Privacy Policy

Quick summary

1. Who we are

Sapora is operated by Sapora Inc., a company incorporated in Canada with registered office in Montréal, Québec. For the purposes of the EU General Data Protection Regulation (GDPR), Sapora Inc. is the data controller of the personal data described in this policy.

Contact our privacy team at [email protected].

2. What we collect

Information you give us

• Account: email, display name, password hash (or provider ID if you sign in with Apple or Google), optional avatar and bio.
• Dietary preferences: allergies, diet type, nutrition targets — only if you enter them.
• Your recipes, plans and shopping lists: everything you save or build inside Sapora.
• Support: email correspondence when you contact us.

Information we collect automatically

• Device info: model, OS version, app version, language, timezone.
• Usage analytics: which screens you opened, which features you used, extraction latency, crash reports. Aggregated and anonymised.
• Approximate location: city-level, from IP, used to match flyer deals to your region. We never store a precise GPS location.

Information from third parties

• Source videos: when you paste a TikTok / Instagram / YouTube / Pinterest link, we fetch the publicly available page (video, description, captions) to extract the recipe. We don't retain the full video — only the extracted structured data.
• Payment processors: Apple, Google or Stripe confirm a subscription is active. We never receive or store your card number.

3. How we use your information

• Provide and operate the Sapora app and web service.
• Extract structured recipes from the links you import.
• Sync your data across your devices if you have an account.
• Personalise the Discover feed, meal-plan generator and flyer matches to your preferences.
• Keep the service secure (fraud detection, abuse prevention, rate limiting).
• Bill you accurately and honor your subscription.
• Improve our extraction models — only on aggregated, de-identified data.
• Communicate with you: product updates, security notices, customer support. Marketing emails are opt-in only.

4. Sharing & third parties

We share data only with the service providers we need to run Sapora. Each one is bound by a data-processing agreement and is not allowed to use your data for their own purposes.

We do not sell personal data, share it with advertisers, or use it for third-party marketing.

5. Legal basis for processing (GDPR)

• Performance of a contract — most processing (running the app, syncing your recipes, billing) is needed to deliver the Sapora service you signed up for.
• Legitimate interest — security, abuse prevention, improving extraction on aggregated data.
• Consent — marketing emails, location-based flyer matches, optional product surveys. You can withdraw consent at any time.
• Legal obligation — tax records, responding to valid legal requests.

6. Storage & security

• All data is stored in AWS in the Canada region, replicated for redundancy.
• Encryption in transit: TLS 1.3.
• Encryption at rest: AES-256.
• Passwords: we never store plain-text passwords; we hash them with argon2id.
• Payment details: held by Apple, Google or Stripe — we never see your card number.
• Role-based access internally; every access is logged and audited.

7. How long we keep your data

• Account & recipes: until you delete your account. Guest-mode data lives only on your device.
• Analytics: up to 24 months, in anonymised form.
• Billing records: 7 years, to meet tax and accounting obligations.
• Support emails: 2 years after the last interaction.

When you delete your account, we purge personal data within 30 days. Backups holding your data are purged within a further 90 days.

8. Your rights

Depending on where you live, you have some or all of these rights over your data:

• Access — see what we hold about you (Settings → Data & Privacy → Export).
• Rectification — fix anything that's wrong.
• Erasure — delete your account and data.
• Restriction — ask us to pause processing.
• Portability — download a machine-readable copy.
• Objection — opt out of marketing or legitimate-interest processing.
• Withdraw consent — at any time, for consent-based processing.
• Complain — file a complaint with your local data-protection authority. In Canada: the Office of the Privacy Commissioner. In the EU: your national DPA.

Most actions live inside the app under Settings → Data & Privacy. For anything else, email [email protected] and we'll respond within 30 days.

9. Cookies & tracking

The Sapora app uses a single first-party analytics SDK (Mixpanel, anonymised). The web dashboard uses essential cookies for login and CSRF protection, and one optional analytics cookie you can decline in the banner. We do not use third-party advertising cookies or tracking pixels.

10. Children

Sapora is not directed at children under 13 (under 16 in the EEA and UK). We do not knowingly collect data from children. If you believe a child has given us data, email [email protected] and we'll delete it.

11. International transfers

Some of our processors are based in the US or EU. When data leaves Canada we rely on standard contractual clauses (SCCs) and adequacy decisions where applicable to ensure an equivalent level of protection.

12. Changes to this policy

We'll update this page when the policy changes and bump the "Last updated" date at the top. Material changes are announced in-app and by email at least 30 days before they take effect. Continued use of Sapora after that constitutes acceptance of the revised policy.

13. Contact us