Privacy Policy
Last updated: May 2026
1. Data Controller
The data controller for your personal data is:
- Mateusz Dabrowski IT
- ul. Firletki 25F/1, 05-462 Wiazowna, Poland
- NIP: 5322115266
- Email: privacy@yummoria.com
- Phone: +48 505 876 008
As a small business, we are not required to appoint a Data Protection Officer. For all privacy-related queries, contact us at the email above.
2. What Data We Collect
| Category | Data | Legal Basis (GDPR) |
|---|---|---|
| Account | Email address, display name, language preference | Contract performance (Art. 6(1)(b)) |
| Recipes & content | Recipes, ingredients, steps, images, tags, translations | Contract performance (Art. 6(1)(b)) |
| Meal planning | Meal plans, entries, shopping lists | Contract performance (Art. 6(1)(b)) |
| Social interactions | Likes, bookmarks, comments, follows, collections | Contract performance (Art. 6(1)(b)) |
| Billing | Subscription tier, billing period, payment status (no card details — stored by Stripe) | Contract performance (Art. 6(1)(b)) |
| Feed personalisation | Feed impressions, interactions (views, dwell time, likes) | Legitimate interest (Art. 6(1)(f)) — improving content relevance |
| Analytics | Page views, referrer (collected by Umami, cookie-free, no personal identifiers) | Legitimate interest (Art. 6(1)(f)) — service improvement |
| Authentication | Clerk session data (auth tokens, OAuth provider info) | Contract performance (Art. 6(1)(b)) |
3. How We Use Your Data
We use your data to:
- Provide and operate the Yummoria service (recipe storage, meal planning, shopping lists, community features)
- Process payments and manage your subscription
- Personalise your feed and content recommendations
- Improve the service and fix issues
- Communicate essential service updates (account, billing, security)
- Enforce our Terms of Service and protect against abuse
We do not sell your personal data. We do not use your data for third-party advertising profiling.
4. Sub-processors (Third-Party Services)
We share your data with the following service providers, each acting as a data processor under GDPR:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication & identity | Email, OAuth tokens | US (SCCs in place) |
| Stripe | Payment processing | Email, billing address, payment method | US (SCCs in place) |
| Neon | Database hosting | All application data | EU (AWS eu-central-1) |
| Cloudflare | CDN, security, image storage (R2) | Request metadata, images | Global (EU-compliant) |
| Umami | Privacy-friendly analytics | No personal data (cookie-free, no IP storage) | EU |
Where data is transferred outside the EEA (Clerk, Stripe), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
5. Data Retention
| Data | Retention Period |
|---|---|
| Account & content data | Duration of your account + 30 days after deletion request |
| Billing records | 7 years after the end of the subscription (tax obligations) |
| Feed interaction data | 12 months (rolling window) |
| Analytics data (Umami) | 24 months (aggregated, no personal identifiers) |
| Consent records | Duration of account + 3 years |
| Abuse/moderation reports | Duration of account + 1 year |
6. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data via your account settings.
- Right to erasure (Art. 17): Request deletion of your account and all associated data.
- Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Export your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21): Object to processing based on legitimate interest (e.g., feed personalisation).
How to exercise your rights
- Data export: Use the "Export my data" feature in your Account settings, or send a request to privacy@yummoria.com.
- Account deletion: Use the "Delete my account" feature in your Account settings, or send a request to privacy@yummoria.com.
- Other requests: Email privacy@yummoria.com with the subject line "GDPR Request".
We will respond to all requests within 30 days. If a request is complex, we may extend this period by an additional 60 days with prior notice.
7. Cookies and Tracking
Essential cookies (no consent required)
- Clerk authentication cookies: Session tokens required to keep you logged in. These are strictly necessary for the service to function and cannot be disabled while using Yummoria.
Non-essential tracking
- Umami analytics: Cookie-free, privacy-friendly web analytics. No personal identifiers are collected or stored. No cookies are set.
- Cloudflare: May set performance cookies (e.g., __cf_bm) for bot protection. These are classified as strictly necessary for security.
We do not use advertising cookies, tracking pixels, or social media trackers.
8. Children's Data
Yummoria is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account, please contact us at privacy@yummoria.com and we will delete the account promptly.
9. Automated Decision-Making
Yummoria uses automated algorithms to personalise your "For You" feed based on your interaction history, preferences, and community trends. This personalisation does not produce legal effects or similarly significant effects on you. You can switch to the chronological "Following" feed at any time to avoid algorithmic ranking.
10. Data Security
We protect your data with:
- TLS encryption for all data in transit
- Encrypted database connections
- JWT-based authentication with short-lived tokens
- Infrastructure hosted within the EU (database) with reputable international providers (CDN, auth, payments)
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days in advance.
12. Supervisory Authority
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
- UODO (Urzad Ochrony Danych Osobowych / Office for Personal Data Protection)
- ul. Stawki 2, 00-193 Warszawa, Poland
- Website: uodo.gov.pl
You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence.
13. Contact
For privacy-related questions, contact us at privacy@yummoria.com or by post at: Mateusz Dabrowski IT, ul. Firletki 25F/1, 05-462 Wiazowna, Poland.