Legal
Privacy policy
Last updated: 31 May 2026
disheazy processes your personal data with full transparency. This page explains what data is collected, why, how long it is kept and what your rights are. It applies to users in France, the European Union, Canada (including Quebec) and the rest of the world.
1. Data controller
The controller of personal data processing is disheazy — Grégory [NOM] (entrepreneur individuel). For any question relating to the protection of your data: privacy@disheazy.fr. Under Quebec Bill 25, this address is also that of the person in charge of personal information protection.
2. Data collected
When using the service, we collect:
• Account data: email address, password (hashed and salted, never in clear text).
• Profile data (optional): nickname, photo, bio.
• Usage data: favourites, shopping list, pantry, preferences (unit system, country).
• Contribution data: reviews, ratings, comments, flags.
• Technical data: IP address (anonymised after 24h), browser type, login logs (12 months).
We do NOT collect: banking data (payment handled by a third-party provider where applicable), precise geolocation data, third-party advertising tracking data.
3. Purposes
Your data is processed to:
• Create and manage your account.
• Personalise your experience (favourites, pantry, recommendations).
• Send you essential transactional emails (signup confirmation, password reset, moderation notifications).
• Moderate the community and ensure the security of the service.
• Produce anonymised usage statistics.
• Comply with our legal obligations.
4. Legal bases (GDPR)
Processing is based on:
• Performance of the contract (account creation, service provision).
• Legitimate interest (moderation, security, fraud prevention).
• Compliance with legal obligations (log retention, response to judicial requests).
• Your explicit consent for any non-essential communication (newsletter, surveys).
5. Sub-processors
To deliver the service, we rely on the following sub-processors, bound by data protection agreements:
• Supabase (database hosting — Europe or United States depending on region selected).
• Vercel (application hosting — United States with European edge servers).
• Resend (transactional email sending — United States).
• Sentry (production error detection — United States).
Each is required to comply with GDPR through Standard Contractual Clauses (SCC) where transfers outside the EU are involved.
6. Transfers outside the EU and Quebec
Some sub-processors (Vercel, Resend, Sentry) are established in the United States. Transfers are governed by:
• The European Commission's Standard Contractual Clauses (SCC) for EU users.
• A Privacy Impact Assessment (PIA) for Quebec users in accordance with Bill 25.
We have selected these providers for their compliance with international data protection standards.
7. Retention period
• Account data: as long as the account is active. Deleted within a maximum of 30 days after closure request.
• Public reviews and contributions: kept as long as relevant to the community; anonymised in case of account deletion.
• Technical logs: 12 months maximum.
• Accounting data (if payment): 10 years (legal obligation).
8. Your rights
Under GDPR, Bill 25 and PIPEDA, you have the following rights:
• Right of access to your data.
• Right to rectification.
• Right to erasure ("right to be forgotten").
• Right to data portability (export of your data in a structured format).
• Right to restriction of processing.
• Right to object.
• Right to withdraw consent at any time.
To exercise these rights, write to privacy@disheazy.fr. We will respond within 30 days. If you are dissatisfied, you can refer to:
• CNIL (France): www.cnil.fr
• Office of the Privacy Commissioner of Canada: www.priv.gc.ca
• Commission d'accès à l'information du Québec: www.cai.gouv.qc.ca
9. Cookies and trackers
disheazy uses only:
• Strictly necessary session cookies (Supabase authentication). Without them, the service cannot function.
• Vercel Analytics: cookie-less, no individual tracking.
No advertising or third-party tracking cookies are set. You therefore do not need to give prior consent under the ePrivacy directive.
10. Security
We implement reasonable technical and organisational measures to protect your data: TLS encryption of all communications, password hashing (bcrypt), role-restricted access, admin action logging, daily backups. Despite this, no system is infallible. In case of a security breach affecting your data, we will notify you within 72 hours of its discovery, in accordance with GDPR.
11. Minors
Registration is reserved for persons aged at least 16 (in France) and at least 14 (in Quebec, save for parental consent). If we discover that a minor below these thresholds has created an account without authorisation, the account will be deleted.
12. Specific provisions for Quebec (Bill 25)
For users residing in Quebec, specific provisions apply:
• The person in charge of personal information protection is reachable at privacy@disheazy.fr.
• A Privacy Impact Assessment (PIA) has been carried out for transfers outside Quebec; it is available on request.
• Consent is requested in a granular manner for each non-essential purpose.
• The deadline for responding to access requests is 30 days.
In case of dispute, the Commission d'accès à l'information du Québec has jurisdiction.
13. Changes
This policy may be changed to adapt to service evolution or new legal obligations. Users are notified by email of substantial changes. The last-updated date appears at the top of the page.
14. Contact
For any question relating to your personal data: privacy@disheazy.fr. For general queries: contact@disheazy.fr.