Privacy Policy (Tastily App)
Last Updated: February 21, 2026
Contact: support@viro-tech.com
Thank you for using Tastily! We value your privacy and want you to understand how we collect, use, and share information about you. This Privacy Policy describes what data we collect, how we use it, your rights, and how you can control your information in the Tastily app and related services (“Service”).
By using Tastily, you agree to the collection and use of information as described in this Policy. If you do not agree, please do not use the App. If you have any questions, contact us at support@viro-tech.com.
1. Who We Are
Tastily is the brand name of our mobile app and service, which is owned and operated by VIRO Inc., a Delaware corporation (“Tastily,” “we,” “us,” or “our”). For purposes of data protection laws, we are the “data controller” for personal information we collect (except where this Policy explains otherwise). Our contact information is at the end of this Policy.
2. Information We Collect
We categorize the information we collect as follows:
a. Information You Provide Directly
Account Information: When you sign up via Sign in with Apple or Google Sign-In, we receive personal identifiers such as your name and email address from those providers (depending on what you permit them to share – for example, Apple may share either your real email or an anonymized relay email). We assign you a user ID within Tastily. If you choose to add other details to your profile, those are also stored (e.g. a profile nickname or avatar, if we allow those).
Taste Profile & Preferences: The core of Tastily is gathering your food taste preferences. During onboarding and as you use the App, you provide information like your favorite flavors, textures, cuisines, ingredients you dislike, and any dietary restrictions or allergies. This can include potentially sensitive dietary information (e.g. vegan preference, gluten-free, peanut allergy), which you consent to provide for the purpose of getting personalized food recommendations.
User Queries and Inputs: If you use the Tastily AI chat or search features, you may input questions or messages (for example, “I feel like something spicy with chicken” or “I hate mushrooms, what should I eat?”). We collect the text of these queries in order to process and answer them. Similarly, if you submit a photo of a menu or dish, we collect that image (and any metadata it contains) to analyze it and provide a recommendation.
Feedback and Support: If you contact us for support or give feedback (such as emailing a suggestion or using an in-app feedback form), we will collect whatever information you choose to share. This could include your contact details, the content of your communications, and any screenshots or attachments you send.
b. Information We Collect Automatically
When you use the App, certain information is collected automatically from your device and usage of the service:
Location Data: With your permission, Tastily collects precise location information from your device to enable our core feature of recommending nearby restaurant dishes. This is typically GPS-based location. We use this to find restaurants in your vicinity and show you relevant dishes. We do not collect location unless you have agreed via the system’s permission prompt, and you can withdraw permission at any time (see Your Choices, Section 6). Aside from the real-time recommendation use, we may store a rough location (e.g. city or latitude/longitude) associated with a recommendation request for a short period for analytics or to improve service coverage. We do not maintain or share an ongoing tracking history of everywhere you go.
Device and Usage Information: We collect data about your device and how you interact with the App. This includes:
- Device identifiers and attributes: such as your device model, operating system version, unique device IDs (e.g. Apple’s Identifier for Vendors), and the Tastily app version.
- Log data: such as the dates/times you launch the app, features you use, menu items you tap, and errors or crashes. For example, we might log that a user viewed a recommended dish details page or that the app crashed at a certain point (the crash report).
- Token Usage Metrics: We monitor your token consumption (see Terms of Service Section 6) – i.e., how many input and output tokens you’ve used in the current billing cycle. This is tied to your account to enforce plan limits, but it’s essentially usage data we collect.
- IP Address and Network: when you connect, our servers see your IP address (which can indicate general location), and potentially info like network provider. We also note basic telemetry like latency or failures in connecting to our services or to third-party API services.
These automated collections are done through our app’s code and third-party SDKs (Software Development Kits) integrated in the app, such as Firebase Analytics and Crashlytics (by Google). These tools help us understand app performance and usage. For example, Firebase Analytics may record events like “opened app” or “viewed recommendation” along with your device type. Crashlytics sends crash reports with device info and stack traces to help us debug.
c. Information from Third-Party Sources
Aside from sign-in data (Apple/Google) mentioned above, we might also receive information from:
- Restaurant and Menu Data Partners: We may integrate with third-party services to get updated info on restaurants and menus. If so, we might send those services a query (e.g. coordinates or a restaurant name) and receive details like address, menu items, ratings. We do not receive personal data from these partners about you – just public business info. However, if you, for example, link a reservation or review account in the future (not a current feature), we’d update this policy accordingly.
