Privacy Policy

1. Overview and Our Commitment to Privacy

At PeaceLoveDishes, privacy is not a feature—it's our foundation. We built this platform specifically to give families control over their data and escape the surveillance economy of big tech companies. This Privacy Policy explains our commitment to protecting your privacy and how we handle your information.

Our Core Privacy Principles:

• You Own Your Data: All data you upload, create, or store belongs to you. We do not claim ownership.
• No Data Selling: We do not sell your data to third parties. Ever.
• No Tracking: We do not track you across websites or use tracking pixels for advertising.
• No Advertising: We do not use your data for advertising purposes or show you ads based on your data.
• Minimal Collection: We collect only the information necessary to provide the Service.
• Transparency: We are transparent about what we collect and how we use it.
• Security First: We implement enterprise-grade security measures to protect your data.

2. Data Controller Information

2.1 Identity and Contact Details

The data controller responsible for your personal data is:

Company Name: Peace Love Dishes Inc.
Legal Form: Delaware Corporation
Address: 14205 N Mo Pac Expy Ste 570, PMB 387691, Austin, Texas 78728-6529, United States
Email: privacy@peacelovedishes.com
Phone: 512-650-8975
Website: https://peacelovedishes.com

2.2 Data Protection Officer

For privacy-related inquiries, GDPR requests, or data protection concerns, you may contact our Data Protection Officer:

Email: privacy@peacelovedishes.com
Subject Line: "Data Protection Inquiry" or "GDPR Request"

2.3 Representative in the European Union

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we will appoint an EU representative if required under GDPR Article 27. Until such time, please direct all inquiries to the contact information above.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Username: Your chosen username for account access
• Email Address: Used for account notifications, password resets, and service communications
• Password: Stored as a bcrypt hash (never in plain text). We cannot see or recover your password.
• Account Creation Date: Timestamp of when you created your account

Password Security: We require passwords to be at least 17 characters long. Passwords are hashed using bcrypt with appropriate cost factors. We never store passwords in plain text and cannot recover your password if forgotten.

3.2 Data You Upload or Create

The Service allows you to upload, create, and store various types of data across 27+ modules. This includes, but is not limited to:

Your Control: You control what data you upload and store. We do not require you to provide any specific data beyond account creation information. You may choose not to use certain modules or features.

3.3 Usage Information

We collect minimal usage information necessary to provide and improve the Service:

• Login Times: Timestamps of when you log in (for security and account management)
• Feature Usage: Which modules you access (for service improvement and support)
• Storage Usage: Amount of storage used (for billing and account management)
• Error Logs: Technical error information (for debugging and service improvement)

No Behavioral Tracking: We do not track your browsing behavior, mouse movements, keystrokes, or other behavioral data. We do not use analytics tools that identify individual users or track you across sessions.

3.4 Technical Information

When you access the Service, we automatically collect certain technical information:

• IP Address: Your IP address (for security, fraud prevention, and service delivery)
• Browser Type and Version: For compatibility and support purposes
• Device Information: Device type and operating system (for support and compatibility)
• Session Information: Session tokens and security information

This technical information is used for security, fraud prevention, and service delivery. We do not use IP addresses to track your location or build profiles about you.

3.5 Payment Information

When you subscribe, payment information is collected and processed by third-party payment processors. We do not store your complete credit card information. Payment processors may collect:

• Credit card number (last 4 digits only stored for identification)
• Billing address
• Payment method information

Payment processing is subject to the privacy policies of our payment processors. We do not have access to your complete payment information.

