Privacy Policy
Last updated: 28 May 2026
This policy explains how Oilive (“we”, “us”) collects, uses, and protects your personal data when you use oilive.app and the Oilive mobile web app (together, the “Service”).
1. Who we are (data controller)
Oilive is an early-stage project with legal entity formation pending. A registered legal name, registered office address, company / VAT number and (where applicable) an EU Art. 27 representative will be published on this page as soon as the entity is formed. Until then, please direct privacy questions and GDPR rights requests to privacy@oilive.app. We will respond within one month as required by Art. 12(3) GDPR.
2. Personal data we collect
- Account data: email address, optional display name, hashed password (or OAuth identifier when you sign in with Google).
- Taste profile: your quiz answers (intensity preference, flavour preferences, budget, use cases, health priority) and the derived persona label.
- Activity data: products you save, tasting log entries, scan history, search queries you submit, and consent state.
- Usage analytics: page views and feature interactions captured via PostHog (EU cloud) — see §6. We do not load PostHog until you grant consent, and we respect Do-Not-Track as a refusal.
- Scan submissions: when you submit a bottle that isn’t in our catalog, we keep the submitted fields (name, producer, barcode if any) and any image you upload, to expand the catalog.
- Technical data: IP address, device type, and browser version, processed by our hosting and infrastructure providers for security, abuse-prevention, and basic operation of the Service.
3. Lawful bases (GDPR Art. 6)
- Contract (Art. 6(1)(b)): creating your account, storing your taste profile and lists, generating recommendations, processing your submissions.
- Legitimate interests (Art. 6(1)(f)): keeping the Service secure, preventing abuse, debugging errors, and analysing aggregated, non-identifying usage to improve features. You can object at any time.
- Consent (Art. 6(1)(a)): loading the PostHog analytics SDK and storing analytics events. You can withdraw consent in settings or via the cookie banner; withdrawal does not affect prior processing.
- Legal obligation (Art. 6(1)(c)): responding to lawful access, retention, or removal requests where applicable.
4. How we use your data
- Generate personalised olive oil recommendations matched to your taste profile.
- Display your wishlist, pantry, and tasting log inside the Service.
- Improve Oilive’s catalog and product based on aggregate, non-identifying usage analysis (only after consent for non-essential analytics).
- Send transactional emails (password reset, sign-in confirmation). We do not send marketing emails without explicit opt-in.
- Detect abuse, fraud, and security incidents.
5. Processors and sub-processors
We do not sell your personal data. We share necessary data with these processors under written agreements:
- Supabase (database, authentication, object storage) — hosted in the EU.
- Vercel (web hosting, edge functions). See Vercel’s sub-processor list for current data-transfer terms.
- PostHog (product analytics) — EU cloud, loaded only after consent.
- Google (optional OAuth sign-in) — only when you choose to sign in with Google.
- OpenAI (image & label parsing when you scan an unknown bottle) — the uploaded image and parsed fields are sent to OpenAI for inference. We do not store or share other personal data with OpenAI.
- Email delivery (Supabase Auth’s built-in provider) — for sign-in, password reset, and security emails.
- Affiliate-link partners and merchants: when you click a “Buy” link we redirect you to a third-party site. We track that click for attribution but do not share your account data with the merchant. The merchant’s own privacy policy applies once you land there.
6. Cookies and similar technologies
We use a small number of strictly-necessary cookies for authentication sessions and for storing your consent choice. We do not load any non-essential or advertising cookies until you click “Accept” on the consent banner. If your browser sends a Do-Not-Track header, we treat that as a refusal.
You can withdraw consent at any time by clearing the oilive_consent item in your browser’s storage, or by writing to privacy@oilive.app.
7. International transfers
Our primary data hosting is in the EU. Some sub-processors (e.g. Vercel, OpenAI, Google OAuth) may transfer data outside the EEA. Where they do, transfers rely on the European Commission’s Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism. We will list the current jurisdictions for each sub-processor on request at privacy@oilive.app.
8. Data retention
- Account data: retained while your account is active. On deletion we remove or irreversibly anonymise it within 30 days, unless we are required by law to keep it longer (e.g. fraud or tax records).
- Activity and analytics data: retained for up to 24 months and then aggregated or deleted.
- Scan submissions: retained for as long as the bottle remains relevant to the catalog; we may anonymise or delete on request.
- Server logs: retained for up to 90 days for security and debugging.
9. Your rights
Under the GDPR and equivalent laws (UK GDPR, Swiss FADP), you have the right to: access your data, correct inaccurate data, request deletion (“right to be forgotten”), restrict or object to processing, receive a portable export of your data, and withdraw consent at any time. Where automated decision-making affects you (we do not make decisions that have legal or similarly significant effects), you also have a right to human review.
To exercise any of these rights, email privacy@oilive.app. We aim to respond within 30 days. You may also lodge a complaint with your local supervisory authority (e.g. CNIL in France, AEPD in Spain, Garante in Italy, ICO in the UK).
10. Security
We use industry-standard safeguards: TLS for all traffic, hashed credentials, row-level security on user-scoped tables in Supabase, and least-privilege access for staff. No system is perfectly secure; if we become aware of a personal-data breach affecting you we will notify you and the relevant supervisory authority in accordance with Art. 33–34 GDPR.
11. Children
Oilive is not directed at children under 16, and we do not knowingly collect data from anyone under 16. If you believe a child has provided us personal data, please contact privacy@oilive.app and we will delete it.
12. Health and polyphenol disclaimer
Oilive is not medical or nutritional advice. Polyphenol values vary by harvest, storage, and testing method. Health-related information on the Service is educational and should be independently verified. Do not rely on Oilive content to make medical decisions.
13. Changes to this policy
We may update this policy as the Service evolves. Material changes will be flagged in-app and dated above. Continued use of the Service after an update means you accept the revised policy.
14. Contact
Privacy questions or requests: privacy@oilive.app. General enquiries: hello@oilive.app. See also our Terms of Service.