1. Introduction
Tinwise ("we," "us," or "our") is operated by a company registered in Tallinn, Estonia. We operate the Tinwise mobile application (the "App"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the App.
By creating an account or using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and a password (stored as a secure hash — we never store your password in plain text). You may optionally provide a display name, username, bio, and profile photo.
2.2 User-Generated Content
We collect content you voluntarily create within the App, including: sardine reviews (star ratings, text notes, flavor tags, portion sizes), review photos, cellar entries (quantities, storage dates, flip tracking records), community price reports, and social interactions (follows, likes, comments, activity feed).
2.3 Health and Nutrition Data
When you log sardine reviews, the App automatically calculates and stores derived nutrition data based on the product's nutritional information and your selected portion size. This includes estimated omega-3 intake, calories, protein, fat, and salt. The App also tracks daily consumption streaks, achievement milestones (such as consecutive-day streaks or cumulative omega-3 goals), earned badges, and Taste Passport award stamps (bronze, silver, gold, and platinum tiers earned by reviewing tins from specific countries, species, brands, and oil types). All of this data is derived from your review activity — we do not collect data from external health devices, Apple Health, Google Fit, or any other health platform.
Health and nutrition data is stored on our servers and used solely to provide the App's health metrics features. You may control the visibility of your health score on your public profile via the App's settings.
2.3a Challenge Data
If you participate in Sardine Fast Challenges, we collect and store your challenge progress data, including: the challenge template and duration you selected, daily tracking data (number of tins consumed, omega-3 intake, calories, brands and countries tried each day), challenge start and end dates, and completion status. Challenge data is derived from your review activity during the challenge period. You may abandon a challenge at any time, which stops further data collection for that challenge.
2.3b Shareable Card Images
The App can generate shareable summary images ("share cards") from your challenge progress and completion data. These images are rendered locally on your device and are not uploaded to our servers. When you choose to save or share a card, it is saved to your device's photo library or shared via your device's native sharing interface. We do not have access to share cards after they leave the App.
2.4 Camera and Photo Data
With your explicit permission, the App accesses your device camera to scan barcodes for product identification and to photograph sardine tins for AI-based identification. Photos you upload for reviews or cellar entries are stored on our servers. We do not access your camera or photo library without your permission, and you may revoke this access at any time through your device settings.
2.5 Barcode Scan Data
When you scan a barcode, the barcode number is sent to our server, which may query third-party food databases (Open Food Facts and USDA FoodData Central) to retrieve product information such as brand name, product name, and nutritional data. The barcode number itself is stored as part of the sardine product record.
2.6 AI-Processed Data
Certain features use artificial intelligence via Anthropic's Claude API to process your data: (a) tin photo identification — your photo is sent to Claude for sardine identification; (b) personalized recommendations — your review history and taste preferences are analyzed; (c) aging predictions — your cellar data is analyzed to predict optimal eating windows; (d) natural language search — your search queries are processed to find matching sardines; (e) content safety moderation — review photos and text are automatically screened by AI to detect content that violates community standards before it is published. AI-processed data is not used to train third-party models and is subject to Anthropic's data processing terms.
2.7 Device and Usage Data
We collect minimal device information necessary for the App to function: device type, operating system version, and push notification tokens (if you enable notifications). We use Sentry (sentry.io) for crash reporting and performance monitoring — see Section 5 for details. We do not use advertising SDKs, behavioral analytics, or cross-app tracking technologies.
3. How We Use Your Information
We use the information we collect to:
- Provide and maintain the App's core features (catalog, scanning, reviews, cellar, social feed, health metrics, challenges)
- Authenticate your identity and secure your account
- Display your profile, reviews, and cellar to you and other users (as applicable)
- Calculate and display nutrition data, omega-3 intake, health scores, consumption streaks, and milestones based on your review activity
- Generate AI-powered recommendations, aging predictions, and search results
- Send push notifications you have opted into (peak alerts, flip reminders, omega-3 alerts, weekly nutrition digests, challenge reminders)
- Respond to support requests you send to us
We do not sell, rent, or share your personal information with advertisers or data brokers. We do not use your data for targeted advertising.
4. Data Storage and Security
Your data is stored on Supabase infrastructure (powered by Amazon Web Services) with servers located in the United States. As an Estonian company transferring data outside the EEA, we rely on Supabase's Data Processing Agreement and Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection for international transfers.
Data is encrypted in transit (TLS 1.2+) and at rest. User authentication uses industry-standard JWT tokens with automatic refresh. Database access is protected by Row Level Security (RLS) policies ensuring users can only access their own data unless explicitly shared (e.g., public reviews, public profiles).
Uploaded images are stored in Supabase Storage buckets with user-scoped write permissions. Review images are publicly readable (as part of shared reviews). Cellar images are stored in a separate bucket — while the image files are technically accessible via direct URL, cellar item metadata (which images belong to which items) is private and protected by Row Level Security, meaning only you can see your cellar contents through the App.
5. Third-Party Services
We use the following third-party services to operate the App:
- Supabase (supabase.com) — authentication, database, file storage, and serverless functions.
- Open Food Facts (openfoodfacts.org) — open-source food product database queried during barcode scanning. No personal data is sent; only barcode numbers.
- USDA FoodData Central (fdc.nal.usda.gov) — U.S. government food database used as a fallback for barcode lookups. No personal data is sent; only barcode numbers.
- Anthropic Claude API (anthropic.com) — AI model used for tin identification, recommendations, aging predictions, and natural language search.
- Sentry (sentry.io) — crash reporting and performance monitoring. No personal content (reviews, photos, health data) is sent to Sentry.
- Expo / EAS (expo.dev) — build and update infrastructure for the mobile app.
6. Data Retention
We retain your account data for as long as your account is active. You may delete your account at any time through the App's settings, which will permanently delete your profile, reviews, cellar entries, photos, social connections, notifications, nutrition logs, health scores, streaks, milestones, challenge progress, earned badges, Taste Passport award stamps, and all associated data within 30 days. Sardine product records you contributed to the catalog (brand, name, nutrition data) may be retained as community data, but will be disassociated from your identity.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data — available via the "Export My Data" feature in the App
- Correct inaccurate data — edit your profile, reviews, and cellar entries at any time
- Delete your account and all associated data — available in the App's settings
- Withdraw consent for camera/photo access — revoke through your device settings
- Withdraw consent for push notifications — disable in your device settings or the App
To exercise any of these rights, use the in-app features or contact us at support@tinwise.com.
7.1 European Users (GDPR)
As a company registered in Estonia, we are directly subject to the EU General Data Protection Regulation (GDPR). Our legal basis for processing your data is: (a) performance of a contract; (b) your consent (camera access, notifications, AI features); and (c) legitimate interests (security, fraud prevention).
You may request data portability (available via "Export My Data" in the App) or lodge a complaint with your local data protection authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee).
7.2 California Users (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
8. Children's Privacy
The App is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If we learn we have collected data from a child under the applicable age, we will delete it promptly. Contact us at support@tinwise.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and updating the "Last Updated" date above. Your continued use of the App after such changes constitutes acceptance of the updated policy.
10. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: support@tinwise.com