1. Introduction

Welcome to Larna, your intelligent home management companion. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our mobile application and web services. We are committed to protecting your privacy and ensuring transparency about our data practices.

2. Information We Collect

2.1 Personal Information

• Account Information: Email address, display name, phone number (if using phone authentication), unique user ID, profile photo URL
• Authentication Data: Authentication tokens from Google, Apple, or phone verification services
• Family Information: Family codes for shared household management, onboarding completion status

2.2 Shopping and Inventory Data

• Shopping Lists: Items you add, item details, store preferences, aisle locations, item status (needed/purchased)
• Inventory Items: Product names, details, tags, supermarket assignments, dates added
• Favorite Items: Your saved favorite products for quick re-adding
• Supermarket Preferences: Your selected supermarkets and shopping preferences

2.3 Recipe and Meal Data

• Recipe Information: Imported recipes (including from Pinterest), cooking instructions, ingredient lists, recipe images
• Meal Planning: Planned meals, cooking schedules, week start dates
• Meal History: Previously prepared meals, ratings (1-5 stars), preparation frequency, meal images
• Recipe Collections: Organized meal folders, personal notes, Pinterest URLs

2.4 Media and Storage

• Images: Meal photos uploaded to Firebase Storage, recipe images
• Camera Usage: Access for meal photography (with your permission)

2.5 Usage and Technical Data

• Device Information: Device type, operating system, app version, browser type
• Usage Analytics: Feature usage patterns, session duration, user interactions, navigation paths
• Performance Data: App crashes, error logs, performance metrics
• Push Notification Tokens: FCM (Firebase Cloud Messaging) tokens for sending notifications

2.6 Payment Information

• Transaction Metadata: User ID, family code, selected supermarkets, payment session IDs
• Trial Information: Trial start dates, trial end dates, subscription status
• Note: We do NOT store credit card numbers, CVV codes, or direct payment credentials

3. How We Use Your Information

3.1 Core App Functionality

• Shopping Management: Create and manage shopping lists, track inventory, organize items by supermarket and aisle
• Meal Planning: Organize recipes, plan weekly meals, maintain cooking history, rate meals
• Family Sharing: Enable household members to collaborate on shopping lists, inventory, and meal plans using shared family codes
• Recipe Import: Extract recipe data from Pinterest and other websites (with your consent)
• Image Storage: Store meal photos securely in Firebase Storage for your personal use

3.2 AI and Intelligence Services

• Price Intelligence: Use AI-powered services with web search capabilities to find real-time pricing from selected UK supermarkets and retailers
• Smart Suggestions: AI-powered item suggestions, aisle recommendations
• Price Comparison: Analyze pricing data across multiple retailers to help you find the best deals

3.3 Communication and Notifications

• Push Notifications: Send reminders about trial expiration, subscription updates, and app features
• Email Communications: Welcome emails, trial reminders, payment confirmations, cancellation confirmations
• Transactional Messages: Account-related notifications and service updates

3.4 Service Improvement

• Feature Development: Analyze usage patterns to improve existing features and develop new ones
• Performance Optimization: Monitor app performance, identify bugs, improve reliability
• User Experience: Customize app experience based on preferences and usage patterns

4. Data Storage and Security

4.1 Cloud Infrastructure

• Firebase/Firestore: Primary data storage for user accounts, shopping lists, recipes, meal plans, and inventory on Google Cloud Platform
• Firebase Storage: Secure storage for meal images and user-uploaded photos
• Firebase Authentication: Secure authentication management with industry-standard protocols
• Data Encryption: All data encrypted in transit (TLS/SSL) and at rest

4.2 Security Measures

• Access Controls: Role-based access control (RBAC) through Firestore security rules
• Authentication: Multi-provider authentication (Google, Apple, Phone) with secure token management
• Data Isolation: Family data completely segregated by unique family codes
• Regular Monitoring: Continuous monitoring for security threats and unauthorized access

5. Data Sharing and Third Parties

5.1 Essential Service Providers

• Google Firebase: Authentication, database (Firestore), file storage, cloud functions, and push notifications (FCM)
• Apple App Store / Google Play Store: In-app purchase processing for family code activation (£2.99 one-time fee) - Apple and Google handle all sensitive payment data
• AI Service Providers: Third-party AI services for price finding and smart suggestions (only item names and supermarket preferences are shared)
• Mailjet: Email delivery service for transactional emails (welcome, trial reminders, payment confirmations)

5.2 Recipe Sources

• Pinterest Integration: Import recipe images and metadata (user-initiated, requires Pinterest URL)
• Web Recipe Import: Extract Open Graph metadata from recipe websites (user-initiated)

5.3 No Sale of Personal Data

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes. Data sharing is strictly limited to essential service providers operating under strict data protection agreements.

