Shelvly
Start for free
Back to home

GDPR-first privacy information

Privacy Policy

This policy explains how Shelvly handles personal data for shared pantry and home food stock management. It is designed to support GDPR-style privacy rights and may be updated as the service evolves.

Last updated: 8 June 2026

1. Who we are2. What data we collect3. Why we use data4. Legal bases under GDPR5. How shared pantry data works6. Third-party service providers and processors7. International data transfers8. Data retention9. User rights10. Children11. Security12. Changes to this policy13. Contact

1. Who we are

Shelvly is a pantry and home food stock management app for households, families, and caregivers. Data Controller: Newlux Multiservice LDA. Contact email (TODO): privacy@shelvly.app until the final privacy contact email is confirmed. Company address: TODO before public launch. Registration/tax details: TODO before public launch. Controller country: TODO before public launch.

2. What data we collect

We collect only the data needed to create accounts, keep pantries in sync, support shared access, and keep the service safe.

  • Account data: email address, full name, and avatar URL if provided through Google login.
  • Authentication data: user id, session information, login provider, and Supabase Auth state.
  • Pantry data: pantry names, descriptions, items, quantities, units, categories, locations, expiry dates, and notes.
  • Shared access data: pantry members, roles, invites, and invited email addresses.
  • Activity data: actions such as item added, pantry stocked, item updated, or member invited.
  • Preferences: language, theme, install or home-screen preference, and cookie preference choices.
  • Technical data: device/browser details, IP address, request logs, or deployment logs if collected by hosting or infrastructure providers.
  • Cookies, localStorage, sessionStorage, and similar technologies used for auth, preferences, and app functionality.

3. Why we use data

We use data for clear service purposes and avoid using pantry content for unrelated purposes without a lawful basis.

  • Create and manage user accounts.
  • Provide pantry, fridge, freezer, expiry, and restocking tracking.
  • Save and sync pantry data across devices.
  • Enable shared pantry access, member roles, and invitations.
  • Keep users signed in and protect authenticated routes.
  • Improve security, prevent abuse, and investigate service issues.
  • Provide support and respond to privacy requests.
  • Maintain, improve, and comply with legal obligations for the service.

4. Legal bases under GDPR

Where GDPR applies, Shelvly relies on appropriate legal bases depending on the purpose of processing.

  • Contract: to provide the Shelvly service users request.
  • Consent: for optional cookies, marketing, and optional future AI features where consent is needed.
  • Legitimate interests: security, fraud prevention, debugging, and service improvement that does not override user rights.
  • Legal obligation: where applicable, such as responding to valid legal requests or keeping required records.

5. How shared pantry data works

Shelvly is collaborative. If a pantry is shared, other members or viewers may see pantry items, notes, expiry dates, and activity depending on their role.

  • Pantry owners should invite only the correct people and review roles carefully.
  • Members and viewers may see pantry content and activity depending on access level.
  • Users should avoid entering highly sensitive personal information in pantry names, item names, descriptions, or notes.

6. Third-party service providers and processors

We use trusted providers to run the service and may update this list as the service evolves. See our subprocessors section when it is published.

  • Supabase: authentication, database, storage/session management, and related backend services.
  • Vercel: hosting, deployment, edge/network delivery, and technical logs.
  • Google: OAuth login only if a user chooses Continue with Google; Google may provide name, email, and avatar.
  • Email/password login: users provide email and password credentials; passwords are handled by Supabase Auth and are not displayed in the Shelvly UI.
  • Future providers may include analytics, email delivery, AI/OCR, barcode scanning, recipe suggestion, or payment processors.

7. International data transfers

Data may be processed by providers with infrastructure outside the user’s country. We avoid overpromising where provider locations can change.

  • Providers may process or store data in regions outside Portugal, Mozambique, the EU, or the user’s country.
  • Where GDPR applies, transfers should rely on appropriate safeguards such as standard contractual clauses or equivalent provider safeguards where available.
  • We will update this policy if data hosting or important provider arrangements materially change.

8. Data retention

We keep data for as long as needed to provide the service, support security, meet legal obligations, or complete deletion workflows.

  • Account data is retained while the account is active unless deletion is requested and completed.
  • Pantry data is retained while the user account, pantry, or shared pantry membership exists.
  • Deleted data may remain in backups for a limited period. TODO: add exact backup retention period when confirmed.
  • Invites and activity logs may be retained for security, audit, and abuse prevention unless deleted according to the final retention policy.

9. User rights

Where GDPR-style rights apply, users can request access, correction, deletion, restriction, objection, portability, or withdrawal of consent. Portuguese users may complain to CNPD, the Portuguese supervisory authority.

  • Access a copy of personal data we process.
  • Rectify inaccurate or incomplete data.
  • Request deletion of account and pantry data where available and lawful.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interests.
  • Request portability of data in a commonly used format where technically feasible.
  • Withdraw consent for optional processing without affecting previous lawful processing.
  • Complain to a supervisory authority, including CNPD for Portugal.

10. Children

Shelvly is not intended for children under 16 unless use is allowed with appropriate guardian consent under applicable law. If we learn that a child has used the service without the required consent, we will take appropriate steps.

11. Security

We design Shelvly with practical security measures, but no online service can guarantee absolute security.

  • Supabase Auth supports account login and session management.
  • Protected routes limit access to authenticated areas.
  • Access controls and roles help separate pantry owners, members, and viewers.
  • Row-level security is used in Supabase to restrict database access.
  • HTTPS encrypted transport protects data in transit.
  • Users should protect their accounts and report suspicious access.

12. Changes to this policy

This policy may be updated as the service evolves, including when new features such as receipt scanning, barcode scanning, recipe suggestions, analytics, payments, or new providers are added.

13. Contact

For privacy questions or GDPR-style rights requests, contact privacy@shelvly.app while the final privacy contact email is being confirmed. Data Controller: Newlux Multiservice LDA. TODO before public launch: confirm the final privacy contact email, company address, and registration/tax details.

Questions about privacy?

Use the privacy contact for data protection questions, rights requests, or controller details that still need to be finalized.

privacy@shelvly.app