Privacy Policy

1. Information We Collect

• Account Information: When you create an account, we collect your email address and password (securely managed by Supabase Authentication). You may also sign in via Google, in which case we receive your name and email from the identity provider. You will also be asked to provide a username, bio (optional), and profile picture (optional).
• User Content: Reviews and visits you create (including titles, names, ratings, text, and photos), community photos you upload, and chat messages you send to other users.
• Social Data: Follower/following relationships, review likes, saved reviews and restaurants, follow requests, and block lists.
• Timezone: We automatically detect your timezone from device settings (via the Intl API) to send Push notifications at appropriate local times. No GPS data is collected for notification scheduling. However, when you use location-based search features, the app will request access to your device location (GPS) with your consent, and transmit the coordinates to the server to enable nearby dish and restaurant search.
• Notification Identifiers (Push Tokens): When you enable notifications, we store your device's Push identifier to deliver them. The identifier is deleted upon account logout or deletion.
• Automatically Collected Information: We collect device type, OS version, and app version to improve performance and stability. In production, crash reports and error data are collected via Sentry (see section 3).
• Analytics Data: We use Firebase Analytics to understand how the app is used, including screen views, user engagement, and events (e.g., creating visits and reviews, search queries). This data is anonymous and aggregated. On iOS, we request your permission to track activity across other companies' apps and websites via Apple's App Tracking Transparency framework. You can change tracking preferences at any time in Device Settings > Privacy & Security > Tracking.

2. How We Use Your Information

• To create and manage your account.
• To enable social features (following, messaging, sharing reviews and visits).
• To display your public profile to other users.
• To improve app functionality and fix bugs.
• To send Push notifications (follow requests, likes, messages, streak reminders, review suggestions, and marketing/promotional content).
• To enforce content moderation and community guidelines.
• To manage user blocks and content filtering.
• To display ads and measure ad performance (using device advertising identifiers, with your consent on iOS).

3. Third-Party Services

We use the following third-party services that may collect data:

• Supabase: Authentication, database storage, file storage, cloud functions, and analytics.
• Firebase Analytics: App usage analysis. Collects anonymous usage data and device identifiers.
• Sentry: Error and crash reporting in production only. No personal content (reviews, messages, etc.) is collected.
• Expo: Push notification delivery. Expo is used to register the device for a Push Token. Notifications are sent directly via Google's Firebase Cloud Messaging (FCM).
• Google Cloud Places API: Displaying location-based restaurant reviews. User location is sent to the server side only with user consent.
• Resend: Email delivery service. Used to send OTP codes for user identity verification during registration. Resend receives your email address solely for the purpose of delivering the code.
• Vercel: Hosting and deployment service used to run the MaOchlim website. Vercel may collect technical log data such as IP addresses, browser type and version, for security and performance monitoring. The website uses Vercel Analytics and Vercel Speed Insights to analyze traffic volume and improve the browsing experience. These tools are configured to operate anonymously, do not use persistent cookies for tracking or user profiling, and do not store information that directly identifies individual users.

5. Data Storage and Security

Your data is stored securely using Supabase. We use authentication tokens to protect API requests, security rules to restrict database access, and encrypted connections (HTTPS/TLS) for all data transfers. Passwords are never stored in plain text.

6. Data Sharing

We do not sell your personal data to third parties. Information may be shared only in the following cases:

• Public Profile: Your username, avatar, bio, recipes, and photos are visible to other users.
• Chat Messages: Messages are visible only to conversation participants.
• Service Providers: Third-party services listed above that help operate the app.
• Legal Requirements: If required by law, regulation, or legal process.

7. International Data Transfers

Your data is stored on Supabase servers located in Frankfurt, Germany. Users from the European Union (EU) or European Economic Area (EEA) agree that information is transferred to the US under Google's data processing terms and Standard Contractual Clauses (SCCs).

8. Your Rights

You have the right to:

• Access your data through the app.
• Update your information at any time in Settings.
• Permanently delete your account (Settings > Delete Account). This will remove all data including visits, reviews, photos, and social connections.
• For EU residents (GDPR) and California residents (CCPA): Additional rights exist such as data portability, processing restriction, and filing a complaint. To exercise these rights, contact us at: [email protected].

9. Automated Decision-Making

The app uses artificial intelligence to recommend reviews. These are suggestions only and do not constitute 'automated decision-making' with legal implications.

10. Local Storage and Cookies

The app uses on-device storage (AsyncStorage) for caching visits for offline use. No cookies are used in the app. Data is deleted upon app removal or logout. The website also does not use persistent cookies for tracking purposes; the Vercel analytics and performance tools used on the website are configured to operate anonymously and do not store information that directly identifies individual users. Supabase authentication on the website is stored in localStorage only.

11. Children's Privacy

The app is not intended for children under 13. We do not knowingly collect information from children under this age.

12. Data Retention and Deletion

We retain information as long as the account is active.

• Deleting an individual visit or review: You can delete a visit or review you published at any time directly from the app, without deleting your entire account. Deletion is permanent and removes all data associated with that visit/review, including descriptions, ratings, and photos.
• Full account deletion: When you delete your account (Settings > Delete Account), we will permanently remove: profile, reviews, visits, photos, social connections, chat messages, and notifications. This deletion is irreversible.

Note that content already incorporated into published marketing materials may be retained as described in the license in the Terms of Service.

13. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify users via email and/or in-app notification without undue delay, and no later than 72 hours after becoming aware, as required by law.

14. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes through the app. Continued use constitutes acceptance of the updated policy.

15. Contact Us

For privacy questions, please contact us at: [email protected].