Privacy Policy
This privacy policy is applicable to the SaborSpot app for mobile devices, together with any related services operated by Andrei Grachev (collectively, the “Application”). Andrei Grachev is hereinafter referred to as the “Service Provider”.
Data Controller Information
Andrei Grachev acts as the Data Controller responsible for the processing of your personal data.
- Name: Andrei Grachev
- Address: Portugal, Setubal, Av. Republica da Guine-Bissau 36, 1D, 2900-406
- Email: support@saborspot.com
For data protection inquiries and to exercise your GDPR rights, please contact the Data Controller using the contact information above.
What information does the Application obtain and how is it used?
The Application and related services acquire the information you supply when you download, access, or register for the service. Registration with the Service Provider is not mandatory. However, you might not be able to use some of the features offered by the service unless you register.
The categories of personal data processed include:
- Account data: email address, display name, profile photograph (optional), language preference
- Authentication identifiers: Apple ID or Google ID when you sign in using third-party authentication providers
- User-generated content: photographs of restaurant menus you upload for processing, restaurant reviews or notes (when applicable)
- Usage data: favorite restaurants, restaurant visit history, dishes viewed, search queries, language and theme preferences
- Location data: approximate (city-level) location for restaurant discovery; precise location only when you explicitly request the “nearest restaurants” feature and grant location permission
- Device and technical data: device type, mobile operating system version, IP address, application version, device locale
- Transactional data: in-app purchase receipts and transaction identifiers (no payment card data is received or stored by the Service Provider; all payment processing occurs through Apple App Store or Google Play billing)
The Service Provider may also use the information you provide to send important information, required notices, and, where permitted by law, marketing communications.
Legal basis for processing your personal data
Where the GDPR applies, the Service Provider relies on one or more lawful bases to process your personal data, including:
- Contract performance: processing necessary to provide the Application or fulfil a contract with you.
- Consent: where you have given explicit consent to processing, including for marketing, analytics, or optional features. You may withdraw consent at any time without affecting processing that occurred before withdrawal.
- Legitimate interests: where processing is necessary for the Service Provider’s specific legitimate interests, such as maintaining network and information security, preventing fraud and abuse, or improving the Application’s core functionality through analytics, provided those interests are not overridden by your data protection rights or fundamental freedoms.
- Legal obligation: to comply with laws or government requests.
Cookies and similar technologies
The Application or its third-party SDKs may use cookies, SDKs, pixels, and similar technologies to support functionality, analytics, and service delivery. Where required by law, the Service Provider will obtain your consent before using non-essential tracking technologies.
Automated decision-making and profiling
If the Application uses automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, you have the right to request human review, express your point of view, and contest the decision. Information about the logic involved and the likely consequences of that processing will be provided where required by law.
What information does the Application collect automatically?
In addition to data you provide, the Application may collect certain information automatically, including the type of mobile device you use, your mobile operating system version, application version, device locale, IP address, crash reports, and aggregated information about how you use the Application (screens viewed, features used, errors encountered).
Does the Application collect location information?
The Application uses location data in two modes:
- Approximate (city-level) location: Derived from your IP address or coarse device location. Used to surface restaurants and menus relevant to your current city. No GPS-precise coordinates are stored.
- Precise location (on request only): Used solely when you actively tap a feature such as “restaurants near me” or grant location permission for a specific session. Precise coordinates are processed in-memory to return nearby results and are not retained after the request completes.
Location data is not used for advertising, profiling, or continuous tracking. You can revoke location permission at any time through your device’s system settings.
Does the Application use Artificial Intelligence (AI) technologies?
The Application relies on AI technologies as a core part of its functionality. Specifically:
- Menu extraction (Anthropic Claude): When you upload a photograph of a restaurant menu, the image is transmitted over a secure TLS connection to Anthropic, PBC (United States), where it is processed by the Claude large language model to extract dish names, descriptions, prices, ingredients, and allergens into structured data. Anthropic operates a zero-retention API policy: uploaded images and extracted text are not retained by Anthropic beyond what is necessary to return the API response, and are not used to train Anthropic’s models. Data transfer to the United States relies on Standard Contractual Clauses (SCCs) per GDPR Article 46.
- Dish image generation: If a curated photograph for a given dish is not available, the Application may generate an illustrative image using an open-weights diffusion model (Stable Diffusion XL) hosted on infrastructure operated by the Service Provider. No user-provided photographs or text are transmitted to third parties for image generation; only the dish name and short description are used as the model prompt.
