Privacy Policy
Effective Date: February 6, 2026
Last Updated: February 6, 2026
1. Introduction
Annona Inc. ("Annona," "we," "our," or "us") operates a meal planning, food logistics, and social food platform accessible at annona.ca and through our mobile applications (collectively, the "Platform"). We are committed to protecting the privacy and security of the personal information entrusted to us by our users ("you" or "your").
This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your personal information in connection with your use of the Platform. It also explains your rights and choices regarding your personal information.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not access or use the Platform.
This Privacy Policy is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), and other applicable provincial and federal privacy legislation. Where you are located in the European Economic Area (EEA) or the United Kingdom (UK), we also comply with the General Data Protection Regulation (GDPR) and UK GDPR, respectively.
2. Information We Collect
We collect information you provide directly, information generated automatically when you use the Platform, and information from third-party sources.
2.1 Information You Provide
- Account Information: Name, email address, phone number, password, profile photograph, and preferred language.
- Dietary and Health-Related Information: Dietary preferences, food allergies, intolerances, medical dietary restrictions (e.g., diabetic, celiac), cooking skill level, time preferences, and household size. This information is treated as sensitive personal information and is subject to the enhanced protections described in Section 5.
- User-Generated Content: Recipes, reviews, ratings, comments, meal plans, photographs, and other content you create, upload, or share on the Platform, including content submitted through the Curator Program.
- Social and Community Information: Profiles you follow, community interactions, messages sent through the Platform, saved or bookmarked content, and your public profile information.
- Pantry and Inventory Data: Items you add to your digital pantry, expiration dates, quantities, and food waste tracking information.
- Shopping and Order Information: Shopping lists, grocery orders, delivery addresses, order history, and preferred stores or delivery partners.
- Payment Information: Payment method details (credit/debit card number, billing address). Payment information is processed by our third-party payment processors and is not stored on our servers.
- Communications: Information you provide when contacting our support team, responding to surveys, or participating in promotions.
- Curator Application Data: Professional background, food industry certifications, portfolio samples, and other materials submitted in connection with an application to the Curator Program.
2.2 Information Collected Automatically
- Device and Browser Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
- Usage Data: Pages and features accessed, recipes viewed, search queries, clicks, scrolling behavior, time spent on pages, and navigation paths.
- Network Information: IP address, internet service provider, approximate geographic location (city/region level, derived from IP address), referring URLs, and connection type.
- Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, local storage, and similar tracking technologies (see Section 8).
- Log Data: Server logs recording requests made to the Platform, including timestamps, request methods, and response codes.
2.3 Information from Third Parties
- Authentication Providers: If you sign in using a third-party identity provider (e.g., Google, Apple), we receive your name, email address, and profile information as authorized by your identity provider settings.
- Grocery and Delivery Partners: Order status, delivery confirmations, product availability, and pricing information from integrated grocery and delivery services.
- Analytics Providers: Aggregated and de-identified usage data to help us understand how users interact with the Platform.
3. How We Use Your Information
We use your information for the following purposes:
3.1 Providing and Operating the Platform
- Creating and managing your account
- Generating personalized meal plans and recipe recommendations based on your dietary preferences, allergies, household size, and cooking skill level
- Creating and managing shopping lists and grocery orders
- Tracking pantry inventory and providing food waste reduction insights
- Facilitating grocery ordering and delivery through integrated partners
- Processing payments and managing subscriptions
- Enabling social features, including sharing recipes, following curators, and community interaction
3.2 Personalization and Recommendations
- Tailoring recipe suggestions and meal plans to your preferences and restrictions
- Recommending curators and content aligned with your interests
- Displaying relevant grocery offers and product suggestions
- Adapting the Platform interface to your usage patterns
3.3 Safety and Food Allergen Alerts
- Flagging recipes and ingredients that may conflict with your declared allergies or dietary restrictions
- Providing allergen warnings and cross-contamination notices on user-generated and curated content
- Notifying you of product recalls or food safety advisories affecting items in your pantry or order history
3.4 Communications
- Sending service-related notifications (order confirmations, delivery updates, account alerts)
- Responding to your support requests and inquiries
- Sending promotional communications (where you have opted in or where permitted by applicable law), including new features, content recommendations, and special offers
3.5 Analytics and Service Improvement
- Understanding how users interact with the Platform
- Identifying trends, usage patterns, and areas for improvement
- Developing new features and services
- Conducting research and analysis (using aggregated or de-identified data where possible)
3.6 Security and Legal Compliance
- Detecting, preventing, and addressing fraud, unauthorized access, and other security incidents
- Enforcing our Terms of Service and community guidelines
- Complying with applicable legal obligations, regulations, and lawful requests
- Protecting the rights, property, and safety of Annona, our users, and the public
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the EEA or the UK, we process your personal information on the following legal bases:
- Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing the Platform, managing your account, processing orders).
