Privacy Policy
Last updated: 2026-03-23
TL;DR: We collect the minimum data needed to run GreLife (email, name, password). We don't track you, we don't show ads, and we don't sell your data. AI suggestions are optional and require your consent. Your data stays in Switzerland. You can export or delete everything on request.
1. Who is responsible
Loïc Gremaud Email: contact@grel.info
2. What we collect and why
| Data | Why we need it | Legal basis |
|---|---|---|
| Email address | So you can log in | Contract |
| Display name | So your family sees your name | Contract |
| Password | Authentication (we only store an irreversible hash) | Contract |
| IP address | Protect against attacks, rate limiting | Legitimate interest |
| User-agent | Session security | Legitimate interest |
| Language preference | Show the app in your language | Contract |
We also store what you create: recipes, meal plans, shopping lists, ingredients, tags, and family invitations. This data belongs to your family and is isolated from other families at the database level.
We may analyze aggregated or anonymized usage patterns to improve the service (for example, better meal suggestions or faster performance). This never exposes one family's data to another.
3. How we treat your data today
- No data selling. Your data is not a product.
- No tracking. No analytics, no tracking pixels, no fingerprinting.
- No ads. GreLife is ad-free.
- No sharing except with OpenAI for AI suggestions (and only with your consent).
If this changes, we will update this policy, notify you, and give you a choice (see Terms of Service, section 6).
4. AI meal suggestions (optional)
This feature requires your family's explicit consent. When enabled, we send the following to OpenAI (based in the United States):
- Recipe names, ingredient names, and tag names
- Meal history (last 8 weeks: dates and meal names)
- Your language preference
- Custom meal instructions (if provided)
We never send your email, password, or personal identifiers to OpenAI.
You can withdraw consent and disable this feature at any time. The data transfer to the US is covered by Standard Contractual Clauses (SCCs) in our Data Processing Agreement with OpenAI.
5. Cookies
We use exactly two cookies, both strictly necessary:
| Cookie | Why | Duration |
|---|---|---|
session_id |
Keeps you logged in | 7 days |
PARAGLIDE_LOCALE |
Remembers your language | 400 days |
No tracking cookies. No analytics cookies. No cookie banner needed.
6. Third parties
| Who | Why | Where | Safeguard |
|---|---|---|---|
| OpenAI | AI meal suggestions (optional) | United States | DPA with SCCs |
That's it. No analytics providers, no ad networks, no error tracking services.
7. Where your data lives
Your data is hosted in Switzerland on infrastructure we operate ourselves. The database (PostgreSQL) and cache (Redis) are self-hosted. No cloud provider processes your data.
If this changes, we will update this policy.
8. How long we keep your data
| Data | How long |
|---|---|
| Your account | Until you delete it |
| Recipes, meal plans, shopping lists | Until you delete them or your account |
| Sessions | 7 days (auto-deleted) |
| AI suggestion cache | 24 hours (auto-deleted) |
| Meal history for AI | Rolling 8-week window |
| Backups | Up to 30 days (auto-deleted) |
| Cold storage snapshots | Up to 90 days (auto-deleted) |
We don't keep data longer than necessary. When you delete something, it is removed from the live database immediately. Automated backups and cold storage snapshots kept for disaster recovery may still contain deleted data for up to 90 days, after which they are permanently deleted. We never restore individual data from backups to reverse a deletion you requested. If we ever perform a full database restore, we make reasonable efforts to re-apply deletion requests that occurred after the backup date.
9. Your rights
You can always:
- See your data: request a copy of everything we have about you.
- Fix your data: correct anything that's wrong.
- Delete your data: request full deletion of your account and data.
- Export your data: get your data in a machine-readable format.
- Restrict processing: ask us to limit how we use your data.
- Object: object to processing based on legitimate interest.
- Withdraw consent: turn off AI suggestions at any time.
Contact us at contact@grel.info. We respond within 30 days.
10. Access to your data
We only look at your data when:
- You ask us for help (support request)
- We need to fix a technical issue affecting your account
- We are legally required to (court order, legal obligation)
We never browse your data out of curiosity.
11. Children
Children can use GreLife only through a parent or guardian's invitation. We don't allow direct registration for minors. The inviting parent is responsible for their children's access.
12. How we protect your data
- Passwords are hashed with Argon2id (industry best practice)
- Sessions use cryptographically random identifiers
- Authentication cookies are HttpOnly and Secure
- CSRF protection via custom headers and SameSite cookies
- Rate limiting on login and registration
- Database-level row security isolates each family's data
13. If something goes wrong
If we discover a data breach that puts your rights at risk:
- We notify the Swiss data protection authority (FDPIC) as quickly as possible
- We notify the relevant EU authority within 72 hours (if GDPR applies)
- We inform you directly if the breach poses a high risk to you
14. Where to complain
You can lodge a complaint with:
- Switzerland: FDPIC, https://www.edoeb.admin.ch
- EU: The data protection authority in your country
15. Changes to this policy
When we update this policy, we change the date at the top. For significant changes, we notify you by email or in the app.