- Restaurant deduplication: Vector embeddings of restaurant names are computed to detect duplicate venues across user submissions. Embeddings are stored alongside restaurant records and are not linked to individual users.
- Automated decision-making: The AI processing described above produces informational outputs only (menu data, illustrations, deduplication suggestions). It does not produce legal or similarly significant effects concerning you within the meaning of GDPR Article 22. You can request manual review of any AI-generated content concerning your account by contacting the Data Controller.
All AI processing is performed in accordance with this Privacy Policy and applicable law.
Do third parties see and/or have access to information obtained by the Application?
Only aggregated, anonymized data is periodically transmitted to external services to aid the Service Provider in improving the Application and their service. The Service Provider may share your information with third parties in the ways that are described in this privacy statement.
International Data Transfers
The Service Provider or its third-party service providers may transfer personal data outside the European Economic Area (EEA). Where such transfers occur, the Service Provider will use an appropriate transfer mechanism required by GDPR Chapter V, such as:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other safeguards or derogations recognized under GDPR Chapter V, including consent where legally permitted
Countries outside the EEA may not provide the same level of data protection as the EEA. Where required by law, the Service Provider will apply appropriate safeguards and obtain any consent required for the transfer.
Please note that the Application utilizes third-party services that have their own privacy policies about handling data. The Service Provider has entered into Data Processing Agreements (DPAs) with these processors where required by GDPR Article 28. Below is the current list of third-party service providers and the relevant transfer mechanism where data is processed outside the EEA:
Authentication
- Apple Sign in with Apple — sign-in identity provider. Apple operates Private Email Relay for users who choose to hide their email; the Service Provider receives only a relay address in that case.
- Google Sign-In — sign-in identity provider. The Service Provider receives your name, email, and Google account ID upon your explicit consent during sign-in.
AI / menu processing
- Anthropic, PBC — Claude API processes uploaded menu photographs for structured data extraction. United States. Zero-retention API enabled. Transfer mechanism: Standard Contractual Clauses (SCCs).
Analytics and error reporting
- PostHog — product analytics, EU-hosted (Frankfurt). Pseudonymous event tracking; no advertising identifiers.
- Sentry — application crash and error reporting. Personally identifiable information is scrubbed before transmission where technically feasible.
Communications
- Resend — transactional email delivery (sign-in verification codes, password reset, account notifications). United States. Transfer mechanism: Standard Contractual Clauses (SCCs).
Infrastructure and hosting
- Hetzner Online GmbH — primary application hosting, Germany (EU).
- Neon — managed PostgreSQL database hosting, EU region.
- Cloudflare, Inc. — content delivery network, DDoS protection, and secure tunnelling. Cloudflare processes IP addresses and request metadata to route traffic. Transfer mechanism: Standard Contractual Clauses (SCCs) for any data leaving the EEA.
Payment processing (when in-app purchases are enabled)
- Apple App Store — handles payments for in-app purchases on iOS. The Service Provider receives only a transaction identifier and product code; no payment card data is transmitted to the Service Provider.
- Google Play Billing — handles payments for in-app purchases on Android. The Service Provider receives only a purchase token and product code; no payment card data is transmitted to the Service Provider.
This list reflects the third-party services in use at the effective date of this Privacy Policy. The Service Provider will update this list when processors are added or removed.
The Service Provider may disclose User Provided and Automatically Collected Information:
- as required by law, such as to comply with a subpoena, or similar legal process;
- when they believe in good faith that disclosure is necessary to protect their rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
- with their trusted service providers who work on their behalf, do not have an independent use of the information the Service Provider discloses to them, and have agreed to adhere to the rules set forth in this privacy statement.
Where the GDPR applies, the Service Provider enters into Data Processing Agreements (DPAs) with third-party service providers that process personal data on its behalf, as required by Article 28 of the GDPR. These DPAs impose the same data protection obligations on those service providers as described in this Privacy Policy.
What are my opt-out rights?
You can stop further collection of information from your mobile device by uninstalling the Application. Uninstalling will stop the Application from collecting data from your device, but it does not automatically delete information that has already been transmitted to the Service Provider or to third parties.
To request deletion of your personal data, withdraw consent, or exercise any of your rights, contact the Service Provider at support@saborspot.com.
What is the data retention policy and how can you manage your information?
The Service Provider retains personal data based on its necessity for the stated purposes:
- User Provided Data: Retained for the duration of your use of the Application plus 12 months thereafter, unless longer retention is required by law.
- Automatically Collected Data: Retained for up to 24 months from collection, unless longer retention is required for legal compliance or security purposes.
