Privacy Policy
1. Who We Are
Foodashi ("Foodashi", "we", "our", "us") operates an API and web platform for AI-generated food data, including recipes, nutritional information, allergen indicators, and food imagery.
For the purposes of applicable data protection laws:
- Foodashi acts as a Data Controller for account, billing, and usage data we collect directly from you.
- Foodashi acts as a Data Processor for API payloads (search terms, parameters, prompts) submitted by you to generate content via the API.
Contact for privacy matters: [email protected]
Registered address: Foodashi (Egyéni Vállalkozó), Budapest, Hungary.
Data Protection Officer: A DPO is not currently required under GDPR Article 37 due to the scale of processing. For all data protection inquiries, please contact: [email protected]
2. Data We Collect & Why
We minimise data collection and only process information required to provide, secure, and operate our Services. We do not collect data for advertising or behavioural profiling.
| Data Category | What We Collect | Legal Basis (GDPR) |
|---|---|---|
| Identity & Billing | Name, email address, country, VAT ID, payment method details (processed by Stripe; we do not store full card numbers). Used for account creation, invoicing, tax compliance, and customer support. | Contract performance (Art. 6(1)(b)), Legal obligation (Art. 6(1)(c)) for tax/invoicing |
| API Payloads | Search terms, parameters, and prompts submitted to generate recipes or food data. Processed solely to fulfil API requests. | Contract performance (Art. 6(1)(b)) |
| Technical & Usage Data | IP address, User-Agent, request timestamps, API endpoint usage, error logs, and usage patterns. Used for security, rate limiting, abuse prevention, and system diagnostics. | Legitimate interest (Art. 6(1)(f)) — platform security and stability |
| OAuth Sign-In Data | When you sign in via Google or GitHub, we receive your name, email address, and profile avatar from the provider. We do not receive or store your Google or GitHub password. | Contract performance (Art. 6(1)(b)) |
| Communication Data | Emails, support tickets, and correspondence when you contact us. Used to respond to your enquiries and improve our services. | Legitimate interest (Art. 6(1)(f)) — our legitimate interest in responding to enquiries, providing customer support, and improving service quality. Also: Contract performance (Art. 6(1)(b)) |
3. AI Sub-Processors & Data Transfers
To generate content, Foodashi transmits only the minimum necessary request data to trusted infrastructure and AI providers. We do not transmit billing, identity, or payment data to AI model providers.
| Provider | Purpose | Data Transferred | Transfer Safeguard |
|---|---|---|---|
| Google Cloud (Gemini AI) | Text prompt processing for recipe generation | API payloads (search terms, parameters) only | EU-US Data Privacy Framework + SCCs |
| Google (OAuth) | Authentication via Google Sign-In | Name, email address, profile avatar (received from Google) | EU-US Data Privacy Framework + SCCs |
| GitHub (OAuth) | Authentication via GitHub Sign-In | Name, email address, profile avatar (received from GitHub) | EU-US Data Privacy Framework + SCCs |
| DeepInfra / Black Forest Labs | Image generation from descriptive prompts | Text prompts for image generation only | SCCs |
| Supabase | Database hosting for accounts, API keys, usage metadata | Account data, API keys, usage logs | EU-US Data Privacy Framework + SCCs |
| Cloudflare | Traffic security, DDoS protection, CDN caching | Technical data (IP, User-Agent, request headers) | EU-US Data Privacy Framework + SCCs |
| Stripe | Payment processing and subscription management | Billing data, payment method details | EU-US Data Privacy Framework + SCCs |
| Brevo (Sendinblue) | Transactional emails (account, billing, refund notifications) | Email address, name, email content | EU (France-based) |
Some sub-processors may process data outside of the European Economic Area (EEA). Where this occurs, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or the sub-processor is certified under an applicable adequacy framework.
Foodashi does not use customer API payloads to train proprietary machine learning models.
4. Cookies & Tracking
Foodashi uses only strictly necessary cookies required for authentication, session management, and security. We do not use advertising cookies, tracking pixels, or behavioural analytics tools.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookies | WordPress session management and authentication | Session (browser close) |
| CSRF tokens | Cross-site request forgery protection | Session |
| Cloudflare (__cf_bm) | Bot management and DDoS protection | 30 minutes |
| Stripe | Payment processing and fraud prevention | Varies (set by Stripe) |
Because we only use strictly necessary cookies, consent is not required under the ePrivacy Directive (2002/58/EC) or the UK Privacy and Electronic Communications Regulations (PECR).
