Legal

Privacy Policy

Last updated

This Privacy Policy explains how panhappy ("we," "us," or "our") collects, uses, shares, and protects personal information when you use https://www.panhappy.com and related services. It also describes your rights and how to exercise them. We operate panhappy as an independent project and process data only as needed to run the product.

Who is responsible for your data

panhappy is operated by its founders as an independent project rather than an incorporated company. For data protection law, including the EU and UK General Data Protection Regulation ("GDPR"), the operators of panhappy are the "controller" of the personal information described in this policy.

You can reach the people responsible for data protection at hello@panhappy.com. We have not appointed a separate Data Protection Officer because the scale of our processing does not require one; data protection requests are handled directly by the operators at that address.

Where we process personal information of individuals in the European Economic Area ("EEA") or United Kingdom, we do so in accordance with the GDPR and applicable national law. If we are required to appoint an EEA or UK representative under Article 27 GDPR, we will identify them here.

Information we collect

We collect information in these categories:

  • Account information — such as your email address and authentication identifiers when you sign in.
  • Profile and preference data — such as dietary goals, household settings, and meal preferences you choose to save. Some of this may reveal health or dietary information, which we treat as sensitive and use only to provide the features you request.
  • App content you create — such as meal plans, pantry items, favorites, and photos you upload for pantry or kitchen capture features.
  • Usage and device data — such as feature usage, approximate timestamps, browser or app type, and diagnostic logs needed to keep the service reliable.
  • Billing-related identifiers — such as subscription status and Paddle customer or subscription IDs. We do not receive or store full payment card numbers; Paddle processes payments.
  • Communications — such as support messages or emails you send us, and transactional emails we send (for example sign-in links or billing notices).

AI, image processing, and automated decisions

Some features send text or images you provide to third-party AI providers to generate meal suggestions, read pantry contents from photos, or similar tasks. We send only what is needed for the feature you use, and our providers process that data on our behalf under contractual safeguards.

These features produce suggestions for your convenience. They do not make decisions that produce legal effects or similarly significant effects on you within the meaning of Article 22 GDPR, and you remain in control of any choices you make. If we ever introduce solely automated decision-making of that kind, we will tell you and explain your rights first.

Please do not upload images containing sensitive personal information unrelated to food or your kitchen unless you are comfortable sharing them for processing.

Service providers and sharing

We use trusted providers (processors) to operate the service. They process data on our behalf under contractual safeguards required by GDPR and only as needed to provide their function. Categories include:

  • Paddle — subscription checkout, billing, and customer portal (Paddle is the merchant of record and an independent controller for payment processing).
  • Hosting and infrastructure providers — application hosting and delivery.
  • Email delivery — transactional email.
  • Analytics — privacy-oriented usage analytics to understand traffic and reliability.
  • AI providers — processing for features you explicitly use.

We do not sell your personal information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising or targeted advertising, as those terms are defined under United States state privacy laws such as the California Consumer Privacy Act (as amended by the CPRA). We have not done so in the preceding twelve months.

We disclose personal information only to the service providers described above, where you direct us to, or where required by law.

International transfers

We and our service providers may process and store information in countries other than where you live, including the United States. These countries may not provide the same level of data protection as your home country.

When we transfer personal information out of the EEA or UK, we rely on a lawful transfer mechanism — typically an adequacy decision by the European Commission or UK Government, or the European Commission Standard Contractual Clauses together with the UK International Data Transfer Addendum, plus any additional safeguards required. You can request more information about these safeguards using the contact details below.

Cookies and local storage

We use strictly necessary cookies and similar technologies for sign-in sessions, security, and basic preferences (such as theme). These are required for the service to work and do not need consent.

Where we use any non-essential cookies or similar technologies (for example, optional analytics) in regions that require consent, we will ask for your consent first and you can withdraw it at any time. You can also control cookies through your browser settings, but some features may not work without session cookies.

Data retention

We keep personal information only as long as needed for the purposes in this policy:

  • Account, profile, and app content — while your account is active. If you delete your account or ask us to delete it, we remove this data from our active systems promptly (normally within 30 days) and from routine backups within the backup rotation cycle (normally within 90 days).
  • Diagnostic and usage logs — kept for a short period (normally up to 90 days) unless needed longer to investigate security or abuse.
  • Billing and transaction records — retained by us and/or Paddle for as long as required by tax, accounting, and other legal obligations (often up to 6–7 years).
  • Support communications — kept for as long as needed to handle your request and a reasonable period afterward.

How we protect your data

We use reasonable technical and organizational measures designed to protect personal information, including encryption in transit, access controls, and limiting who can access data to what is needed to operate the service.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected individuals as required by law.

Your privacy rights

Subject to applicable law, you have the following rights over your personal information. If you are in the EEA or UK, these rights come from the GDPR:

  • Access — obtain confirmation of whether we process your personal information and a copy of it.
  • Rectification — have inaccurate or incomplete personal information corrected.
  • Erasure — have your personal information deleted ("right to be forgotten"), subject to legal exceptions.
  • Restriction — ask us to limit how we process your personal information in certain circumstances.
  • Portability — receive personal information you provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
  • Object — object to processing based on our legitimate interests, and object at any time to processing for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time, without affecting processing carried out before withdrawal.
  • Automated decisions — not be subject to a decision based solely on automated processing that produces legal or similarly significant effects; as noted above, we do not make such decisions.
  • Complain — lodge a complaint with a supervisory authority (see below).

How to exercise your rights

To exercise any of these rights, email hello@panhappy.com. We may need to verify your identity before responding, and we will not charge a fee unless your request is manifestly unfounded or excessive.

We will respond without undue delay and within one month of receiving your request. We may extend this by up to two further months for complex or numerous requests, and we will tell you if we do. We will not discriminate against you for exercising your rights.

You may use an authorized agent to submit a request where the law allows, provided we can verify their authority to act for you and confirm your identity.

EEA, UK, and US state rights

If you are in the EEA or UK and believe we have not handled your personal information lawfully, you have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ICO); in the EEA, the data protection authority in your country of residence, place of work, or where the issue occurred. We would, however, appreciate the chance to address your concerns first.

If you are a resident of California or another US state with a privacy law, you have rights to know about, access, correct, and delete personal information, to opt out of any "sale" or "sharing" (we do not sell or share, as explained above), and not to be discriminated against for exercising these rights. You can exercise these rights using the contact details in this policy.

Children

panhappy is intended for adults. The service is not directed to children, and you must be at least 18 years old to use it (see our Terms of Service). We do not knowingly collect personal information from anyone under 18, and in particular we do not knowingly collect personal information from children under 13. If you believe a minor has provided us personal information, contact us and we will delete it.

Changes

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. For material changes, we will provide additional notice by email or in-app notice where appropriate before the changes take effect.

Last updated: June 29, 2026.

Contact

Privacy questions or requests: hello@panhappy.com.