Privacy Policy

Effective Date: November 5, 2025 Last Updated: November 5, 2025

Introduction

At Cibarious, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered ingredient narrative database at www.cibarious.org.

We apply EU-level data protection standards globally, ensuring consistent privacy protection for all our users worldwide. This policy should be read alongside our Cookie Policy, which provides specific details about our use of cookies and similar technologies.

Content Types: Our database includes educational content about a wide range of ingredients, including some that discuss alcoholic beverages (spirits, wines, beers) and dietary supplements in an educational, encyclopedic context. This content is provided for informational purposes only and does not promote consumption or constitute medical advice. For more information about how we handle specialized content, please see our Editorial Policy.

Who We Are

Data Controller: Francesco Paolo Maria Di Salvia (Individual ownership) Location: Corso Vittorio Veneto, SNC - 84020 Valva (SA) - Italy Contact: [email protected] Website: www.cibarious.org Note: As we grow, our legal structure may evolve to include a registered company entity. This policy will be updated accordingly.

Information We Collect

Information You Provide Directly

Account Registration

When you create an account with us, we collect:

1. Email address (required for authentication and communication)

1. Name (for personalization)

1. Nickname (display name within your account)

1. Location (to provide region-relevant content)

1. Age (to verify you meet our minimum age requirement of 18)

Pantry Collections

1. Ingredient preferences: Items you save to your personal pantry collection

1. Favorites and shelves: Your curated lists of preferred ingredients

1. Usage patterns: How you organize and interact with your saved ingredients

Communications

1. Support inquiries: When you contact us for help or feedback

1. Newsletter subscription: If you separately opt-in to our mailing list (planned feature)

Information We Collect Automatically

Technical Information

1. Device data: Browser type, operating system, device identifiers

1. Usage data: Pages visited, features used, time spent on site

1. Network data: IP address, general location (country/region level)

Analytics Data (with your consent)

1. Website performance: Page load times, error rates, user flows

1. Interaction patterns: How users navigate and use our service

1. Aggregated statistics: Non-personally identifiable usage trends

This automatic collection is detailed in our Cookie Policy.

How We Use Your Information

We process your personal data for the following purposes:

Essential Service Provision (Legal Basis: Contract Performance)

1. Account management: Creating and maintaining your user account

1. Authentication: Secure login via magic links sent to your email

1. Service delivery: Providing access to our ingredient database and features

1. Pantry synchronization: Syncing your saved ingredients across devices

Service Improvement (Legal Basis: Legitimate Interest)

1. Security monitoring: Detecting and preventing fraudulent or malicious activity

1. Service stability: Ensuring reliable performance and preventing abuse

1. Technical improvements: Identifying and fixing bugs or performance issues

Communication (Legal Basis: Consent or Contract Performance)

1. Transactional emails: Account-related notifications and security alerts

1. Marketing communications: Newsletter and updates (separate opt-in required)

1. Support responses: Addressing your questions and providing assistance

Analytics and Optimization (Legal Basis: Consent)

1. Usage analysis: Understanding how users interact with our service

1. Feature development: Identifying popular features and areas for improvement

1. Performance monitoring: Ensuring optimal website performance

Legal Bases for Processing

Under GDPR, we rely on the following legal bases:

1. Contract performance: Processing necessary to provide our service

1. Consent: For analytics, advertising, marketing communications, and non-essential features

1. Legitimate interests: For security, fraud prevention, and service stability

1. Legal obligation: For compliance with applicable laws and regulations

Data Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties, except as described below:

Service Providers

We share data with trusted service providers who help us operate our service: Supabase (Database & Authentication)

1. Purpose: Secure data storage and user authentication

1. Data shared: Account information, pantry data, authentication tokens

1. Location: AWS US-East-2 data center

1. Protection: Data Processing Agreement, encryption, access controls

SMTP2GO (Email Services)

1. Purpose: Sending authentication magic links and planned newsletters

1. Data shared: Email addresses, basic delivery metadata

1. Location: EU data residency (Amsterdam) for European users

1. Protection: Data Processing Agreement, encryption in transit

Netlify (Website Hosting)

1. Purpose: Website hosting and content delivery

1. Data shared: Technical logs, basic usage statistics

1. Location: Global content delivery network

1. Protection: Privacy-focused hosting with data retention controls

Google AdSense (Third-Party Advertising, when implemented)