6. Family and Shared Data

6.1 Family Accounts

• Shared Access: Family members using the same family code can view and edit shared shopping lists, inventory items, and meal plans
• Collaborative Features: All family members can add, edit, and remove items; rate meals; and manage the household inventory
• Shared History: Meal history and ratings are shared within family groups

6.2 Family Code System

• Unique Identifiers: Each family uses a unique 6-character code for data segregation
• Access Control: Only users who have joined a family code can access that family's data
• Data Isolation: Firestore security rules ensure complete separation between family groups
• Multiple Families: Users can belong to multiple family codes and switch between them

7. Subscription and Payment Data

7.1 Payment Processing

• Payment Provider: All payments are processed securely through Apple App Store (iOS) or Google Play Store (Android) in-app purchase systems; we never see or store your credit card details
• Payment Amount: £2.99 one-time payment for family code activation
• Trial Period: 7-day free trial period before payment is required
• Metadata Storage: We store only user ID, family code, trial dates, and transaction IDs in our "payments" collection

7.2 Trial and Subscription Management

• Trial Notifications: Automated reminders sent 6+ days into your trial period (not on the final day)
• Cancellation: You can cancel at any time; no refunds for one-time activation fees

8. Your Rights and Controls

8.1 Data Access and Portability

• View Your Data: Access all personal data stored in your account through the app
• Data Correction: Update or correct inaccurate personal information at any time
• Export Capability: Contact us to request a copy of your data in a portable format

8.2 Data Deletion

• Account Deletion: Request permanent deletion of your account and associated personal data
• Selective Deletion: Remove specific recipes, shopping lists, inventory items, or meal plans
• Family Impact: Deleting shared data affects all family members using the same family code

8.3 Privacy Controls

• Camera Permissions: Control app access to camera for meal photography (iOS/Android system settings)
• Push Notifications: Manage notification preferences in device settings
• Email Preferences: Opt-out options available in all marketing emails (transactional emails required for service)

9. Data Retention

9.1 Active Accounts

• Shopping and Inventory: Retained while account is active or until manually deleted
• Meal Plans and History: Stored indefinitely unless manually deleted by user
• Images: Meal photos stored in Firebase Storage until deleted
• Usage Analytics: Aggregated, anonymized data retained for service improvement

9.2 Account Deletion

• Immediate Removal: Personal data deleted within 30 days of account deletion request
• Backup Retention: Encrypted backups may retain data for up to 90 days for disaster recovery
• Legal Requirements: Some data (e.g., payment records) may be retained longer if required by law (tax/accounting regulations)
• Anonymized Data: Aggregated analytics may be retained indefinitely after anonymization

10. Children's Privacy

10.1 Age Restrictions

• Minimum Age: Larna is intended for users 13 years and older
• Parental Consent: Users under 18 should obtain parental consent before using the app
• Family Accounts: Children can participate in family accounts under parental supervision

10.2 COPPA Compliance

• No Targeted Collection: We do not knowingly collect personal information from children under 13
• Discovery Protocol: If we discover data from a child under 13, we will immediately delete it
• Parental Rights: Parents can request review and deletion of their child's information by contacting us

11. International Data Transfers

11.1 Global Infrastructure

• Cloud Services: Data stored and processed on Google Cloud Platform, which may involve transfers across various regions
• Data Protection Standards: We comply with GDPR (General Data Protection Regulation) and other applicable international data protection laws
• Transfer Safeguards: Standard contractual clauses (SCCs), encryption, and security certifications ensure your data remains protected during international transfers

12. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal data. These may include:

12.1 Access and Correction Rights

• Access Your Data: Obtain confirmation of data processing and access to your personal data
• Correct Your Data: Update or correct inaccurate or incomplete personal data
• Data Portability: Receive your data in a structured, commonly-used, machine-readable format

12.2 Control and Deletion Rights

• Delete Your Data: Request deletion of your personal data (subject to legal exceptions)
• Restrict Processing: Limit how we use your data in certain circumstances
• Object to Processing: Object to certain types of data processing
• Withdraw Consent: Withdraw consent for data processing at any time (where consent is the legal basis)

12.3 Additional Rights

• Non-Discrimination: Equal service and pricing regardless of privacy rights exercise
• Lodge Complaint: File a complaint with your local data protection authority if available in your jurisdiction
• Opt-Out: Opt-out of sale of personal information (Note: We do not sell personal data)

12.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@larna-ai.app. We will respond within 30 days (or as required by applicable law in your jurisdiction). Some rights may not apply to you depending on your location and applicable local laws.

13. Changes to This Policy

13.1 Policy Updates

• Notification: Material changes will be communicated via email or push notification
• Effective Date: Changes become effective 30 days after notification (or as required by law)
• Review: Last updated date displayed at the top of this policy
• Continued Use: Continued use of Larna after changes constitutes acceptance
• Opt-Out: If you disagree with changes, you may delete your account before the effective date

14. Contact Information

14.1 Privacy Inquiries

• Email: privacy@larna-ai.app
• Support: support@larna-ai.app
• Response Time: We respond to privacy requests within 30 days (or as required by applicable law)

14.2 Regulatory Compliance

Larna is committed to compliance with major international privacy frameworks including:

• GDPR: General Data Protection Regulation (applicable globally)
• CCPA/CPRA: California Consumer Privacy Act and related regulations
• COPPA: Children's Online Privacy Protection Act
• Local Laws: Applicable data protection and privacy laws in your jurisdiction

If you have concerns about how your data is handled, you may have the right to contact your local data protection authority or regulatory body.

15. Technical Safeguards

15.1 Security Measures

• Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest
• Authentication: OAuth 2.0 with Firebase Authentication; secure token management
• Access Controls: Firestore security rules enforce strict access control based on user ID and family code
• Monitoring: Continuous security monitoring, error tracking, and threat detection
• Incident Response: Established procedures for security breach notification and remediation

15.2 Data Minimization

• Collection Limits: We only collect data necessary for app functionality
• Processing Limits: Third-party processing limited to item names, store preferences, and recipe metadata
• Retention Limits: Data automatically deleted when no longer needed (subject to legal requirements)
• Anonymization: Analytics data aggregated and anonymized whenever possible