Privacy Policy

Last Updated: January 14, 2025

1. Introduction

Welcome to VASO ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our family recipe application and related services (collectively, the "Service").

Please read this Privacy Policy carefully. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide to us, including:

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: Optional profile photo, bio, dietary preferences
  • Recipe Content: Recipes, photos, ingredients, instructions, notes, and categories
  • Family Information: Family group names, member relationships (as designated by you)
  • Communications: Messages, feedback, and support requests you send us

2.2 Automatically Collected Information

When you use our Service, we automatically collect:

  • Usage Data: Pages visited, features used, time spent, search queries
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Server logs, error reports, performance data
  • Cookies and Similar Technologies: Session cookies, authentication tokens (see Section 7)

2.3 Third-Party Information

If you sign up using a third-party service (Google, GitHub), we receive basic profile information (name, email) from that provider as authorized by you.

3. How We Use Your Information

We use your information for the following purposes:

  • Service Provision: To create and maintain your account, store your recipes, enable family sharing
  • Communication: To send service updates, password resets, and respond to your inquiries
  • Improvement: To analyze usage patterns, fix bugs, and enhance features
  • Security: To detect fraud, prevent abuse, and protect our users
  • Legal Compliance: To comply with applicable laws and legal processes
  • AI Features: To provide AI-powered recipe extraction and image generation (your content is not used to train AI models)

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your data based on:

  • Contract Performance: Processing necessary to provide our Service
  • Consent: You have given explicit consent for specific purposes
  • Legitimate Interests: Our legitimate business interests (e.g., fraud prevention, analytics)
  • Legal Obligations: Compliance with applicable laws

5. How We Share Your Information

5.1 Within the Service

  • Family Members: Recipes marked as "family" are visible to members of your family groups
  • Community Recipes: Recipes marked as "community" are publicly visible to all users
  • Private Recipes: Recipes marked as "private" are only visible to you

5.2 Third-Party Service Providers

We share data with trusted service providers who assist us:

  • Supabase: Database hosting and authentication (GDPR compliant)
  • OpenAI: AI recipe extraction and image generation
  • Resend: Transactional email delivery
  • Upstash: Rate limiting and security
  • Netlify/Vercel: Application hosting and CDN

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.3 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or to protect our rights, property, or safety, or that of our users or others.

5.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.5 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Retention

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Data permanently deleted within 30 days of account deletion request
  • Backup Data: Backup copies deleted within 90 days
  • Legal Holds: Data subject to legal requirements may be retained longer

7. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the Service

You can control cookies through your browser settings, but disabling essential cookies may affect your ability to use the Service.

8. Your Privacy Rights

8.1 All Users

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Export: Download your recipes and data in a portable format
  • Opt-Out: Unsubscribe from marketing emails (if any)

8.2 GDPR Rights (EEA/UK Users)

In addition to the above, you have the right to:

  • Data Portability: Receive your data in a structured, machine-readable format
  • Restrict Processing: Limit how we use your data in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
  • Lodge a Complaint: File a complaint with your local data protection authority

8.3 CCPA Rights (California Users)

California residents have additional rights:

  • Know: Request disclosure of data collected, sources, purposes, and third parties
  • Delete: Request deletion of personal information
  • Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Non-Discrimination: We will not discriminate against you for exercising your rights

8.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@familyvaso.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest
  • Password Security: Passwords hashed using bcrypt with strong requirements (12+ characters, complexity)
  • Access Controls: Role-based access control and least-privilege principle
  • Rate Limiting: Protection against brute force attacks
  • CSRF Protection: Protection against cross-site request forgery
  • Regular Audits: Ongoing security assessments and updates

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10. Children's Privacy

Our Service is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information from our systems.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws different from your country.

For EEA/UK users: We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new Privacy Policy on this page with an updated "Last Updated" date
  • Sending you an email notification (for significant changes)
  • Displaying a prominent notice within the Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

14. California "Do Not Track" Disclosure

We do not currently respond to "Do Not Track" signals from browsers, as there is no industry standard for how to respond to such signals.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@familyvaso.com

Data Protection Officer: dpo@familyvaso.com

Response Time: We aim to respond within 72 hours

16. Supervisory Authority

If you are located in the EEA or UK and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.

Effective Date: January 14, 2025

By using VASO, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.