- Payment/Subscription Status: Apple’s App Store provides us information about your subscription status (e.g. whether you are currently subscribed, your plan and renewal date, trial status, and if a payment was successful or failed). We use this to manage your premium access.
- Referral or Marketing Partners: If you arrived at Tastily via a special campaign or referral link, we might receive an identifier or code indicating the marketing source (e.g. a code that tells us which advertisement or partner referred you). This helps us track the effectiveness of marketing but typically does not identify you personally.
d. Sensitive Information
As noted, some of the data you provide could be considered “sensitive” under certain laws – e.g., dietary restrictions might imply health or religious information (for instance, keeping halal might indicate religious belief; allergy info is health-related). We collect this only directly from you, with your consent, and solely to provide you with the service (personalized recommendations). We treat it with extra care (see Data Use and Sharing below). We never use sensitive data for advertising or profiling outside of the app’s stated purpose.
3. How We Use Your Information
We use the collected information for the following business and service purposes:
- Provide and Personalize the Service: We process your personal data to operate Tastily’s core functions. This includes using your Taste Profile, dietary preferences, and location to suggest suitable dishes and to tailor the app experience to you. For example, if you dislike seafood, we use that info to filter out fish dishes from recommendations. If you upload a menu photo, we use image processing to read it and find matching items. If you engage in an AI chat, we send your query and profile context to our AI engine and generate a response for you. Essentially, all the features you expect (personalized dish suggestions, explanations of why you’d like them, nearby restaurant search) rely on using the data you provide.
- Subscriptions & Account Management: We use your data to manage your subscription plan (e.g. to check your entitlement to premium features), enforce token usage limits, and send you relevant account notices. For instance, we might send an in-app alert when you’ve used 80% of your monthly tokens, or an email reminding you that your free trial is ending. We also keep track of free trial eligibility and redemption (to ensure one trial per user as intended).
- Improvement and Analytics: We want to make Tastily better. We analyze usage information (including aggregated token usage, popular cuisines or features, crash logs) to debug issues, test out new features, and inform our product decisions. For example, understanding that many users ask the AI for “spicy” dish recommendations might lead us to improve how our AI handles spice-level preferences. We may also analyze AI interactions in aggregate to improve our recommendation algorithms and AI prompts (including reviewing AI responses and user feedback to them). Note: If we review any specific AI chat content for improvement, we will redact personal identifiers; and our AI providers contractually commit not to use your data to train their general models without permission.
- Communication: We may use your contact information to send you service-related communications. This includes transactional emails or notifications: e.g., a welcome email, confirmation of subscription, password-reset (if applicable), or important updates like changes to terms or privacy policy. We may also send you optional promotional communications (like tips on using Tastily or new features) if you have consented to or not opted out of such messages. You can unsubscribe from marketing emails at any time by clicking “unsubscribe” in those emails. (We do not send SMS messages unless specifically opted in, and we currently do not run an SMS program.)
- Customer Support: If you reach out for support, we will use your information to assist you. For example, if you email about a bug, we might look at your recent app logs (with your permission) to diagnose the issue. If you request a data deletion or access (see Your Rights), we use your info to verify and fulfill the request.
- Ensure Safety and Fair Use: We use data to prevent fraud, abuse, and other harmful activity. For instance, we may use device identifiers and accounts to detect if someone is creating multiple fake accounts to abuse free trials or if an automated bot is sending a high volume of queries. We also might screen the content of AI queries for red flags (such as hateful language or attempts to extract disallowed info from the AI) in line with our Acceptable Use rules. This helps keep our community safe and our AI outputs within appropriate bounds. We also may use general usage data to enforce our Terms of Service (e.g., limiting service if token usage grossly exceeds the plan allowance or if someone is clearly scraping data).
- Legal Compliance: To comply with applicable laws or regulations, we may use or disclose necessary data. For example, keeping transaction records for tax or financial reporting, or responding to valid legal process (court orders, subpoenas) seeking information (see “Disclosures for legal reasons” below). If we collect personal information subject to California’s privacy law, we use and retain it in accordance with the allowable purposes under CCPA/CPRA (more on this in Section 8).
