Privacy Policy
This Privacy Policy describes how Munat ("Munat", "we", "us", or "our") collects, uses, shares, and protects information when you use the Munat mobile application and related services (the "Service"). By using the Service, you agree to the practices described here.
1. Who we are
Munat is operated by the Munat team. You can reach us at privacy@munat.app.
2. Information we collect
2.1 Account information
- Email address — when you create an account with email/password, Apple Sign-In, or Google Sign-In.
- Display name — optional.
- Authentication identifiers — a stable user ID generated by Supabase auth and by Apple/Google when you use those sign-in methods.
2.2 Pantry and household data
- Inventory items you add: product name, brand, quantity, unit, category, storage location, purchase/expiry dates, estimated value, and notes.
- Household information: household name, invite codes, and members you choose to share a household with.
- Consumption events generated when you mark items used or wasted, used to compute waste-reduction insights.
2.3 Camera, photos, and voice (only with your permission)
- Barcode scans — barcode numbers are sent to Open Food Facts and our catalog to look up product metadata. No image is stored.
- Food recognition — if you take a photo to identify an item, the image is sent to our food-recognition service (OpenAI via our Supabase Edge Functions) to suggest matching products. The image is processed transiently and is not retained after the suggestion is returned.
- Voice input — if you add items by voice, audio is transcribed on your device via the operating system's speech-recognition APIs; audio is not sent to our servers.
- Profile picture — stored on your device only.
2.4 Subscription and purchase information
- Subscription status, tier, billing period, and trial state — processed via RevenueCat. We do not receive your payment-card details; those are handled exclusively by Apple or Google.
2.5 Device and diagnostics
- Device identifiers — an anonymous device ID generated locally; platform (iOS/Android); OS version; app version.
- Crash and error reports — via Sentry, for diagnosing bugs.
- Usage analytics — via PostHog, covering anonymous event counts such as "item added" and "barcode scanned". No message content or food photos are sent to analytics.
- Language and region preferences.
2.6 Push-notification token
If you enable notifications, we store a push-notification token to deliver reminders about expiring items.
3. What we don't collect
- We do not collect precise geolocation.
- We do not track you across other apps or websites for advertising.
- We do not sell personal data.
- We do not collect payment-card numbers, bank details, or government IDs.
4. How we use your information
- Operate and improve the Service (sync your pantry across devices; detect duplicates; estimate shelf life).
- Generate insights, nudges, and recommendations that help you reduce food waste.
- Process subscriptions and manage entitlements.
- Communicate with you about service-related matters.
- Prevent abuse, fraud, and security incidents.
- Comply with legal obligations.
5. How we share your information
We share the minimum information necessary with the following processors, each of which is contractually obligated to protect your data at least as strongly as we do:
| Processor | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, storage, edge functions | Account, pantry, household, consumption data |
| RevenueCat | Subscription management | Anonymous user ID, purchase events, entitlement status |
| Apple / Google | Sign-in and in-app purchases | Auth tokens, purchase receipts |
| Sentry | Error monitoring | Crash stacks, device metadata (PII scrubbed) |
| PostHog | Product analytics | Anonymous event names and counts |
| OpenAI (via Supabase Edge Functions) | Food-recognition inference | Food photos you explicitly capture, sent transiently; not retained by Munat |
| Open Food Facts | Public product catalog lookup | Barcode numbers; no personal data |
| Upstash | Rate limiting | Hashed user identifier; request counters |
| Expo / EAS | App updates and push notifications | Push tokens, update manifests |
We may also disclose information if required by law, court order, or to protect rights, safety, or property.
6. International transfers
Our processors may store and process data in the United States, the European Union, or other jurisdictions. Where applicable, transfers are governed by Standard Contractual Clauses or equivalent safeguards.
7. Data retention
- Account and pantry data — retained while your account is active.
- Subscription records — retained for up to seven (7) years to comply with tax and accounting rules.
- Error and analytics data — retained for up to 90 days in identifiable form, then aggregated or deleted.
- When you delete your account, we delete or anonymize your personal data within thirty (30) days, except where law requires retention.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten"). You can do this from Settings → Account → Delete Account, or by emailing privacy@munat.app.
- Export a copy of your data in a machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your local data-protection authority.
We will respond to verifiable requests within 30 days.
9. Security
We implement industry-standard safeguards, including:
- HTTPS-only transport (Android cleartext traffic disabled; iOS ATS enforced).
- Supabase Row-Level Security policies restricting each user to their own data and their household's data.
- Encryption at rest for sensitive local caches (MMKV encrypted with keys stored in the platform secure keystore).
- JWT-verified Edge Functions, per-user rate limits, and automated abuse-blocking.
- PII scrubbing on error reports.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Children
Munat is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided personal data to us, please contact privacy@munat.app and we will delete it.
11. California residents (CCPA/CPRA)
California residents have the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal data. We do not sell or share personal data as those terms are defined under California law. Requests can be made at privacy@munat.app.
12. European Economic Area and United Kingdom (GDPR/UK GDPR)
Where GDPR applies, the legal bases we rely on are: (a) performance of a contract (providing the Service you signed up for); (b) legitimate interests (security, fraud prevention, improving the Service); (c) consent (push notifications, camera, voice); (d) legal obligations.
12a. United Arab Emirates residents (PDPL)
If you are in the UAE, our processing complies with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"). You have the right to access, correct, or delete your personal data, to restrict or object to its processing, to request its portability, and to lodge a complaint with the UAE Data Office. Requests can be made at privacy@munat.app and we will respond within 30 days.
13. Changes to this policy
We may update this Privacy Policy. We will notify you of material changes inside the app and/or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the latest revision.
14. Contact us
Email: privacy@munat.app
Data controller: Munat — the Munat team.