- Consent: Processing based on your explicit consent, particularly for sensitive dietary/health information, marketing communications, and non-essential cookies. You may withdraw consent at any time.
- Legitimate Interests: Processing necessary for our legitimate interests (e.g., improving the Platform, fraud prevention, analytics), provided these interests are not overridden by your rights.
- Legal Obligation: Processing necessary to comply with applicable laws and regulations.
- Vital Interests: In exceptional circumstances, processing necessary to protect your vital interests (e.g., notifying you of a serious food safety recall affecting items you have purchased).
5. Sensitive Personal Information
Certain information you provide, including dietary restrictions related to medical conditions (e.g., celiac disease, diabetes, phenylketonuria), food allergies, and religious dietary observances, may be considered sensitive personal information under applicable privacy laws.
We apply enhanced protections to this data:
- We collect sensitive information only with your explicit consent
- We use this information solely for the purposes of providing allergen alerts, personalized meal plans, and ingredient safety warnings
- Access to sensitive information is restricted to systems and personnel that require it to deliver these services
- Sensitive information is encrypted both in transit and at rest using industry-standard encryption
- We do not share sensitive dietary or health information with advertisers or marketing partners
- You can update or delete this information at any time through your account settings
6. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
6.1 Service Providers
We engage trusted third-party service providers who process personal information on our behalf, including:
- Cloud hosting and infrastructure providers
- Payment processors (e.g., Stripe)
- Email and notification delivery services
- Customer support tools
- Analytics and monitoring services
These providers are contractually bound to use your information only for the purposes of providing services to us, and are required to maintain appropriate security measures.
6.2 Grocery and Delivery Partners
When you place a grocery order through the Platform, we share the information necessary to fulfill your order with our grocery and delivery partners, including your name, delivery address, phone number, and order details. These partners process your information in accordance with their own privacy policies.
6.3 User-Generated Content and Social Features
Content you post publicly on the Platform (recipes, reviews, comments, profile information) is visible to other users and may be indexed by search engines. Your display name and profile photograph will be associated with your public content. You can control the visibility of certain profile information through your privacy settings.
6.4 Curators
If you interact with Curator content (e.g., purchasing a meal plan, rating a recipe), Curators may receive aggregated, de-identified analytics about how their content is used. Curators do not receive your personal contact information unless you choose to share it directly.
6.5 Legal Requirements and Safety
We may disclose your information when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, court order, subpoena, or governmental request
- Protect the safety, rights, or property of Annona, our users, or the public
- Investigate or prevent fraud, security incidents, or violations of our Terms
- Respond to a food safety emergency or product recall
6.6 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
6.7 With Your Consent
We may share your information in other circumstances with your explicit consent.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for administrative access
- Regular security assessments, penetration testing, and vulnerability scanning
- Role-based access controls limiting data access to authorized personnel
- Secure coding practices and code review processes
- Incident response procedures for detecting and responding to security breaches
- Employee security awareness training
While we strive to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
9. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Active Account Data: Retained for the duration of your account.
- Order and Transaction Records: Retained for a minimum of seven (7) years after the transaction date to comply with tax and accounting obligations.
- User-Generated Content: Public content (recipes, reviews) remains on the Platform until you delete it or request its removal. Upon account deletion, your content may be anonymized rather than deleted where it is part of community interactions.