We never sell your personal information to third parties for monetary consideration. Also, we do not use your personal data for cross-context behavioral advertising (and thus do not “share” it in the CPRA sense) – we don’t show third-party ads in Tastily as of this Policy’s effective date. If that ever changes, we will update this Policy and provide appropriate opt-outs.
4. How We Share or Disclose Information
We understand that sharing your data is a sensitive topic. Tastily shares personal information only in the following circumstances:
a. With Service Providers (Processors)
We share information with third-party companies that perform services on our behalf, under contractual controls. These providers include:
- AI Cloud Providers: We send your relevant data to third-party AI platforms to generate the recommendations and explanations. For example, we may send your taste profile data and a query (“User wants something spicy with chicken”) to AI provider APIs, which then return an AI-generated text response. These providers act as our processors – they are contractually barred from using your data for anything other than providing the service to us. We do not share more data than necessary – typically just what the AI needs to know to give a good answer.
- Hosting and Storage: Tastily might use cloud infrastructure (such as Firebase/Google Cloud) to host databases, images, and account info. Personal data (your profile, preferences, etc.) may be stored on their secure servers.
- Analytics and Crash Reporting: As noted, we use Firebase Analytics and Crashlytics. These tools, provided by Google, receive certain device and usage data from the App. They help us track engagement and fix crashes. Google processes this data on our behalf and does not share it except as agreed for service provision. (For instance, Crashlytics might share crash data with our developers’ consoles.)
- Other Vendors: We may employ other service providers for functions like email delivery (e.g. a service to send you verification or support emails), customer support ticketing, or data analysis. They will get only the information necessary for their function – e.g. your email address and name for an email sending service. All such providers are bound by privacy and security obligations (for example, through Data Processing Agreements that meet GDPR/CPRA standards).
We maintain an updated list of key service providers in an appendix or on our website (or can provide it upon request). We do not allow our processors to use your data for their own marketing or purposes beyond what we instruct.
b. For Legal Reasons
We may disclose information about you if we reasonably believe that disclosing it is needed to:
- Comply with applicable law or legal process, such as a court order, subpoena, or other lawful demand by authorities. We will attempt to notify you of requests for your data before disclosing, unless prohibited by law or court order, or if the request is an emergency.
- Enforce our Terms of Service or other agreements, or investigate potential violations thereof.
- Detect, prevent, or address fraud, security, or technical issues. For example, if someone is abusing our App to attack others or spreading malware, we might alert law enforcement or other authorities with relevant information.
- Protect our rights, property, and safety, and those of our users or the public. If a user’s actions pose a threat, data may be shared with appropriate entities (e.g., sharing with law enforcement if someone posts a credible violent threat).
These disclosures will be made in line with applicable laws on data disclosure. We will narrow the information to what is necessary. For example, responding to a verified government request might involve providing logs or account info relevant to a specific investigation.
c. Business Transfers
If VIRO Inc. is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction. We will ensure the successor (new owner/controller) continues to handle your personal data in line with this Privacy Policy or provides notice of any changes. If such a transfer materially affects how your data is used, we will notify you (e.g., via email or prominent notice in the App) and give you any choices available by law.
d. Aggregated or De-Identified Data
We may share data that has been aggregated (combined with other users’ data) or properly de-identified such that it cannot reasonably be used to identify you. For example, we might publish a blog post saying “X% of Tastily users love spicy food” or “City Y has the highest demand for vegan dishes,” which uses aggregated analytics. This kind of statistical info would not include any personal details.
No Sale of Personal Data: We do not sell your personal information for money. We also do not share your personal info for cross-context behavioral advertising. In California terms, we have not “sold” or “shared” personal information as those terms are defined in the CCPA/CPRA in the past 12 months, and have no plans to do so.
5. Data Retention
We retain personal information for as long as needed to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. How long we keep data can vary by data type and user choices:
- Account Data: We keep your account information (name, email, profile, preferences) until you delete your account or we close your account. If you simply delete the app or cancel a subscription, we still retain your account data for when you return, unless you specifically request deletion.
- Taste Profile & Preferences: These are stored as long as your account exists, so we can continue providing tailored recommendations. If you update your preferences, we keep the latest data (and may keep historical changes for audit/log purposes). If you delete your account, we will erase or anonymize your Taste Profile data.