3.6 Information We Do NOT Collect

To be clear, we do NOT collect:

• Your browsing history outside our Service
• Information from other websites you visit
• Location data (except IP address for security)
• Biometric information
• Social media information
• Information from data brokers
• Advertising identifiers
• Information for marketing purposes

4. How We Use Your Information

4.1 Service Provision

We use your information solely to provide, maintain, and improve the Service:

• Account Management: To create and manage your account, authenticate you, and provide access to the Service
• Data Storage and Processing: To store, process, and retrieve your data when you access the Service
• Module Functionality: To enable features across all 27+ modules
• Family Account Management: To manage family member access and permissions
• Security: To protect your account and data from unauthorized access
• Support: To respond to your support requests and provide customer service

4.2 Communication

We use your email address to:

• Send important service notifications (security alerts, account changes)
• Send billing and subscription information
• Respond to your support requests
• Notify you of service updates or changes
• Send security alerts (e.g., login from new device)

No Marketing Emails: We do not send marketing emails, promotional messages, or newsletters unless you explicitly opt in. We do not share your email address with third parties for marketing purposes.

4.3 Service Improvement

We may use anonymized, aggregated data to improve the Service:

• Understanding which features are most used (anonymized)
• Identifying technical issues and bugs
• Improving performance and reliability
• Developing new features

Anonymization: Any data used for service improvement is anonymized and aggregated so it cannot identify you or your family. We never use your personal data for these purposes.

4.4 Legal Compliance

We may use or disclose your information when required by law, court order, or legal process, including:

• Responding to valid legal requests (subpoenas, court orders)
• Complying with applicable laws and regulations
• Protecting our rights and property
• Preventing fraud or security threats
• Protecting the safety of users or the public

4.5 What We Do NOT Use Your Information For

We do NOT use your information for:

• Advertising or marketing to you
• Building profiles about you for third parties
• Selling to data brokers
• Tracking you across websites
• Creating marketing lists
• Sharing with social media companies
• Any purpose other than providing the Service

5. Legal Basis for Processing (GDPR)

5.1 Applicability

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following lawful bases under the General Data Protection Regulation (GDPR):

5.2 Lawful Bases for Processing

5.2.1 Contract Performance (GDPR Article 6(1)(b))

Processing is necessary to perform our contract with you (the Terms of Service) and provide the Service you requested:

• Creating and managing your account
• Providing access to the Service and its modules
• Storing and processing your data
• Processing subscription payments
• Providing customer support

5.2.2 Consent (GDPR Article 6(1)(a))

We obtain your explicit consent for specific processing activities:

• Storing sensitive personal data (health information, financial data)
• Sending marketing communications (if you opt in)
• Processing children's data (parental consent for children under 13)

Withdrawal of Consent: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

5.2.3 Legitimate Interests (GDPR Article 6(1)(f))

Processing is necessary for our legitimate interests or the legitimate interests of third parties, where not overridden by your rights:

• Security and Fraud Prevention: Protecting the Service, users, and preventing fraud
• Service Improvement: Improving the Service using anonymized, aggregated data
• Legal Claims: Establishing, exercising, or defending legal claims
• Business Operations: Managing business operations and internal administration

Balancing Test: We have conducted a balancing test and determined that our legitimate interests do not override your fundamental rights and freedoms.

5.2.4 Legal Obligation (GDPR Article 6(1)(c))

Processing is necessary to comply with legal obligations:

• Tax and accounting requirements
• Responding to valid legal requests (subpoenas, court orders)
• Complying with data protection laws
• Breach notification requirements

5.2.5 Vital Interests (GDPR Article 6(1)(d))

Processing may be necessary to protect vital interests of you or another person:

• Emergency situations involving health or safety
• Preventing serious harm

5.3 Special Category Data

We process special category data (sensitive personal data) under GDPR Article 9, including:

• Health Data: Processed with explicit consent (Article 9(2)(a)) for the Health Records module
• Biometric Data: We do not process biometric data
• Genetic Data: Only if you choose to store it in the Health Records module (explicit consent)

5.4 Right to Object

Where we process your data based on legitimate interests, you have the right to object to such processing. Contact privacy@peacelovedishes.com to exercise this right.

6. Data Sharing and Disclosure

6.1 No Data Selling

We do not sell your data. We do not rent, trade, or otherwise monetize your personal information. Your data is not for sale.

