DINNR ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how it is processed, and your rights under the General Data Protection Regulation (GDPR) and applicable EU/EEA data protection law.
i. Who we are
The data controller responsible for your personal data is:
DINNR
Email: dinnr@derekfidler.com
ii. What we collect & why
Account & recipe data
When you create an account we collect your email address and a securely hashed password — or, if you sign in with Google or Apple, a token from the respective provider. Your recipes, meal plans, and grocery lists are stored on our behalf by Supabase (see processors).
Legal basis: Article 6(1)(b) GDPR — processing is necessary to perform the contract (providing the DINNR service to you).
Usage analytics (PostHog)
We use PostHog to understand how people use Dinnr — for example, which pages are visited, when recipes are created, and which client (web or desktop) is being used.
- We do not send your email, name, or any directly identifying information to PostHog.
- You are identified only by a random internal ID (your Supabase user UUID).
- We do not collect your IP address (PostHog is configured with ip: false).
- PostHog stores a small token in your browser's localStorage to maintain session continuity.
- All analytics data is stored on PostHog's EU-hosted infrastructure and does not leave the EEA.
Legal basis: Article 6(1)(f) GDPR — our legitimate interest in improving product quality and reliability.
Crash & error reporting (Sentry)
We use Sentry to automatically capture errors and crashes so we can fix them quickly.
- Error reports include stack traces, browser/OS information, and the page you were on when the error occurred.
- If you are logged in, error reports are tagged with your Supabase UUID. Your email address is never sent to Sentry.
- All error data is stored on Sentry's EU-hosted infrastructure (Germany) and does not leave the EEA.
Legal basis: Article 6(1)(f) GDPR — our legitimate interest in maintaining the security and stability of the service.
iii. Cookies and local storage
Dinnr uses browser localStorage (not traditional cookies) for:
- Keeping you logged in (Supabase session token)
- Storing your language preference
- PostHog anonymous session identifier
- A flag indicating you have previously opened the app (used for onboarding analytics only)
None of this data is shared with third parties beyond the processors listed below.
iv. How long we keep your data
| Data | Retention period |
|---|---|
| Account & recipe data | Until you delete your account |
| PostHog analytics events | 12 months (PostHog default) |
| Sentry error events | 90 days (Sentry default) |
When you delete your account via Settings → Delete Account, all your recipes, meal plans, and grocery items are permanently deleted from our database.
v. Data processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication hosting | EU (Ireland) |
| PostHog | Product analytics | EU (PostHog Cloud EU) |
| Sentry | Error & crash monitoring | EU (Germany) |
| Google | Sign in with Google authentication | United States (SCCs) |
| Apple | Sign in with Apple authentication | United States (SCCs) |
We do not sell your data to any third party, and we do not use it for advertising.
vi. International transfers
Most of our data processors are hosted within the EEA. Google and Apple (used for authentication only) process data on US-based infrastructure. Both companies publish Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR as the transfer mechanism for data leaving the EEA.
vii. Your rights under GDPR
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — ask us to delete your data. You can delete your account directly in Settings.
- Right to data portability — export your recipe data as JSON via Settings → Backup Recipes.
- Right to restrict processing — ask us to limit how we use your data.
- Right to object — object to processing based on legitimate interests (analytics and crash reporting).
- Right to lodge a complaint — contact your local supervisory authority. Find yours at edpb.europa.eu.
To exercise any of the above rights, contact us at dinnr@derekfidler.com. We will respond within 30 days.
viii. Security
Passwords are hashed by Supabase and never stored in plain text. All data in transit is encrypted using TLS.
ix. Children
Dinnr is not directed at children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
x. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the app. The date at the top reflects when the policy was last updated.
xi. Contact
For any privacy-related questions or GDPR requests:
Email: dinnr@derekfidler.com