- AI Queries & Chat Logs: We may keep logs of your AI interactions (questions and answers) to improve the service and for your reference in the app. By default, we might retain these conversation logs for a certain period so you can scroll back through recent recommendations or so we can analyze usage patterns. After that, we either delete or anonymize the logs, unless they have been flagged for review (e.g., containing a reported issue). Note that our AI providers may also keep temporary logs of the API requests for a short time. Those logs are automatically purged on their side unless needed for investigation of abuse.
- Images: If you upload a menu photo, we store it to perform OCR/analysis. We may keep the image and extracted text for a limited time (to allow re-processing or to train/improve our recognition algorithms), but will delete or fully anonymize it after it is no longer needed. Any images known to contain personal data (unlikely in menu context) would be treated carefully and not used to train generalized models without your consent.
- Location Data: We do not keep a continuous log of your precise location over time. We might retain the last location used to fetch restaurants (for example, caching your last search area to speed up the app), but you can clear that by disabling location or as part of account deletion. In analytics, we might retain generalized location info (e.g., how many users searched in New York versus Los Angeles) indefinitely in aggregated form.
- Subscription and Transaction Records: We retain records of your subscriptions, payments, and free trial usage as long as needed for accounting and compliance (typically at least 7 years for financial records, per tax regulations). This includes things like receipts, transaction IDs, and correspondence with Apple’s in-app purchase system, which we may need for audits or resolving disputes.
- Support Communications: If you contacted us, we may retain those communications (emails, support tickets) for as long as necessary to address your issue and maintain records of our support interactions. If it’s a general inquiry, we might delete it after resolving; if it relates to an ongoing issue or legal matter, we’ll keep it as needed.
- Legal Compliance & Preventing Harm: We may retain any data if necessary to meet legal obligations or resolve disputes. For instance, if we deactivate an account for violating terms, we might keep certain information about that to defend against potential claims or to cooperate with law enforcement. Data that is subject to a legal hold (for an investigation or litigation) will be kept until the hold is lifted.
When we no longer have a legitimate need to retain your personal information, we will either delete it or anonymize it (so it can no longer be associated with you). If deletion or anonymization is not immediately feasible (e.g., the data is stored in backups), we will securely store it and isolate it from further active use until deletion is possible.
6. Your Choices and Controls
You have several controls over your personal data and how it’s used:
- Accessing & Updating Profile: You can view and update your Taste Profile and account info within the App (e.g., change your flavor preferences, add/remove dietary restrictions, or update any profile fields we provide). Please keep your information current so we can serve you best. If any inaccuracies in your personal data cannot be corrected through the app, contact us to request correction.
- Location Permissions: You have the choice to allow or deny location access. The first time Tastily needs your location, iOS will prompt you to grant permission (“Allow While Using App” or similar). If you grant it but later change your mind, you can revoke location permission at any time in your device settings (Settings > Privacy > Location Services > Tastily > set to “Never”). Without location, Tastily will either not function or ask you to manually input a location to find nearby restaurants.
- Push Notifications: With your consent, we may send push notifications for things like new recommendation rounds or important account alerts. You can disable push notifications at any time in your device’s notification settings for Tastily. (We will not spam you; notifications would be meant to enhance your experience, and you control them.)
- Marketing Communications: If we send marketing emails (e.g., “New feature” or newsletter), you can opt out by clicking “unsubscribe” in those emails or adjusting your subscription settings in-app (if available). Transactional emails (like receipts or essential account notices) may still be sent as they are not promotional. We do not sell your info to third parties for marketing.
- In-App Privacy Settings: We may provide certain toggles in-app for privacy, for example if we implement an analytics opt-out or a way to reset your Taste Profile. Check the app’s settings for any privacy options. (Currently, our use of analytics is minimal and for internal improvement, but if you have concerns, let us know.)
- Account Deletion: You have the right to delete your account and personal data. We provide a straightforward way to do this: likely in the app’s Account settings, a “Delete Account” option (in compliance with Apple’s requirement to allow account deletion in-app). When you request deletion, we will remove personal information associated with your account from our active databases. Some residual data (logs, backups) may remain in secure archives for a short period but will be purged according to our retention policy.
