R A by FoodWeb

Privacy Policy

Effective date: 01 / 01 / 2026
Last updated: 16 / 05 / 2026

1. Who we are

FoodWeb AI Ltd (“ROA”, “we”, “us”) is the data controller for personal data processed through the ROA application and website (roaapp.ai).

  • Registered address: 2 Castle Close, London SW19 5NH, United Kingdom
  • Company number: 16018953 (England & Wales)
  • VAT number: 482681365
  • Contact for privacy matters: privacy@roaapp.ai
  • EU representative (Art. 27 GDPR): Arnav Agarwal, privacy@roaapp.ai.
  • UK representative: not required — FoodWeb AI Ltd is established in the UK.
  • Data Protection Officer: not appointed (Article 37 assessment kept on file).

2. Scope

This policy describes how we process personal data of ROA users (account holders, members of kitchens), visitors to roaapp.ai, and users who interact with us by email or in-app messaging.

3. What data we collect and why

| Category | Examples | Source | Purpose | Lawful basis |
|---|---|---|---|---|
| Account identity | Email, name, profile photo, OAuth identifiers from Apple / Google | You (signup), your OAuth provider | Create and operate your account | Contract — Art. 6(1)(b) |
| Kitchen / business profile | Kitchen name, address, opening hours, social, website, type | You | Run the service | Contract |
| Membership & role | Which kitchens you belong to and your role | You / kitchen owner | Access control | Contract |
| Content data | Recipes, chats, invoices, menus, supplier info, parsed documents and the files you upload | You and your team | Provide product features | Contract |
| Billing data | Stripe customer ID, billing address, invoice history. Payment card data is held by Stripe, not by us. | You, via Stripe Checkout | Subscriptions and tax records | Contract; legal obligation (tax) |
| Device data | Device ID, name, platform, app version, device fingerprint, push token | Your device | Device limits, push notifications, account security | Contract; legitimate interest (security) |
| Technical & usage data | IP address, user-agent, error reports, performance traces; on web, optional session replay if you consent | Your device, our servers | Stability, security, abuse prevention | Legitimate interest; consent for non-essential telemetry |
| Support / feedback | What you write to us, optional screenshots, your email | You | Customer support | Contract; legitimate interest |
| Communications | Auth emails, invitations, transactional notifications | You / your team | Service operation | Contract |

Special category data (Article 9). The content you upload (recipes, chats, dietary notes) may reveal information about religious diet, allergies, or health. We do not ask for this directly and do not use it for profiling. By uploading content you accept that we will store and process it as part of the service.

What we do NOT collect:

  • Payment card numbers (Stripe holds these directly).
  • Tracking data for advertising purposes.
  • Biometric data.

4. Sources

Most data comes directly from you when you sign up and use the service. Some comes from your team. Some comes from third parties when you use them to sign in (Apple, Google).

5. How long we keep it

  • Active accounts: while the account exists.
  • Deleted accounts: hard-deleted from production within 30 days; backups roll off within 30–35 days.
  • Stripe invoices: retained for at least 10 years for tax compliance.
  • Server logs: 30–90 days.
  • Sentry telemetry: 30–90 days, per Sentry project settings.

6. Who we share it with (sub-processors)

Main sub-processors: Supabase (database, auth), Google Cloud (hosting, file storage, AI inference via Vertex AI), Stripe (payments), Sentry (error monitoring), MailerSend (transactional email), Notion (support tickets), Neo4j Aura (ingredient graph), Expo (mobile push). We notify users of material changes before they take effect.

7. International transfers

ROA operates on EU-only data residency: primary infrastructure in europe-west1 (Belgium), Sentry in the EU region (de.sentry.io), MailerSend processes in the EU, Vertex AI inference pinned to EU regions. Where data is transferred outside the EEA / UK we rely on the EU → US Data Privacy Framework where the recipient is certified, and/or the European Commission's Standard Contractual Clauses (2021/914) plus, for UK transfers, the UK International Data Transfer Addendum.

8. Your rights

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate data (Art. 16).
  • Erase your data (Art. 17). Self-serve via Settings → Account.
  • Restrict or object to processing (Art. 18, 21).
  • Data portability (Art. 20).
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your supervisory authority. Our lead supervisory authority is the UK ICO, ico.org.uk.

We respond within one month (extendable to three for complex requests, with notice).

9. Automated decision-making

We use AI models (Google Gemini and Anthropic Claude via Google Vertex AI) to parse uploaded documents and recipes. These models do not make decisions that produce legal or similarly significant effects on you within the meaning of Art. 22.

10. Security

TLS in transit, disk encryption at rest, row-level security in the database, least-privilege access by ROA staff, vendor-side certifications (SOC 2 / ISO 27001 where applicable).

11. Children

ROA is not directed at children under 16. We do not knowingly collect personal data from anyone under 16.

12. Changes to this policy

We post material changes here and, where appropriate, notify you in-app or by email at least 30 days before they take effect.

13. Contact

privacy@roaapp.ai — we aim to respond within 5 business days.

© 2026 FoodWeb Inc.