Small print.
No surprises.
Effective date: 27 April 2026 · Last updated: 27 April 2026
1. Who is the data controller
Daniil Shaposhnikov, Individual Entrepreneur, registered in Georgia under identification number 304687809 (registered with the LEPL National Agency of Public Registry, Ministry of Justice of Georgia, on 24 July 2023), with registered address Ponichala 3, Building 5, Floor 4, Krtsanisi District, Tbilisi, Georgia ("we", "us") is the data controller for personal data processed through Savera.
For all data protection matters, contact: hello@savera.kitchen
For EU/UK consumers: We are currently in the process of appointing representatives under Article 27 GDPR and UK GDPR. This notice will be updated when those appointments are complete. In the meantime, please direct all data protection inquiries to hello@savera.kitchen, and we will respond within 30 days as required by Article 12(3) GDPR.
2. What we collect and why
| Category | Examples | Legal basis (GDPR Art. 6 / 9) | Retention |
|---|---|---|---|
| Account data | Email, display name, password hash | Contract (Art. 6(1)(b)) | Life of account + 30 days after deletion |
| Dietary preferences | Cuisine preferences, dislikes, household composition | Contract | Life of account |
| Health-related dietary data (allergies, medical diets, pregnancy, religious diets) | As entered by you in onboarding or settings | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Until consent withdrawn + 30 days |
| AI prompts and outputs | Recipe queries, generated recipes, chat history | Contract + legitimate interest (service improvement) | 13 months or until account deletion |
| Billing data | Name, address, VAT/tax residence, truncated card data | Contract + legal obligation (invoice retention) | 10 years (tax law) — stored by Paddle, not by us |
| Usage data | Pages viewed, features used, device type | Legitimate interest (Art. 6(1)(f)) — service analytics | 13 months |
| Cookies | See section 8 | Consent for non-essential | Maximum 13 months |
We do not sell your personal data and we do not use your health-inferable data for advertising.
Account deletion. When you delete your account, we begin a 30-day soft-delete period during which deletion can be reversed by contacting hello@savera.kitchen. After 30 days, all personal data is permanently erased from production systems within 7 days. Backup copies are erased within 90 days as part of our standard backup rotation. Anonymized usage statistics may be retained indefinitely for service improvement.
How we collect explicit consent for health data. When you enter allergies, medical diets, pregnancy status, or religious diets in onboarding or settings, a separate consent dialog appears with: a clear description of what data is processed, an explanation of why (to filter recipes accordingly), confirmation that no other use is made, an unticked checkbox you must affirmatively click, and a link to withdraw consent at any time. Withdrawing consent removes the data from active processing within 24 hours and from all systems within 30 days.
3. How we use AI (automated processing disclosure)
Savera uses AI to generate recipes and meal suggestions based on your preferences and inputs. You are interacting with an AI system. AI-generated outputs are marked as such. The AI does not make legal or similarly significant decisions about you, so Article 22 GDPR restrictions on solely-automated decision-making do not apply; you may nonetheless request human review of any output at hello@savera.kitchen.
4. Data Protection Impact Assessment
Because we process health-inferable dietary data (Article 9 GDPR special category) using AI, we are preparing a Data Protection Impact Assessment in line with Article 35 GDPR. The DPIA will document processing activities, identified risks, and mitigation measures, and will be available on request at hello@savera.kitchen prior to public launch in the European Union.
5. Who we share data with (sub-processors)
We rely on the following sub-processors. Each is bound by a Data Processing Agreement incorporating EU Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Agreement.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| OpenAI, L.L.C. | AI recipe generation and chat | USA | openai.com/policies/data-processing-addendum |
| Supabase Inc. | Database, authentication | EU (Frankfurt) | supabase.com/legal/dpa |
| Vercel Inc. | Web/PWA hosting and edge delivery | USA / global edge | vercel.com/legal/dpa |
| Railway Corp. | Backend services | USA | DPA on request |
| Paddle.com Market Limited | Payments, invoicing, tax | UK / global | paddle.com/legal/dpa |
| Resend | Transactional email | USA / EU | Provider DPA |
How we notify you of changes. We publish this list and will notify users by email (and in-product banner) at least 30 days before adding a new sub-processor. If you object to a new sub-processor, you may close your account before the change takes effect and receive a pro-rata refund for any unused subscription period.