6.2 Limited Sharing

We share your information only in the following limited circumstances:

6.2.1 Service Providers

We may share information with third-party service providers who perform services on our behalf:

• AWS S3: For photo and video storage (encrypted)
• Payment Processors: For subscription billing
• Email Service Providers: For sending account notifications (MXRoute)
• Hosting Providers: For server infrastructure

These service providers are contractually obligated to protect your information and use it only for the specific services they provide. They are not permitted to use your information for their own purposes.

6.2.2 Legal Requirements

We may disclose your information if required by law, court order, or legal process, including:

• In response to valid subpoenas or court orders
• To comply with applicable laws and regulations
• To protect our rights and property
• To prevent fraud or security threats
• To protect the safety of users or the public

We will notify you of any legal requests for your data unless prohibited by law or court order.

6.2.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and your information will continue to be protected under this Privacy Policy.

6.3 What We Do NOT Share

We do NOT share your information with:

• Data brokers or data aggregators
• Advertising networks
• Social media companies
• Marketing companies
• Analytics companies (except anonymized usage data)
• Third parties for their own purposes

7. Data Security

7.1 Security Standards

We implement security practices designed to meet enterprise-grade standards. However, no security system is perfect, and we cannot guarantee absolute security. You acknowledge that you use the Service at your own risk.

Important: We are not SOC 2 compliant, and we do not claim SOC 2 compliance. We implement security measures designed to protect your data, but we do not maintain SOC 2 certification.

7.2 Your Security Responsibilities

You also play a role in protecting your data:

• Use a strong, unique password (minimum 17 characters)
• Do not share your account credentials
• Log out when using shared devices
• Notify us immediately of any unauthorized access
• Keep your email account secure (used for password resets)

7.3 Security Breaches

In the event of a security breach that may affect your data, we will:

• Investigate the breach immediately
• Notify affected users as soon as reasonably possible
• Notify relevant authorities if required by law
• Take steps to prevent further breaches

Notification will be provided in accordance with applicable law. However, we are not liable for security breaches that occur despite our security measures.

8. Data Storage and Retention

8.1 Where Your Data is Stored

Your data is stored on secure servers located in the United States. Specific storage locations:

• Database: Stored on secure servers with encryption at rest
• Photos and Videos: Stored in AWS S3 (Amazon Web Services) with encryption
• Backups: Encrypted backups stored in secure locations

We do not transfer your data outside the United States except as necessary for service provision (e.g., AWS S3 may use data centers in various locations, but all are within AWS's secure infrastructure).

8.2 Data Retention

Active Accounts: We retain your data while your account is active and you are using the Service.

After Cancellation: After you cancel your account, we retain your data for 30 days to allow you to export it. After 30 days, we may delete your account and all associated data in accordance with our data retention policies.

Backup Retention: Backups may be retained for a longer period for disaster recovery purposes, but they are encrypted and not accessible except for recovery purposes.

Legal Requirements: We may retain certain information longer if required by law or for legal purposes.

8.3 Data Deletion

You may delete your data at any time through the Service's delete features. When you delete data:

• It is marked for deletion in our systems
• It is removed from active access
• It may remain in backups until backup rotation
• It is permanently deleted according to our deletion schedule

Permanent Deletion: Complete permanent deletion may take up to 90 days due to backup systems. We cannot recover data after permanent deletion.

9. Your Privacy Rights

9.1 Universal Rights

Regardless of your location, we respect your privacy rights. All users have the following rights:

9.2 Access Rights

You have the right to:

• Access Your Data: View all data you have stored in the Service
• Export Your Data: Download your data in a standard format
• Correct Your Data: Update or correct inaccurate information
• Delete Your Data: Delete data you no longer want stored

9.3 Account Rights

You have the right to:

• Cancel Your Account: Terminate your subscription at any time
• Export Before Cancellation: Download your data before canceling
• Request Account Information: Request information about what data we hold

9.4 Exercising Your Rights

To exercise your privacy rights:

• Use the Service's built-in features (export, delete, etc.)
• Contact us at privacy@peacelovedishes.com
• We will respond within 30 days (GDPR) or 45 days (CCPA)

9.5 No Discrimination

We will not discriminate against you for exercising your privacy rights. You will not receive different pricing, service levels, or quality based on exercising your rights.

