Version 2.1 — Effective date: 30 June 2026 (supersedes version 2.0 of 26 May 2026)
VivaShelf ("we", "our", "us") operates the vivashelf.com website and SaaS platform. We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 ("GDPR") and the Brazilian Lei Geral de Proteção de Dados (Law 13.709/2018, "LGPD"). The Service is intended for businesses in the European Union and Brazil; if you access it from elsewhere, you are responsible for compliance with your own local law. This Privacy Policy explains what data we collect, why we collect it, how we process it, and what rights you have.
VivaShelf is currently operated as a pre-incorporation project by its founders, who reside in Poland and are jointly responsible for your personal data as controllers pending registration of the operating company. We intend to incorporate VivaShelf sp. z o.o., a Polish limited liability company with its registered seat in Poland; once registered, that company will become the data controller and this Policy will be updated with its registered address, court-register (KRS) number, and tax (NIP/VAT) number [to be added on incorporation]. You can reach the people responsible for your data at any time at [email protected]. Because VivaShelf is established in the European Union, no Article 27 GDPR representative is required.
Our core activities do not currently require the formal designation of a Data Protection Officer under Article 37 GDPR, and we have not appointed one. Privacy enquiries are handled directly by the individual responsible for VivaShelf, reachable at [email protected]. The same address serves as the contact point for purposes equivalent to the LGPD "Encarregado pelo Tratamento de Dados Pessoais". We will designate a formal DPO if and when our processing scale, scope, or sensitivity changes such that designation becomes mandatory.
VivaShelf acts as a data controller for account-level data (your name, email, login credentials, billing information, audit log of your actions, and direct communications with us). VivaShelf acts as a data processor on behalf of the organisation that employs or contracts you when handling operational data your organisation uploads — including inventory items, batches, supplier records, recipes, staff member assignments and roles, and consumption events. Where VivaShelf processes data as a processor, the customer organisation is the controller and must enter into the Data Processing Agreement (DPA) we publish at /dpa, which forms part of these Terms by reference. Joint controllership is not envisaged.
(a) Account information — full name, email address, hashed password (bcrypt or equivalent; plaintext is never stored), preferred language, role within your organisation (owner, manager, staff, chef), and, where you enable it, your encrypted TOTP multi-factor-authentication secret (AES-256-GCM). (b) Organisation data — restaurant or business name, location names, team member roles, subscription tier and billing reference. (c) Operational data uploaded by your organisation — product names, batch numbers, quantities, expiry dates, supplier records, recipes, consumption events, spoilage reports, stocktake snapshots. (d) Usage data — login timestamps, actions performed (audit log), feature usage patterns, in-app navigation events. (e) Technical data — IP address, browser type and version, operating system, device type, and referring URL. (f) Communication data — support requests and any correspondence you send us. (g) Consent-evidence data — for each consent you give (terms, privacy notice, cookies, leaderboard opt-in, marketing where applicable) we retain the timestamp, the version of the document accepted, your user identifier, the consent level, your IP address at the time of consent, and your User-Agent string. We process this evidence under Article 7(1) GDPR (legal obligation to demonstrate consent). (h) Push-subscription data — if you enable web-push notifications, we store the endpoint URL issued by your browser vendor's push service together with the cryptographic keys required to deliver messages to that endpoint. (i) Error-diagnostic data — application errors are forwarded to our error-monitoring sub-processor and may incidentally contain personal data present in URLs, form payloads, or stack traces. We do not enable Sentry session replay. (j) Benchmark and leaderboard data — see section 9. We do not knowingly collect special categories of personal data (Article 9 GDPR) and request that you do not upload such data into VivaShelf.
We process your personal data to: provide, operate, and maintain the VivaShelf platform; manage your account and your organisation's membership; send expiry alerts, low-stock notifications, and other service-critical communications; generate inventory reports and analytics for your organisation; enforce our Terms of Service and detect or prevent fraud, account compromise, and other misuse; respond to your support requests; comply with legal and regulatory obligations including food-safety traceability under Regulation (EC) No 178/2002; secure the service through rate-limiting, abuse detection, and audit logging; and improve service reliability and security through aggregated usage analysis. We do not use your personal data for advertising and we do not sell or share it with third parties for advertising purposes.
