Privacy Policy

Last updated: April 19, 2026

Grain ("we," "us," or "our") is operated by Grain. We take your privacy seriously. This policy explains what information we collect, why we collect it, and how you can control it. This policy complies with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Information We Collect

1.1 Information you provide

• Account information: email address and password (if you create an account). Sign in with Apple optionally shares your name and a relay email address.
• Health preferences: dietary goals, allergies, ingredients to avoid, preferred certifications, preferred stores — all optional and stored to personalize your Grain Scores.
• Reviews and favorites: products you save or review.

1.2 Information collected automatically

• Scan history: barcodes you scan and when. Tied to your account if signed in, or stored only on your device if using guest mode.
• Device and usage data: app version, device model, iOS version, crash reports, and anonymized interaction events (e.g. which screens you view). Collected via Firebase Analytics and Crashlytics.
• Purchase data: subscription status and transaction IDs, managed by RevenueCat. We do not access your payment method — Apple handles all transactions.

1.3 What we do NOT collect

• We do not collect precise location data.
• We do not track you across other apps or websites.
• We do not collect your photos or camera imagery beyond the barcode being scanned in the moment.

2. How We Use Your Information

• Provide the service: look up products, generate AI ingredient explanations, personalize scores, save your history.
• Improve the app: understand which features are used, diagnose crashes, fix bugs.
• Communicate with you: respond to support requests and send critical account notifications (e.g. account deletion confirmation).
• Comply with the law: respond to valid legal requests, enforce our Terms of Service.

We do not sell your personal information to third parties. We do not show you advertising. We do not use your data to train AI models that are offered to other companies.

3. Legal Basis for Processing (GDPR)

• Contract: to provide the service you requested (scanning, account, subscriptions).
• Legitimate interest: app analytics, crash reporting, security.
• Consent: any optional personalization feature you opt into.
• Legal obligation: to comply with applicable law.

4. Third-Party Services

We share limited data with the following service providers, each of whom is contractually obligated to protect your data:

• Supabase (database and authentication): stores your account, scan history, and favorites. Data processed in the EU.
• Google Gemini (AI): ingredient text is sent for analysis. Google does not use this data to train its models under our API agreement.
• RevenueCat (subscriptions): manages subscription status. Receives your anonymized app user ID.
• Firebase (Google): Analytics and Crashlytics. Receives anonymized device and usage data.
• Apple (App Store): handles all payments and may share transaction IDs with us.

5. Your Rights

Under GDPR, CCPA, PIPEDA, and similar laws, you have the right to:

• Access: request a copy of all data we hold about you. Use the "Download My Data" button in the app (Profile → Account Settings).
• Correct: edit any profile information directly in the app.
• Delete: permanently delete your account and all associated data via Profile → Account Settings → Delete Account.
• Portability: export your data as a JSON file.
• Restrict or object: to certain processing — contact us to exercise this right.
• Withdraw consent: at any time, for any processing based on consent.
• Complain: to your data protection authority (e.g. your EU member state's DPA or the UK Information Commissioner's Office).

6. Data Retention

We retain your data for as long as your account is active. When you delete your account, we delete all associated data within 30 days, except where retention is required by law (e.g. transaction records for tax purposes — typically 7 years).

7. Data Security

All data is transmitted over HTTPS. Data at rest is encrypted. We use row-level security in our database to ensure users can only access their own data. Passwords are hashed using industry-standard algorithms and we never see them in plain text.

8. International Transfers

If you are in the EU, UK, or Switzerland and your data is transferred to a country without an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) with our processors.

9. Children's Privacy

Grain is rated 4+ but is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via email (if we have your email) and in the app. The "Last updated" date at the top of this policy always reflects the most recent revision.

11. Contact

For privacy questions, data requests, or to exercise any of your rights:
Email: contact@sonderbusiness.com
Data controller: Grain