10. GDPR Rights (European Users)

10.1 Applicability

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have specific rights under the General Data Protection Regulation (GDPR) and equivalent laws.

10.2 Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access your personal data along with information about:

• The purposes of processing
• The categories of personal data concerned
• The recipients or categories of recipients to whom data has been disclosed
• The envisaged period of data retention
• Your rights regarding your data
• The right to lodge a complaint with a supervisory authority
• The source of data (if not collected from you)

How to Exercise: Email privacy@peacelovedishes.com with "GDPR Access Request" in the subject line. We will respond within 30 days with a copy of your personal data.

10.3 Right to Rectification (Article 16)

You have the right to obtain rectification of inaccurate personal data and to have incomplete personal data completed.

How to Exercise: Update your information directly in your account settings or contact privacy@peacelovedishes.com.

10.4 Right to Erasure / Right to be Forgotten (Article 17)

You have the right to obtain erasure of your personal data in the following circumstances:

• The personal data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The personal data has been unlawfully processed
• Erasure is required to comply with a legal obligation

Exceptions: We may retain data where required by law, for the establishment, exercise, or defense of legal claims, or for other legitimate purposes under GDPR Article 17(3).

How to Exercise: Email privacy@peacelovedishes.com with "GDPR Erasure Request" in the subject line.

10.5 Right to Restriction of Processing (Article 18)

You have the right to obtain restriction of processing in the following circumstances:

• You contest the accuracy of personal data (during verification)
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

How to Exercise: Email privacy@peacelovedishes.com with "GDPR Restriction Request" in the subject line.

10.6 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON, CSV, or XML) and have the right to transmit that data to another controller.

This right applies when:

• Processing is based on consent or contract
• Processing is carried out by automated means

How to Exercise: Use the data export feature in your account settings or email privacy@peacelovedishes.com with "GDPR Portability Request" in the subject line.

10.7 Right to Object (Article 21)

You have the right to object to processing of your personal data where:

• Processing is based on legitimate interests (Article 6(1)(f))
• Processing is for direct marketing purposes (we do not engage in direct marketing)
• Processing is for scientific/historical research or statistical purposes

How to Exercise: Email privacy@peacelovedishes.com with "GDPR Objection" in the subject line. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

10.8 Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Exercise: Email privacy@peacelovedishes.com or adjust your settings in the Service.

10.9 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of alleged infringement if you believe our processing violates GDPR.

Supervisory Authorities: You can find your local supervisory authority at https://edpb.europa.eu.

10.10 Automated Decision-Making and Profiling (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

Our Practice: We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you.

10.11 Response Time

We will respond to GDPR requests within 30 days. For complex requests, we may extend this period by two months and will inform you of the extension and reasons.

11. CCPA Rights (California Residents)

11.1 Applicability

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights regarding your personal information.

11.2 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email address, IP address, unique identifiers, account credentials
• Personal Information (Cal. Civ. Code § 1798.80): Name, contact information, financial information (encrypted)
• Protected Classifications: Age, health information (HIPAA-protected in Health Records module)
• Commercial Information: Subscription records, payment history
• Internet/Network Activity: Usage data, log files, device information
• Geolocation Data: IP-based approximate location
• Professional Information: Career/resume data (if using Career module)
• Inferences: We do not create profiles or draw inferences about preferences, characteristics, or behavior
• Sensitive Personal Information: Health data, financial data, precise geolocation (we do not collect precise geolocation)

11.3 Business Purposes for Collection

We collect and use personal information for the following business purposes:

• Providing and maintaining the Service
• Processing transactions and subscriptions
• Customer support and communication
• Security, fraud prevention, and legal compliance
• Service improvement (using anonymized, aggregated data)

11.4 Right to Know (CCPA § 1798.100)

You have the right to request disclosure of:

• Categories of personal information collected
• Categories of sources from which information was collected
• Business or commercial purposes for collecting or selling information
• Categories of third parties with whom we share information
• Specific pieces of personal information collected about you

How to Exercise: Email privacy@peacelovedishes.com with "CCPA Right to Know Request" in the subject line or call 512-650-8975.

