Legal

Privacy Policy

This is a draft for review — it is not legal advice and must be reviewed by a qualified solicitor before publication.

1. Who we are

What's For Dinner?! ("WFD", "we", "us") is operated by [PLACEHOLDER: legal entity name, company number and registered address], a company registered in the United Kingdom.

We are the data controller for the personal data described in this policy. That means we decide why and how your personal data is processed, and we are responsible for looking after it under the UK General Data Protection Regulation (UK GDPR) and, where it applies, the EU GDPR.

2. What this policy covers

This policy covers two things:

  • Our website — the marketing and content site at [PLACEHOLDER: website URL], including our email signup form and blog.
  • The WFD app — our iOS app (with Android planned) that helps couples, families and households decide what to eat together.

If we introduce features that change how we handle your data, we will update this policy first. See section 11.

3. Data we collect

3.1 Website visitors

If you just browse our website, we collect very little:

  • Server logs. Our hosting provider, Vercel, automatically records basic technical data when you visit — such as your IP address, browser type and the pages you request. We use this to keep the site secure and working. Logs are short-lived and are not used to build profiles of visitors.
  • Analytics. We do not use any third-party analytics service, and we do not use analytics cookies. We plan to introduce our own first-party, privacy-conscious analytics, hosted on our own systems — [PLACEHOLDER: confirm before this goes live]. When we do, it will not use cookies, will not track you across other websites, and will not build a personal profile of you: it will record only aggregate, non-identifying information such as which pages are visited, roughly where visits come from (for example, country), and which links are clicked. We will not store your full IP address for this purpose. Our lawful basis for this limited measurement is our legitimate interests in understanding and improving the website.

We do not use tracking cookies on the website. That is why you will not see a cookie banner.

3.2 Email signups

If you sign up for updates through the form on our website, we collect:

Data Why we collect it
Your email address To send you the updates described at the form
Signup timestamp To keep a record of when you subscribed
Source page To know which page you signed up from
Consent record To prove you agreed to receive emails

This data is stored in Supabase (our database provider). We use it only to send you the updates described at the point you signed up. We never sell it, and we never share it for advertising. Every email we send includes an unsubscribe link, and you can opt out at any time. You can also email us (section 12) and we will remove you.

3.3 App users

When you use the WFD app, we expect to process data such as:

  • Account details — for example your name or display name, email address and login credentials.
  • Household pairing — if you invite a partner, family member or housemate, we process the connection between your accounts so you can plan together.
  • Meal preferences and plans — the meals you swipe on, match on, add to your weekly plan, dietary tags you set, and shopping lists you build.
  • Device data — basic technical information about your device needed to run and support the app.

[PLACEHOLDER: confirm exact app data collected, including any push notification tokens, crash reporting, and in-app analytics, before publication]

4. Why we use your data, and our lawful bases

UK GDPR requires us to have a lawful basis for each use of your personal data. Here is what we rely on:

What we do Lawful basis
Send you email updates you signed up for Consent — you can withdraw it at any time by unsubscribing
Keep server logs and protect the website and app from abuse Legitimate interests — keeping our services secure and reliable
Run aggregate, cookieless analytics (if enabled) Legitimate interests — understanding overall site usage without profiling individuals
Provide the app: your account, household pairing, meal plans and lists Contract — we need this data to deliver the service you signed up for
Respond when you contact us Legitimate interests — answering your questions

Where we rely on legitimate interests, we have checked that our interest does not override your rights. You can object at any time (see section 8).

5. Who processes your data for us

We use a small number of trusted service providers ("processors") who handle data on our instructions:

Provider What they do Location / notes
Supabase Database hosting (email signups; app data) [PLACEHOLDER: confirm Supabase hosting region]
Vercel Website hosting and server logs Global edge network; see section 6
Apple App Store App distribution and payments on iOS Apple processes payments under its own terms
Google Play (when available) App distribution and payments on Android Google processes payments under its own terms
(No third-party analytics provider.) Planned first-party analytics is hosted on our own systems (see Supabase above) Cookieless, aggregate website analytics Stored in our own database — no separate analytics processor
[PLACEHOLDER: email-sending provider] Sending the email updates you signed up for [PLACEHOLDER: provider region and terms]

Apple and Google act as independent controllers for the purchases you make through their stores. Their own privacy policies apply to those transactions.

6. International transfers

Some of our providers store or process data outside the UK and the European Economic Area, including in the United States. Where that happens, we make sure appropriate safeguards are in place — such as the UK International Data Transfer Agreement or Addendum, EU Standard Contractual Clauses, or an adequacy decision covering the destination country. [PLACEHOLDER: confirm the specific transfer mechanism for each provider once contracts are in place]

7. How long we keep your data

Data How long
Email signup data Until you unsubscribe or ask us to delete it
Server logs Short-lived — [PLACEHOLDER: confirm Vercel log retention period]
App account and household data While your account is active; deleted [PLACEHOLDER: confirm deletion window, e.g. within 30 days] after you delete your account
Analytics data (if enabled) Aggregate only — no personal data retained

We keep data no longer than we need it. Where the law requires us to keep something longer (for example, records of consent), we keep only what is necessary.

8. Your rights

Under UK GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data.
  • Restriction — ask us to limit how we use your data.
  • Portability — receive your data in a portable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time, where we rely on consent (for example, email updates). Withdrawing consent does not affect processing that happened before you withdrew it.

To exercise any of these rights, contact us using the details in section 12. We will respond within one month.

If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. We would appreciate the chance to resolve your concern first, but you do not have to contact us before going to the ICO.

9. Children

The website and the WFD app are not directed at children under 13, and we do not knowingly collect personal data from them. Family features in the app — such as household plans that include children's meal preferences — are designed to be set up and managed by adults. [PLACEHOLDER: confirm minimum age policy and whether child profiles will exist in the app]

If you believe a child has given us personal data, please contact us and we will delete it.

10. Security

We take reasonable technical and organisational measures to protect your data, including encryption in transit, access controls on our systems and databases, and reputable hosting providers with strong security practices. No system is completely secure, but we work to keep risks low, and we will tell you and the relevant regulator if a breach affects your data in a way the law requires us to report.

11. Changes to this policy

We may update this policy as the product develops — for example, when the Android app launches or if we confirm a premium tier. We will post the updated version on this page with a new "updated" date. If a change significantly affects your rights, we will take reasonable steps to bring it to your attention, such as emailing subscribers or notifying you in the app.

12. Contact

Questions, requests or complaints about your data:

  • Email: [PLACEHOLDER: contact email]
  • Post: [PLACEHOLDER: postal address]