6. International transfers
Transfers to the USA (OpenAI, Vercel, Railway) rely on Standard Contractual Clauses (2021/914) and supplementary technical measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), and access logging. A Transfer Impact Assessment is available on request at hello@savera.kitchen.
7. Your rights
Under GDPR and UK GDPR you have the rights of access, rectification, erasure, restriction, portability, and objection, as well as the right to withdraw consent and to lodge a complaint with a supervisory authority.
How to exercise rights. Email hello@savera.kitchen with your account email. We respond within 30 days. In complex cases, we may extend by an additional 60 days and will notify you within the first 30 days, as permitted by Article 12(3) GDPR. We will not charge a fee unless your request is manifestly unfounded or excessive.
Supervisory authorities you can contact:
- CNIL (France): cnil.fr — for users in France
- ICO (UK): ico.org.uk — for users in the United Kingdom
- For other EU Member States: edpb.europa.eu/about-edpb/about-edpb/members_en
California residents additionally have rights to know, delete, correct, and opt out of sharing under CCPA/CPRA; we do not sell or share personal information. Submit requests to hello@savera.kitchen. We respond within 45 days as required by §1798.130(a)(2) of the California Civil Code.
8. Cookies and local storage
We use strictly necessary technologies (cookies and browser localStorage) to keep you signed in and to remember your consent choice. Non-essential analytics scripts (Google Analytics) load only after you give consent.
Cookie banner mechanics. On your first visit, a banner appears with two clearly labelled options at equal visual prominence: "Accept" (turns on analytics) and "Only essential" (no analytics, no tracking). Until you choose, no analytics scripts load. Your choice is stored in your browser's localStorage under the key savera_consent and persists until you clear your browser data. You can change your choice anytime via the "Cookies" link in our footer, which re-opens the banner. We do not use dark patterns, pre-ticked boxes, or "scroll = consent" approaches.
Cookies and storage we use:
| Name | Purpose | Type | Stored as | Lifetime |
|---|---|---|---|---|
| sb-access-token | Authentication (Supabase) | Strictly necessary | Cookie | Session |
| sb-refresh-token | Session refresh | Strictly necessary | Cookie | 7 days |
| savera_consent | Stores your cookie/consent preference | Strictly necessary | localStorage | Until you clear browser data |
| _ga, _ga_* | Google Analytics 4 — anonymous usage measurement | Analytics (consent-based) | Cookie | Up to 13 months — only loaded if you click Accept |
9. Security
We apply industry-standard safeguards: TLS 1.2+ in transit, AES-256 at rest, least-privilege access, regular key rotation, and vendor due diligence. No system is 100% secure.
Breach notification. In the event of a personal data breach affecting your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR)
- Notify affected users without undue delay by email when the breach is likely to result in high risk to rights and freedoms (Article 34 GDPR), including the nature of the breach, likely consequences, and measures taken
- Maintain an internal record of all breaches regardless of severity, available for supervisory authority inspection
10. Children
Savera is not directed at children under 16. We do not knowingly collect data from children under 16 (or under 13 in jurisdictions where COPPA applies, including the United States). If you believe we have, contact hello@savera.kitchen and we will delete it within 30 days.
11. Changes
We will notify you of material changes by email at least 30 days before they take effect. Non-material changes (typo fixes, formatting) may be made without notice. We maintain a public changelog of all changes at https://savera.kitchen/privacy-changelog with the date of each change and a summary of what was modified.
12. Contact
Daniil Shaposhnikov, Individual Entrepreneur
Identification number: 304687809
Address: Ponichala 3, Building 5, Floor 4, Krtsanisi District, Tbilisi, Georgia
Email: hello@savera.kitchen