Privacy Policy

Last Updated: July 7, 2026

1. Introduction

Welcome to Pan Mate ("PanMate", "we", "us", or "our"). We are committed to protecting your privacy and handling your personal information in an open and transparent manner. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile applications, and related services (collectively, the "Service").

We adhere to the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) ("Privacy Act"). By using our Service, you consent to the data practices described in this policy.

2. Information We Collect

We collect different types of information to provide and improve our Service to you.

2.1 Account Information

When you create an account, we collect information you voluntarily provide, including:

  • Name and email address.
  • Encrypted password (stored via Supabase Auth).
  • OAuth provider identity (if you sign in via Google or Apple).

2.2 User-Generated Content

You create, upload, or generate various content through the Service, including:

  • Recipes, meal plans, and meal entries.
  • Shopping lists and pantry/stock inventory data.
  • Images and text instructions provided for AI-assisted features.
  • Data imported from third-party URLs (e.g., recipe websites, Instagram, TikTok).

2.3 Shared Content

When you use collaborative features, information required for that feature (such as specific meals, shopping lists, or stock lists) is shared with other users as you direct. Your shared content is visible only to the users you explicitly share with.

2.4 Information Processed by AI

When you use our AI-powered features (such as importing recipes from a URL or image, generating meals from instructions, creating shopping lists, managing pantry stock, estimating nutrition, or receiving expiry suggestions), we send the relevant data (URLs, images, or text) to our third-party AI service providers for processing. AI features are available to Premium subscribers without limits; Free-tier users have limited access to AI recipe imports (up to 5 per calendar month).

Our current AI service providers are:

We contract with these providers under terms that prohibit them from using your data to train their AI models. However, we do not independently verify technical enforcement of this restriction at the API level. If this is a concern, you should avoid submitting sensitive content through AI features.

2.5 Sensitive Information

We do not intentionally collect sensitive information as defined by the Privacy Act. However, we recognise that information about dietary preferences, restrictions, or nutritional information inferred from your recipes and meal plans may be considered sensitive. We treat such information with a higher degree of care and in accordance with the Privacy Act.

2.6 Supermarket Product Data

When you use our price comparison feature, the names of items in your shopping lists are transmitted to third-party supermarket product databases to find matching products and pricing. Our current data sources are:

  • Woolworths — product image and pricing data fetched from Woolworths CDN.
  • Coles — product image and pricing data fetched from Coles CDN.
  • Aldi — product image and pricing data fetched from Aldi CDN.
  • IGA / Metcash — product image and pricing data fetched from Metcash CDN.

This data transmission is one-way (we fetch data from these services). We do not share your personal information with these supermarket services.

2.7 Nutritional Data

Nutritional information displayed in the Service is sourced from Open Food Facts, a collaborative, open-source food database. Product barcode data is synced periodically from their API. Open Food Facts is subject to its own terms and privacy policy.

2.8 Usage and Device Data

We automatically collect information on how you access and use the Service, including:

  • IP address, browser type, and device identifiers.
  • Pages visited, features used, and time/date of visits.
  • Device platform (iOS, Android, or web browser).

2.9 Local Device Storage

The Service uses browser-based storage for offline functionality and performance:

  • IndexedDB: Stores meals, shopping lists, stock data, and planner entries for offline access.
  • localStorage: Stores marketing attribution data

(UTM parameters, advertising click identifiers, and first-visit tracking) and application preferences.

  • Service Worker: Caches assets for offline use via Serwist/Workbox.

2.10 Marketing and Conversion Measurement

When enabled in our deployment, we may load third-party scripts on public marketing pages (not within the logged-in application) to measure advertising effectiveness:

  • Meta Pixel — for Facebook/Instagram advertising measurement.
  • Google Analytics 4 — for website analytics and conversion tracking.
  • Vercel Analytics — for aggregated page view and performance data.
  • Vercel Speed Insights — for Core Web Vitals performance metrics.

These providers may collect identifiers and usage events subject to their own privacy policies. We also store first-touch campaign parameters in your browser to associate sign-ups with marketing sources, including:

  • UTM parameters (source, medium, campaign, content, term).
  • Google Click ID (gclid) and Facebook Click ID (fbclid) — advertising tracking identifiers.

You can control certain tracking through your browser or device settings and through tools offered by those providers.

2.11 Payment Data

When you subscribe to Premium, payment information is collected by our third-party payment processors. We do not store your full credit card details on our servers.

  • Web subscriptions: Processed by Stripe. Stripe collects payment card details and billing information subject to its privacy policy.
  • Mobile app subscriptions: Processed through the Apple App Store or Google Play Store via RevenueCat. RevenueCat manages subscription lifecycle data subject to its privacy policy.

