Privacy Policy
Effective date: June 5, 2026
Quick read
We are Develemit LLC, doing business as Diner Decider ("Diner Decider," "we," "us," or "our"). When you use Diner Decider you share three categories of personal information with us: (1) what your OAuth provider sends us on sign-in (your name, email, and profile image URL), (2) what you tell us about your meals (restaurants, photos, notes, ratings, stamps), and (3) what your browser tells us during ordinary use (your IP address, request paths, a session cookie). We do not sell or rent your data to anyone. We do not run third-party analytics or advertising trackers in this build.
We use this data to run the Service for you: to keep you signed in, to show your passport, to power the "Pick a Place" feature when you give your browser permission to share your location, and to enforce rate limits. Your location is forwarded to Google Places at the moment of a search and is not stored on our servers. Photos are stripped of EXIF metadata (including GPS) on the server before storage, so nothing about where a photo was taken is preserved.
You have specific rights over your data — you can request a copy, ask us to delete it, correct it, or object to certain uses. You can exercise most rights yourself directly from Settings inside the app (Export passport, Delete account). For anything else, email us at privacy@dinerdecider.com.
1. Who we are
Develemit LLC, doing business as Diner Decider (referred to here as "Diner Decider," "we," "us," or "our") is the controller of your personal information for purposes of the EU and UK General Data Protection Regulations and the equivalent "business" for the California Consumer Privacy Act and other US state privacy laws.
The fastest way to reach us about anything in this policy is by email at privacy@dinerdecider.com.
2. Information we collect
The table below lists every category of personal information we collect, where it comes from, where it is stored, and what we use it for. This list is intended to be exhaustive: if a category is not listed below, we do not collect it.
| Category | Source | Storage | Purpose |
|---|---|---|---|
| OAuth profile (email, name, profile image URL) | Google or Apple OAuth | Postgres users + auth_identities | Authentication; displaying your name and avatar in the app |
| Session token | Server-generated on login | Signed session cookie (dd_session; see Section 10) + server-side backing store | Maintaining the logged-in state |
| Geolocation (lat/lng) | Browser navigator.geolocation API | Not stored server-side — forwarded to Google Places, then discarded | Powering "Pick a Place Near Me" |
| Meal logs (restaurant ID, eaten-at timestamp, notes, privacy setting) | You enter them in the app | Postgres meals table | Building your dining passport |
| Meal photos | You upload them | Cloudflare R2 | Visual record on your passport |
| Ratings (overall, taste, presentation, atmosphere, service, value) | You enter them | Postgres ratings table | Passport; future Garçon recommendations |
| Stamps (cuisine, neighborhood, earned-at) | Server-derived from your meals | Postgres stamps table | Visible collection on your passport |
| Achievements earned | Server-derived from your meal patterns | Postgres user_achievements table | Gamification |
| Daily usage counters | Internal counters | Postgres usage_quotas table | Rate-limiting and quota enforcement |
| Tier (free / premium) | Set on upgrade | Postgres users.tier column | Authorization gate for premium features |
| User preferences (theme, notification toggles) | You set them in Settings | Postgres user_preferences table | Customizing your experience |
| Request logs (IP, User-Agent, paths) | HTTP server | Hetzner Cloud | Operations, abuse prevention, debugging |
| Billing contact info and payment method | You enter them when you upgrade | Held by Stripe (see Section 7) | Subscription payment processing; billing records kept as required by law (see Section 6) |
| Audit-log and analytics events (login, deletion, subscription, page performance) | Server-generated | emit-vision, our own first-party telemetry (see Section 7) | Security audit trail; page-performance monitoring |
3. Sources of information
We receive personal information from three kinds of source:
- Directly from you — when you sign in, enter a meal, upload a photo, rate a restaurant, or change a setting
- From your devices and browsers — when your browser tells us your IP address, sends the session cookie back to us, or asks for permission to share your location
- From third-party identity providers — when Google or Apple confirms your sign-in and sends us the OAuth scopes you approved (your name, email, and profile image URL)
We also derive new personal information from what we already have. Stamps and achievements, for example, are not collected — they are computed from meals you have logged.
4. How we use your information
- Provide the Service: authenticate you, store and display your meals, photos, ratings, stamps, and achievements
- Power location features: forward your geolocation to Google Places when you tap "Pick a Place Near Me," receive the nearby-restaurant results, and display them
- Operate the Service safely: enforce rate limits, prevent abuse, detect and respond to security incidents
- Communicate with you about the Service: send transactional emails (account confirmations, important security notices), respond to support and privacy requests
- Improve the Service: analyze aggregated, non-identifying usage patterns to decide what to build next (we do not run third-party analytics in this build)
- Comply with law: respond to lawful requests from authorities, retain records required by tax or regulatory law
We do not sell personal data.
5. Legal bases for processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the applicable legal bases for our processing are:
- Contract (GDPR Art. 6(1)(b)): processing necessary to deliver the Service you signed up for — your account data, meal logs, photos, ratings, stamps, achievements, preferences, and the session cookie all rely on this basis
- Legitimate interests (Art. 6(1)(f)): operating the Service safely, preventing abuse, debugging, securing our systems, and basic operational logging
- Consent (Art. 6(1)(a)): geolocation is requested via your browser only when you tap a feature that needs it; the prompt is the consent step
- Legal obligation (Art. 6(1)(c)): retaining records required by tax, accounting, or other regulatory law
6. Retention
- Active account: while you are signed in or have signed in within the past 24 months
- Inactive account: if you have not signed in for 24 months we may notify you and then purge your account. We will keep contact email on file separately for at most 30 additional days to handle bounce / re-activation
- Deleted account: your account remains soft-deleted and recoverable for 30 days, then permanently purged from the live Service
- Backups: rolling 90-day window. Deleted data persists in encrypted backups until it ages out, at which point it is unrecoverable
- Request logs: 90 days for security and debugging, then aggregated or deleted
- Billing records: 7 years as required by applicable tax and accounting law
7. Who we share information with
We share personal information only with the categories of recipient listed below. We do not sell your personal information.
| Subprocessor | What they receive | Purpose | Their privacy policy |
|---|---|---|---|
| Google LLC | OAuth scopes (name, email, image URL) on sign-in; geolocation coordinates at search time | Identity provider and Google Places API | Google Privacy & Terms |
| Apple Inc. | Hashed user identifier; relay email if you used Apple's private relay | Identity provider | Apple Privacy Policy |
| Hetzner Cloud GmbH | All request data (IP, User-Agent, paths) and the full contents of our database, in transit and at rest | Application hosting and Postgres database | Hetzner Privacy Policy |
| Cloudflare, Inc. | Photos; DNS/CDN traffic metadata | R2 object storage for uploaded photos; CDN and DDoS protection | Cloudflare Privacy Policy |
| Resend, Inc. | Recipient email address + transactional email content | Transactional email delivery | Resend Privacy Policy |
| Stripe, Inc. | Billing contact info; payment method tokens | Subscription payment processing | Stripe Privacy Policy |
| emit-vision (Develemit LLC) | Audit-log and analytics events (login, deletion, subscription, page performance) | First-party telemetry — same legal entity; no data sold or shared | N/A (same entity) |
| Future: Anthropic, PBC | Relevant slice of your meal history at recommendation time | AI-powered Garçon recommendations (MVP 3) | Anthropic Privacy Policy |
We may also disclose information to: (a) law enforcement, courts, or other authorities in response to a lawful demand; (b) a successor entity in connection with a merger, acquisition, or sale of assets, subject to this Privacy Policy; (c) our auditors, advisors, or legal counsel under confidentiality obligations.
8. International data transfers
We are based in the United States and we use US-based subprocessors. If you are in the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to the US. Where required, such transfers are covered by Standard Contractual Clauses (SCCs). We can provide a copy of the relevant SCCs on request.
9. Your rights
Available to everyone:
- Access: ask us what we have about you, or export it directly from Settings ("Export passport")
- Correction: edit your profile through your OAuth provider; for anything else email us
- Deletion: delete your account directly from Settings ("Delete account")
- Object / opt-out: tell us to stop a specific use of your data
GDPR / UK GDPR (additional):
- Restriction of processing
- Data portability (also covered by "Export passport")
- Withdraw consent at any time where the legal basis is consent
- Lodge a complaint with your supervisory authority
California (CCPA / CPRA):
- Right to know what categories of personal information we collect (see Section 2 above)
- Right to delete (covered by "Delete account")
- Right to correct
- Right to opt out of sale or sharing for cross-context behavioral advertising — we do not sell or share personal information, so this right is automatically satisfied
- Right to non-discrimination for exercising your rights
Other US state laws: residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those listed above. We will honor recognized opt-out signals (including the Global Privacy Control) when they apply.
To exercise any of these rights yourself, use the Settings → Data section in the app. For anything you cannot do in the app, email us at privacy@dinerdecider.com. We will respond within the timeframe required by your jurisdiction: within one month under GDPR (extendable by up to two further months for complex requests, in which case we will tell you why), and within 45 days under CCPA (extendable once by a further 45 days).
10. Cookies
We currently set exactly one cookie: dd_session. It is strictly necessary — it identifies your signed-in session. It is HttpOnly, Secure, and SameSite=Lax, and it is signed with a server-side secret so it cannot be forged or altered. The cookie expires 30 days after your last activity, or immediately when you sign out.
We do not set analytics or advertising cookies in this build. If that changes, a consent banner will appear and we will update this section and the Cookie Policy before any new cookie is set.
11. Geolocation
The "Pick a Place Near Me" feature asks your browser for your location through the standard navigator.geolocation API. Your browser will show you a permission prompt; nothing happens until you grant permission. If you grant it:
- Your coordinates are sent to the Google Places API to fetch nearby restaurants
- The coordinates are not stored on our servers
- The coordinates are not used for any purpose other than that one search
You can decline location access at any time in your browser settings.
12. Photos
When you upload a photo, we strip EXIF metadata — including GPS coordinates — on the server before storage by re-encoding the photo through the Sharp library. We then write the re-encoded bytes to Cloudflare R2. After the strip we do not retain, and cannot recover, the original metadata.
Deleting a meal also deletes its photos. Deleting your account deletes all your photos, subject to the rolling 90-day backup retention window.
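The check a practitioner would want here is an independent confirmation that the bytes actually written to storage carry no Exif segment. The following is an added illustration in Node.js, not Diner Decider's code and not how Sharp works internally: it walks the JPEG marker segments and reports whether an APP1 Exif (or XMP) block is present, and includes a marker-level strip purely to show a before-and-after. SAMPLE_JPEG is a constructed minimal JPEG (JFIF APP0, an empty Exif APP1, a minimal SOS and EOI), not a real photo; the function names are assumptions.

```javascript
// Added example, not Diner Decider's code. A marker-level check that a stored
// JPEG carries no Exif (APP1) segment, plus a marker-level strip used only to
// show the before/after. The Service re-encodes through Sharp; this parser is a
// verification step you can run over the bytes written to storage.
// SAMPLE_JPEG is constructed for this example and is not a decodable photo.
const SAMPLE_JPEG = Buffer.from([
  0xff, 0xd8,                                                 // SOI
  0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00,       // APP0, length 16, "JFIF\0"
  0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,       // JFIF 1.1, no thumbnail
  0xff, 0xe1, 0x00, 0x12, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00, // APP1, length 18, "Exif\0\0"
  0x49, 0x49, 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,             // TIFF header (little-endian)
  0x00, 0x00,                                                 // IFD0 with zero entries
  0xff, 0xda, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00, // SOS (minimal)
  0x12, 0x34,                                                 // placeholder scan data
  0xff, 0xd9,                                                 // EOI
]);

const EXIF_HEADER = Buffer.from("Exif\0\0", "latin1");
const XMP_HEADER = Buffer.from("http://ns.adobe.com/xap/1.0/\0", "latin1");

// Walk the marker segments from SOI up to SOS. Everything after SOS is
// entropy-coded scan data followed by EOI, which cannot carry Exif.
function listSegments(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    throw new Error("not a JPEG: missing SOI");
  }
  const segments = [];
  let pos = 2;
  while (pos + 2 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === 0xd9 || marker === 0xda) {
      // EOI or SOS: the rest of the file is copied through as one unit.
      segments.push({ marker, start: pos, end: buf.length, payload: Buffer.alloc(0) });
      break;
    }
    if (pos + 4 > buf.length) throw new Error("truncated segment header");
    const length = buf.readUInt16BE(pos + 2); // counts the 2 length bytes themselves
    const end = pos + 2 + length;
    if (length < 2 || end > buf.length) throw new Error(`bad segment length at offset ${pos}`);
    segments.push({ marker, start: pos, end, payload: buf.subarray(pos + 4, end) });
    pos = end;
  }
  return segments;
}

// APP1..APP15 and COM can carry Exif, XMP, IPTC, ICC or free text. APP0 (JFIF)
// and APP14 (Adobe colour transform) are needed to decode the image and are kept.
function isMetadataMarker(marker) {
  return (marker >= 0xe1 && marker <= 0xef && marker !== 0xee) || marker === 0xfe;
}

function hasApp1With(buf, header) {
  return listSegments(buf).some(
    (s) => s.marker === 0xe1 && s.payload.subarray(0, header.length).equals(header)
  );
}

// True if any APP1 segment starts with the Exif identifier.
function hasExif(buf) {
  return hasApp1With(buf, EXIF_HEADER);
}

// XMP is also APP1 and can hold GPS data; a strip that only targets Exif misses it.
function hasXmp(buf) {
  return hasApp1With(buf, XMP_HEADER);
}

// Drops every metadata-bearing segment and keeps the rest byte-for-byte.
function stripMetadataSegments(buf) {
  const parts = [Buffer.from([0xff, 0xd8])];
  for (const s of listSegments(buf)) {
    if (!isMetadataMarker(s.marker)) parts.push(buf.subarray(s.start, s.end));
  }
  return Buffer.concat(parts);
}
```

Run hasExif and hasXmp over the object as fetched back from storage, not over the upload, so the check covers the whole path. Note that re-encoding through Sharp only strips metadata under its default behaviour; calling Sharp's withMetadata() on the output pipeline would carry EXIF, XMP and IPTC through, so that call should be absent from the upload path.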
13. Children's privacy
The Service is not intended for users under 13. We do not knowingly collect personal information from anyone under 13. If we learn that we have collected personal information from a child under 13, we will delete it.
14. Security
- In transit: TLS 1.2 or higher for all connections
- At rest: encryption provided by Hetzner Cloud for the database tier and by Cloudflare R2 for photos
- Passwords: we do not hold passwords — sign-in is delegated to Google and Apple
- Session cookies: signed and HttpOnly, served only over Secure (HTTPS) connections
- Server access: principle of least privilege; production access is logged
If we become aware of a personal-information breach affecting your data, we will notify the relevant supervisory authority within 72 hours where required and will notify affected users without undue delay.
15. Changes to this policy
If a change is material, we will give you at least 30 days' notice via in-app banner, email, or both, and we will update the "Effective date" at the top. We will keep the prior version available for at least one year.
16. Contact us
For any privacy request, question, or complaint:
Email: privacy@dinerdecider.com
If you are in the European Economic Area or the United Kingdom you have the right to lodge a complaint with your local data-protection supervisory authority. A list of EEA authorities is available at the EDPB; for the UK, that is the ICO.
17. California notice at collection
We collect the categories of personal information listed in Section 2: identifiers (email, name, OAuth ID), internet activity (request logs), geolocation (only at the moment of a search; not stored), and inferences drawn from your meals (achievements, stamps).
We do not sell or share personal information for cross-context behavioral advertising. We retain data in line with the periods described in Section 6.
You can exercise your CCPA rights through Settings → Data in the app or by emailing privacy@dinerdecider.com. We will not discriminate against you for exercising any right.