Privacy Policy
Effective April 20, 2026
This Privacy Policy describes what Right Byte (“we”) collects when you use Right Byte, why we collect it, and what your choices are. We aim to collect the minimum needed to operate the service.
1. What we collect
Account information
- Email address — for sign-in, password reset, and transactional emails.
- Password hash — bcrypt-hashed; we never see or store your raw password.
- Display name (optional).
Household data you enter
- Family member names, age bands, and dietary information (allergies, conditions, preferences, dislikes).
- Pet information for pet-food recipes.
- Meal plans, recipes, shopping list items, and any custom notes you add.
- Household settings (preferred cuisines, time budgets, etc.).
Sensitive data note: dietary information you enter may include health-related data such as medical conditions (diabetes, celiac, IBD, etc.) and allergies. We treat this with the same protections as the rest of your account data, but Right Byte is not a HIPAA-covered entity. Don’t enter information you wouldn’t want associated with your email address in a consumer-app database.
Usage data
- AI generation logs: timestamps, which feature was used (meal plan, swap, nutrition, pet food), token counts, and a hash of the prompt context. Used for cost accounting, abuse detection, and product improvement.
- Bug reports you submit, including any context (URL, browser version, viewport) attached automatically by the in-app reporter.
- Standard server logs: IP address, request path, user agent, response code, timestamp.
Payment data (Plus subscribers only)
Payment is handled by Stripe. We store your Stripe customer ID and subscription status, but we never see or store your full card number, CVC, or expiration date.
2. How we use it
- To operate the service: authenticate you, save your data, generate the meals and shopping lists you ask for.
- To send you transactional emails: sign-in links, password resets, your weekly meal-plan reminder if you enabled it, billing receipts.
- To enforce usage limits, detect abuse, and improve the product (e.g. reviewing aggregate cost data per feature).
- To provide customer support when you contact us.
- To comply with legal obligations.
3. Third-party services
We share data with these processors only as needed to operate the service. Each handles your data under its own privacy policy.
- Anthropic (Claude API) — receives the prompt context for AI generation: household profile, restrictions, your notes for that generation. Anthropic Privacy Policy.
- Stripe — payment processing. Stripe Privacy Policy.
- Resend — transactional email delivery. Resend Privacy Policy.
- Railway — application hosting + database. Railway Privacy Policy.
- Sentry (if enabled) — runtime error monitoring. We don’t send personally identifying request bodies; Sentry receives stack traces, route paths, and timestamps. Sentry Privacy Policy.
- Instacart (when you tap “Send to Instacart”) — receives the contents of your shopping list to start a cart. Instacart Privacy.
4. We do not sell your data
We don’t sell, rent, or trade your personal information. We don’t serve ads. We don’t use third-party tracking beyond what’s necessary to operate the service.
5. Your rights
You can:
- Access your data — most of it is visible in the app; contact us for a full export.
- Update your data anytime in the app.
- Delete your account and all associated data — from account settings, or by emailing support@rightbyte.net. Deletion is permanent and removes data from active systems within 30 days. Backups age out on a rolling schedule.
- Object to or restrict processing, or withdraw consent for processing based on consent. Email support@rightbyte.net.
Residents of the EU/EEA, UK, and California have additional rights under GDPR / UK GDPR / CCPA respectively, including the right to lodge a complaint with a supervisory authority. We respond to verified rights requests at no cost within 30 days.
6. Retention
- Account + household data: retained while your account is active. Deleted within 30 days of account deletion.
- AI usage logs: retained for 13 months for billing reconciliation, then aggregated and the per-call rows deleted.
- Bug reports: retained until triaged + resolved, plus 90 days.
- Server logs: retained for 14 days.
7. Security
We use industry-standard practices: HTTPS-only, bcrypt password hashing, server-side session cookies marked Secure + HttpOnly, rate limiting on auth endpoints, multi-tenant data isolation verified per audit, single-use password reset tokens stored as SHA-256 hashes. No system is perfectly secure; if you suspect unauthorized access, notify us promptly.
8. Cookies and similar technologies
We use a small set of essential cookies to keep you signed in and remember preferences. We do not use third-party advertising cookies. The service worker caches static assets for performance and offline shopping-list use.
9. Children
Right Byte is not directed to children under 13. We don’t knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us at support@rightbyte.net and we’ll delete it.
10. International users
Our servers are hosted in the United States. By using the service from outside the US, you consent to your information being transferred to and processed in the US.
11. Changes to this policy
We may update this Policy from time to time. Material changes will be communicated by email to registered users at least 14 days before they take effect.
12. Contact
Questions, requests, or concerns? Email support@rightbyte.net.
This Privacy Policy was drafted as a starting template. It has not been reviewed by an attorney. Before charging users or accepting registrations from the general public, have a lawyer review and adapt it for your specific jurisdiction (especially regarding GDPR, CCPA, and any state-level privacy laws that apply to your users).
