Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect your email address, display name, and profile photo (if you sign in with Google). This is used to identify you on the platform and display your profile.

Check-in Data

When you check in to a restaurant, we collect your approximate location (latitude and longitude) to verify you are near the restaurant. We also collect photos you upload, dish ratings, and review notes.

Background Location (iOS, “Always Allow” permission only)

If you grant the iOS app the “Always Allow” location permission, we receive two kinds of background location data from your device. We do not receive any background location data unless you grant this permission, and you can change it at any time in iOS Settings.

• Visit events(via Apple’s CLVisit framework). When iOS detects you have arrived at or departed from a place, your device sends us the visit’s centroid coordinates plus arrival and departure timestamps. We use this to detect when you may have visited a restaurant so we can send a relevant check-in reminder.
• Movement samples(via Apple’s Significant Location Changes framework). Coordinates with timestamps are sent from your device approximately every 500 meters of movement. We use these samples to derive candidate visits in cases where the CLVisit event arrived too late or did not fire at all.

Both kinds of data are stored for 90 days and then automatically deleted. They are stored alongside your account so visit reminders can reference your prior check-in history and so you can request a copy of (or deletion of) your data at any time — see Sections 4 and 5 below.

To stop background location collection, change the Eat Morels app’s location permission in iOS Settings → Privacy & Security → Location Services → Eat Morels to “While Using the App” or “Never.” Visit reminders will stop firing, but every other app feature continues to work.

Photo auto-find

When you check in, Eat Morels can suggest photos you already took at that restaurant so you can add them in one tap. This matching happens entirely on your device, using each photo’s time and location — we never receive or see your photo library. Only the photos you choose to add to a check-in are uploaded to us, and embedded location data is removed before upload.

Usage Data

We use PostHog and Vercel Analytics to collect usage data including pages visited, features used, and performance metrics. To understand and debug how features are used, PostHog also captures session replays — playbacks of your in-app interactions, such as taps and navigation. Text you type is masked and is not recorded. This helps us improve the Service. We honor your browser's “Do Not Track” signal and do not track admin users.

Device Information

We collect standard technical information including browser type, IP address, and device type for security (rate limiting, bot detection) and analytics purposes.

2. How We Use Your Information

• To provide and improve the Service
• To display your check-ins and profile to other users
• To verify check-in authenticity via geolocation
• To prevent abuse and enforce our Terms of Service
• To send essential account-related communications
• To compute restaurant rankings and recommendations

3. How We Share Your Information

We do not sell, license, or share your data with advertisers or data brokers, and we do not share it for cross-context behavioral advertising. We share data only with the service providers listed below, and only to the extent needed to operate the Service. Each provider is contractually required to protect your data and use it only for the purposes we specify.

• Supabase (database, authentication, file storage) — receives your account details, check-ins, photos, ratings, notes, collections, and follows. Hosted in the United States.
• Vercel (hosting and edge analytics) — receives request metadata including IP address, user agent, and referrer for every page load and API call.
• Upstash (rate limiting) — receives your IP address and user ID to enforce per-user and per-IP request limits. Data is stored transiently and not used for any other purpose.
• PostHog (product analytics and session replay) — receives a pseudonymous user identifier, IP address, device metadata, event data about your in-app actions, and session replays (playbacks of your in-app interactions, with typed text masked).
• Sentry (error monitoring) — receives error stack traces, browser/device metadata, and a pseudonymous user identifier when an error occurs.
• Google (OAuth sign-in, only if you choose it) — handles your sign-in and returns your email, name, and profile photo to us. Google's use of your data is governed by Google's own privacy policy.
• Apple Push Notification Service (APNS) and Firebase Cloud Messaging (FCM) — receive a push token and the notification payload when we deliver a notification to your device.
• OpenAI / Anthropic (AI generation) — receive restaurant names, menu descriptions, and public review snippets to produce AI verdicts and dish recommendations. Your personal check-ins and private notes are not sent to these providers.

We may also disclose information (a) to comply with a legal obligation, subpoena, or court order; (b) to enforce our Terms or protect the rights, property, or safety of Eat Morels, our users, or others; or (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify you.

4. What Is Public to Other Users

The following is visible to other users of the Service by default: your display name, profile photo, bio, restaurants you've checked in at, dish photos and ratings, review notes, follower and following lists, and collections you've shared.

You control visibility in these ways:

• Private check-ins. You can mark an individual check-in as private when you post it, which hides it from the public feed and your public profile. Private check-ins are still used to compute your personal history and stats.
• Collection sharing.Collections (“Want to Go”, custom lists) are private by default. They are only visible to others if you generate a share link.
• Account deletion.You can delete your account at any time from Account Settings. See “Your Rights” below.

Search engines may index public profile and check-in pages. Once content has been public, copies may persist in search indexes and archives outside our control.

5. Legal Basis for Processing (EEA / UK Users)

If you are in the European Economic Area or United Kingdom, we process your personal data on the following legal bases under the GDPR:

• Contract (Art. 6(1)(b)) — to create your account, display your check-ins, and provide the core features you request.
• Legitimate interests (Art. 6(1)(f)) — for security (rate limiting, bot detection), fraud prevention, product analytics, and improving the Service.
• Consent (Art. 6(1)(a)) — for push notifications and, where required, non-essential analytics cookies. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)) — to comply with applicable law.

6. Data Retention

• Account data — retained while your account is active.
• Draft check-ins — auto-deleted if not finalized within 24 hours.
• Check-ins, photos, and ratings — retained for the life of your account unless you delete them.
• Server and access logs — retained for up to 90 days for security and debugging purposes.
• Analytics events — retained by PostHog according to its default retention policy.
• Deleted accounts — personal data is removed within 30 days of deletion, except where retention is required by law or to resolve disputes.

7. Your Rights

Subject to applicable law, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your data in a portable format
• Opt out of analytics tracking (contact us or use browser privacy settings)
• Object to or restrict certain processing (EEA / UK)
• Lodge a complaint with a supervisory authority (EEA / UK)

California residents (CCPA / CPRA): You have the right to know what personal information we collect, request deletion, correct inaccurate information, and limit use of sensitive personal information. We do not sell or share your personal information for cross-context behavioral advertising, and we do not offer financial incentives in exchange for personal information. You will not be discriminated against for exercising these rights. The business responsible for your personal information is Ardent Research, Inc.

To exercise any of these rights, email us at the address below or use the “Delete Account” option in Account Settings.

8. Cookies and Local Storage

We use cookies for authentication (session management via Supabase). PostHog sets cookies and uses local storage to measure product usage and capture session replays; you can opt out by enabling your browser's “Do Not Track” setting, which we honor. We also use browser local storage to save your city preference and collection data for offline access. We do not use advertising cookies.

9. Security

We implement reasonable security measures including row-level security on our database, rate limiting, bot detection, and encrypted connections (HTTPS). However, no method of transmission over the Internet is 100% secure.

10. Children's Privacy

The Service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@eatmorels.com and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page.

12. International Data Transfers

Eat Morels is operated by Ardent Research, Inc. from the United States, and our service providers are primarily located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. Where required, transfers out of the EEA or UK rely on Standard Contractual Clauses or equivalent safeguards.

13. Contact

Questions about this policy? Contact Ardent Research, Inc. at support@eatmorels.com.