Privacy Policy
GDPR Compliant (EU Regulation 2016/679) — Last updated: February 24, 2026
1. Data Controller
The data controller is the natural or legal person who determines the purposes and means of processing personal data. For any questions regarding your data, you can contact us at the address above.
2. Data Collected and Legal Bases
The table below summarizes all processed data, their purpose, and their legal basis under Article 6 of the GDPR:
Account Data
- Data: Email address, first name, last name
- Purpose: User account creation and management, authentication
- Legal basis: Contract performance (Art. 6.1.b GDPR)
- Retention period: Account lifetime + 3 years after deletion (legal obligations)
Allergen Preferences
- Data: Selected allergens, personalized dietary criteria
- Purpose: Personalization of scan analysis
- Legal basis: Contract performance (Art. 6.1.b GDPR) — Since this data relates to health, its processing also relies on explicit consent (Art. 9.2.a GDPR)
- Retention period: Account lifetime
Scan Images
- Data: Photos or images of food labels imported by the user
- Purpose: OCR and AI analysis to detect ingredients and allergens
- Legal basis: Contract performance (Art. 6.1.b GDPR)
- Retention period: 24 months from the scan date, then automatic deletion
- Access: Stored in a private Supabase bucket, accessible only by the owning user
Scan Results and History
- Data: List of extracted ingredients, detected allergens, date and time of scan
- Purpose: History display, service improvement
- Legal basis: Contract performance (Art. 6.1.b GDPR) and legitimate interest (Art. 6.1.f GDPR)
- Retention period: Account lifetime
Payment Data
- Data: Transaction amount, date, order reference
- Purpose: Billing and credit management
- Legal basis: Contract performance (Art. 6.1.b GDPR) and legal obligation (Art. 6.1.c GDPR)
- Retention period: 10 years (legal accounting obligation)
- Note: Bank card data is processed exclusively by Stripe. YumiScan does not store any card numbers.
Consent Log
- Data: Accepted TOS version, date and time of acceptance, health warning acceptance
- Purpose: Proof of consent (GDPR legal obligation)
- Legal basis: Legal obligation (Art. 6.1.c GDPR)
- Retention period: 5 years from the date of acceptance
3. Third-party Services and Subcontractors
YumiScan uses the following service providers to deliver the service. Each provider acts as a subcontractor and only processes data necessary for its function:
Supabase — Infrastructure and database
User data storage, authentication, scan images. Data hosted in the EU (eu-west). supabase.com/privacy
Google (Gemini API) — Artificial Intelligence
Image processing for OCR analysis and ingredient classification. Images are transmitted to the Google Gemini API for analysis and are not retained by Google beyond processing. policies.google.com/privacy
Stripe — Online payment
Secure payment processing, PCI-DSS Level 1 certified. YumiScan does not receive or store any credit card data. stripe.com/privacy
Vercel — Frontend Hosting
Web application hosting. Standard navigation data (IP address, user-agent) may be temporarily logged for security purposes. vercel.com/legal/privacy-policy
4. Data Transfers outside the European Union
Some providers (Vercel, Google Gemini, Stripe) may process data in countries outside the European Union, specifically in the United States. These transfers are governed by appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- EU-U.S. Data Privacy Framework certification, where applicable.
Data in the primary database (Supabase) is hosted within the European Union.
5. Cookies and Trackers
YumiScan uses the following types of cookies and trackers:
Strictly necessary cookies (exempt from consent)
Supabase authentication session. These cookies are essential for the application to function and cannot be disabled.
Analytical cookies (subject to consent)
Audience measurement tools (Google Analytics, etc.), activated only if you have given your consent. These cookies allow us to improve the user experience by analyzing service usage.
Advertising cookies (subject to consent)
Advertising tracking pixels (Meta Pixel, TikTok Pixel, Google Ads), activated only if you have given your consent. These trackers allow us to measure the effectiveness of our advertising campaigns.
You can modify your cookie preferences at any time via the "Cookie Management" link available at the bottom of the page. In accordance with CNIL recommendations, your consent is obtained prior to setting any non-essential cookies.
6. Your Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten").
- Right to restriction (Art. 18): request the suspension of your data processing.
- Right to data portability (Art. 20): receive your data in a structured, readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise your rights: delete your account from the "My Account" page or contact us through the Contact page. We will respond within a maximum of one (1) month from receipt of your request.
In case of an unsatisfactory response, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): cnil.fr.
7. Data Security
The Publisher implements appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of communications via TLS/HTTPS;
- Secure authentication managed by Supabase Auth;
- Data isolation per user (Row-Level Security in the database);
- Access to scan images restricted to the account owner;
- Payments processed by Stripe (PCI-DSS Level 1 certified).
In the event of a data breach likely to cause a risk to your rights and freedoms, the Publisher commits to informing you as soon as possible in accordance with Article 34 of the GDPR.
8. Policy Changes
This privacy policy may be updated to reflect changes in our practices or to comply with new legal obligations. In the event of a substantial change, you will be informed by email and/or via a notification in the Application. The date of the last update is indicated at the top of the document.
Privacy Policy — Effective since February 24, 2026 — YumiScan