- Aggregated and Anonymized Data: Retained indefinitely as it no longer identifies you.
- Data required for legal compliance: Retained as long as required by applicable law.
You have the right to request deletion of your personal data at any time, except where retention is required by law. If you’d like the Service Provider to delete User Provided Data that you have provided via the Application, please contact them at support@saborspot.com and they will respond within the time required by applicable law. Please note that some User Provided Data may be required in order for the Application to function properly.
How does the Application address children’s privacy?
The Application is not intended for users below the applicable age of digital consent. Under GDPR Article 8, the age of digital consent ranges from 13 to 16 depending on EU Member State (for example: Portugal 13, Spain 14, Italy 14, France 15, Germany 16). In the United States, the Children’s Online Privacy Protection Act (COPPA) sets the threshold at 13.
The Service Provider does not knowingly solicit data from users below the applicable age of digital consent in their jurisdiction, nor market the Application to them. Where parental or guardian consent is required under applicable law, the Application is not intended for use without that consent.
If the Service Provider becomes aware that a user below the applicable age has provided personal information without verifiable parental consent, the Service Provider will delete that information without undue delay. If you are a parent or guardian and you believe your child has provided the Service Provider with personal information, please contact support@saborspot.com so that the Service Provider can take the necessary actions.
How is your information kept secure?
The Service Provider is committed to safeguarding the confidentiality of your information. The Service Provider implements physical, electronic, and procedural safeguards to protect information it processes and maintains. For example, access is limited to authorized employees and contractors who need to know that information to operate, develop, or improve the Application. However, no security system can prevent all potential security breaches.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, the Service Provider will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law. Where the breach is likely to result in a high risk to your rights and freedoms, the Service Provider will also notify you without undue delay, providing information about the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach.
How will you be informed of changes to this Privacy Policy?
The Service Provider may update this Privacy Policy from time to time. The Service Provider will notify you of material changes by posting the updated Privacy Policy with an effective date. Where required by law, the Service Provider will seek your consent to material changes before they take effect.
Previous versions of this Privacy Policy will be maintained and made available upon request by contacting the Service Provider at support@saborspot.com.
This privacy policy is effective as of 2026-06-04.
What are your GDPR data protection rights?
Under the GDPR, you have the following rights:
- Right of Access: You can request access to your personal data.
- Right to Rectification: You can request correction of inaccurate data.
- Right to Erasure: You can request deletion of your personal data (the “right to be forgotten”).
- Right to Restrict Processing: You can request that the Data Controller limits how they use your data.
- Right to Data Portability: You can request a copy of your data in a structured, commonly used, machine-readable format.
- Right to Object: You can object to processing based on legitimate interests. You have an absolute right to object to processing for direct marketing purposes at any time.
- Right to Withdraw Consent: Where processing is based on your consent, you can withdraw it at any time. Withdrawal is as simple as toggling preferences in the Application’s settings or contacting the Data Controller.
- Rights Regarding Automated Decision-Making: You have rights related to automated decisions that affect you.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. Contact details for each country’s Data Protection Authority can be found at edpb.europa.eu.
If you are located in the United Kingdom, you may contact the Information Commissioner’s Office at ico.org.uk.
What are your California privacy rights (CCPA/CPRA)?
If you are a resident of California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:
- Right to Know: You can request disclosure of the categories and specific pieces of personal information the Service Provider has collected about you.
- Right to Delete: You can request deletion of personal information the Service Provider has collected from you, subject to certain exceptions.
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out: You can opt out of the sale or sharing of your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: You can limit the use of your sensitive personal information to essential purposes.
- Right to Non-Discrimination: The Service Provider will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise any of these rights, please contact the Service Provider at support@saborspot.com. The Service Provider will verify your request using the information you provide and respond within the timeframes required by law. You may designate an authorized agent to make a request on your behalf.
How do you give your consent?
Where processing is based on consent, you provide that consent by affirmatively opting in to the relevant feature or action. You may withdraw consent at any time without affecting processing carried out before withdrawal. Processing based on other lawful bases, including contract performance, legitimate interests, or legal obligations, is carried out as described above.
How can you contact the Data Controller?
If you have any questions regarding privacy while using the Application, or have questions about the Service Provider’s practices, please contact the Service Provider via email at support@saborspot.com.
To request deletion of your personal data or to exercise any of your rights, contact the Service Provider using the details provided above. The Service Provider will respond within one month of receiving your request, extendable by up to two months where necessary due to the complexity or volume of requests, as permitted by applicable law.