11.5 Right to Delete (CCPA § 1798.105)

You have the right to request deletion of personal information we collected from you, subject to certain exceptions.

Exceptions: We may retain information when necessary to:

• Complete the transaction for which information was collected
• Detect security incidents or protect against fraud
• Debug or repair functionality
• Comply with legal obligations
• Enable solely internal uses reasonably aligned with consumer expectations

How to Exercise: Email privacy@peacelovedishes.com with "CCPA Deletion Request" in the subject line or call 512-650-8975.

11.6 Right to Correct (CCPA § 1798.106)

You have the right to request correction of inaccurate personal information.

How to Exercise: Update information in your account settings or email privacy@peacelovedishes.com with "CCPA Correction Request" in the subject line.

11.7 Right to Opt-Out of Sale/Sharing (CCPA § 1798.120)

WE DO NOT SELL PERSONAL INFORMATION. We do not sell or share personal information to third parties for monetary or other valuable consideration. We have not sold personal information in the preceding 12 months.

No Opt-Out Required: Since we do not sell personal information, there is no need to opt out.

11.8 Right to Limit Use of Sensitive Personal Information (CCPA § 1798.121)

You have the right to limit our use of sensitive personal information. However, we only use sensitive personal information (health data, financial data) for purposes allowed without the right to limit:

• Performing services you reasonably expect (providing the Service)
• Security and integrity purposes
• Short-term, transient use

11.9 Right to Non-Discrimination (CCPA § 1798.125)

You have the right not to receive discriminatory treatment for exercising your CCPA rights. We will not:

• Deny goods or services
• Charge different prices or rates
• Provide different quality of goods or services
• Suggest you will receive different prices or quality

11.10 Authorized Agent

You may designate an authorized agent to make requests on your behalf. The authorized agent must provide:

• Written authorization signed by you
• Proof of their identity

We may require you to verify your identity directly or confirm the authorization.

11.11 Verification Process

To verify your identity for CCPA requests, we may request:

• Email address associated with your account
• Account username
• Additional information to match our records

For requests to know specific pieces of information, we may require additional verification.

11.12 Response Time

We will respond to verifiable CCPA requests within 45 days. If we need more time (up to 90 days total), we will inform you of the extension and reason.

11.13 Shine the Light Law

California's "Shine the Light" law (Cal. Civ. Code § 1798.83) permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

12. Children's Privacy (COPPA)

12.1 Age Requirements

The Service is intended for users who are at least 18 years of age. Users under 18 may use the Service only with the involvement and consent of a parent or legal guardian.

Children Under 13: We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13 years of age without verifiable parental consent.

12.2 COPPA Compliance

Our Service is designed for families, including children. We comply with the Children's Online Privacy Protection Act (COPPA):

• We do not knowingly collect personal information from children under 13 without parental consent
• Parents control family member accounts and data
• Parents can review, modify, or delete their children's information
• We do not use children's information for advertising or marketing

12.3 Parental Consent Requirements

If you wish to create an account for a child under 13, you must:

• Be the parent or legal guardian of the child
• Provide verifiable parental consent before the child can use the Service
• Review and agree to this Privacy Policy on behalf of the child
• Take responsibility for all activities under the child's account
• Monitor the child's use of the Service

How to Provide Consent: Contact us at privacy@peacelovedishes.com with "Parental Consent for Child Account" in the subject line. We will verify your identity as the parent or legal guardian before activating the child's account.

12.4 Information Collected from Children

For children under 13 with parental consent, we may collect:

• Name and age
• Parent/guardian contact information
• Content created or uploaded by the child within the family account

Minimal Collection: We do not collect more information from children than is reasonably necessary to provide the Service. We do not condition a child's participation on disclosure of more personal information than is reasonably necessary.