- Access to Your Data: You may request access to the personal information we maintain about you and request a copy, subject to identity verification and applicable law. Where required by law, we will provide the information in an appropriate electronic format. See the Region-Specific Rights section for details (including EU and California rights).
- Consent Management: In cases where we rely on your consent (for example, processing sensitive dietary data, or sending marketing communications), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the legality of processing already done, but we will cease the further use of the data for that purpose. For instance, if you withdraw consent for us to use your allergy info, we will stop processing that info – though be aware that this limits our ability to warn you of allergens in recommendations. We might then delete the allergy info if consent is withdrawn.
7. Security Measures
We take the security of your data seriously. While no system is 100% secure, we implement reasonable and appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
- Data Minimization: We strive to only collect the data we need. By minimizing what we store (especially sensitive data), we reduce risk.
- Incident Response: We have a basic incident response plan. In the event of a data breach or security incident affecting user data, we will promptly investigate and take appropriate steps, including notifying affected users and regulators as required by law. We may also post a notice in the app if urgent.
- User Responsibilities: Security is also a shared responsibility. You must keep your device and app updated and secure. If you protect Tastily with a passcode or use Apple/Google login, maintain the security of those credentials. Avoid sharing your account with others. We also recommend you don’t reuse a weak password (if we ever allow password login). We are not responsible for breaches arising from your own negligence (like jailbreaking your phone without proper security or losing your Apple/Google account to hacking).
Despite our efforts, no method of transmission or storage is completely secure. Therefore, we cannot guarantee absolute security. However, we continuously evaluate new technologies and methods to enhance protection. If you have reason to believe that your data interaction with us is no longer secure (for example, if you feel your account has been compromised), please immediately contact us.
8. Your Privacy Rights
Depending on where you live, you may have specific legal rights regarding your personal information. Tastily is designed with compliance in mind for relevant privacy laws such as the California Consumer Privacy Act (CCPA/CPRA) and the European Union General Data Protection Regulation (GDPR). Below is a summary of rights and how you can exercise them:
a. Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights with respect to your personal information, under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to Know: You can request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources of that information, the business or commercial purpose for collecting or disclosing it, and the categories of third parties with whom we share it. Essentially, you may ask, “What data do you have about me and how have you handled it?” and we will provide the applicable information for the 12-month period preceding your request (or longer, to the extent required by law).
- Right to Delete: You can request that we delete personal information we collected from you. Upon verification of your request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. For example, we may retain data needed to complete a transaction you requested, to detect security incidents, to comply with a legal obligation, or other exceptions permitted by law. If an exception applies, we will let you know (and will only keep what’s necessary for that exception).
- Right to Correct: You have the right to request correction of inaccurate personal information maintained about you. If you find something incorrect in our records, please let us know and, once verified, we will correct it.
- Right to Limit Use of Sensitive Personal Info: If we collect “sensitive personal information” (e.g. your precise location, dietary health data) for purposes not deemed necessary to provide the services, California gives you the right to limit our use of that information. However, we only use sensitive data you provide (like dietary preferences or allergies) to provide you with the Tastily service you requested (which is an expected purpose, e.g. using allergy info to avoid recommending allergens). We do not use sensitive info for secondary purposes like profiling or advertising. Therefore, we believe our use is within the allowed purposes. If you still wish to limit or remove sensitive info, you can always remove those data points from your Taste Profile or delete your account (effectively limiting our use).
- Right of Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means, for example, we won’t deny you the service or charge you a different price simply because you made a privacy request. If you request deletion, though, understand that we cannot provide personalized recommendations without your data, so certain features may be unavailable – that’s a logical consequence, not discrimination. We do not offer financial incentives in exchange for your data that would require explicit consent.
How to Exercise California Rights: To exercise the rights described above, you or your authorized agent may submit a verifiable consumer request to us by contacting support@viro-tech.com with the subject “CCPA Request” and specifying which right you seek to exercise. We will need to verify your identity (for example, by confirming control of your account email or requesting additional information). For sensitive access or deletion requests, we might require a higher level of verification (especially when you request specific pieces of info, since we want to be sure it’s you). If you use an agent, we may ask for proof of authorization and still verify you. We aim to respond within 45 days of receiving your verifiable request. If we need more time (up to an additional 45 days), we will inform you of the reason and extension in writing. The disclosure will cover the preceding 12 months unless you request a shorter period. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or clearly unfounded, in which case we may charge a reasonable fee or refuse (with explanation).
