Privacy Policy
Effective date: May 24, 2026
Last updated: May 24, 2026
PantryFlow LLC ("PantryFlow," "we," "us," "our") provides a tool that helps people convert recipes from the internet into items in their grocery cart. This Privacy Policy explains what we collect, why, and what you can do about it.
If you do not agree with this policy, do not use the service.
1. Who we are
PantryFlow LLC is a limited liability company organized in Ohio, USA. You can reach us at [email protected] or by mail at:
Mailing address — to be set
2. The plain-English summary
- You can use PantryFlow without an account — anonymously.
- We collect the least we need to make the product work.
- We never sell your personal information to third parties.
- We share data only with the services that operate PantryFlow (e.g., grocery retailers when you ask us to send items to your cart, our hosting provider, our AI provider).
- You can request deletion of your data at any time.
If you only read one section of this policy, this one is the spirit of it.
3. What we collect
3.1 If you use PantryFlow anonymously
- An opaque session token (stored as a cookie or in your local storage) so we can remember your recipes and pantry between visits. The token is meaningless outside our service.
- The IP address(es) you connect from — for fraud prevention and abuse signals. Stored in an audit log capped at the 50 most recent IPs.
- The recipes, ingredients, pantry items, and brand preferences you create or edit.
- Standard server logs (timestamp, user-agent, page path, response status).
3.2 If you sign up for an account
Everything in §3.1, plus:
- Your email address.
- Your name (optional).
- An encrypted password hash (we never store plaintext passwords).
- Two-factor authentication recovery codes (encrypted).
3.3 If you connect a grocery store account
- An OAuth access token issued by the retailer, scoped to the permissions you grant. We never see or store your retailer username/password.
- Your selected store location (e.g., a specific Kroger store ID).
3.4 If you use a recipe page on a creator's website (the embed)
- The recipe URL or text you submit.
- The token described in §3.1 (so the experience persists across visits).
- The referring domain (so we can attribute affiliate revenue to the creator).
3.5 If you become a paying subscriber
- Billing information collected and processed by Stripe. We never see your full card number — Stripe stores it; we store a Stripe customer ID and the last four digits.
3.6 What we don't collect
- Your physical address (we never need it; the retailer handles delivery/pickup).
- Your government IDs, dates of birth, or financial accounts beyond what Stripe processes.
- Tracking pixels or third-party analytics that profile you across the web.
4. How we use what we collect
| Purpose | Data used |
|---|---|
| Make the product work | Tokens, recipes, pantry, brand prefs, store connections |
| Send items to your grocery cart when you click "Add to Cart" | OAuth token + matched ingredient list |
| Prevent abuse and fraud | IP address log, rate limits |
| Bill you for Premium | Stripe customer ID, subscription status |
| Pay creator commissions on the embed | Referring domain, attributed cart record |
| Improve matching quality | Anonymized aggregates of which products you pick when shown options |
| Reach you when needed (account, billing, security) |
We do not use your data to train AI models, nor do we send your personal data to AI providers as training data. The AI parses recipe text only — never your account info.
5. Who we share data with
- Grocery retailers (Kroger, Albertsons, Instacart, etc.) — only when you click "Add to Cart" with their store selected. We send the matched ingredient list and your OAuth token. Retailers have their own privacy policies.
- Anthropic (Claude AI) — recipe text you submit is sent for parsing. Anthropic does not retain it for training per their commercial-API terms.
- Stripe — billing only. Stripe is PCI-DSS compliant and stores your payment information.
- Cloud infrastructure — Vultr (hosting), Cloudflare (CDN), Postmark (transactional email), Sentry (error monitoring).
- Affiliate networks — Impact (Instacart) and FlexOffers (Kroger) receive a tracking pixel when you click an affiliate link, so commissions can be paid.
- Legal compliance — if compelled by valid legal process. We will resist over-broad requests.
We do not sell your data to advertisers, data brokers, or third-party publishers. Period.
6. Cookies and similar technologies
We use:
- First-party cookies to remember your session, anonymous token, and preferences.
- Affiliate-tracking parameters in URLs when you click "Add to Cart" via an embed.
- No third-party advertising or cross-site tracking cookies.
If you disable cookies, the product won't work — anonymous-first usage requires the session cookie.
7. Your choices
- Use anonymously. No signup required for core features.
- Export your data. Email [email protected] and we'll send your full record within 30 days.
- Delete your account. Email [email protected]. We delete or de-identify within 30 days of receipt.
- Opt out of email — every non-essential email has an unsubscribe link. Account-security and transactional emails (e.g., password reset) cannot be opted out of.
- Anonymous-token deletion — clear your cookies / local storage and the data goes idle. Email us with proof of token possession (or a verified merge-into-account audit) to fully delete.
8. How long we keep data
| Data type | Retention |
|---|---|
| Active account | As long as the account exists |
| Soft-deleted (merged) anonymous account | 30 days, then hard-deleted |
| IP address audit log | 50 most-recent per user, indefinitely while account is active |
| Server logs | 90 days |
| Anthropic API logs (prompts) | Per Anthropic's data policy — typically 30 days |
| Stripe billing records | 7 years (US tax retention) |
| Recipe corpus (cached parses) | Indefinitely; user-association can be deleted |
9. Children's privacy
PantryFlow is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, email [email protected] and we will delete it.
10. International / GDPR / CCPA
Most users are in the United States. If you are in the European Economic Area, the United Kingdom, or California:
- Right to access: Email [email protected] for an export.
- Right to delete: Email [email protected].
- Right to portability: Same.
- Right to object to processing / withdraw consent: Same.
- Lawful basis (GDPR): Consent + legitimate interest (operating the service) + contract (paid subscriptions).
- Data Protection Officer / EU Representative: to be appointed if/when EU launch becomes intentional. Until then, the service is not actively marketed to the EU.
We aim to be GDPR-aligned even before formal EU launch. The anonymous-first model, minimal-PII collection, and clear deletion path are all by design for this reason.
11. Security
- HTTPS everywhere (Let's Encrypt, auto-renewed).
- Passwords hashed with bcrypt; 2FA available.
- Anonymous session tokens stored as SHA-256 hashes — the plaintext token is never stored on our servers.
- Encrypted database backups, regional redundancy.
- Anthropic API keys, Vultr keys, Stripe keys, etc. stored in environment variables, rotated periodically.
- Two-factor authentication enabled on all founder admin accounts.
We are a small team. We do not claim SOC 2 / ISO 27001 compliance. If you need formal security attestation for enterprise use, we are not the right product yet.
12. AI processing notice
PantryFlow uses Anthropic's Claude AI to parse recipes. Matches are AI-assisted and may be wrong. We require you to review your cart before checkout. We are not a source of medical, dietary, or allergen guidance. Always read product labels for allergen and dietary information.
13. Changes to this policy
We will update this policy as the product changes. We will notify registered users of material changes by email at least 30 days before they take effect, and post the change date at the top of this page.
14. Contact
Privacy questions: [email protected]
PantryFlow LLC, Ohio, USA.