Effective date: 6 March 2026
VivaShelf ("we", "our", "us") operates the vivashelf.com website and SaaS platform. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data-protection laws of the countries we serve. This Privacy Policy explains what data we collect, why we collect it, how we process it, and what rights you have.
The data controller responsible for your personal data is VivaShelf, contactable at [email protected]. If you have questions about how your data is processed, or wish to exercise any of the rights described below, please contact us at this address.
We collect and process the following categories of personal data: (a) Account information — full name, email address, and a cryptographic hash of your password (we never store plaintext passwords); (b) Organization data — restaurant or business name, location names, and team member roles; (c) Inventory data — product names, batch numbers, quantities, and expiry dates you enter; (d) Usage data — login timestamps, actions performed (audit log), and feature usage patterns; (e) Technical data — IP address, browser type and version, operating system, device type, and referring URL; (f) Communication data — support requests and any correspondence you send us.
We process your personal data for the following purposes: to provide, operate, and maintain the VivaShelf platform; to manage your account and organizational membership; to send expiry alerts, low-stock notifications, and other service-critical communications; to generate inventory reports and analytics for your organization; to enforce our Terms of Service and prevent misuse; to respond to your support requests; to comply with legal and regulatory obligations; and to improve service reliability and security through aggregated, anonymized usage analysis.
We rely on the following legal bases: (a) Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the VivaShelf service you registered for, including account management, inventory tracking, and expiry alerts; (b) Legitimate interests (Art. 6(1)(f)) — improving service performance and security, preventing fraud, and conducting aggregated analytics, where these interests are not overridden by your rights; (c) Consent (Art. 6(1)(a)) — for optional processing such as marketing communications or non-essential cookies. You may withdraw consent at any time via your account settings without affecting the lawfulness of processing before withdrawal; (d) Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable law, such as tax or food-safety record-keeping requirements.
We share personal data only with processors who act on our behalf under written Data Processing Agreements (DPAs) that meet GDPR requirements. Our current sub-processors are: Neon Tech Inc. (PostgreSQL database hosting, USA); Vercel Inc. (application hosting and CDN, USA); Resend Inc. (transactional email delivery, USA); Google LLC (OAuth authentication, USA); Upstash Inc. (rate limiting via Redis, USA); and Sentry (error monitoring, USA). We do not sell, rent, or trade your personal data to any third party.
Your data may be transferred to and processed in the United States by the sub-processors listed above. Each transfer is safeguarded by at least one of the following mechanisms: Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914); the service provider's certification under the EU-U.S. Data Privacy Framework; or an adequacy decision by the European Commission. You may request a copy of the relevant safeguards by contacting us.
We retain personal data only as long as necessary for the purposes for which it was collected: account data is kept while your account is active and deleted within 30 days of account deletion; inventory and audit-log data is retained for a minimum of 2 years to comply with food-safety traceability obligations under Regulation (EC) No 178/2002, or longer if required by your national law; transactional email logs are retained for up to 90 days; server logs containing IP addresses are retained for up to 30 days. After the applicable retention period, data is securely deleted or irreversibly anonymized.
We implement appropriate technical and organizational measures to protect your personal data, including: encryption of data in transit (TLS 1.2+) and at rest; cryptographic hashing of passwords using industry-standard algorithms; AES-256-GCM encryption of MFA secrets; role-based access control with tenant isolation enforced at the database level via Row-Level Security (RLS); regular security assessments; and automatic session expiration. No system is completely secure, and we cannot guarantee absolute security, but we continuously review and improve our safeguards.
You have the following rights regarding your personal data: Right of access (Art. 15) — obtain a copy of your data via Settings > Privacy > Export Data; Right to rectification (Art. 16) — correct inaccurate data in your account settings or by contacting us; Right to erasure (Art. 17) — delete your account and all associated data via Settings > Privacy > Delete Account; Right to restriction (Art. 18) — request we limit processing in certain circumstances; Right to data portability (Art. 20) — receive your data in a structured, machine-readable JSON format; Right to object (Art. 21) — object to processing based on legitimate interests. We will respond to all rights requests within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you of the extension and the reasons.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing a description of the breach, the likely consequences, and the measures taken to mitigate it.
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority — in particular in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement. A list of EU/EEA supervisory authorities is available at edpb.europa.eu.
VivaShelf is a business-to-business service designed exclusively for restaurant and food-service professionals. It is not directed at individuals under 16 years of age, and we do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 16, we will promptly delete it and notify the relevant supervisory authority if required.
VivaShelf does not subject you to decisions based solely on automated processing that produce legal effects or similarly significant effects on you. Our FEFO (First Expired, First Out) algorithm is an inventory management tool that recommends stock-consumption order — it does not make automated decisions about individuals or their legal rights.
We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or service features. When we make material changes, we will: update the "Effective date" at the top of this page, display a prominent notice within the application, and request renewed consent where legally required. We encourage you to review this policy periodically. Continued use of the service after changes take effect constitutes acceptance of the revised policy.
For any privacy-related inquiries, to exercise your data-protection rights, or to raise a concern, please contact us at: [email protected]. We will acknowledge your request within 5 business days and provide a substantive response within 30 days.