5. Automated Processing
Foodashi uses automated systems exclusively for:
- Content generation: AI models process API requests to generate recipe and food data.
- Infrastructure protection: Automated rate limiting, abuse detection, and DDoS mitigation.
- Billing automation: Automated subscription management, renewals, and refund processing via Stripe.
We do not engage in automated decision-making that produces legal effects or similarly significant effects on individuals, as defined under GDPR Article 22. No profiling is performed for marketing, credit scoring, or behavioural analysis.
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| API Logs | Up to 90 days | Security, debugging, abuse investigation. Deleted or anonymised after retention period. |
| Billing Records | Up to 8 years | Tax, accounting, and legal obligations (Hungarian Accounting Act (2000. évi C. törvény), EU VAT Directive, and applicable tax legislation). Administered by NAV (Nemzeti Adó- és Vámhivatal). |
| Account Data | Duration of account + 30 days | Service provision. Deleted 30 days after account deletion request. |
| Support Correspondence | Up to 2 years | Customer service continuity and dispute resolution. |
After the retention period expires, data is securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely for aggregate statistical purposes.
7. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights under applicable data protection law:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete personal data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. |
| Restriction | Request restriction of processing in certain circumstances. |
| Data Portability | Receive your data in a structured, machine-readable format (GDPR Art. 20). |
| Objection | Object to processing based on legitimate interests (GDPR Art. 21). |
| Withdraw Consent | Withdraw consent at any time where processing is based on consent (does not affect prior processing). |
GDPR (EU/EEA): You have all rights listed above. You also have the right to lodge a complaint with your national Data Protection Authority (DPA).
Hungary (Lead Supervisory Authority): For users in Hungary and where Foodashi is the lead controller, the competent supervisory authority is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), https://naih.hu, address: 1055 Budapest, Falk Miksa utca 9-11.
UK GDPR: You have all rights listed above. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
CCPA/CPRA (California): California residents have the right to know what personal information is collected, request deletion, and opt out of the "sale" or "sharing" of personal information. Foodashi does not sell or share personal information as defined by the CCPA/CPRA. You may exercise your rights by contacting us. We will not discriminate against you for exercising your rights.
To exercise any of these rights, contact: [email protected]. We will respond within 30 days (or within the timeframe required by applicable law).
8. Data Sharing & Sale
Foodashi does not sell, rent, or trade personal data.
We only share data with:
- Service providers (sub-processors): As listed in Section 3, strictly necessary to operate the Services, under contractual confidentiality and data protection obligations.
- Legal authorities: If required by law, court order, or regulatory requirement, or to protect the rights, safety, or property of Foodashi or others.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy commitments.
9. International Data Transfers
Your data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection. Where we transfer data outside of the EEA or UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions by the European Commission or UK Secretary of State.
- Binding Corporate Rules where applicable.
You may request a copy of the safeguards we use for international transfers by contacting [email protected].
10. Children's Privacy
The Services are not directed to, and we do not knowingly collect personal data from, children under the age of 16 (or such lower age as may apply in your jurisdiction). If you are a parent or guardian and believe your child has provided personal data to us, please contact [email protected] and we will promptly delete such data.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- API key hashing and secure storage.
- Access controls and principle of least privilege for staff and systems.
- Cloudflare WAF, DDoS protection, and bot management.
- Regular security monitoring and incident response procedures.
No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
Foodashi will notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, in accordance with GDPR Article 33, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk (Article 34).
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account. The "Effective Date" at the top of this policy indicates the date of the most recent revision.
We will notify you of material changes at least 30 days in advance via email or in-app notification. Where consent is the legal basis for processing, we will seek your renewed affirmative consent for material changes. For processing based on contract or legitimate interest, your continued use after the effective date constitutes acceptance.
13. Contact
For any privacy-related questions, data subject requests, or complaints:
- Privacy enquiries: [email protected]
- General support: [email protected]
- Legal: [email protected]