Privacy Policy
Last Updated: 24.12.2025
1. Introduction
Welcome to Shelfie ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our mobile application ("App").
This policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.
2. What Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (required for account creation and authentication)
- Password (stored securely in hashed form; we never see or store your plain-text password)
- Full name (optional, used for personalization and notifications)
2.2 Pantry & Inventory Data
When you use the App to track your pantry, we collect:
- Product names, categories, and quantities
- Product barcodes (when scanned)
- Storage locations (e.g., fridge, freezer, pantry)
- Expiry dates and reminder settings
- Consumption history (items marked as consumed)
- Inventory snapshots (for statistics and analytics)
2.3 Device Information
To provide our services, we collect:
- Push notification tokens (to send you expiry reminders)
- Device identifier/name (for managing multiple devices)
- Operating system and platform (iOS or Android)
2.4 Camera and OCR Data
When you use scanning features:
- Barcode data (to look up product information)
- Images captured for OCR (expiry date recognition and receipt scanning)
Note: Images are processed in real-time and are not stored on our servers. Text recognition happens on-device or temporarily for processing.
2.5 Subscription & Payment Data
For paid features (Shelfie Solo):
- Subscription status and entitlements
- Purchase history (managed through Apple App Store / Google Play Store)
Note: We do not collect or store your credit card or payment details. All payments are processed securely by Apple or Google.
2.6 Usage Data
To improve our services and enforce usage limits:
- Scan usage counts (barcode scans, receipt scans per month)
- Feature usage (which features you access)
- App interaction data (for troubleshooting and improvement)
2.7 Family/Team Data
If you use family sharing features:
- Team membership information
- Shared inventory access (linked to your family/team ID)
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account management – Creating and managing your user account | Contract performance (Art. 6(1)(b)) |
| Service delivery – Tracking your pantry items, expiry dates, and sending reminders | Contract performance (Art. 6(1)(b)) |
| Push notifications – Sending expiry reminders and important updates | Legitimate interest (Art. 6(1)(f)) or Consent (Art. 6(1)(a)) |
| Product lookup – Retrieving product information from external databases | Contract performance (Art. 6(1)(b)) |
| Subscription management – Managing your subscription status and features | Contract performance (Art. 6(1)(b)) |
| Analytics & improvement – Understanding how users interact with our App | Legitimate interest (Art. 6(1)(f)) |
| Customer support – Responding to your inquiries and troubleshooting issues | Contract performance (Art. 6(1)(b)) |
| Legal compliance – Meeting legal obligations and protecting our rights | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services
We use the following third-party service providers to operate our App:
4.1 Supabase (Database & Authentication)
Purpose: User authentication, data storage, and real-time synchronization
Data shared: Account information, pantry data, device tokens
Location: EU (Frankfurt)
4.2 RevenueCat (Subscription Management)
Purpose: Managing in-app purchases and subscriptions
Data shared: User ID, subscription status, entitlements
Location: United States (with GDPR compliance)
4.3 Open Food Facts (Product Database)
Purpose: Looking up product information from barcodes
Data shared: Product barcodes (no personal data)
Location: France/EU
4.4 Expo / EAS (Push Notifications)
Purpose: Delivering push notifications for expiry reminders
Data shared: Push tokens, notification content
Location: United States
4.5 Resend (Email Communications)
Purpose: Sending transactional emails and mailing list communications
Data shared: Email address, name (if provided)
Location: United States (with GDPR compliance)
4.6 Apple App Store / Google Play Store
Purpose: Payment processing and app distribution
Data shared: Purchase information (handled directly by Apple/Google)
5. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Pantry items | Until you delete them or your account |
| Consumption history | Up to 24 months for statistics, then anonymized or deleted |
| Inventory snapshots | Up to 24 months for analytics |
| Push notification tokens | Until you log out or uninstall the App |
| Usage logs | Up to 12 months |
When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are legally required to retain it.
6. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights:
6.1 Right of Access (Art. 15)
You can request a copy of all personal data we hold about you.
6.2 Right to Rectification (Art. 16)
You can request correction of inaccurate or incomplete data.
6.3 Right to Erasure ("Right to be Forgotten") (Art. 17)
You can request deletion of your personal data. You can delete your account directly in the App under Settings > Account > Delete Account, or by contacting us.
6.4 Right to Restriction of Processing (Art. 18)
You can request that we limit how we use your data in certain circumstances.
6.5 Right to Data Portability (Art. 20)
You can request your data in a structured, machine-readable format.
6.6 Right to Object (Art. 21)
You can object to processing based on legitimate interests, including direct marketing.
6.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent (e.g., push notifications), you can withdraw consent at any time through your device settings or the App.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In Finland, this is:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: tietosuoja.fi
Address: P.O. Box 800, 00531 Helsinki, Finland
Email: tietosuoja@om.fi
To exercise any of these rights, contact us at: eino@shelfie.fi
We will respond to your request within 30 days as required by GDPR.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between the App and our servers uses TLS/SSL encryption (HTTPS)
- Encryption at rest: Data stored in our database is encrypted
- Secure authentication: Passwords are hashed using industry-standard algorithms; we never store plain-text passwords
- Access controls: Only authorized personnel can access user data, and only when necessary
- Regular security updates: We keep our infrastructure and dependencies up to date
While we take reasonable precautions, no system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority as required by law.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When this occurs, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Our third-party providers use EU-approved contractual clauses
- Adequacy decisions: Where available, we rely on EU adequacy decisions
- Additional safeguards: We implement supplementary measures where required
Our primary data storage through Supabase is located in the EU (Frankfurt), ensuring your data remains within the EEA.
9. Children's Privacy
Shelfie is not intended for children under the age of 16 (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately, and we will delete such data.
10. Cookies and Tracking
The Shelfie mobile app does not use cookies. However, we may use:
- Local storage: To save your preferences and login state on your device
- Analytics identifiers: Anonymous usage data for app improvement (if applicable)
We do not engage in cross-app tracking or sell your data to advertisers.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We will update the "Last Updated" date at the top of this policy
- We may notify you through the App or via email
- Continued use of the App after changes constitutes acceptance of the updated policy
We encourage you to review this policy periodically.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Eino Matias Pitkälä / Shelfie NYT
Email: support@shelfie.fi
Address: c/o Helminauha 5, 70840 Kuopio, Finland
Website: shelfie.fi
We aim to respond to all inquiries within 30 days.
13. Summary of Data Collection
| What We Collect | Why | Shared With |
|---|---|---|
| Email, name, password | Account & authentication | Supabase |
| Email address | Mailing list & communications | Resend |
| Pantry items, expiry dates | Core service functionality | Supabase |
| Barcodes | Product lookup | Open Food Facts |
| Push tokens | Expiry reminders | Expo, Supabase |
| Subscription status | Feature access | RevenueCat |
| Device info | Multi-device support | Supabase |
| Usage statistics | Service improvement | Internal only |