Privacy Policy

1. What this policy covers

ExtraBite is the data controller for personal data collected in connection with marketplace operations — account registration, listings, orders, messaging, and delivery. Stripe is an independent data controller for payment data processed through its platform; their use of that data is governed by the Stripe Privacy Policy, not this one.

This policy does not cover data practices of third-party websites you may link to from ExtraBite.

2. Data we collect

Account information

When you register, we collect your name, email address, phone number, and a password hash (stored and managed by Supabase Auth — we never see your plaintext password).

Profile and location

Your home address is geocoded to a geographic point stored in our database; we use this to match buyers with nearby sellers. Buyers may also provide food preferences and allergen information to help sellers tailor their offerings.

Seller-specific data

If you enable seller mode, we also collect your specialties, availability schedule, Stripe Connect account ID, and payout history.

Order history

We record the items, quantities, and totals for each order, the fulfillment type (pickup or delivery), and the delivery address when applicable.

Messages

Buyer–seller message threads are scoped to individual orders and stored on our servers. These messages may be reviewed by ExtraBite staff when investigating a dispute.

Payment methods

Card details are tokenized and held by Stripe. We never receive or store raw card numbers, CVVs, or full account numbers on our servers.

Delivery proof

When a seller marks an order delivered, the app optionally captures a photo and GPS coordinates at the moment of delivery. This data is stored in private cloud storage and is accessible only to ExtraBite staff and, when a payment dispute is filed, to Stripe as supporting evidence.

Device and analytics data

We use PostHog to capture client and server events, page views, and (if enabled) session recordings. This data is used to understand how the product is used and to improve it. PostHog events may include your IP address, device type, and browser information.

3. How we use it

• Fulfillment — to process orders, coordinate pickup or delivery, and send order status notifications.
• Safety and fraud prevention — to detect suspicious activity, enforce our Terms of Service, and protect buyers and sellers from fraud.
• Dispute resolution — to mediate order disputes and, when a chargeback is filed with a card issuer, to submit evidence (proof-of-delivery photo, GPS coordinates, and order messages) to Stripe on the seller's behalf. See Section 8 of our Terms of Service for details on the dispute process and applicable fees.
• Analytics and product improvement — to understand how buyers and sellers use ExtraBite so we can make the product better.
• Service communications — to send transactional emails (order confirmations, payout notices, dispute updates) and, with your consent, marketing emails. You can unsubscribe from marketing emails at any time via the link in any such email.

4. Who we share it with

We do not sell your personal data. We share it only with the sub-processors listed below, each of which is bound by their own privacy commitments:

• Stripe — payments and Stripe Connect payouts. Privacy policy: stripe.com/privacy.
• Supabase — Postgres database, object storage, and authentication. Privacy policy: supabase.com/privacy.
• PostHog — product analytics and session recordings. Privacy policy: posthog.com/privacy.
• Resend — transactional and marketing email delivery. Privacy policy: resend.com/legal/privacy-policy.
• Vercel — application hosting and edge network. Privacy policy: vercel.com/legal/privacy-policy.
• Google Maps Platform — address geocoding (converting your street address to geographic coordinates for local search). Privacy policy: policies.google.com/privacy.

We may also disclose your data when required by law, court order, or regulatory authority.

5. Retention

• Order records — retained for as long as your account is open, plus the statute-of-limitations window required by applicable law. [ATTORNEY TO CONFIRM SPECIFIC PERIOD.]
• Delivery-proof photos and GPS — automatically deleted 180 days after upload by a scheduled cron job.
• Messages — retained for the life of your account.
• Analytics (PostHog) — retained per PostHog's default retention policy. See their privacy policy for details.

6. Your rights

Depending on where you live, you may have rights to:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate data.
• Portability — receive your data in a machine-readable format.
• Deletion — ask us to delete your account and associated personal data. Note that orders still inside the 180-day Stripe dispute window, or subject to a legal hold, cannot be deleted until that window closes.

To exercise any of these rights, email support@tryextrabite.com.

7. Children

ExtraBite is intended for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us at support@tryextrabite.com so we can remove it.

8. California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you additional rights:

• Right to know — what personal information we collect, use, and disclose.
• Right to delete — subject to certain exceptions (see Section 6 above).
• Right to correct — inaccurate personal information.
• Right to limit use of sensitive personal information — we use sensitive data only as necessary to provide the service.

We are not a “data broker” as defined under California law; we do not sell or share personal information for cross-context behavioral advertising. To submit a CCPA rights request, email support@tryextrabite.com. [ATTORNEY TO CONFIRM WHETHER A SEPARATE CALIFORNIA-SPECIFIC CONTACT OR TOLL-FREE NUMBER IS REQUIRED.]

9. Security

We take reasonable technical measures to protect your data, including:

• Encryption in transit (TLS) and at rest.
• Row-Level Security (RLS) on the database, so each user can only read and write their own data.
• Least-privilege access controls for ExtraBite staff and third-party services.

No system is perfectly secure. If you discover a security vulnerability, please report it to support@tryextrabite.com rather than disclosing it publicly.

10. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change — something that meaningfully affects how we collect or use your data — we will tell you by email at least 30 days before the change takes effect. Other changes (typos, clarifications, reorganization) take effect when we post the updated version here.

11. Contact

Questions about this Privacy Policy? Email support@tryextrabite.com.