Privacy Policy

Dishula ("we," "us," or "our") operates the Dishula mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the App.

By using Dishula, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.

This policy applies to users worldwide, including those in the European Economic Area (EEA), United Kingdom, Canada, and California.

Information You Provide

When you create an account, we collect:

• First and last name
• Email address (used for authentication and account management)
• Username (your chosen public display name)
• Age range — a selected range (Under 18, 18–24, 25–34, 35–44, 45–54, or 55+) collected at account creation, used to understand our user demographics and improve the App
• Profile photo (avatar) — optional, may contain your likeness
• Instagram handle — optional; if provided, displayed publicly on your profile and used solely to link visitors to your Instagram account
• Photos you voluntarily upload of dishes and reviews
• Ratings and reviews (star rating, optional review text, optional photo)
• Deletion requests (when you report content for removal, including the reason you provide)

Information Collected Automatically

• Location data — to show you nearby restaurants (only when you grant permission)
• Device identifiers — such as device type, operating system, and app version
• Usage data — how you interact with the App (screens visited, features used)
• New device sign-in data — when you sign in from a device not previously associated with your account, we record the device name, device type, and platform. This is used to send you a security email alert notifying you of the new sign-in.
• Photo content hash — a one-way cryptographic hash (SHA-256) of photos you upload for reviews, stored solely to prevent duplicate photo submissions for the same dish.
• Beta testing data — when the App is distributed via Apple TestFlight, Apple independently collects crash logs, performance metrics, and usage data. This data collection is governed by Apple's privacy practices.

Information from Third Parties

• Google Places API — provides restaurant and location data. Google may independently collect data per their own privacy policy.
• Apple / Google — when you use Sign in with Apple or Sign in with Google, those services provide your name and email address. We do not receive your Apple or Google password.

If you are located in the EEA or United Kingdom, we process your personal data under the following lawful bases as defined by GDPR:

• Contract performance — processing your name, email, and username is necessary to create and manage your account and provide the App's core features.
• Legitimate interests — processing usage data, device identifiers, and new device sign-in data to improve App performance and security, where such interests are not overridden by your rights.
• Consent — processing your location data, which requires your explicit permission. You may withdraw this consent at any time through your device settings.
• Legal obligation — retaining certain data where required by applicable law.

We use the information we collect to:

• Create and manage your account
• Authenticate your identity via email, Apple, or Google
• Display your username alongside your ratings and reviews
• Display your Instagram handle on your public profile, if you choose to provide one
• Show nearby restaurants based on your location
• Display dish and review photos you submit
• Detect and prevent duplicate photo submissions
• Alert you by email when your account is accessed from a new device
• Understand user demographics using age range data to improve the App
• Moderate content to maintain a safe and respectful community
• Improve and maintain the App
• Respond to your questions or support requests
• Comply with legal obligations

Service Providers

We share data with trusted third-party service providers that help us operate the App:

• Supabase — for database hosting, authentication, and file storage
• Vercel — for serverless infrastructure
• Google Places API — for restaurant and location data
• Anthropic — for AI-powered content moderation; user-submitted text and images are processed to detect policy violations. Anthropic does not retain submitted content beyond what is necessary to perform the moderation check.
• Resend — for transactional email delivery (account confirmation, password reset, new device alerts)
• Apple — for Sign in with Apple authentication and TestFlight beta distribution
• Google — for Sign in with Google authentication
• Cloudflare Turnstile — for bot detection and CAPTCHA during authentication flows. Turnstile processes request metadata to distinguish human users from automated bots.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process (such as a court order or subpoena).

Administrative Access

Authorized Dishula administrators may access certain account information — including your username, email address, age range, and profile details — solely for the purposes of account support, content moderation, and platform integrity. Administrator access is limited to personnel with a legitimate need and is logged for accountability.

Business Transfers

If Dishula is involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

We retain your personal information for as long as your account is active or as needed to provide the App's services. If you delete your account:

• Your username, email address, name, age range, Instagram handle (if provided), and profile photo are deleted or anonymized
• Dishes and reviews you created remain visible but are attributed to "Deleted User"
• Your user ID is removed from all associated records
• Certain data may be retained longer if required by law or for legitimate business purposes (e.g., fraud prevention)

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include:

• Encrypted connections (HTTPS/TLS) for all data in transit
• Row-level security (RLS) on our database, ensuring users can only access their own data
• API key protection via server-side functions — no sensitive keys are stored in the app
• Access controls limiting who can access production systems

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — request that we correct inaccurate or incomplete data
• Deletion — request that we delete your personal data (subject to legal requirements)
• Portability — request that your data be provided in a machine-readable format
• Objection — object to processing based on legitimate interests
• Withdrawal of consent — withdraw consent for location data at any time via device settings

• The photo is stored on our servers via Supabase Storage
• The photo is sent to Anthropic's API for automated content moderation before being stored
• Anthropic does not retain submitted images beyond what is necessary to perform the moderation check
• A one-way cryptographic hash (SHA-256) of the photo is stored to prevent duplicate submissions for the same dish
• If you delete your account, photos remain in the App but are no longer linked to your identity
• You grant Dishula a license to display your photos within the App as described in our End User License Agreement

Dishula is operated from the United States. If you are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.

For users in the EEA or United Kingdom, we ensure that such transfers comply with applicable data protection law, including through the use of Standard Contractual Clauses where required.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete — request deletion of personal information we have collected, subject to certain exceptions
• Right to Correct — request correction of inaccurate personal information
• Right to Opt-Out — we do not sell or share personal information for cross-context behavioral advertising
• Right to Non-Discrimination — we will not discriminate against you for exercising your rights

To submit a request, contact us at privacy@dishula.com or use the Delete Account feature in the App. We will verify your identity before processing requests.

The App is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@dishula.com and we will delete that information.

If you are a minor, please review this policy with a parent or guardian before using the App.

The Dishula mobile application does not use cookies. We may use anonymous analytics tools to understand how users interact with the App in aggregate. These tools do not identify individual users.

When you create an account, we record the date and version of the Privacy Policy and End User License Agreement that you accepted. This record is stored in our database and may be used to demonstrate your consent under applicable data protection law.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the 'Last Updated' date and, where appropriate, through in-app notification. Continued use of the App after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, to exercise your data rights, or to submit a privacy concern, contact us at: