Privacy Policy

Last updated: April 2026

AllergyScan is operated by Gibson Wade. This policy explains what personal data we collect, why we collect it, and how we protect it.

If you have any questions, contact us at: privacy@allergyscan.com

Information We Collect

Account data. When you create an account, we collect your email address. Passwords are managed by Supabase (our authentication provider) and are stored as secure hashes — we never see your password in plain text.

Restaurant data. If you register as a restaurant operator, we store your restaurant name, location, dish names and descriptions, and the allergen information you upload. This data is publicly readable so customers can view your menu.

Allergen profile. If you create a customer account, we store the allergens you select in your profile so we can filter menus accordingly. This data is private and visible only to you.

Usage analytics. We use Vercel Web Analytics, a privacy-first analytics tool that collects anonymised, aggregated data (such as page views and general geographic region). It does not set cookies and cannot identify you individually.

How We Use Your Data

  • To provide and operate the AllergyScan service
  • To display menu allergen information filtered to your personal profile
  • To allow restaurant operators to manage their menus
  • To send account-related communications (e.g. password reset emails, via Supabase)
  • To understand how the service is used and improve it (anonymised analytics only)

Legal Basis for Processing (GDPR)

  • Performance of a contract — processing your account and allergen profile data to provide the service you have signed up for.
  • Legitimate interests — anonymised analytics to maintain and improve the service, where these interests are not overridden by your rights.

Data Processors

We share your data only with the following trusted service providers, who process it on our behalf under appropriate data processing agreements:

  • Supabase Inc. — database and authentication infrastructure. Data is stored on AWS servers.
  • Vercel Inc. — hosting and anonymised web analytics.

We do not sell your personal data to any third party.

Data Retention

We retain your personal data for as long as your account is active. If you delete your account or request erasure, we will remove your personal data within 30 days, except where we are required to retain it by law.

Children

AllergyScan is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Your Rights

Depending on where you are located, you may have rights to access, correct, delete, or port your data. See our Data Rights page for full details and instructions on how to submit a request.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will update the date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For privacy-related enquiries or to exercise your rights, email us at privacy@allergyscan.com.