DineCraft

Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains what personal data we collect when you use DineCraft, how we use it, who we share it with, and the rights you have over it. We try to keep this readable — if anything is unclear, contact us.

1. Who We Are (Data Controller)

DineCraft is operated by [Company Name], [Address], Hungary ("we," "us," "our"). For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller for the personal data described below.

Contact for privacy questions: [privacy@example.com].

2. What We Collect

We collect only what we need to run the service. The categories below cover everything we store about you:

  • Account data: email address, display name, authentication identifiers from our auth provider.
  • Profile and preferences: diet type, dietary restrictions, allergens you tell us about, calorie and macro targets, language preference, theme.
  • Meals and plans: the meals you create, save, schedule, or generate; weekly meal plans; shopping lists; portion adjustments.
  • Generation inputs: the prompts and options you submit to the AI generator (cuisine, calories, free-text instructions, etc.) and the resulting AI outputs.
  • Usage data: request volume, feature usage counters, generation success/failure, and similar operational metrics.
  • Payment data: handled by our payment processor. We store the fact that you have an active subscription and a transaction reference, but we do not store your card number, CVV, or full bank details.
  • Technical data: IP address, browser/device type, basic logs needed to operate and secure the service.
  • Free-text content: anything you put into free-text fields (notes, allergens, descriptions) is stored as written, and free-text generation instructions are also sent to our AI providers (see AI Processing). Please don't include sensitive information you don't want stored or shared in this way.

3. Why We Collect It (Legal Bases)

Under GDPR Article 6, we rely on the following legal bases:

Performance of a contract — to provide the service you signed up for (account, meal storage, generation, billing).

Legitimate interests — to keep the service secure, prevent abuse, monitor usage, fix bugs, and improve the product. We balance these against your rights and you can object (see Your Rights below).

Consent — for any optional cookies, marketing emails, or other purposes where consent is required. You can withdraw consent at any time.

Legal obligation — to keep tax and accounting records as required by Hungarian and EU law.

4. AI Processing

DineCraft uses third-party AI providers to generate meals, recipes, and images. To do that we share your generation inputs with those providers.

  • What we send: your prompts and options (cuisine, calorie target, dietary preferences, free-text instructions). Account identifiers, your email, and other directly identifying information are not part of generation prompts. Anything you type into free-text instructions is sent as-is, so we recommend not including personal details there.
  • What we store: both the inputs you submitted and the AI's outputs are saved to your account so you can view, edit, and reuse them.
  • Training: we do not use your data to train AI models ourselves, and, where commercially feasible, we choose providers whose terms prohibit them from training on our requests.
  • Pro mode and USDA: in Pro mode we additionally send ingredient names to the USDA FoodData Central API (a public US government dataset) to look up nutritional reference values. No personal data is sent to USDA.
  • Generated images may be hosted by the image-generation provider for delivery; we cache or store URLs as needed.

5. Sharing & Subprocessors

We don't sell your personal data. We share it only with service providers who help us run DineCraft, under written contracts that bind them to GDPR-compliant processing. These currently include, but are not limited to:

  • Neon — database hosting and authentication.
  • AI text-generation providers — used to power meal generation.
  • AI image-generation providers — used to produce meal images.
  • USDA FoodData Central — public nutritional reference data (Pro mode).
  • Hosting and analytics providers (e.g. Vercel) — to deliver the app and understand aggregate usage.
  • Payment processors — to handle Pro subscription billing.
  • Email and notification providers — to send sign-in codes and service emails.
  • Law-enforcement or regulators — only when legally required.

6. International Transfers

Some of our providers are based outside the European Economic Area (EEA), including in the United States. When we transfer your data outside the EEA, we rely on legal safeguards such as the European Commission's Standard Contractual Clauses, adequacy decisions where applicable, or your explicit consent.

You can request a copy of the safeguards applicable to a specific transfer by contacting us.

7. How Long We Keep Your Data

We keep your account data and content for as long as your account is active.

When you delete your account, we delete or irreversibly anonymize your personal data within 30 days, except where we are required by law to keep it longer (for example, billing records under Hungarian tax law are typically kept for 8 years).

Backups are rotated on a regular schedule; data may persist in encrypted backups for a short additional period until the backup is overwritten.

8. Your Rights (GDPR)

If we hold personal data about you, you have the following rights, free of charge:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data, subject to limited legal exceptions.
  • Restriction: ask us to limit how we process your data while a dispute is resolved.
  • Portability: receive your data in a machine-readable format and have it transmitted to another controller.
  • Objection: object to processing based on legitimate interests, including profiling for analytics.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of past processing.
  • Complain: lodge a complaint with the Hungarian Data Protection Authority (NAIH — naih.hu) or your local supervisory authority in another EU country.

To exercise any of these rights, email [privacy@example.com]. We respond within one month.

9. Cookies & Similar Technologies

We use a small number of cookies and similar local-storage mechanisms:

  • Authentication — to keep you signed in.
  • Language preference (NEXT_LOCALE) — to show you the correct UI language.
  • Anti-bot verification (Turnstile) — to prevent automated signups.
  • Theme preference — to remember dark/light mode.
  • Aggregate analytics — basic usage counters provided by our hosting platform; these do not build cross-site advertising profiles.

10. Children

DineCraft is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at [privacy@example.com] and we will remove the account.

11. Security

We use TLS for data in transit; any passwords or other credentials we handle directly are stored only in hashed form, never in plaintext; access to our infrastructure is role-based; and the application includes CSRF and bot-detection defenses. We rely on our infrastructure providers (Neon, Vercel) for additional protections.

No system can be guaranteed 100% secure. If a personal-data breach affecting you occurs, we will notify the supervisory authority within 72 hours where required (GDPR Article 33) and notify you without undue delay where the breach is likely to result in a high risk to you (GDPR Article 34).

12. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified by email or in-app notice at least 14 days before they take effect.

The "Last updated" date at the top of this page always reflects the current version.

13. Contact

Questions about this policy or your data? Contact us at [privacy@example.com].

Operator: [Company Name], [Address], [Tax/registration number].

Hungarian supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), 1055 Budapest, Falk Miksa utca 9-11, https://naih.hu.