Categories of Personal Info Collected (CPRA Notice): For transparency and to meet California “notice at collection” requirements, here’s a summary of the categories of personal information Tastily collects and the purposes (with references to sections above):
- Identifiers (e.g. real name, email, device ID) – Collected when you create an account or log in (via Apple/Google) and through device usage. Used to provide the service, maintain your account, and communicate (Sections 2a, 3).
- Personal Records (per Cal. Civ. Code §1798.80(e)), like contact information – essentially the same as above (name, email).
- Characteristics of Protected Classifications – We do not ask for things like race, gender, or religion. However, dietary choices could hint at religion (e.g. kosher/halal). We treat that as sensitive and only use it to honor your dietary rules in recommendations (Sections 2d, 3). We do not otherwise use such inferences.
- Commercial Information – e.g. subscription plan details, transaction history (that you subscribed, when, what plan). We collect that via Apple’s APIs to manage your premium access. Used for internal accounting and providing service (Sections 2c, 3).
- Internet or Electronic Activity – e.g. usage logs, interactions with our app, token usage, error logs, etc. Collected automatically via the app and analytics (Section 2b). Used for service improvement, analytics, preventing fraud (Sections 3, 4a).
- Geolocation Data – precise location if you permit (Section 2b). Used to provide local recommendations (Section 3). Not used to track beyond providing service.
- Sensory Data – photos you upload (Section 2a). Used to analyze menu text and give results (Section 3). We don’t collect audio or voice recordings.
- Inferences – our system draws inferences about your taste preferences (e.g. “user likes spicy and savory”). These are based on data you give us and your usage. Used to personalize content (Section 3). We do not profile you for anything outside of food suggestions.
- Sensitive Personal Info – this overlaps with some above: precise location, health/dietary preferences, maybe philosophical (if diet is religious). We use these only to provide the services requested (personalization, see Section 3) and not for secondary use. We offer the ability to remove/modify these at any time. We do not use or disclose sensitive info in a way that requires a “Limit Use of Sensitive Info” link under CPRA (we don’t use it for anything beyond the core service purpose the user would expect).
We do not knowingly collect data of minors under 16. If a California resident under 16 were to use the app, we would not sell or share their info either, and would take steps to delete it upon discovery (see Children in Section 9).
b. Rights for Residents of the European Economic Area (EEA), United Kingdom, or other GDPR jurisdictions
If you are in the EEA, UK, or a similar jurisdiction with comprehensive data protection laws, you have the following rights under the GDPR (or UK GDPR):
- Right to Access: You can ask us to confirm if we are processing your personal data and request a copy of the data, along with information about how it’s processed. (This is similar to the “right to know” above, but under GDPR it’s broader and not limited to 12 months).
- Right to Rectification: You have the right to have inaccurate personal data corrected, or to have incomplete data completed. As mentioned, you can often do this via app settings (e.g. update preferences), or by contacting us.
- Right to Erasure: Commonly known as the “right to be forgotten.” You may request deletion of your personal data in certain circumstances – for example, if it’s no longer necessary for the purposes collected, or if you withdraw consent and there’s no other legal ground for processing. We will honor deletion requests unless an exemption applies (GDPR outlines some, like needing to keep data for legal compliance or defending legal claims). Through the app’s account deletion or contacting us, you can exercise this.
- Right to Restrict Processing: You can ask us to restrict (temporarily halt) processing of your data if you contest its accuracy, or if the processing is unlawful and you want restriction instead of deletion, or if we no longer need the data but you need it kept for a legal claim, or if you have objected (see next) and are awaiting verification of overriding grounds. When processing is restricted, we will just store it but not actively use it (aside from maintaining the restriction).
- Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (or public interest) and you have a particular situation that makes you want to object. If you object, we will evaluate whether our legitimate grounds override your rights or if we must stop processing. You also have an unconditional right to object to processing for direct marketing purposes. (We currently don’t do direct marketing profiling, but if we sent marketing, you can opt out as noted.) If you object to certain processing (like analytics), we will either stop or reach out to discuss (for necessary service functions).
