Skip to main content
Smart Pantry

Privacy Policy

Effective date: 1 June 2026

Smart Pantry is a meal planning and pantry management app available on the web at smartpantry.website and as a mobile app on the Apple App Store and Google Play Store. This policy explains what personal data we collect, why we collect it, how it is stored, and your rights over it. We keep things simple — no advertising, no selling your data, no hidden tracking.

At a glance

No advertising or tracking
Your data is never sold
No analytics SDKs
No push notifications
Passwords require 8+ chars and a special character
HTTPS everywhere
Self-serve account deletion
UK GDPR rights honoured

1. What data we collect

We collect only the information needed to run the app. The table below lists every category:

Email addressProvided when you create an account. Used to identify you and to send transactional emails (e.g. password reset).
PasswordYou choose this at sign-up. Must be at least 8 characters and include at least one special character (e.g. ! @ # $ %). We store only a one-way bcrypt hash — the plain-text password is never saved or transmitted.
Household profileNumber of people, dietary preferences (omnivore / vegetarian / vegan), dietary restrictions (gluten-free, dairy-free, halal, kosher), allergens per person, shopping day, and weekly budget — all entered voluntarily during onboarding or in Profile.
Pantry inventoryItem names, quantities, units, storage location, optional use-by dates, and optional barcode numbers that you add to your pantry.
Waste logWhen you mark an expired item as consumed or binned, it is removed from your pantry. No waste history is retained after deletion.
Meal plansThe 7-day meal plans generated for your household, including any swaps or customisations you make.
Shopping listsGenerated lists, items you mark bought or hidden, manual additions, quantity edits, and — if you choose to log it — your actual till spend.
Your recipesAny custom recipes you save to the app.

We do not collect your name, phone number, address, payment details, location, device identifiers, or biometric data. We do not run behavioural tracking or advertising pixels.

2. Device access (mobile app)

The Smart Pantry mobile app requests only the permissions it needs. Below is every permission the app may request and exactly why:

CameraUsed to scan barcodes when searching for pantry items. The camera feed is processed on-device; no images are captured, stored, or transmitted to our servers. On web, barcode numbers may be typed manually and looked up via Open Food Facts (see Section 5).
Secure storageYour session token is stored in the iOS Keychain or Android Keystore via expo-secure-store. This is protected hardware-backed storage — no other app can read it.

Permissions the app never requests:

  • Microphone
  • Photo library
  • Location / GPS
  • Contacts
  • Push notifications
  • Health & fitness data
  • Bluetooth
  • Face ID / Touch ID / biometrics
  • Background app refresh

3. How it's stored & security

All account and application data is stored in a MongoDB database. Depending on deployment configuration this may be a MongoDB Atlas cluster hosted on AWS or Google Cloud infrastructure in the EU or UK. Data is protected by:

  • Passwords stored as bcrypt hashes (cost factor ≥ 10) — the original password cannot be recovered even by us.
  • Session tokens are signed JWTs stored in httpOnly, SameSite=Lax cookies on web — inaccessible to JavaScript and not sent cross-site.
  • On mobile, session tokens are stored in iOS Keychain or Android Keystore — hardware-backed secure storage inaccessible to other apps.
  • All traffic is served over HTTPS / TLS. Plain HTTP is not accepted.
  • Database credentials are stored as server-side environment variables and are never exposed to the client or logged.
  • Access to production data is restricted to authorised personnel only.

We take reasonable technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. In the unlikely event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 UK GDPR.

4. Why we collect it (lawful basis)

Under UK GDPR, every purpose for processing personal data must have a lawful basis. Below are our purposes and the corresponding lawful basis for each:

Account & authenticationContract performance — necessary to provide the service you signed up for. Without an email address and password we cannot create or authenticate your account.
Household profile & allergensContract performance — required to personalise meal suggestions safely, filter allergens and dietary restrictions, and scale recipes for your household size.
Pantry & shopping dataContract performance — used to calculate what you need to buy, surface items nearing expiry, and generate shopping lists. This is the core service.
Custom recipesContract performance — stored at your request to appear in your personal meal planner and shopping list.
Password-reset emailLegitimate interests — sending a transactional email you explicitly requested to recover access to your account.
Anonymous aggregate patternsLegitimate interests — anonymised (hashed) ingredient patterns from custom recipes help improve future suggestions. No personal data is used; data cannot be reversed to identify you.

