Privacy Policy

Last updated 23 June 2026

Template — not legal advice. This document is a development draft and must be reviewed and finalised by qualified Dutch/EU counsel before launch. Items in brackets like […] are placeholders to be completed.
Your allergies are health data. The allergens and diets you set are special-category data under Article 9 GDPR. We process them only with your explicit consent, and you can withdraw it at any time.

1. Who is responsible (controller)

[Legal entity name], KvK [number], [registered address], Netherlands, is the data controller. Contact: privacy@allergent.app. Given our large-scale processing of special-category data, a Data Protection Officer is likely mandatory under Art. 37(1)(c) — [appoint a DPO and publish their contact details].

2. What we collect

  • Allergens & diets you select (health data). As a guest these stay on your device; if you have an account and consent, they are saved to your profile.
  • Account data — email address and display name — if you create an account.
  • Usage & device data via analytics, only if you allow it (section 4).
  • Favourites, points, and consent records (what you agreed to, and when).
  • Approximate location if you tap "Use my location", used only in your browser to sort nearby restaurants — we don't store your coordinates.

3. Why we use it, and our lawful basis

  • Filtering menus to your allergens — our core feature. Processing of your allergy data relies on your explicit consent (Art. 9(2)(a)). Non-health account mechanics (login, favourites) rely on performance of our contract with you (Art. 6(1)(b)). Withdrawing your Art. 9 consent stops all allergy processing and erases the stored profile.
  • Analytics — your consent (Art. 6(1)(a)); see section 4.
  • Allergy-tailored emails — your separate explicit consent (Arts. 6(1)(a) + 9(2)(a)); see section 5.
  • Sharing with partners — your separate explicit consent; see section 6.
  • Security & legal compliance — our legitimate interests / legal obligations.

4. Cookies & Google Analytics

We use strictly-necessary storage (your consent choice, session, theme, and your locally held allergens), which needs no consent. With your consent we use Google Analytics to understand usage. We do not load Google Analytics or set any analytics cookies until you opt in, and you can withdraw your consent in your Account at any time. Analytics involves a transfer to Google (US) under the EU–US Data Privacy Framework and Standard Contractual Clauses. [Confirm the GA4 configuration and transfer wording with counsel.]

5. Allergy-tailored marketing emails

Only if you opt in (separately, in your Account) will we send occasional emails matched to your allergens. Because these use your health data, this is a separate explicit consent. You can unsubscribe from any email or switch it off in your Account — doing so both stops the emails and withdraws the tailoring consent. We do not rely on any "soft opt-in" exception for these emails.

6. Sharing your profile with partner companies

We would like to be able to share your name, email and allergy profile with selected partner companies (for example food, free-from or wellness brands), and potentially sell them, as commercial leads. We would do so only with your separate, explicit opt-in consent, which you can withdraw at any time.

This feature is not active. Sharing special-category health data with third parties is high-risk processing. We will not enable it until we have (a) completed a Data Protection Impact Assessment under Art. 35 (and, if needed, prior consultation with the Dutch DPA, the Autoriteit Persoonsgegevens), (b) published the actual named partner recipients at the point of consent, and (c) obtained confirmation from qualified counsel that it is lawful. Until then no profile data is shared, and the opt-in is shown as inactive.

7. Who else processes your data

Service providers acting on our instructions ("processors") — for example our hosting and database provider (Supabase) and email provider — process data to run the Service under data-processing agreements. They are not permitted to use your data for their own purposes.

8. International transfers

Where data is processed outside the EU/EEA (e.g. analytics), we rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses.

9. How long we keep it

We keep account and allergy data while your account is active and delete it on request or when no longer needed. Consent records are kept for accountability for [retention period — e.g. up to 5 years] even after account deletion. [Confirm retention periods with counsel.]

10. Your rights

Under the GDPR you can:

  • access, rectify, or erase your data;
  • restrict or object to processing, and request portability;
  • withdraw consent at any time (as easily as you gave it) — this does not affect processing already carried out;
  • lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens, or your local EU/EEA authority.

Manage analytics, emails and sharing directly in your Account, or contact privacy@allergent.app.

11. Security

We use appropriate technical and organisational measures, including row-level access controls, to protect your data. No system is perfectly secure.

12. Children

The Service is not intended for users below the applicable age of digital consent (16 in the Netherlands; the local age elsewhere in the EU/EEA). We do not knowingly collect health data from children below that age without verifiable parental consent.

13. Changes

If we materially change this policy or our consent categories we will ask you to review your choices again before relying on them.

You can change your privacy choices anytime in your Account. Contact: privacy@allergent.app.