Legal
Privacy Policy
This is a draft for review — it is not legal advice and must be reviewed by a qualified solicitor before publication.
1. Who we are
What's For Dinner?! ("WFD", "we", "us") is operated by [PLACEHOLDER: legal entity name, company number and registered address], a company registered in the United Kingdom.
We are the data controller for the personal data described in this policy. That means we decide why and how your personal data is processed, and we are responsible for looking after it under the UK General Data Protection Regulation (UK GDPR) and, where it applies, the EU GDPR.
2. What this policy covers
This policy covers two things:
- Our website — the marketing and content site at [PLACEHOLDER: website URL], including our email signup form and blog.
- The WFD app — our iOS app (with Android planned) that helps couples, families and households decide what to eat together.
If we introduce features that change how we handle your data, we will update this policy first. See section 11.
3. Data we collect
3.1 Website visitors
If you just browse our website, we collect very little:
- Server logs. Our hosting provider, Vercel, automatically records basic technical data when you visit — such as your IP address, browser type and the pages you request. We use this to keep the site secure and working. Logs are short-lived and are not used to build profiles of visitors.
- Analytics. We do not use any third-party analytics service, and we do not use analytics cookies. We plan to introduce our own first-party, privacy-conscious analytics, hosted on our own systems — [PLACEHOLDER: confirm before this goes live]. When we do, it will not use cookies, will not track you across other websites, and will not build a personal profile of you: it will record only aggregate, non-identifying information such as which pages are visited, roughly where visits come from (for example, country), and which links are clicked. We will not store your full IP address for this purpose. Our lawful basis for this limited measurement is our legitimate interests in understanding and improving the website.
We do not use tracking cookies on the website. That is why you will not see a cookie banner.
3.2 Email signups
If you sign up for updates through the form on our website, we collect:
| Data | Why we collect it |
|---|---|
| Your email address | To send you the updates described at the form |
| Signup timestamp | To keep a record of when you subscribed |
| Source page | To know which page you signed up from |
| Consent record | To prove you agreed to receive emails |
This data is stored in Supabase (our database provider). We use it only to send you the updates described at the point you signed up. We never sell it, and we never share it for advertising. Every email we send includes an unsubscribe link, and you can opt out at any time. You can also email us (section 12) and we will remove you.
3.3 App users
When you use the WFD app, we expect to process data such as:
- Account details — for example your name or display name, email address and login credentials.
- Household pairing — if you invite a partner, family member or housemate, we process the connection between your accounts so you can plan together.
- Meal preferences and plans — the meals you swipe on, match on, add to your weekly plan, dietary tags you set, and shopping lists you build.
- Device data — basic technical information about your device needed to run and support the app.
[PLACEHOLDER: confirm exact app data collected, including any push notification tokens, crash reporting, and in-app analytics, before publication]
4. Why we use your data, and our lawful bases
UK GDPR requires us to have a lawful basis for each use of your personal data. Here is what we rely on:
| What we do | Lawful basis |
|---|---|
| Send you email updates you signed up for | Consent — you can withdraw it at any time by unsubscribing |
| Keep server logs and protect the website and app from abuse | Legitimate interests — keeping our services secure and reliable |
| Run aggregate, cookieless analytics (if enabled) | Legitimate interests — understanding overall site usage without profiling individuals |
| Provide the app: your account, household pairing, meal plans and lists | Contract — we need this data to deliver the service you signed up for |
| Respond when you contact us | Legitimate interests — answering your questions |
Where we rely on legitimate interests, we have checked that our interest does not override your rights. You can object at any time (see section 8).
5. Who processes your data for us
We use a small number of trusted service providers ("processors") who handle data on our instructions:
| Provider | What they do | Location / notes |
|---|---|---|
| Supabase | Database hosting (email signups; app data) | [PLACEHOLDER: confirm Supabase hosting region] |
| Vercel | Website hosting and server logs | Global edge network; see section 6 |
| Apple App Store | App distribution and payments on iOS | Apple processes payments under its own terms |
| Google Play (when available) | App distribution and payments on Android | Google processes payments under its own terms |
| (No third-party analytics provider.) Planned first-party analytics is hosted on our own systems (see Supabase above) | Cookieless, aggregate website analytics | Stored in our own database — no separate analytics processor |
| [PLACEHOLDER: email-sending provider] | Sending the email updates you signed up for | [PLACEHOLDER: provider region and terms] |
Apple and Google act as independent controllers for the purchases you make through their stores. Their own privacy policies apply to those transactions.
6. International transfers
Some of our providers store or process data outside the UK and the European Economic Area, including in the United States. Where that happens, we make sure appropriate safeguards are in place — such as the UK International Data Transfer Agreement or Addendum, EU Standard Contractual Clauses, or an adequacy decision covering the destination country. [PLACEHOLDER: confirm the specific transfer mechanism for each provider once contracts are in place]
7. How long we keep your data
| Data | How long |
|---|---|
| Email signup data | Until you unsubscribe or ask us to delete it |
| Server logs | Short-lived — [PLACEHOLDER: confirm Vercel log retention period] |
| App account and household data | While your account is active; deleted [PLACEHOLDER: confirm deletion window, e.g. within 30 days] after you delete your account |
| Analytics data (if enabled) | Aggregate only — no personal data retained |
We keep data no longer than we need it. Where the law requires us to keep something longer (for example, records of consent), we keep only what is necessary.
8. Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data.
- Restriction — ask us to limit how we use your data.
- Portability — receive your data in a portable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time, where we rely on consent (for example, email updates). Withdrawing consent does not affect processing that happened before you withdrew it.
To exercise any of these rights, contact us using the details in section 12. We will respond within one month.
If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. We would appreciate the chance to resolve your concern first, but you do not have to contact us before going to the ICO.
9. Children
The website and the WFD app are not directed at children under 13, and we do not knowingly collect personal data from them. Family features in the app — such as household plans that include children's meal preferences — are designed to be set up and managed by adults. [PLACEHOLDER: confirm minimum age policy and whether child profiles will exist in the app]
If you believe a child has given us personal data, please contact us and we will delete it.
10. Security
We take reasonable technical and organisational measures to protect your data, including encryption in transit, access controls on our systems and databases, and reputable hosting providers with strong security practices. No system is completely secure, but we work to keep risks low, and we will tell you and the relevant regulator if a breach affects your data in a way the law requires us to report.
11. Changes to this policy
We may update this policy as the product develops — for example, when the Android app launches or if we confirm a premium tier. We will post the updated version on this page with a new "updated" date. If a change significantly affects your rights, we will take reasonable steps to bring it to your attention, such as emailing subscribers or notifying you in the app.
12. Contact
Questions, requests or complaints about your data:
- Email: [PLACEHOLDER: contact email]
- Post: [PLACEHOLDER: postal address]