Privacy Policy

Effective date: March 21, 2026

1. Who We Are

Food Arb is operated by XPRV OÜ, a company registered in the Republic of Estonia. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our grocery price comparison service. Please read it carefully.

Questions? Contact our privacy team at privacy@xprv.me.

2. Information We Collect

Information you provide directly:

  • Account information: email address, display name, and password (hashed by Firebase)
  • Grocery lists and saved searches you create in the Service
  • Feedback or support requests you submit

Information collected automatically:

  • Usage data: pages visited, features used, search queries (anonymised where possible)
  • Device and browser information: browser type, operating system, IP address
  • Session cookies and similar tracking technologies (see Section 6)

Information from third parties:

  • If you sign in with Google, we receive your name and email from Google OAuth
  • Payment metadata (not card details) from Stripe after a subscription purchase

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account
  • Provide, maintain, and improve the Service
  • Process subscription payments and send billing-related communications
  • Personalise your experience (e.g., remembering your grocery lists and location radius)
  • Send transactional emails (account confirmation, password reset, payment receipts)
  • Respond to your support requests
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with our legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising targeting.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your data on the following legal bases:

  • Contract performance — to provide the Service you signed up for
  • Legitimate interests — to improve the Service, detect abuse, and ensure security
  • Legal obligation — to comply with applicable laws
  • Consent — for any optional communications you opt into

5. Data Sharing and Disclosure

We share your information with the following categories of third parties, only as necessary:

  • Firebase (Google LLC) — authentication and identity management
  • Stripe, Inc. — payment processing
  • Supabase — database hosting for your grocery lists and account data
  • Vercel, Inc. — cloud hosting and serverless infrastructure
  • Google Cloud — Vision API for product image analysis (The Arb feature)

All third-party processors are bound by data processing agreements. We may also disclose data when required by law, court order, or to protect the rights and safety of our users and the public.

6. Cookies and Tracking

We use the following cookies:

  • __session — a session cookie set after login to maintain your authenticated state. Expires after 1 hour (refreshed on activity).
  • Firebase Auth tokens — stored in browser localStorage by the Firebase SDK to maintain your sign-in state.

We do not use third-party advertising cookies. You can control cookies through your browser settings, though disabling session cookies will prevent you from accessing the dashboard.

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance reasons (e.g., billing records, which are retained for 7 years per Estonian accounting law).

8. International Transfers

XPRV OÜ is incorporated in Estonia (EEA). Our infrastructure providers (Vercel, Google, Stripe, Supabase) may process data in the United States and other countries. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Your Rights

Depending on your location, you may have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your account and associated personal data
  • Restrict or object to certain processing activities
  • Receive your data in a machine-readable format (data portability)
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, email us at privacy@xprv.me. We will respond within 30 days. EEA users may also lodge a complaint with their local data protection authority.

10. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will promptly delete it.

11. Security

We implement reasonable technical and organisational measures to protect your data, including TLS encryption in transit, hashed passwords (handled by Firebase), and access controls. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The effective date at the top of this page will always reflect the latest version.

13. Contact Us

For privacy-related questions or requests, contact us at: privacy@xprv.me

XPRV OÜ
Registered in Estonia, European Union