Privacy Policy

We collect the following categories of personal information:

Account information: When you create an account, we collect your name, email address, and authentication credentials. If you sign in with Google, we receive your name and email from Google.

Meal preferences: Information you provide during onboarding, including household size, dietary requirements, allergies, cuisine preferences, disliked ingredients, cooking skill level, budget preference, and cooking equipment. This data is used solely to personalise your meal plans.

Subscription and payment information: When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other payment credentials on our servers. We receive from Stripe your subscription status, plan tier, and billing cycle information.

Usage data: We may collect anonymised data about how you interact with the Service, such as pages visited, features used, and meal plans generated. This helps us improve the product.

Device and browser information: Standard technical information including IP address, browser type, and operating system, collected automatically through server logs.

We use your personal information to:

Provide and maintain the Service, including generating personalised meal plans based on your preferences; process your subscription and manage your account; communicate with you about your account, updates, or support requests; improve and develop new features for the Service; comply with legal obligations; and detect and prevent fraud or abuse.

We will not use your personal information for purposes materially different from those described above without your consent.

We share your information with the following third-party service providers, only to the extent necessary to operate the Service:

Supabase (database and authentication) — stores your account data, preferences, and meal plans. Data is hosted in Supabase's infrastructure. See Supabase's Privacy Policy.

Stripe (payment processing) — processes all payment transactions. We do not have access to your full card details. See Stripe's Privacy Policy.

Anthropic (AI meal plan generation) — your meal preferences (dietary requirements, allergies, cuisine preferences, household size, and similar non-identifying data) are sent to Anthropic's Claude API to generate meal plans. Your name, email, and payment information are never sent to Anthropic. See Anthropic's Privacy Policy.

Vercel (hosting) — hosts the application. Standard server logs may include your IP address. See Vercel's Privacy Policy.

We do not sell your personal information to any third party.

Cartd uses essential cookies for authentication and session management. These are necessary for the Service to function and cannot be disabled.

We may use privacy-friendly analytics (such as Vercel Analytics or Plausible) to understand how the Service is used. These tools do not use cookies for tracking and do not collect personally identifiable information.

We do not use advertising cookies or share data with advertising networks.

We retain your personal information for as long as your account is active or as needed to provide the Service. Meal plans and preferences are retained in your account until you delete them or close your account.

If you delete your account, we will delete your personal information within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes.

Anonymised and aggregated data that cannot identify you may be retained indefinitely for analytics and product improvement.

Under the Australian Privacy Act, you have the right to:

Access the personal information we hold about you; correct any inaccurate or out-of-date information; request deletion of your personal information; and withdraw consent where we rely on consent to process your data.

To exercise any of these rights, please contact us at privacy@cartd.com.au. We will respond within 30 days.

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. This includes using HTTPS encryption for all data in transit, secure authentication via Supabase, and access controls on our infrastructure.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us and we will take steps to remove that information.

Your information may be processed and stored in countries outside of Australia by our third-party service providers (including the United States). Where this occurs, we take reasonable steps to ensure your information receives a level of protection consistent with the Australian Privacy Principles.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to make a complaint about our handling of your personal information, please contact us at: privacy@cartd.com.au

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).