Legal
Privacy Policy
Last updated
This Privacy Policy explains how panhappy ("we," "us," or "our") collects, uses, shares, and protects personal information when you use https://www.panhappy.com and related services. It also describes your rights and how to exercise them. We operate panhappy as an independent project and process data only as needed to run the product.
Who is responsible for your data
panhappy is operated by its founders as an independent project rather than an incorporated company. For data protection law, including the EU and UK General Data Protection Regulation ("GDPR"), the operators of panhappy are the "controller" of the personal information described in this policy.
You can reach the people responsible for data protection at hello@panhappy.com. We have not appointed a separate Data Protection Officer because the scale of our processing does not require one; data protection requests are handled directly by the operators at that address.
Where we process personal information of individuals in the European Economic Area ("EEA") or United Kingdom, we do so in accordance with the GDPR and applicable national law. If we are required to appoint an EEA or UK representative under Article 27 GDPR, we will identify them here.
Information we collect
We collect information in these categories:
- Account information — such as your email address and authentication identifiers when you sign in.
- Profile and preference data — such as dietary goals, household settings, and meal preferences you choose to save. Some of this may reveal health or dietary information, which we treat as sensitive and use only to provide the features you request.
- App content you create — such as meal plans, pantry items, favorites, and photos you upload for pantry or kitchen capture features.
- Usage and device data — such as feature usage, approximate timestamps, browser or app type, and diagnostic logs needed to keep the service reliable.
- Billing-related identifiers — such as subscription status and Paddle customer or subscription IDs. We do not receive or store full payment card numbers; Paddle processes payments.
- Communications — such as support messages or emails you send us, and transactional emails we send (for example sign-in links or billing notices).
How we use information and our legal bases
We use personal information for the purposes below. For individuals in the EEA and UK, GDPR requires us to have a "legal basis" for each purpose; the applicable basis is shown alongside it.
- Provide and maintain the service — including meal planning, pantry tracking, and account features. Legal basis: performance of our contract with you.
- Authenticate you and keep your account secure. Legal basis: performance of our contract and our legitimate interest in securing the service.
- Process subscriptions and enforce plan limits. Legal basis: performance of our contract and compliance with legal obligations (such as tax and accounting).
- Send transactional messages related to your account, such as sign-in links and billing notices. Legal basis: performance of our contract.
- Provide AI-assisted features that you choose to use, such as generating meal suggestions or reading pantry contents from photos. Legal basis: performance of our contract; where the content reveals health or dietary information, your explicit consent given by choosing to use the feature.
- Monitor performance, debug issues, and protect against abuse and fraud. Legal basis: our legitimate interest in a reliable, secure service.
- Improve features and understand how the product is used in aggregate. Legal basis: our legitimate interest in improving the service; we use aggregated or de-identified data where practical.
- Comply with legal obligations and establish, exercise, or defend legal claims. Legal basis: compliance with legal obligations and our legitimate interests.
AI, image processing, and automated decisions
Some features send text or images you provide to third-party AI providers to generate meal suggestions, read pantry contents from photos, or similar tasks. We send only what is needed for the feature you use, and our providers process that data on our behalf under contractual safeguards.
These features produce suggestions for your convenience. They do not make decisions that produce legal effects or similarly significant effects on you within the meaning of Article 22 GDPR, and you remain in control of any choices you make. If we ever introduce solely automated decision-making of that kind, we will tell you and explain your rights first.
Please do not upload images containing sensitive personal information unrelated to food or your kitchen unless you are comfortable sharing them for processing.
Service providers and sharing
We use trusted providers (processors) to operate the service. They process data on our behalf under contractual safeguards required by GDPR and only as needed to provide their function. Categories include:
- Paddle — subscription checkout, billing, and customer portal (Paddle is the merchant of record and an independent controller for payment processing).
- Hosting and infrastructure providers — application hosting and delivery.
- Email delivery — transactional email.
- Analytics — privacy-oriented usage analytics to understand traffic and reliability.
- AI providers — processing for features you explicitly use.
We do not sell your personal information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising or targeted advertising, as those terms are defined under United States state privacy laws such as the California Consumer Privacy Act (as amended by the CPRA). We have not done so in the preceding twelve months.
We disclose personal information only to the service providers described above, where you direct us to, or where required by law.
International transfers
We and our service providers may process and store information in countries other than where you live, including the United States. These countries may not provide the same level of data protection as your home country.
When we transfer personal information out of the EEA or UK, we rely on a lawful transfer mechanism — typically an adequacy decision by the European Commission or UK Government, or the European Commission Standard Contractual Clauses together with the UK International Data Transfer Addendum, plus any additional safeguards required. You can request more information about these safeguards using the contact details below.
Data retention
We keep personal information only as long as needed for the purposes in this policy:
- Account, profile, and app content — while your account is active. If you delete your account or ask us to delete it, we remove this data from our active systems promptly (normally within 30 days) and from routine backups within the backup rotation cycle (normally within 90 days).
- Diagnostic and usage logs — kept for a short period (normally up to 90 days) unless needed longer to investigate security or abuse.
- Billing and transaction records — retained by us and/or Paddle for as long as required by tax, accounting, and other legal obligations (often up to 6–7 years).
- Support communications — kept for as long as needed to handle your request and a reasonable period afterward.
How we protect your data
We use reasonable technical and organizational measures designed to protect personal information, including encryption in transit, access controls, and limiting who can access data to what is needed to operate the service.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected individuals as required by law.
Your privacy rights
Subject to applicable law, you have the following rights over your personal information. If you are in the EEA or UK, these rights come from the GDPR:
- Access — obtain confirmation of whether we process your personal information and a copy of it.
- Rectification — have inaccurate or incomplete personal information corrected.
- Erasure — have your personal information deleted ("right to be forgotten"), subject to legal exceptions.
- Restriction — ask us to limit how we process your personal information in certain circumstances.
- Portability — receive personal information you provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Object — object to processing based on our legitimate interests, and object at any time to processing for direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time, without affecting processing carried out before withdrawal.
- Automated decisions — not be subject to a decision based solely on automated processing that produces legal or similarly significant effects; as noted above, we do not make such decisions.
- Complain — lodge a complaint with a supervisory authority (see below).
How to exercise your rights
To exercise any of these rights, email hello@panhappy.com. We may need to verify your identity before responding, and we will not charge a fee unless your request is manifestly unfounded or excessive.
We will respond without undue delay and within one month of receiving your request. We may extend this by up to two further months for complex or numerous requests, and we will tell you if we do. We will not discriminate against you for exercising your rights.
You may use an authorized agent to submit a request where the law allows, provided we can verify their authority to act for you and confirm your identity.
EEA, UK, and US state rights
If you are in the EEA or UK and believe we have not handled your personal information lawfully, you have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ICO); in the EEA, the data protection authority in your country of residence, place of work, or where the issue occurred. We would, however, appreciate the chance to address your concerns first.
If you are a resident of California or another US state with a privacy law, you have rights to know about, access, correct, and delete personal information, to opt out of any "sale" or "sharing" (we do not sell or share, as explained above), and not to be discriminated against for exercising these rights. You can exercise these rights using the contact details in this policy.
Children
panhappy is intended for adults. The service is not directed to children, and you must be at least 18 years old to use it (see our Terms of Service). We do not knowingly collect personal information from anyone under 18, and in particular we do not knowingly collect personal information from children under 13. If you believe a minor has provided us personal information, contact us and we will delete it.
Changes
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. For material changes, we will provide additional notice by email or in-app notice where appropriate before the changes take effect.
Last updated: June 29, 2026.
Contact
Privacy questions or requests: hello@panhappy.com.