Privacy Policy

1. Introduction

Welcome to Crave List. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our service to track restaurants, places, and locations.

2. Information We Collect

2.1 Information You Provide

• Account Information: When you sign up, we collect your email address and password. If you sign up using Google OAuth, we collect your email address, first name, and profile picture from your Google account.
• User-Generated Content: Information you add about restaurants, places, and locations, including names, addresses, notes, tags, photos you upload, and visit status.
• Geographic Data: Latitude and longitude coordinates for saved locations, addresses, and location search queries.

2.2 Information We Collect Automatically

• Cookies and Session Data: We use session cookies to keep you logged in. These cookies are stored for up to one year and are essential for the service to function.
• Analytics Data: We may collect information about how you use our service, including pages visited, features used, and interaction patterns to improve our service.
• Device and Browser Information: We automatically collect information about your device and browser for security and service optimization purposes.

2.3 Information from Third Parties

• Google Places API: When you search for locations, we retrieve information from Google Places API including place names, addresses, phone numbers, websites, hours, photos, ratings, and editorial summaries. This data is associated with your account when you save locations.
• Google OAuth: Authentication data from your Google account as described in section 2.1.

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our service
• Authenticate your identity and manage your account
• Store and display your saved restaurants, places, and locations
• Search for and retrieve location information via Google Places API
• Display maps and geographic information
• Analyze usage patterns to improve user experience
• Communicate with you about service updates or issues
• Ensure security and prevent fraud or abuse

4. Third-Party Services

We use the following third-party services that may collect or process your data:

4.1 Supabase

We use Supabase for authentication, database storage, and file storage (photos). Your data is stored securely on Supabase servers. Supabase's privacy policy is available at supabase.com/privacy.

4.2 Google Services

We use Google OAuth for authentication and Google Places API for location data. Google's privacy policy is available at policies.google.com/privacy.

4.3 Vercel

Our application is hosted on Vercel. Vercel may collect analytics and performance data. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.

5. Data Security

We implement industry-standard security measures to protect your data, including:

• Secure HTTPS encryption for all data transmission
• Row-level security on database tables ensuring users can only access their own data
• Secure session management with HTTP-only cookies
• Regular security updates and monitoring

However, no method of transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. You may request deletion of your account and associated data at any time by contacting us (see section 10).

Upon account deletion, we will immediately and permanently delete your profile, saved locations, photos, and all associated data.

7. Your Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct your personal information through your profile settings
• Deletion: Request deletion of your account and all associated data
• Export: Request an export of your data in a portable format
• Opt-out: Opt out of non-essential data collection (such as analytics)

To exercise any of these rights, please contact us at the email address provided in section 10.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information held by us
• Right to opt-out of sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

8. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

9. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any changes by updating the "Effective Date" at the top of this policy. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this privacy policy or wish to exercise your privacy rights, please contact us at:

11. Google API Services User Data Policy

Crave List uses Google API Services to provide its functionality. This section describes our use and handling of Google user data in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

11.1 Google User Data We Access

Via Google OAuth (when you sign in with Google):

• Email address
• First name
• Profile picture URL

Via Google Places API (when you search for locations):

• Place identifiers (Google Place IDs)
• Place names and display names
• Addresses and address components (street, city, state, postal code, country)
• Geographic coordinates (latitude and longitude)
• Phone numbers and website URLs
• Opening hours and time periods
• Photos and photo references
• Price levels and ratings
• Place types and categories
• Editorial summaries

11.2 How We Use Google User Data

• Authentication: Google OAuth data (email, name, profile picture) is used solely to create and manage your Crave List account and identify you within the application.
• Location Search: Google Places API data is used to help you find and save restaurants, places, and locations to your personal lists.
• Data Population: When you save a location from search results, the place information from Google is stored in your account to display in your saved lists.
• Photo Display: Photos from Google Places are downloaded and stored on our servers to display within the application.
• Location-Based Search: Your current location coordinates may be sent to Google Places API to provide proximity-based search results.

11.3 Data Storage

• Google OAuth profile data is stored in your user profile on our secure database.
• Google Places data is stored only when you explicitly save a location to your lists.
• Photos from Google Places are downloaded and re-hosted on our secure storage servers.
• All data is associated with your user account and protected by row-level security.

11.4 Limited Use Disclosure

Crave List's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide and improve the Crave List service as described in this privacy policy.
• We do not sell Google user data to third parties.
• We do not use Google user data for advertising purposes.
• We do not transfer Google user data to third parties except as necessary to provide the service (e.g., storing data on our hosting infrastructure) or as required by law.
• We do not use Google user data for purposes unrelated to the core functionality of tracking restaurants, places, and locations.