12.5 Use of Children's Information

Information collected from children under 13 is used only for:

• Providing the Service to the child
• Communicating with parents about the child's account
• Protecting the security and integrity of the Service
• Complying with legal obligations

No Marketing: We do not use children's information for advertising, marketing, or building behavioral profiles.

12.6 Disclosure of Children's Information

We do not disclose personal information collected from children under 13 to third parties, except:

• To the extent necessary to provide the Service (e.g., secure data storage with AWS)
• To protect the security or integrity of the Service
• As required by law or to respond to legal process
• To protect the rights, property, or safety of Peace Love Dishes Inc., our users, or the public

12.7 Parental Rights Under COPPA

Parents and legal guardians have the right to:

• Review: Review the personal information collected from their child
• Delete: Request deletion of their child's personal information
• Refuse: Refuse to allow further collection or use of their child's personal information
• Revoke: Revoke consent and delete the child's account at any time

How to Exercise: Contact us at privacy@peacelovedishes.com with "COPPA Rights Request" in the subject line. We will verify your identity as the parent or legal guardian before processing the request.

12.8 Parental Control

Parents who create family accounts:

• Control what data children can access
• Control what data children can create or upload
• Can review all children's activities
• Can remove children's access at any time

12.9 Notification of Unauthorized Collection

If we discover that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible.

If you believe we have collected information from a child under 13 without parental consent, please contact us immediately at privacy@peacelovedishes.com with "Unauthorized Child Data Collection" in the subject line, and we will delete such information.

13. Family Account Data Sharing

13.1 Family Account Structure

PeaceLoveDishes is designed for family use. One subscription account ("Primary Account") may cover multiple family members. The Primary Account holder controls:

• Which family members have access
• What data is shared with family members
• What permissions each family member has

13.2 Shared Data

When you invite family members, they may have access to shared data according to permissions you set. This may include:

• Shared recipes and cookbooks
• Shared calendar events
• Shared photos and videos
• Family health records (if you choose to share)
• Family financial information (if you choose to share)
• Other data you designate as shared

Your Control: You control what is shared. You can change sharing permissions at any time. We do not monitor or control data sharing between family members—this is your responsibility.

13.3 Private Data

Some data remains private to individual users:

• Personal journals (unless shared)
• Private passwords in SecureVault
• Personal tasks and notes
• Individual user settings

Privacy Respect: We respect the privacy of individual family members. Private data is not accessible to other family members unless explicitly shared.

13.4 Family Member Responsibilities

When you invite family members, you are responsible for:

• Ensuring family members understand privacy settings
• Managing what data is shared
• Ensuring family members comply with the Terms of Service and this Privacy Policy
• Removing access when family members should no longer have access

14. Health Information and HIPAA

14.1 HIPAA Compliance

HIPAA Compliant Health Records Module: Our Health Records module is HIPAA compliant and designed to meet HIPAA requirements for Protected Health Information (PHI). We implement comprehensive HIPAA security measures to protect health data.

HIPAA Security Measures: The Health Records module complies with HIPAA requirements including:

• Administrative Safeguards: Access controls, workforce training, security management procedures, contingency plans, and security awareness training
• Physical Safeguards: Secure data centers, facility access controls, workstation security, and device controls
• Technical Safeguards: Access controls, audit controls, integrity controls, transmission security, and encryption
• Audit Logging: Complete audit trail of all health data access, modifications, and deletions
• User Authentication: Strong authentication requirements for accessing health data
• Encryption: AES-256 encryption for health data at rest and TLS/SSL encryption in transit
• Access Controls: User ownership verification and permission systems for health data

14.2 Business Associate Agreements

BAAs Available: We can provide Business Associate Agreements (BAAs) for covered entities who require them. If you are a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) and need a BAA, please contact us at privacy@peacelovedishes.com to request one.

BAA Terms: Our BAAs include standard HIPAA provisions regarding the use and disclosure of PHI, security measures, breach notification, and compliance with HIPAA requirements.

