Privacy Policy

1. Information We Collect

Personal Information

We collect information that you provide directly to us, including:

• Name and email address
• Dietary preferences, restrictions, and health-related food choices
• Household size and meal planning preferences
• AI Input Data: Specific prompts, recipe requests, and third-party recipe URLs provided to generate plans
• Payment information (processed securely through Stripe; we do not store full credit card numbers)
• Push Notification Token (Plateoffs): If you enable push notifications in Plateoffs, your device token is stored with Supabase solely to deliver division rotation alerts. You can revoke this permission at any time in your device settings.

Security and Abuse Prevention Data

We automatically collect certain technical information solely for security and abuse prevention purposes:

• IP address: Collected temporarily at signup and during guest demo sessions to detect and prevent bot registrations and abuse. Not stored against your profile after the rate-limit window expires.
• User agent (browser and device type): Logged during signup attempts for security auditing.
• Device fingerprint: Collected during guest demo sessions to enforce the one-demo-per-device policy. Not retained after account creation.
• API request logs: Which AI features were called and when, linked to your account for rate limiting and Smart Plate Credit tracking.

Data Linked to Your Account

The following information is stored in your Curate My Plate account and associated with your identity:

• Name and email address
• Dietary preferences, restrictions, and health-related food choices
• Household size and member profiles
• Meal plans you have generated or saved
• Recipes you have saved or imported
• Pantry items and shopping lists
• AI credit usage and subscription status
• Plateoffs dietary filter preferences are stored locally on your device only and are never linked to your account or transmitted to our servers.

2. How We Use Your Information

We use the collected information to:

• Provide, maintain, and improve our meal planning services
• AI Processing: Utilize Artificial Intelligence (specifically Google Gemini) to generate personalized meal plans. While your dietary constraints are processed by AI models, we do not share your personal identity (name or email) with AI model providers.
• Process payments and manage your subscription
• Respond to customer support inquiries and provide account updates
• Enforce rate limits, detect and prevent fraud and abuse, and maintain the security of our AI features
• Ensure the security and integrity of our service

3. Information Sharing and Disclosure

We do not sell your personal information. We share your information only with essential service providers:

• Supabase: For secure database storage and authentication
• Google (Gemini API): To provide AI-driven recipe generation and planning. Your dietary preferences are processed but your name and email are not shared.
• Stripe: For secure, PCI-compliant payment processing (web subscriptions)
• Apple: For In-App Purchase processing on iOS devices
• Vercel: For application hosting and infrastructure. Vercel may log server-side request metadata (IP addresses, request paths) for operational purposes.
• Cloudflare: For bot and fraud prevention via Cloudflare Turnstile on signup forms
• Resend: For transactional email delivery (account verification and support communications)
• Legal Requirements: We may disclose information if required by law or in response to valid legal requests by public authorities (e.g., a court or government agency)

4. Data Security

We implement appropriate technical and organizational measures via our providers to protect your personal information against unauthorized access, alteration, or destruction. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as necessary to provide our services. Our specific retention policies are:

• Account Deletion: When you delete your account through the app, your personal data is deleted immediately. Transaction records are retained for CRA compliance (see below).
• Security logs: IP addresses and signup attempt records are retained for up to 30 days for abuse monitoring, then purged.
• Financial Records: Transaction data is retained for a minimum of 7 years to comply with Canada Revenue Agency (CRA) tax requirements.
• Inactivity: Accounts that remain inactive for more than 24 consecutive months may be purged or anonymized at our discretion.

6. Your Rights and Choices

In accordance with Canadian privacy standards, you have the following rights:

• Access & Correction: Access and update your information through your account settings
• Deletion: Delete your account and all associated data directly through Account Settings → Account Deletion in the app. Deletion is immediate and permanent.
• Opt-out: Opt-out of marketing communications at any time
• Data Portability: Request a copy of your data in a digital format

7. Cookies and Tracking

We use cookies and similar technologies to manage user sessions and understand app usage. You can control cookies through your browser settings, though some features of the Service may not function properly without them.

8. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect information from children. If we become aware that a child under 13 has provided us with personal information, we will delete it immediately.

9. International Data Transfers

As a Canadian-based company, we manage data from Ontario. However, our service providers (Supabase, Google, Stripe) may store and process data on servers located in the United States or other jurisdictions. By using the Service, you consent to the transfer of information to countries outside of Canada.

10. Plateoffs Companion App

Plateoffs is a free companion app to Curate My Plate. It lets you vote on recipes in a bracket-style matchup to choose tonight's dinner. No account is required to use Plateoffs.

Data collected by Plateoffs

• Push notification token: Stored with Supabase to deliver alerts when new recipe divisions are available. Opt-in only; revocable at any time in your device settings. We do not use this token for any purpose other than division rotation notifications.
• Dietary filter preferences: Stored locally on your device only. These are never sent to our servers.

Saving a winner to Curate My Plate

When you choose to save a winning recipe to your Curate My Plate account, that action is processed through your existing CMP account and is subject to the same data practices described throughout this policy.

What Plateoffs does not collect

• No name, email, or account information is required or collected
• No payment information
• No browsing history or cross-app tracking
• No AI processing of your personal data

11. Bento Basket Companion App

Bento Basket is a free grocery list companion app to Curate My Plate. It is available on iPhone and Apple Watch. No account is required to use Bento Basket.

Data collected by Bento Basket

Without a CMP account: All grocery list data (groups, items, quantities) is stored locally on your device only. Nothing is transmitted to our servers.

With a CMP account connected: Your grocery list data is synced to Supabase to enable real-time household sharing. This data is linked to your CMP account and subject to the same data practices described throughout this policy.

What Bento Basket does not collect

• No name, email, or account information is required or collected without a CMP account
• No payment information — Bento Basket is free with no in-app purchases
• No location data
• No browsing history or cross-app tracking
• No AI processing of your personal data

Apple Watch

The Bento Basket Apple Watch app displays your grocery list and syncs check-off actions back to your phone. It does not independently collect any data beyond what your phone app already holds.

Linking to Curate My Plate

When you tap the "Build a recipe plan" prompt in Bento Basket, the app passes your current item names to Curate My Plate via a device deeplink (no network call). This action only occurs on your tap and only if CMP is installed. No data is shared with third parties.

12. PIPEDA Compliance