- Dietary and Health Information: Deleted within thirty (30) days of account deletion or upon your request.
- Server Logs: Retained for up to ninety (90) days for security and debugging purposes.
- Backup Data: Retained in encrypted backups for up to sixty (60) days after deletion from active systems.
When personal information is no longer needed, we securely delete or anonymize it in accordance with our data retention schedule.
10. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
10.1 Rights Under Canadian Law (PIPEDA / PIPA / Law 25)
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete personal information
- Withdrawal of Consent: Withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada or the relevant provincial privacy authority
- De-indexation: Under Quebec's Law 25, request that your personal information be de-indexed from search results or hyperlinks associated with your name
- Portability: Under Quebec's Law 25, request a copy of your personal information in a structured, commonly used, and machine-readable format
10.2 Rights Under GDPR / UK GDPR
If you are located in the EEA or the UK, you additionally have the right to:
- Erasure: Request deletion of your personal information ("right to be forgotten")
- Restriction: Request restriction of processing of your personal information
- Objection: Object to processing based on legitimate interests or for direct marketing purposes
- Data Portability: Receive your personal data in a structured, commonly used, and machine-readable format
- Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
- Lodge a Complaint: File a complaint with your local data protection authority
10.3 Exercising Your Rights
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) days, or as required by applicable law. We may need to verify your identity before processing your request.
You can also manage many of your preferences directly through your account settings, including updating your dietary information, adjusting notification preferences, and controlling the visibility of your profile.
10.4 Marketing Communications
You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email, or by updating your notification preferences in your account settings. Please note that even after opting out, you will continue to receive service-related communications that are essential to your use of the Platform.
11. International Data Transfers
Your personal information may be transferred to and processed in countries other than your country of residence, including Canada and the United States, where our servers and service providers are located. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal information outside of Canada, the EEA, or the UK, we ensure that appropriate safeguards are in place, including:
- Standard contractual clauses approved by the European Commission or the UK Information Commissioner's Office
- Adequacy decisions by relevant authorities
- Binding corporate rules or other approved transfer mechanisms
You can request information about the safeguards in place for specific transfers by contacting us at [email protected].
12. Automated Decision-Making and Profiling
We use automated systems to personalize your experience, including:
- Recipe Recommendations: Suggesting recipes based on your dietary preferences, past activity, and household information. These recommendations are informational and do not produce legal or similarly significant effects.
- Allergen Flagging: Automatically identifying potential allergens in recipes based on your declared allergies. This is provided as an aid and does not replace your own due diligence in verifying ingredients.
- Content Moderation: Automated systems may flag user-generated content that potentially violates our community guidelines for human review.
We do not use automated decision-making for decisions that produce legal or similarly significant effects without human oversight. If you have concerns about automated processing, please contact us.
13. Children's Privacy
The Platform is not intended for use by individuals under the age of thirteen (13), or under the age of sixteen (16) in the EEA/UK. We do not knowingly collect personal information from children below these age thresholds.
If we become aware that we have collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete that information promptly. If you believe that a child has provided us with personal information, please contact us at [email protected].
14. Data Breach Notification
In the event of a data breach that creates a real risk of significant harm to you, we will:
- Notify the Office of the Privacy Commissioner of Canada and any other relevant regulatory authorities as required by law
- Notify affected individuals as soon as feasible, describing the nature of the breach, the information involved, and steps we are taking to address it
- Provide recommendations for steps you can take to protect yourself
- Maintain records of all breaches as required by PIPEDA and applicable provincial legislation
15. Third-Party Links and Services
The Platform may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through the Platform.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Provide prominent notice on the Platform (e.g., a banner or in-app notification)
- Send you an email notification for significant changes that affect your rights or how we handle your sensitive information
- Where required by law, obtain your consent before applying material changes
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated Privacy Policy.
17. Privacy Officer and Contact Information
We have appointed a Privacy Officer responsible for overseeing our compliance with applicable privacy legislation. If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:
Annona Inc.
Attn: Privacy Officer
Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or your applicable provincial privacy authority. EEA/UK residents may also contact their local data protection authority.