14.3 Health Data Responsibility

While we provide HIPAA-compliant infrastructure for health data, you are responsible for:

• Ensuring you have proper authorization to store health information in the Service
• Complying with all applicable health privacy laws beyond HIPAA (state laws, etc.)
• Obtaining necessary consents from individuals whose health information you store
• Using the Health Records module in accordance with HIPAA requirements
• Requesting a BAA if you are a covered entity and require one

14.4 Health Data Security

Health data stored in the Health Records module receives enhanced security measures:

• HIPAA-compliant encryption at rest and in transit
• HIPAA-compliant access controls and authentication
• Complete audit logging of all health data activities
• Secure storage in HIPAA-compliant data centers
• Encrypted backups with HIPAA-compliant retention policies
• User ownership verification and permission systems

HIPAA Compliance: These security measures are implemented in accordance with HIPAA requirements and constitute HIPAA compliance for the Health Records module.

14.5 Other Modules

Note: HIPAA compliance applies specifically to the Health Records module. Other modules (recipes, photos, etc.) are not designed for HIPAA compliance. If you need to store health information, use the Health Records module which is HIPAA compliant.

15. International Data Transfers

15.1 Data Storage Location

Your data is stored on servers located in the United States. If you are located outside the United States, you consent to the transfer of your data to the United States for processing and storage.

15.2 International Data Transfers

If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States. The United States may have data protection laws that differ from those in your country.

15.3 Adequacy Decisions and Safeguards (GDPR)

For data transfers from the EEA, UK, or Switzerland to the United States, we implement appropriate safeguards to protect your personal data in accordance with GDPR Chapter V:

• Standard Contractual Clauses (SCCs): We use EU Standard Contractual Clauses approved by the European Commission for data transfers (Commission Implementing Decision (EU) 2021/914)
• Supplementary Measures: We implement technical and organizational measures including AES-256 encryption, access controls, audit logging, and security monitoring to ensure data protection equivalent to GDPR standards
• Data Processing Agreements: We maintain data processing agreements with third-party service providers (e.g., AWS) that include appropriate GDPR safeguards

15.4 Third-Party Service Providers

We use the following third-party service providers that may process your data:

• Amazon Web Services (AWS): Data storage and hosting (US-based, GDPR-compliant with SCCs and AWS Data Processing Addendum)
• Payment Processors: Stripe, PayPal (GDPR-compliant, PCI-DSS certified)

All third-party processors are contractually obligated to implement appropriate security measures and comply with applicable data protection laws, including GDPR.

15.5 Your Rights Regarding International Transfers

You have the right to:

• Obtain information about international data transfers
• Request a copy of the safeguards in place (e.g., Standard Contractual Clauses)
• Object to data transfers in certain circumstances

To request information about international data transfers or copies of safeguards, contact privacy@peacelovedishes.com with "International Transfer Information Request" in the subject line.

15.6 UK and Swiss Data Transfers

For transfers from the UK, we use the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs. For transfers from Switzerland, we comply with Swiss data protection law and use Swiss-approved Standard Contractual Clauses.

16. Cookies and Tracking Technologies

16.1 Essential Cookies

We use essential cookies and similar technologies necessary for the Service to function:

• Session Cookies: To maintain your login session (HttpOnly, Secure, SameSite)
• CSRF Tokens: To protect against cross-site request forgery
• Security Tokens: For authentication and security

These cookies are essential and cannot be disabled. They do not track you across websites.

16.2 No Tracking Cookies

We do NOT use:

• Advertising cookies
• Analytics cookies that identify users
• Social media tracking pixels
• Third-party tracking cookies
• Any cookies for advertising or marketing purposes

16.3 Cookie Management

You can control cookies through your browser settings. However, disabling essential cookies may prevent the Service from functioning properly.

16.4 Cookie Duration

Our session cookies expire when you log out or after 30 minutes of inactivity. Security tokens expire after their designated validity period.

