Privacy Policy
Last updated: 24 August 2025
MealBridge (the “Platform”) is operated by MealBridge Association, a non‑profit organization (“we”, “us”, “our”). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, how we use it, on what legal bases (GDPR), and the choices and rights you have.
1. Controller & Contact
Controller: MealBridge Association, Bucharest, Romania.
Email: privacy@mealbridge.net
If appointed, our Data Protection Officer (DPO) can be reached at the same address with the subject “DPO”.
2. Personal Data We Collect
- Account & Profile: name, display name, email, password (hashed), role (donor/recipient/NGO/admin), phone (optional), short bio, profile photo (optional).
- Location: approximate address label (e.g., neighborhood), latitude/longitude for mapping nearby donations. We do not require precise geolocation beyond what you provide.
- Donation Data: item photos, categories, description, expiry date, pickup window, status, chat messages related to the donation and reservation.
- Usage & Device: log data, IP address, browser type, pages viewed, referrers, and basic analytics.
- Communications: emails and notifications you receive from us and your preferences.
- Partner Logistics (optional): if you opt for delivery via partners (e.g., couriers), we may process pickup/drop‑off details necessary to fulfill the request.
3. Legal Bases for Processing (GDPR)
- Performance of a contract: to create your account, enable listings, reservations, and messaging.
- Legitimate interests: to keep the Platform safe, prevent abuse, provide core analytics, and improve the service (balanced against your rights).
- Consent: for optional features such as marketing emails or precise geolocation (where requested). You can withdraw consent at any time.
- Legal obligations: to comply with applicable laws and requests from competent authorities.
4. How We Use Your Data
- Provide and operate the Platform, including listings, reservations, messaging, and notifications.
- Maintain trust & safety (moderation, preventing fraud, enforcing guidelines and Terms).
- Communicate service updates and respond to your requests.
- Improve usability and performance, and run basic, privacy‑respecting analytics.
- Facilitate optional delivery/logistics through partners when you choose that option.
5. Sharing & Disclosures
We share personal data only as needed to provide the service and for lawful purposes:
- Service providers / processors: hosting, databases, email, error monitoring, and mapping.
- Delivery partners (optional): if you request courier pickup/delivery, we share necessary pickup/drop‑off details. Partners act as independent controllers for their services.
- Public content: listings (minus private contact details) are visible to other users to enable pickups.
- Legal & safety: to comply with the law or protect rights, safety, and property of users and the public.
6. Sub‑processors & Infrastructure
Core infrastructure currently includes (subject to change as the platform evolves):
- Supabase (EU data hosting where available): authentication, Postgres database, storage.
- Vercel: web hosting and edge network for the web app.
- Email service (e.g., transactional emails for magic links and notifications).
- Maps: OpenStreetMap / Leaflet tiles via a third‑party tile provider.
- Analytics: lightweight, privacy‑preserving analytics (no cross‑site tracking).
- Optional couriers (e.g., Glovo/Bolt/Uber) for pickups and deliveries initiated by you.
We maintain Data Processing Agreements (DPAs) where applicable and ensure appropriate safeguards for international transfers under GDPR (e.g., SCCs) if data is processed outside the EEA.
7. Data Retention
We keep personal data only as long as necessary for the purposes described above. Typical retention periods: account/profile data for the life of the account; listings, messages, and ratings for as long as needed to operate the Platform and for a short period afterward for safety and audit; logs and analytics for a limited, proportionate period.
8. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, role‑based access, and Row Level Security (RLS) in our database. No method of transmission or storage is 100% secure; we continuously improve our safeguards.
9. Your Rights (EEA/UK)
Subject to conditions and exceptions under GDPR, you may have the right to:
- Access your personal data;
- Rectify inaccurate or incomplete data;
- Erase data (right to be forgotten);
- Restrict or object to processing (including for legitimate interests);
- Request data portability;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your local Data Protection Authority.
To exercise your rights, contact us at privacy@mealbridge.net. We may need to verify your identity before acting on your request.
10. Cookies & Similar Technologies
We use necessary cookies for authentication and core features. We may use optional, privacy‑respecting analytics cookies with your consent. You can manage preferences in the cookie banner or your browser settings. Learn more in our Cookies Policy (coming soon).
11. Children’s Privacy
The Platform is intended for users aged 16+ (or the age of digital consent in your country). If you believe a child under the relevant age has provided us personal data, please contact us so we can take appropriate action.
12. International Data Transfers
Where data is transferred outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and conduct transfer impact assessments where required.
13. Changes to This Policy
We may update this Policy from time to time. We will post the new version here and update the “Last updated” date. If changes are material, we will provide additional notice (e.g., in‑app or by email).
14. Contact Us
Questions or requests about this Policy? Email us at privacy@mealbridge.net.