1. Who We Are
Zayvori ("Zayvori", "we", "us", or "our") is a recipe-collection application operated by [Your Legal Entity Name], registered at [Registered Address].
This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Zayvori mobile application and associated website (together, the "Service"). It applies to users in all jurisdictions in which we operate, with additional provisions for users in the United Kingdom and the United States.
If you have questions about this policy or our data practices, contact us at hello@zayvori.com.
2. Data We Collect
2.1 Account Data
When you register for a Zayvori account, we collect:
- Your name (or display name)
- Your email address
- A hashed version of your password (we never store passwords in plain text)
- Your profile photo, if you choose to upload one
2.2 Content Data
We store the recipes, collections, notes, ratings, and other content you create or save within the app. This data belongs to you and is hosted on our behalf by Supabase (see Section 5).
2.3 Usage Data
We automatically collect certain technical information when you use the Service, including:
- Device type, operating system version, and unique device identifiers
- IP address and approximate location (country/region level)
- App version and session duration
- Features accessed and actions taken within the app (e.g., recipes saved, searches performed)
- Crash reports and performance diagnostics
2.4 Communications
If you contact us by email or through the app, we retain those communications and any personal data you include in them.
2.5 Data We Do Not Collect
We do not collect payment card details (any future payments are processed by third-party payment providers), precise GPS location, or the contents of your device's photo library beyond photos you explicitly choose to attach to a recipe.
3. How We Use Your Data
We use personal data for the following purposes:
- Providing the Service — creating and managing your account, storing and syncing your recipes across devices, and delivering core app functionality.
- Improving the Service — analysing usage patterns (in aggregate or pseudonymised form) to understand how features are used and prioritise improvements.
- Security and fraud prevention — detecting and responding to abuse, unauthorised access, and technical vulnerabilities.
- Customer support — responding to your queries and resolving issues with your account.
- Transactional communications — sending account-related emails such as email verification, password reset, and significant policy updates. We will not send you marketing emails without your explicit opt-in consent.
4. Legal Basis for Processing (UK & EEA Users)
Where the UK GDPR applies, we rely on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Creating and managing your account | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Storing your recipes and content | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Sending transactional emails | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Usage analytics and app improvement | Legitimate interests (UK GDPR Art. 6(1)(f)) — we balance our interest in improving the Service against your privacy interests |
| Security monitoring | Legitimate interests (UK GDPR Art. 6(1)(f)) |
| Marketing communications (if any) | Consent (UK GDPR Art. 6(1)(a)) — you may withdraw consent at any time |
5. How We Store Your Data — Supabase
We use Supabase as our backend database and authentication platform. Supabase acts as a data processor on our behalf under a Data Processing Agreement that complies with UK GDPR requirements.
Your data is stored on servers operated by Amazon Web Services (AWS), which Supabase uses as its infrastructure provider. Supabase's primary data centre region for new projects is US East (Northern Virginia) unless we configure an alternative region. This means your personal data may be transferred to and processed in the United States.
International data transfers (UK users): Transfers of personal data from the UK to the United States are made on the basis of the UK's International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses as recognised under UK law. Supabase maintains appropriate safeguards for such transfers as documented in their Data Processing Agreement.
Supabase's own privacy policy is available at supabase.com/privacy.
6. Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
- Service providers: We share data with trusted third-party companies that help us operate the Service (e.g., Supabase for storage, crash-reporting tools). These providers are contractually bound to process data only on our instructions and in accordance with applicable law.
- Legal obligations: We may disclose data if required by law, court order, or governmental authority in the United States or United Kingdom.
- Protection of rights: We may disclose data where necessary to prevent fraud, enforce our Terms of Service, or protect the safety of our users or the public.
- Business transfer: If Zayvori is acquired, merged, or transferred to another entity, your data may be transferred as part of that transaction. We will notify you in advance and your rights under this policy will continue to apply.
7. Data Retention
We retain your personal data for as long as your account is active. If you delete your account:
- Your profile, recipes, and content are deleted from our live database within 30 days.
- Backups containing your data are purged within 90 days of account deletion.
- We may retain anonymised or aggregated data derived from your usage indefinitely for analytics purposes.
- We may retain certain records for up to 7 years where required by applicable law (e.g., financial records).
8. Your Rights
8.1 UK Users (UK GDPR)
If you are based in the United Kingdom, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to certain exceptions.
- Right to restriction — ask us to pause processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including profiling.
- Rights related to automated decision-making — we do not make solely automated decisions that have a significant legal or similar effect on you.
To exercise these rights, email us at hello@zayvori.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8.2 California Users (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you additional rights:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of your personal information, subject to certain exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
To submit a CCPA request, contact us at hello@zayvori.com or within the app under Settings > Privacy. We will verify your identity before processing your request.
8.3 All Other Users
Regardless of your location, you can access, update, or delete your account data at any time through the app's Settings screen. For any request we cannot process automatically, email hello@zayvori.com.
9. Cookies and Tracking Technologies
The Zayvori mobile app does not use browser cookies. Our website uses a small number of cookies:
- Essential cookies — necessary for the website to function (e.g., session management). These cannot be disabled.
- Analytics cookies — we may use privacy-respecting analytics tools to understand how visitors use our website. These are set only with your consent, where required by law.
You can manage cookie preferences through your browser settings at any time.
10. Children's Privacy
The Service is not directed at children. We do not knowingly collect personal data from:
- Children under 13 (consistent with COPPA requirements applicable in the United States).
- Children under 13 in the United Kingdom (consistent with the UK Children's Code / Age Appropriate Design Code).
If we become aware that we have inadvertently collected data from a child below the applicable age, we will delete it promptly. Parents or guardians who believe a child has provided us personal data should contact us at hello@zayvori.com.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest within Supabase / AWS infrastructure
- Access controls limiting who within our team can access personal data
- Regular review of our security practices
No method of electronic transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have provided one) and by posting a notice in the app at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
13. Contact Us
For privacy-related questions, requests, or complaints:
Email: hello@zayvori.com
Post: [Your Legal Entity Name], [Registered Address]
UK users may also contact the Information Commissioner's Office: ico.org.uk