Spinach Privacy Policy
Effective date: October 26, 2025
App: Spinach (the “App”)
Website: https://spinach.guide
Data Controller:Bartosz Filipowicz
Contact: spinach.guide@gmail.com
1) Who we are
For the purposes of the EU/UK GDPR, the Data Controller is Bartosz Filipowicz, reachable at spinach.guide@gmail.com and [[postal address if provided]]. We do not appoint a Data Protection Officer because we don’t meet the legal criteria.
2) What we collect
We aim to collect only what’s necessary to run Spinach.
- Account data (if you create an account): email address, display name, password hash (never the raw password).
- Location data: coarse/approximate location (foreground) to show nearby places when you choose “use my location.” We do not collect background location.
- Usage analytics: app interactions such as screen views, taps, device/OS info, session IDs.
- Crash diagnostics: crash logs and device/OS info at the time of a crash.
- App content: your favorites, saved places, filters, and settings.
- Support communications: emails you send to us and the metadata necessary to reply.
We do not collect special categories of personal data (e.g., health, political opinions). We do not sell your data.
3) How we use your data (purposes & legal bases)
| Purpose | Examples | Legal Basis |
|---|---|---|
| Provide core functionality | Show nearby vegan-friendly places, save favorites | Contract (Art. 6(1)(b) GDPR) |
| Improve and secure the App | Analytics, crash diagnostics, debugging, fraud/abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Personalization | Remember filters, recent searches | Legitimate interests or Contract |
| Consent-based features | Location access, push notifications | Consent (Art. 6(1)(a)) |
4) Third-party processors & services
We use trusted providers to operate the App. They process data on our behalf under appropriate data protection terms:
- Supabase (authentication, database, storage) – stores account data, favorites, and app data you generate.
- Google Maps Platform (maps, geocoding, place details) – serves map tiles, search, and place info.
- Crash reporting (e.g., Firebase Crashlytics or Sentry) – crash logs and diagnostics.
- Analytics (e.g., Firebase Analytics or PostHog) – usage metrics to improve the product.
- Email/support (e.g., Gmail/Google Workspace) – support communications.
We do not share data with third parties for advertising, nor do we allow ad networks to track you across apps/sites.
5) Data retention
- Account & app content: kept until you delete your account or request deletion.
- Analytics: retained for 12–18 months.
- Crash logs: retained for 90–180 days.
- Backups: may persist for 30–90 days after deletion for disaster recovery.
We’ll retain data longer only if required by law or to establish/defend legal claims.
6) Your rights (GDPR/UK GDPR)
You have the right to access, rectify, erase, and port your data; to object or restrict certain processing; and to withdraw consent at any time.
To exercise your rights, email spinach.guide@gmail.com from the address linked to your account. You also have the right to lodge a complaint with your local supervisory authority.
7) Children
Spinach is not directed to children under 16. If you are under 16, please do not use the App. If we learn a child’s data was collected, we will delete it.
8) International data transfers
We are EU-based (Poland), but some providers may process data outside the EEA/UK (e.g., the US). When this happens, we rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards to protect your data.
9) Security
We use industry-standard security measures (encrypted transport, access controls, restricted API keys, database row-level security where applicable). No method is 100% secure, but we continually improve our safeguards.
10) Do we use advertising or tracking?
- No targeted advertising and no sale/sharing of personal data in the CCPA/CPRA sense.
- We do not use cross-app tracking (IDFA/GAID) for ads.
- If we ever introduce ads or tracking, we will update this policy and request consent where required (including iOS ATT).
11) Your choices
- Location: grant/deny in OS settings; you can always search by city instead.
- Notifications: opt in/out via OS settings.
- Account: delete your account in-app (if available) or email us at spinach.guide@gmail.com.
12) California (CCPA/CPRA) notice
We do not sell or share personal information for cross-context behavioral advertising. California residents can request access, correction, or deletion of their personal information by emailing spinach.guide@gmail.com.
13) Changes to this policy
We may update this policy from time to time. We’ll post changes at https://spinach.guide/privacy and update the “Effective date.” Material changes may also be announced in-app.
14) Contact
Controller: Bartosz Filipowicz
Email: spinach.guide@gmail.com