2.12 Push Notification Tokens

If you opt in to push notifications (available on web and mobile), we store a device token associated with your account to deliver notifications. This token identifies your device and is stored alongside your account identifier. You can disable push notifications at any time through your device or browser settings.

2.13 Image Hosting

Images used in the Service (such as landing page assets and tutorial content) are hosted on Cloudinary. Cloudinary's CDN may collect standard access logs (IP address, referrer, user agent) subject to its privacy policy.

3. How We Use Your Information

We use the information we collect for various purposes, including to:

  • Provide, operate, and maintain our Service.
  • Process and fulfil your requests, such as generating recipes, scaling servings, converting units, and managing shopping lists.
  • Enable AI-powered features, including recipe creation and editing, shopping list generation, pantry management, nutrition estimation, and expiry suggestions.
  • Fetch supermarket product data for price comparison based on your shopping list items.
  • Facilitate sharing and collaboration on shopping lists, meals, stock lists, and planners as directed by you.
  • Manage your account, process payments, and send you related communications.
  • Deliver push notifications (if you have opted in).
  • Analyse usage to monitor and improve our Service, and for internal business purposes.
  • Detect, prevent, and address technical issues and security risks.

4. Disclosure of Your Information

We do not sell your personal information. We may disclose your information in the following situations:

  • With Service Providers: We share information with third-party vendors that help us operate our Service. These include:
    • Supabase — cloud hosting, database, and authentication.
    • Stripe — web payment processing.
    • RevenueCat — mobile in-app purchase processing.
    • Mistral AI, Groq, OpenAI, Google Gemini — AI processing (Premium features and limited Free-tier recipe imports).
    • Cloudinary — image hosting and delivery.
    • Vercel — hosting, analytics, and performance monitoring.
    • Meta (Facebook) and Google — advertising conversion measurement (when enabled on marketing pages).
  • For Collaboration: When you use sharing features, information required for that feature will be shared with other users as you direct.
  • To Comply with Laws: We may disclose your information where required by law or in response to valid requests by public authorities.
  • To Protect Our Rights: To protect and defend our rights, property, or the safety of our users or the public.

5. Data Security

We implement technical and organisational measures to protect your data in accordance with APP 11. Our infrastructure provider (Supabase) encrypts data at rest using AES-256 encryption and in transit using TLS. We also enforce row-level security policies in our database to ensure users can only access their own data (and data explicitly shared with them).

When transferring data outside Australia, we ensure it is protected in line with Australian Privacy Principles through appropriate contractual safeguards with our service providers. Our primary infrastructure is hosted in regions that maintain adequate data protection standards.

6. Third-Party Links and Services

Our Service may allow you to import information from third-party websites (e.g., recipe websites, Instagram, TikTok). We are not responsible for the privacy practices of these other sites. When you leave our Service, we encourage you to read the privacy policy of each website you visit.

7. Your Rights Under Australian Privacy Law

Under the Privacy Act, you have rights to access (APP 12) and correct (APP 13) your personal information. You can request to access or correct your data by contacting us. We will respond within a reasonable timeframe, typically within 30 days. You may also request the deletion of your account and associated data.

You may also request:

  • A copy of the personal information we hold about you.
  • Correction of inaccurate or incomplete information.
  • Deletion of your account and associated data (subject to our retention obligations).

8. Data Retention

We retain your personal information only for as long as necessary to provide you with our Service and for legitimate and essential business purposes.

  • Active accounts: Your data is retained while your account is active and as needed to provide the Service.
  • Inactive accounts: We may delete accounts that have been inactive for 12 months or more.
  • Shopping list items: Completed (checked) items remain on your list until you choose to clear them. When you clear completed items, they are migrated to your pantry/stock list before removal from the shopping list.
  • Local device data: IndexedDB and localStorage data is stored on your device and is not accessible to us. You can clear this data through your browser settings.

9. Real-Time Data Synchronisation

The Service uses Supabase Realtime (WebSocket connections) to synchronise data across devices and enable live collaboration on shared shopping lists. When real-time synchronisation is active, your device maintains a persistent WebSocket connection to our servers. Only data for resources you are actively viewing is transmitted over these connections.

10. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. Material changes will be communicated via the Service or by email where practicable.

12. Privacy Breach Notification

In the event of a data breach that is likely to result in serious harm, we are committed to complying with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. We will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law. For breaches affecting NSW residents, we will also notify the NSW Information and Privacy Commission in accordance with their guidelines.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data-handling practices, please contact us at: info@panmate.app.