- Right to Withdraw Consent: If we rely on consent for any processing (we do, e.g., for sending data to AI providers, though one could argue that’s also contract necessity; but certainly for processing any special category like allergies, we treat it as based on your explicit consent), you can withdraw consent at any time. As mentioned, you can do so by removing that data or contacting us. Withdrawal doesn’t affect lawfulness before it, but if withdrawn we won’t continue that processing.
- Automated Decision-Making: The GDPR gives you rights relating to automated decision-making, including profiling, that produces legal or similarly significant effects. Tastily’s AI recommendation is a form of automated processing, but it does not produce legal effects or similarly significant effects on you – it’s offering suggestions for food, which you are free to accept or ignore. It does not lock you out of opportunities or significantly affect your rights. Therefore, this likely doesn’t apply. We do not make any solely-automated decisions with legal or serious impact (like credit approval or hiring decisions) about users. If that ever changed, we’d ensure GDPR compliance, including the right to human review of such decisions.
Lawful Bases for Processing (GDPR): We process personal data under the following legal bases:
- Contract: Much of our processing is to provide the service you requested under our Terms of Service (GDPR Art. 6(1)(b)). For example, using your preferences and location to recommend dishes, or sending your data to AI APIs to get an answer – these are necessary to perform the Tastily service. If you subscribe, processing of your payment status and managing your token usage is also fulfilling our contract with you. Without this data, we cannot provide core features.
- Consent: We rely on your consent (GDPR Art. 6(1)(a)) for certain processing that is not strictly necessary for the service or involves special categories. Notably, any dietary preferences that reveal health or religion are special category data – we collect and use those with your explicit consent (GDPR Art. 9(2)(a)). You give this consent by voluntarily providing that info in the app for us to use. You can withdraw it by deleting that info or your account. We also use consent for sending marketing emails (if we ever do, we’d ask you to opt-in). For location data, we consider that consent-based via the OS prompt.
- Legitimate Interests: We process some data for our legitimate interests (GDPR Art. 6(1)(f)), after evaluating that our interests are not overridden by your privacy rights. For example, we have a legitimate interest in understanding how users interact with our app (analytics) so we can improve functionality; in ensuring the security of our platform and preventing misuse; and in contacting you about product updates or relevant offers (outside of strict marketing consent scenarios, say transactional or in-app suggestions which are part of user experience). When we rely on this basis, we ensure the processing is minimal and not intrusive. You have the right to object to processing on this basis (see above).
- Legal Obligation: Where we need to comply with a law (GDPR Art. 6(1)(c)), such as keeping certain financial records for tax, or responding to valid legal requests, we will process data for that purpose.
- Vital Interests / Public Interest: Unlikely to apply to Tastily’s typical operations. We do not process personal data for public interest tasks or vital life-and-death interests, except in a hypothetical emergency if someone’s safety was at stake and we had pertinent info (GDPR Art. 6(1)(d)), in which case we would process data to protect vital interests. But that is not an everyday scenario.
If you have questions about the legal bases or want more detail, please contact us.
Exercising GDPR Rights: To exercise your rights, please contact us at support@viro-tech.com. We may ask you to verify your identity before fulfilling requests (to ensure we don’t give your data to the wrong person). We will respond within one month of receiving your request, or inform you if we need more time (we can extend by an additional two months for complex requests, per GDPR, but will let you know why). There is generally no fee for these requests unless they are manifestly unfounded or excessive. If you believe our processing of your personal data infringes the law, you also have the right to lodge a complaint with your local data protection supervisory authority. For example, in the UK that’s the Information Commissioner’s Office (ICO), and in the EU you can contact the authority in your country of residence or where we are established. We would, however, appreciate the chance to address your concerns directly first.
c. Rights for Other Jurisdictions
If you reside in a place like Canada, Australia, Brazil, or elsewhere with privacy laws, you likely have similar rights (e.g., access and deletion). We aim to honor those rights as well. Contact us and we will accommodate to the extent required by applicable law. For example, Canada’s PIPEDA gives you rights to access and correct personal information, subject to some exceptions. Our process described above would similarly apply. If any state laws in the US (e.g., Virginia, Colorado) apply to us, those states also provide rights largely aligned with CCPA/GDPR and we extend similar controls to their residents.
9. Children’s Privacy
Tastily is not intended for children under the age of 13. We do not knowingly solicit or collect personal information from children under 13 years old. If you are under 13, do not use the App or provide any personal data (for example, do not send us your name, email, or any preferences). If we learn that we have inadvertently collected personal information from a child under 13 without appropriate consent, we will delete that information as quickly as possible.