17. Third-Party Services

17.1 Service Providers

The Service integrates with third-party services necessary for operation:

• AWS S3: For photo and video storage. AWS S3 privacy policy applies to data stored there.
• Payment Processors: For subscription billing. Payment processor privacy policies apply.
• Email Service (MXRoute): For sending account notifications. Email service privacy policy applies.
• Hosting Providers: For server infrastructure.

These service providers are contractually obligated to protect your information. However, their privacy policies also apply to data they process.

17.2 What We Do NOT Use

We do NOT use:

• Google Analytics or similar tracking services
• Facebook Pixel or social media tracking
• Advertising networks
• Data brokers
• Marketing automation tools
• Any service that tracks users for advertising

17.3 Links to Third-Party Websites

The Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read the privacy policies of any third-party websites you visit.

18. Automated Decision-Making

18.1 No Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you.

No Profiling: We do not create profiles about you for marketing, advertising, or behavioral targeting purposes.

18.2 Service Functionality

Automated processing is used only for essential service functionality:

• Authentication and access control
• Data storage and retrieval
• Security monitoring and fraud prevention

These automated processes do not make decisions that produce legal effects or similarly significantly affect you.

19. Do Not Track Signals

19.1 Do Not Track

Some web browsers and devices permit you to broadcast a preference that you not be "tracked" online. At this time, there is no industry consensus on what constitutes a "Do Not Track" signal.

Our Practice: Since we do not track you for advertising or behavioral profiling purposes, Do Not Track signals do not affect our practices. We do not track you across websites or use tracking technologies for advertising regardless of your Do Not Track settings.

20. Changes to Privacy Policy

20.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of material changes by:

• Email to the address associated with your account
• Prominent notice in the Service
• Updating the "Last Updated" date at the top of this policy

20.2 Material Changes

Material changes to this Privacy Policy will take effect 30 days after notice. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

20.3 Review Policy

We recommend reviewing this Privacy Policy periodically. The "Last Updated" date indicates when this policy was last revised.

21. Contact Information

21.1 Privacy Questions and Data Rights Requests

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

General Privacy Inquiries: privacy@peacelovedishes.com
GDPR Requests: privacy@peacelovedishes.com (Subject: "GDPR Request")
CCPA Requests: privacy@peacelovedishes.com (Subject: "CCPA Request") or call 512-650-8975
COPPA/Parental Requests: privacy@peacelovedishes.com (Subject: "COPPA Request")
Data Protection Officer: privacy@peacelovedishes.com
Website: https://peacelovedishes.com

Mailing Address:
Peace Love Dishes Inc.
14205 N Mo Pac Expy Ste 570
PMB 387691
Austin, Texas 78728-6529
United States

21.2 Response Time

We will respond to privacy inquiries within 30 days. For urgent security concerns, please mark your email as "URGENT" in the subject line.

21.3 Languages

This Privacy Policy is written in English. Any translation is provided for convenience only. In the event of conflict between the English version and any translation, the English version shall prevail.

22. Complaints and Supervisory Authority

22.1 Right to Lodge a Complaint

If you believe we have violated your privacy rights or applicable data protection laws, you have the right to lodge a complaint with us and with the appropriate supervisory authority.

22.2 Filing a Complaint with Us

Please contact us first at privacy@peacelovedishes.com with "Privacy Complaint" in the subject line. We will investigate and respond to your complaint promptly.

22.3 Supervisory Authorities

European Users: If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority:

• EU Member States: Find your supervisory authority at https://edpb.europa.eu
• United Kingdom: Information Commissioner's Office (ICO) at https://ico.org.uk
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch

California Users: California residents may file complaints with the California Attorney General at https://oag.ca.gov.

22.4 We Value Your Feedback

We take privacy concerns seriously and encourage you to contact us directly so we can address your concerns promptly. We are committed to resolving complaints in accordance with applicable law.

23. Additional Information

23.1 Terms of Service

This Privacy Policy is incorporated into and subject to our Terms of Service. Please review our Terms of Service for additional information about your use of the Service.

23.2 No Third-Party Rights

This Privacy Policy does not create rights enforceable by third parties or require disclosure of any personal information relating to users of the Service.

23.3 Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.