(a) Performance of a contract (Art. 6(1)(b)) — processing necessary to deliver the VivaShelf service you registered for, including account management, inventory tracking, alerts, and billing. (b) Legitimate interests (Art. 6(1)(f)) — securing the service against fraud and abuse, defending legal claims, basic aggregated usage analytics, and recording the actions necessary to demonstrate accountability under Article 5(2) GDPR. Our balancing test concludes that these interests do not override your rights because the processing is limited in scope, occurs within the closed B2B context you entered voluntarily, is subject to encryption, access control, and short retention, and you can object at any time under section 12. A written copy of the Legitimate Interests Assessment is available on request to [email protected]. (c) Consent (Art. 6(1)(a)) — for optional processing such as the anonymised leaderboard (section 9) and any future marketing communications. You may withdraw consent at any time in Settings → Privacy without affecting the lawfulness of processing before withdrawal. (d) Legal obligation (Art. 6(1)(c)) — tax, accounting, anti-fraud, and food-safety record-keeping obligations imposed on us or on your organisation. Under the LGPD, equivalent bases are Art. 7 II (compliance with legal obligation), Art. 7 V (execution of contract), Art. 7 IX (legitimate interest), and Art. 8 (consent).
We share personal data only with sub-processors who act on our behalf under written Data Processing Agreements that meet GDPR Article 28 requirements. The current authorised sub-processors, with their legal entity, role, hosting region, and transfer mechanism, are: (1) Supabase, Inc. — PostgreSQL hosting; EU region (Frankfurt) where available, fallback US; SCCs (Decision 2021/914) plus encryption and access controls. (2) Vercel, Inc. — application hosting, edge network, CDN; global with primary compute in EU (fra1, cdg1); SCCs plus EU-U.S. Data Privacy Framework certification. (3) Resend, Inc. — transactional email delivery; US; SCCs plus DPF certification. (4) Google LLC — Google Identity OAuth (only for users who choose to sign in with Google); US; DPF certification and SCCs. (5) Upstash, Inc. — Redis for rate-limiting; EU region where available, fallback US; SCCs. (6) Functional Software, Inc. d/b/a Sentry — error monitoring; US; SCCs plus DPF certification; session replay disabled. (7) Google LLC / Apple Inc. / Mozilla Foundation — web-push delivery endpoints contacted only when you enable push notifications; data shared is the encrypted payload and the endpoint URL your browser created; no account data is sent. (8) Cloudflare, Inc. — origin shield, DDoS protection, and bot mitigation where enabled; global anycast; SCCs plus DPF certification. (9) Stripe Payments Europe, Ltd. (Ireland), with onward processing by Stripe, Inc. (United States) — payment processing and subscription billing, contacted only when you subscribe to a paid plan; SCCs plus EU-U.S. Data Privacy Framework certification. We do not sell, rent, or trade your personal data. An up-to-date sub-processor list is published at /sub-processors. We will notify you at least 30 days before adding or replacing any sub-processor and you may object within that period; if we cannot offer a workable alternative you may terminate the affected service.
Where we transfer your personal data outside the EU/EEA we rely on the following safeguards: Standard Contractual Clauses adopted by the European Commission (Decision 2021/914); participating sub-processors' certification under the EU-U.S. Data Privacy Framework; and supplementary technical measures including encryption in transit (TLS 1.2+) and at rest, pseudonymisation, and strict access controls. For users located in Brazil, our primary hosting is in the European Union; any transfer of that data out of Brazil is carried out on the bases permitted by Article 33 LGPD — in particular the international-transfer safeguards and standard contractual clauses adopted by the Brazilian data-protection authority (ANPD Resolution CD/ANPD No. 19/2024) and, where relevant, the necessity of the transfer for performance of our contract with you. You may request a copy of the relevant safeguards by writing to [email protected].
VivaShelf offers two optional reports comparing your organisation's waste metrics against industry benchmarks and against other VivaShelf customers. Industry benchmarks (section /reports/benchmarks) use publicly sourced data and your own metrics computed locally; no personal data leaves your account. The peer Leaderboard (section /reports/benchmarks/leaderboard) is opt-in only. When you opt in, a deterministic pseudonymous handle is derived from your organisation identifier, the calendar week, and a server-side secret using SHA-256; the underlying organisation identifier is held server-side only and is not exposed through the public leaderboard view. Buckets containing fewer than five organisations are suppressed (k-anonymity floor of 5). Leaderboard rows are retained for a maximum of twelve calendar weeks and are then automatically purged. The legal basis is your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time in Settings → Privacy → Leaderboard; on opt-out, your existing leaderboard rows are deleted under your right to erasure (Art. 17 GDPR / Art. 18 LGPD).
VivaShelf does not subject you to decisions based solely on automated processing that produce legal effects or similarly significant effects on you. The FEFO (First Expired, First Out) algorithm orders stock for consumption and never makes decisions about individuals. We do perform limited profiling for security: automated rate-limiting and account-compromise detection may temporarily restrict access if anomalous behaviour is detected; where this occurs, you may contact [email protected] to obtain human review of the decision and reinstatement.