For teens between 13 and 18 (or the age of majority in your jurisdiction), we recommend parental guidance. If you are a parent or guardian and believe your child under 13 may have provided personal information to us, please contact us at support@viro-tech.com so we can take steps to remove the data and terminate the child’s account.
Note for EU/UK: We do not knowingly offer our services to children under 16 in the EU or UK without parental consent. In some EU countries, the age for requiring parental consent may be set lower (like 13–15). We do not have a mechanism to verify age other than asking users to confirm they meet our minimum age (13 to sign up, 16 if in a place with that requirement). If you are a minor over 13 but under 16 in the EEA/UK, by using the App you affirm that you have parental permission if required by your local law. We reserve the right to ask for verifiable parental consent for users we suspect are under the required age.
10. International Data Transfers
Tastily is operated from the United States. If you are using the app from outside the US, be aware that your personal information will likely be transferred to and stored in the United States (and possibly other countries where our service providers have infrastructure, such as data centers in the EU or Asia, depending on how we configure services like Firebase). These countries may have data protection rules that are different from your country, and in some cases may not be as protective. For example, personal data stored in the US may be subject to lawful requests by US authorities (see Section 4c).
However, we take steps to ensure that adequate safeguards are in place to protect your privacy when we transfer data internationally:
- Standard Contractual Clauses: For users in the EEA, UK, or Switzerland, when we transfer personal data to the US (or any country not deemed “adequate” by the European Commission or UK authorities), we rely on Standard Contractual Clauses (SCCs) as an appropriate safeguard (per GDPR Art. 46). We have incorporated the EU Commission’s approved SCCs in our agreements between our US entity and any international subsidiaries or with our service providers as needed. These SCCs contractually obligate us and recipients of the data to protect it to EU GDPR standards. You can request a copy of these clauses by contacting us.
- Data Privacy Framework: Google (Firebase and related services) has certified its compliance with the EU-U.S. Data Privacy Framework and Swiss-U.S. Framework. This means that for data we send to Google’s US operations, Google ensures a level of protection that meets EU requirements, as they are under oversight of the Department of Commerce and FTC. We, as of [Effective Date], have not self-certified to the DPF as a company, but we are monitoring developments. If we do, we will update this Policy.
- By Necessity for Contract: In some cases, we transfer data internationally as necessary to perform our contract with you (GDPR Art. 49(1)(b)), for instance when you, an EU user, request our service which inevitably involves sending data to our US servers to get a recommendation. Also, if a transfer is occasional and necessary in relation to a service you request, that can be a justified basis. However, our default approach is to use SCCs as the long-term safeguard.
- Other Measures: We implement technical measures like encryption (in transit and at rest) and access controls, which help protect data even if it’s stored outside your country. Our service providers, like Apple and Google, also implement strong security measures globally.
By using Tastily, you understand that your information will be transferred to our facilities (in the US and possibly other countries) and to those third parties with whom we share it as described in this Policy. We will always handle your personal information in accordance with this Policy wherever it is processed.
If you have questions about international transfers or want more info on the safeguards, please contact us.
11. Updates to This Privacy Policy
We may occasionally update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by appropriate means. This could include a prominent notice within the App, an email notification (if we have your email), or posting on our website. Material changes might include things like using your data for new purposes, or sharing with new types of partners not previously identified.
The “Last Updated” date at the top indicates when the Policy was last revised. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use Tastily after an updated Privacy Policy has been posted and notified, we will consider that as acceptance of the changes, to the extent permitted by law. If you do not agree with any changes, you should stop using the app and may delete your account.
For significant changes that require your consent, we will obtain that consent as needed.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
- Company Name: VIRO Inc.
- Address: 8 The Green #24978, Dover, DE, 19901, United States
- Contact Email: support@viro-tech.com
We will do our best to respond promptly and resolve any issues. Your privacy is important to us, and we welcome feedback. If contacting us does not resolve your concern, and you are in a region with a data protection authority, you have the right to contact that authority as well (as noted in Section 8).
Thank you for reading our Privacy Policy. We hope you enjoy discovering delicious dishes with Tastily, knowing we respect your privacy.
Thank you for tasting the world with Tastily!