We do not rely on consent as the basis for any processing (other than the device permissions listed in Section 2 which are handled by your operating system). You can withdraw your data entirely by deleting your account (see Section 7).

We do not use your data for marketing, profiling, or selling to third parties.

5. Data retention

We retain personal data for as long as your account is active. Specifically:

Account dataRetained until you delete your account. Immediately and permanently deleted on account deletion.
Pantry, meal plans, shopping listsRetained for the lifetime of your account. All records are deleted instantly when you delete your account.
Custom recipesRetained until you delete the recipe or your account. Anonymous aggregate hashes are retained separately and cannot be traced back to you.
Cooked meal logsRetained for the lifetime of your account to power week-review statistics and recipe ranking. Deleted with your account.
Password reset tokensExpire automatically after 1 hour. Expired tokens are purged periodically.
Session cookiesWeb session cookies expire after 24 hours. You can sign out at any time to invalidate your session immediately.

There are no separate retention periods for sub-categories of data. Everything tied to your account is removed in a single irreversible operation when you delete your account (see Section 7).

6. Third-party services

Smart Pantry uses a small number of infrastructure services. None of them receive your pantry, meal plan, or shopping data. The full list:

VercelThe web app is hosted on Vercel (vercel.com). All HTTP requests pass through Vercel's edge network. Vercel may log standard request metadata (IP address, user-agent, timestamp) per their privacy policy at vercel.com/legal/privacy-policy.
MongoDB AtlasYour account and application data is stored in a MongoDB Atlas cluster. MongoDB's privacy policy is at mongodb.com/legal/privacy-policy.
ResendWhen you request a password-reset email, your email address is passed to Resend (resend.com) to deliver that single transactional message. Resend does not receive any other data.
Open Food FactsWhen you look up a barcode (by typing or scanning it), the barcode number is sent to the Open Food Facts public API (world.openfoodfacts.org) to retrieve the product name. Open Food Facts is an open non-profit database. No account data, pantry data, or personally identifiable information is sent with this request. Open Food Facts privacy policy: openfoodfacts.org/privacy.
Apple App StoreThe iOS app is distributed via the Apple App Store. Apple may collect standard app-store metrics (download counts, crash reports) as described in Apple's privacy policy at apple.com/legal/privacy.
Google Play StoreThe Android app is distributed via Google Play. Google may collect standard play-store metrics as described in Google's privacy policy at policies.google.com/privacy.
Expo / EASThe mobile app is built with Expo (expo.dev). Over-the-air JS updates and build metadata may be handled by Expo Application Services. Expo's privacy policy is at expo.dev/privacy.

We do not use Firebase, Supabase, Stripe, Google Analytics, Meta Pixel, Mixpanel, Amplitude, Segment, or any other analytics or advertising platform.

7. Deleting your account

You can permanently delete your account and all associated data at any time. There are two ways:

Option A — self-serve (instant):

  1. Sign in and go to Profile.
  2. Scroll to the Account section.
  3. Tap Delete account and confirm.

Option B — by email (within 30 days):

If you cannot access the app, email us at smartpantryhelp@outlook.com and we will delete your account manually within 30 days.

Deletion removes all of the following from our database immediately and irreversibly: your user record, profile, pantry items, meal plans, shopping list data, shopping history, cooked meal logs, and any custom recipes. Anonymous aggregated data (recipe pattern hashes) that cannot be linked back to you is retained separately.

There is no grace period or recovery option. Once deleted, your data cannot be restored.

In compliance with Apple App Store Review Guideline 5.1.1(v) and Google Play Data Safety requirements, account deletion is available directly within the app and removes all associated personal data. This also satisfies the UK GDPR right to erasure (Article 17) and EU GDPR equivalent.

