Privacy Policy

Effective date: April 20, 2026

1. Who we are

GeloPal ("we", "us", "our") operates the GeloPal website and services. This policy explains what personal information we collect when you use the GeloPal website and services (the "Service"), why we collect it, how we use it, and the choices you have. Contact us at any time via the Contact page.

2. Information we collect

Account information. Email address, password (stored as a salted hash by our auth provider, Supabase), display name, and any optional profile fields you provide.

Recipe and business data. The recipes, ingredient prices, flavor profiles, ROI entries, and business configuration you create or upload. This is your data — we hold it on your behalf.

Payment information. Card numbers and bank details are collected directly by Stripe, our PCI-DSS Level 1 certified payment processor. We never see, store, or have access to your card data; we only receive an opaque customer ID and the metadata of completed charges (amount, status, last 4 digits).

Usage data. Pages visited, features used, AI requests issued, and timestamps. We use this for product improvement and quota enforcement.

Device data. IP address, browser type, and operating system, captured automatically by the hosting platform (Vercel) for security and reliability.

3. How we use your information

  • Provide, operate, and maintain the Service.
  • Process subscriptions, one-time purchases, refunds, and dispute resolution through Stripe.
  • Send essential account communications (email verification, billing receipts, payment-issue alerts, retention reminders).
  • Enforce plan quotas and prevent abuse.
  • Improve recipe-engine accuracy, AI prompts, and overall product quality.
  • Comply with applicable legal obligations.

4. AI processing

Optional AI features (Recipe Advisor, Pricing Analysis, Flavor Studio, etc.) send the specific recipe or business inputs you submit to Anthropic's Claude API for processing. We do not send your account credentials, payment information, or unrelated data. Anthropic processes the request and returns a response; per Anthropic's terms, that data is not used to train their models. AI usage is metered and visible on your billing page.

5. How we share information

We do not sell your personal information. We share data only with:

  • Service providers who help us run GeloPal (Supabase for database + auth, Vercel for hosting, Stripe for payments, Anthropic for AI). Each is bound by their own privacy and security commitments.
  • Authorities when required by law, valid legal process, or to protect the rights, property, or safety of our users or the public.
  • Successors in the event of a merger, acquisition, or asset sale, with notice to you.

6. Data retention

We keep your account and the data you create for as long as your account is active. When you cancel a paid plan, we preserve your previous-plan data for 30 days (extendable in-app) before permanent deletion. You can purchase the Recovery Add-on at cancellation to download a complete export of your data. You can also request account deletion at any time via the Contact page; we will erase your personal information within 30 days unless we are legally required to retain certain records (e.g., tax invoices for the period required by your jurisdiction).

7. Security

We use HTTPS for all traffic, hashed passwords, row-level security on the database, and short-lived authentication tokens. Card data is held entirely by Stripe under PCI-DSS Level 1 controls. No security measure is perfect, but we work continuously to protect your data. Report suspected vulnerabilities via the Contact page.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your account and personal data ("right to be forgotten").
  • Export your data in a machine-readable format (Recovery Add-on).
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data protection authority.

Contact us via the Contact page to exercise any of these rights.

9. Children

The Service is not directed to individuals under 16. We do not knowingly collect data from children under 16. If you believe a minor has provided us personal information, please contact us and we will delete it.

10. International transfers

Our service providers may host data in jurisdictions different from your own, including the United States and the European Union. By using the Service you consent to those transfers under appropriate safeguards (Standard Contractual Clauses where applicable).

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced in-app or via email. The effective date at the top reflects the latest revision; continued use of the Service after the effective date means you accept the updated policy.

12. Contact

Questions, requests, or complaints? Reach us through the Contact page.