We retain personal data only for as long as necessary for the purposes set out above. Specifically: Account profile data — for the duration of your account; on account deletion it is erased immediately and in any event within 30 days. Authentication tokens and session records — up to 30 days from last use. Operational data (inventory, batches, audit log) — duration of the customer organisation's subscription plus 24 months to satisfy food-safety traceability under Regulation (EC) No 178/2002 and equivalent national rules. Transactional email logs (delivery metadata only) — 90 days. Server access logs and IP addresses — 30 days. Security and rate-limiting telemetry — 30 days. Error reports — 90 days. Consent records — duration of the underlying processing plus 2 years to evidence compliance with Article 7(1) GDPR. Push subscriptions — until you unsubscribe or revoke notification permission in your browser. Leaderboard entries — 12 calendar weeks rolling. Backups — encrypted backups are retained for up to 35 days; deletions are propagated to backups within that window. Billing records — 7 years where required by tax law. Following the applicable retention period, data is securely deleted or irreversibly anonymised.
We implement appropriate technical and organisational measures to protect your personal data, including: TLS 1.2+ in transit and AES-256 at rest; bcrypt password hashing; AES-256-GCM encryption of MFA secrets with key separation; tenant isolation enforced both in application code (withTenant) and at the database level via PostgreSQL Row-Level Security; role-based access control with hierarchy owner > manager > staff > chef; a per-request cryptographic CSP nonce; origin-shield validation; rate limiting (60 requests/minute general API, 10 requests/minute health checks); audit logging of all data-modifying actions; secret rotation; automated dependency vulnerability scanning; principle-of-least-privilege production access; and incident-response runbooks. A summary of our Technical and Organisational Measures is included as Annex II of the Data Processing Agreement at /dpa. No system is completely secure, but we continuously review and improve our safeguards.
Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability in a structured machine-readable JSON format (Art. 20), objection to processing based on legitimate interests (Art. 21), and the right not to be subject to solely automated decisions (Art. 22). Under the LGPD you additionally have the rights of confirmation of processing (Art. 18 I), anonymisation (Art. 18 IV), portability (Art. 18 V), information about shared use (Art. 18 VII), and revocation of consent (Art. 18 IX). Most rights can be exercised self-service in Settings → Privacy (export, delete, opt-out toggles); others by emailing [email protected]. We acknowledge requests within 5 business days, verify your identity by reference to your authenticated account or by request of additional information where you contact us from an unverified address, and provide a substantive response within 30 days (extendable by up to 60 additional days for complex requests, with a reasoned explanation).
If you are located in Brazil, the processing of your personal data is also governed by the LGPD. The data-protection contact equivalent to the LGPD "Encarregado" is reachable at [email protected]. You may exercise the rights listed in section 13 and, if you believe your data is being processed unlawfully, lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing a description of the breach, the likely consequences, and the measures taken to mitigate it. We maintain an internal breach register in accordance with Art. 33(5) GDPR.
If you believe our processing of your personal data infringes applicable data-protection law, you have the right to lodge a complaint with a supervisory authority — in particular in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement. A list of EU/EEA supervisory authorities is available at edpb.europa.eu. If you are in Brazil, you may also complain to the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
VivaShelf is a business-to-business service designed for restaurant and food-service professionals. It is not directed at, marketed to, or intended for individuals under 18 years of age and we do not knowingly collect personal data from children. Where contractual context permits adolescent workers as permitted by national labour law, no processing is based on the child's consent in the sense of Article 8 GDPR. If we learn that we have inadvertently collected data from a child, we will promptly delete it and, where required by Article 33 GDPR, notify the relevant supervisory authority.
VivaShelf is delivered as a Progressive Web App. To enable offline functionality and fast loading, the Serwist service worker caches application assets and a limited subset of your inventory data in the browser Cache Storage and IndexedDB. This is local-only processing that does not transmit data to third parties and falls within the "strictly necessary" carve-out of Article 5(3) of the ePrivacy Directive. You may clear this storage at any time via your browser settings or via Settings → Privacy → Clear Local Cache.
We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or service features. When we make material changes, we will update the version number and effective date at the top of this page, display a prominent in-app notice, and where required by law request renewed consent. A change log is published at /privacy/changelog (where unavailable, summaries are recorded in version-control documentation). Continued use of the service after changes take effect constitutes acceptance of the revised policy.
For any privacy-related inquiries, to exercise your data-protection rights, or to raise a concern, please contact us at [email protected]. We acknowledge requests within 5 business days and provide a substantive response within 30 days. A postal correspondence address will be published once VivaShelf sp. z o.o. is incorporated [to be added on incorporation].
See also our Data Processing Agreement, Sub-processor list, and Cookie Policy.