8. Cookies, sessions & local storage

Web app

Smart Pantry uses a single authentication cookie (sp_session) to keep you signed in. This cookie:

  • Contains a signed JWT — no personal data is embedded in the token itself.
  • Is marked httpOnly and SameSite=Lax — JavaScript cannot read it.
  • Expires after 24 hours.

A second cookie (theme_pref) stores your light/dark theme preference. It contains no personal data.

The web app uses a service worker to cache pages and API responses locally for offline access. Cached data mirrors what is already on the server and is cleared when the cache version changes or when you clear site data in your browser.

We set no advertising, analytics, or tracking cookies. No third-party scripts load cookies on smartpantry.website.

Mobile app

  • Session token — stored in iOS Keychain or Android Keystore via expo-secure-store. Hardware-backed; no other app can access it.
  • Offline cache — non-sensitive UI state (pantry, meal plan, shopping list) may be cached in AsyncStorage to support offline browsing. This data mirrors what is already on the server and is cleared on sign-out.
  • Preferences — theme choice, font size, and tutorial completion status are stored in AsyncStorage. These contain no personal data.

9. Children

Smart Pantry is not directed at children under the age of 13 and we do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at smartpantryhelp@outlook.com and we will delete that data promptly.

Users between 13 and 17 should use the app only with the knowledge and consent of a parent or guardian.

10. Your rights (UK & EU GDPR)

Under UK GDPR (and equivalent EU GDPR) you have the following rights. Most can be exercised directly in the app:

Access (Art. 15)Request a copy of all personal data we hold about you in a structured, commonly used format.
Rectification (Art. 16)Correct inaccurate or incomplete data. Most data (pantry, profile, household details) can be edited directly in the app.
Erasure (Art. 17)Delete your account and all associated personal data. Self-serve via Profile → Account → Delete account, or by emailing us. See Section 7.
Restriction (Art. 18)Ask us to temporarily stop processing your data while a complaint or query is being resolved.
Portability (Art. 20)Receive your data in a machine-readable format (e.g. JSON) suitable for transfer to another service.
Object (Art. 21)Object to processing based on our legitimate interests. We will stop unless we can demonstrate compelling grounds that override your interests.
Automated decisions (Art. 22)Smart Pantry does not make automated decisions that produce legal or similarly significant effects. Meal suggestions are personalised recommendations, not binding decisions.

To exercise any of these rights, contact us at smartpantryhelp@outlook.com. We will respond within 30 calendar days and will not charge a fee for reasonable requests. We may ask for proof of identity before fulfilling a request.

11. Complaints

If you believe we have not handled your personal data in accordance with applicable data-protection law, you have the right to lodge a complaint with the relevant supervisory authority:

UKInformation Commissioner's Office (ICO) — ico.org.uk. You can report a concern online or by post to ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
EUThe data protection authority in your EU member state. A list of EU supervisory authorities is available at edpb.europa.eu.

We would appreciate the opportunity to address your concern directly before you contact the supervisory authority. Please email us first at smartpantryhelp@outlook.com and we will respond within 30 days.

12. Contact & data controller

Smart Pantry is the data controller for the personal data described in this policy. If you have any questions about this policy or how your data is handled, please contact us:

Smart Pantry (Data Controller)

smartpantryhelp@outlook.com

smartpantry.website

We aim to respond to all data-related requests within 30 days. For complex requests involving multiple rights or large volumes of data, we may extend this by a further two months — if so, we will notify you within the initial 30-day period and explain the reason for the extension.

We may update this policy from time to time as the service evolves or legal requirements change. The effective date at the top of this page reflects the most recent revision. Where changes are material, we will notify you by email (if we have one for your account) or by displaying a notice in the app. Continued use of the app after notification of a change constitutes acceptance of the revised policy.

Smart Pantry · smartpantry.website · Effective 1 June 2026 · Data controller: smartpantryhelp@outlook.com

Back to app