Privacy Policy | Eat Morels

1. Information We Collect

Account Information

When you create an account, we collect your email address, display name, and profile photo (if you sign in with Google). This is used to identify you on the platform and display your profile.

Check-in Data

When you check in to a restaurant, we collect your approximate location (latitude and longitude) to verify you are near the restaurant. We also collect photos you upload, dish ratings, and review notes. Location data is only collected at the moment of check-in and is not continuously tracked.

Usage Data

We use PostHog and Vercel Analytics to collect anonymous usage data including pages visited, features used, and performance metrics. This helps us improve the Service. We do not track admin users.

Device Information

We collect standard technical information including browser type, IP address, and device type for security (rate limiting, bot detection) and analytics purposes.

2. How We Use Your Information

To provide and improve the Service
To display your check-ins and profile to other users
To verify check-in authenticity via geolocation
To prevent abuse and enforce our Terms of Service
To send essential account-related communications
To compute restaurant rankings and recommendations

3. How We Share Your Information

We do not sell, license, or share your data with advertisers or data brokers, and we do not share it for cross-context behavioral advertising. We share data only with the service providers listed below, and only to the extent needed to operate the Service. Each provider is contractually required to protect your data and use it only for the purposes we specify.

Supabase (database, authentication, file storage) — receives your account details, check-ins, photos, ratings, notes, collections, and follows. Hosted in the United States.
Vercel (hosting and edge analytics) — receives request metadata including IP address, user agent, and referrer for every page load and API call.
Upstash (rate limiting) — receives your IP address and user ID to enforce per-user and per-IP request limits. Data is stored transiently and not used for any other purpose.
PostHog (product analytics) — receives a pseudonymous user identifier, IP address, device metadata, and event data about your in-app actions.
Sentry (error monitoring) — receives error stack traces, browser/device metadata, and a pseudonymous user identifier when an error occurs.
Google (OAuth sign-in, only if you choose it) — handles your sign-in and returns your email, name, and profile photo to us. Google's use of your data is governed by Google's own privacy policy.
Apple Push Notification Service (APNS) and Firebase Cloud Messaging (FCM) — receive a push token and the notification payload when we deliver a notification to your device.
OpenAI / Anthropic (AI generation) — receive restaurant names, menu descriptions, and public review snippets to produce AI verdicts and dish recommendations. Your personal check-ins and private notes are not sent to these providers.

We may also disclose information (a) to comply with a legal obligation, subpoena, or court order; (b) to enforce our Terms or protect the rights, property, or safety of Eat Morels, our users, or others; or (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify you.

4. What Is Public to Other Users

The following is visible to other users of the Service by default: your display name, profile photo, bio, restaurants you've checked in at, dish photos and ratings, review notes, follower and following lists, and collections you've shared.

You control visibility in these ways:

Private check-ins. You can mark an individual check-in as private when you post it, which hides it from the public feed and your public profile. Private check-ins are still used to compute your personal history and stats.
Collection sharing.Collections (“Want to Go”, custom lists) are private by default. They are only visible to others if you generate a share link.
Account deletion.You can delete your account at any time from Account Settings. See “Your Rights” below.

Search engines may index public profile and check-in pages. Once content has been public, copies may persist in search indexes and archives outside our control.

5. Legal Basis for Processing (EEA / UK Users)

If you are in the European Economic Area or United Kingdom, we process your personal data on the following legal bases under the GDPR:

Contract (Art. 6(1)(b)) — to create your account, display your check-ins, and provide the core features you request.
Legitimate interests (Art. 6(1)(f)) — for security (rate limiting, bot detection), fraud prevention, product analytics, and improving the Service.
Consent (Art. 6(1)(a)) — for push notifications and, where required, non-essential analytics cookies. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)) — to comply with applicable law.

6. Data Retention

Account data — retained while your account is active.
Draft check-ins — auto-deleted if not finalized within 24 hours.
Check-ins, photos, and ratings — retained for the life of your account unless you delete them.
Server and access logs — retained for up to 90 days for security and debugging purposes.
Analytics events — retained by PostHog according to its default retention policy.
Deleted accounts — personal data is removed within 30 days of deletion, except where retention is required by law or to resolve disputes.

7. Your Rights

Subject to applicable law, you have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion of your account and associated data
Export your data in a portable format
Opt out of analytics tracking (contact us or use browser privacy settings)
Object to or restrict certain processing (EEA / UK)
Lodge a complaint with a supervisory authority (EEA / UK)

California residents (CCPA / CPRA): You have the right to know what personal information we collect, request deletion, correct inaccurate information, and limit use of sensitive personal information. We do not sell or share your personal information for cross-context behavioral advertising, and we do not offer financial incentives in exchange for personal information. You will not be discriminated against for exercising these rights.

To exercise any of these rights, email us at the address below or use the “Delete Account” option in Account Settings.

8. Cookies and Local Storage

We use cookies for authentication (session management via Supabase). We use browser local storage to save your city preference and collection data for offline access. We do not use advertising cookies.

9. Security

We implement reasonable security measures including row-level security on our database, rate limiting, bot detection, and encrypted connections (HTTPS). However, no method of transmission over the Internet is 100% secure.

10. Children's Privacy

The Service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page.

12. International Data Transfers

Eat Morels is operated from the United States, and our service providers are primarily located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. Where required, transfers out of the EEA or UK rely on Standard Contractual Clauses or equivalent safeguards.

13. Contact

Questions about this policy? Contact us at support@eatmorels.com.