data

We use health-related data solely to provide and improve our Services, including:

• Personalizing meal recommendations based on your dietary needs
• Filtering recipes to avoid allergens
• Tracking nutrition and adherence to your goals
• Providing relevant features and content

We do not use your health data for advertising or share it with third parties for marketing purposes.

Important: Sabor does not account for individual medical conditions unless explicitly supported by the Service. The nutrition information and dietary guidance we provide are general in nature and should not be relied upon for managing specific medical conditions. Always consult with a qualified healthcare provider for advice tailored to your individual health needs.

18.3 Medical Information Disclaimer

Sabor is not a healthcare provider, and the information we collect is not considered protected health information under laws such as HIPAA (Health Insurance Portability and Accountability Act) in the United States. We are not a "covered entity" or "business associate" under HIPAA. However, we treat your health-related data with the same care and security as other sensitive personal information.

18.4 Special Protections

We implement additional security measures for health-related data, including:

• Encryption of sensitive health data
• Limited access to health data by our employees and service providers
• Regular security assessments
• Compliance with applicable health data protection laws

18.5 Third-Party Data Accuracy

Some nutrition and product information in our Service comes from third-party sources, such as OpenFoodFacts (a crowdsourced database) and other nutrition data providers. While we strive to provide accurate information, we cannot guarantee the completeness or accuracy of third-party data. Product formulations, nutritional values, and ingredient information may change without our knowledge. Always verify critical information from original product packaging or manufacturer sources, especially if you have allergies or dietary restrictions.

19.1 Our Commitment

In the event of a data breach that may affect your personal information, we will:

• Investigate the breach immediately and take steps to contain it
• Assess the risk to your personal information
• Notify affected users and relevant authorities as required by law
• Provide information about what happened, what data may have been affected, and what steps we're taking
• Recommend actions you can take to protect yourself

19.2 Notification Timeline

We will notify you of a data breach:

• GDPR (EEA): Without undue delay and, where feasible, within 72 hours of becoming aware of the breach
• CCPA (California): In the most expedient time possible and without unreasonable delay
• PIPEDA (Canada): As soon as feasible after we determine that the breach creates a real risk of significant harm

Notifications will be sent to the email address associated with your account. In cases of high-risk breaches, we may also use other communication methods to ensure you are informed.

19.3 What You Can Do

If you receive a data breach notification from us, we recommend:

• Reviewing the information we provide about the breach
• Changing your password immediately if your account credentials may have been compromised
• Monitoring your accounts for suspicious activity
• Reviewing your credit reports if financial information may have been affected
• Contacting us if you have questions or concerns