Privacy Policy

When you create an account or use Yuzo, we collect:

• Account data — your email address and password (stored as a secure hash).
• Household profile — number of people and their dietary labels (e.g. “Partner”, “Child 1”).
• Dietary preferences and allergens — restrictions you declare (e.g. gluten-free, halal, nut allergy). Necessary for the core service.
• Location — country and postal code, used to determine seasonal produce and regional pricing. We do not collect GPS coordinates.
• Usage data — pages visited, features used, and meal ratings, used to improve your plan and the service.
• Payment data — billing details handled entirely by Stripe. We never see or store your card number.

We use your data to:

• Generate personalised weekly meal plans tailored to your location, season, restrictions, and household.
• Process and manage your subscription via Stripe.
• Send transactional emails (plan delivery, billing receipts, account notices) via Resend.
• Improve AI suggestions based on aggregated, anonymised usage patterns.
• Comply with legal obligations.

We do not use your data for advertising. We do not build advertising profiles.

User data is stored in Supabase, a PostgreSQL-based platform with data hosted in the EU (AWS eu-west-1). Supabase is SOC 2 Type II certified and encrypts data at rest and in transit.

Payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We receive only a customer ID and subscription status.

Transactional emails are sent via Resend. Your email address is shared with Resend solely to deliver messages you have requested.

We do not sell, rent, or trade your personal data. We share it only with the sub-processors listed above (Supabase, Stripe, Resend) and only to the extent necessary to operate the service. We may disclose data if required by law.

We use a single first-party session cookie to keep you logged in. We use Vercel Analytics for anonymous, aggregated page-view statistics — no fingerprinting, no cross-site tracking, no personally identifiable data collected by analytics.

We do not use third-party advertising cookies.

We retain your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where legally required (e.g. billing records retained for up to 7 years for tax purposes).

Under UK GDPR and EU GDPR, you have the right to access, correct, export, or delete your personal data. To exercise any of these rights, email us at privacy@yuzo.app with the subject line “Data request”. We will respond within 30 days.

You can also delete your account directly from your profile settings.

All data is transmitted over HTTPS. Passwords are hashed and never stored in plain text. Access to production data is restricted to authorised personnel only.

Yuzo is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have collected data from a child, contact us and we will delete it promptly.

We may update this policy from time to time. If we make material changes, we will notify you by email or via an in-app notice at least 14 days before the change takes effect.