1. Purpose: Displaying personalized advertisements on our website (with your consent)

1. Data shared: Anonymized usage data, advertising identifiers, cookies, page views

1. Location: Global processing with servers primarily in the US

1. Protection: Your explicit consent, Google's privacy safeguards, managed through InMobi CMP

1. Third-party access: Google may share data with advertising partners for ad personalization

1. Opt-out: You can manage your advertising preferences through our cookie consent dialog or Google Ad Settings

InMobi CMP (Consent Management Platform)

1. Purpose: Managing cookie consent preferences and generating IAB TCF consent strings

1. Data shared: Consent preferences and consent strings

1. Location: Global processing

1. Protection: InMobi's privacy safeguards and GDPR compliance

Cloudflare (Content Delivery Network & Security)

1. Purpose: Website performance optimization, DDoS protection, and security services

1. Data shared: IP addresses, request metadata, security logs, performance metrics

1. Location: Global content delivery network with data centers worldwide

1. Protection: Cloudflare's privacy policy, data processing agreements, and security measures

Umami Analytics (Privacy-Focused Analytics)

1. Purpose: Website analytics and usage statistics (with your consent)

1. Data shared: Anonymized page views, session data, device information (no personal identifiers)

1. Location: Self-hosted or cloud-hosted analytics service

1. Protection: Privacy-first analytics with no cookies, GDPR compliant, anonymized data collection

IpQualityScore (Fraud Prevention & Security)

1. Purpose: Detecting and preventing fraudulent activity, bot detection, and security monitoring

1. Data shared: IP addresses, request metadata, device fingerprints (anonymized)

1. Location: US-based processing with global coverage

1. Protection: Data Processing Agreement, encryption, and security safeguards

Legal Requirements

We may disclose your information if required by law or to:

1. Comply with legal processes or government requests

1. Enforce our terms of service

1. Protect the rights, property, or safety of Cibarious, our users, or others

Note: We have no obligation to disclose user data to Italian authorities under current data retention laws, as we are not a telecommunications provider.

International Data Transfers

Some of our service providers are located outside the EU/EEA. When we transfer your data internationally, we ensure adequate protection through:

1. Standard Contractual Clauses approved by the European Commission

1. Data Processing Agreements with all international service providers

1. Your explicit consent for services requiring it (analytics, advertising)

1. Technical safeguards including encryption and access controls

Specifically:

1. EU users' data processed by SMTP2GO remains in EU data centers (Amsterdam)

1. Supabase data is transferred to AWS US-East-2 under appropriate safeguards

1. Google AdSense (when implemented) operates globally with your consent

1. InMobi CMP processes consent data globally with appropriate safeguards

1. Cloudflare processes traffic data globally with appropriate safeguards

1. Umami Analytics processes analytics data with privacy-first measures (with your consent)

1. IpQualityScore processes security data in the US with appropriate safeguards

Data Security

We take data security seriously and implement appropriate technical and organizational measures:

Technical Safeguards

1. Encryption: Data encrypted in transit (TLS) and at rest

1. Authentication: Secure multi-factor authentication systems

1. Access controls: Role-based access to personal data

1. Regular updates: Security patches and system updates

Supabase Security Features

Our primary data processor, Supabase, implements:

1. SOC 2 Type II compliance

1. Database-level encryption with AES-256

1. Network isolation and VPC security

1. Regular security audits and penetration testing

1. Backup and disaster recovery procedures

Organizational Measures

1. Data minimization: We collect only necessary information

1. Access limitation: Personal data access on need-to-know basis

1. Staff training: Regular privacy and security awareness

1. Incident response: Procedures for handling potential breaches

Data Retention

We retain your personal data only as long as necessary:

Account Data

1. Active accounts: Data retained while your account remains active

1. Deleted accounts: All personal data deleted immediately upon account deletion

1. Inactive accounts: We may contact inactive users before any deletion

Technical Data

1. Authentication tokens: 1 hour (access tokens) to 1 week (refresh tokens)

1. Usage logs: Maximum 26 months (Google Analytics standard, when implemented)

1. Security logs: Maximum 12 months for fraud prevention

Communication Data

1. Support inquiries: Retained for 2 years to improve service quality

1. Marketing communications: Until you unsubscribe or delete your account

Third-Party Advertising

We may display advertisements on our website through third-party advertising services. These services help us generate revenue to maintain and improve Cibarious while keeping our core features free.

How Third-Party Advertising Works

Google AdSense (when implemented) When you visit our website and consent to advertising cookies through our InMobi consent dialog, Google AdSense may:

1. Display personalized advertisements based on your interests and browsing behavior

1. Use cookies and similar tracking technologies to collect information about your visit

1. Share data with Google's advertising partners to serve relevant ads across the web

1. Track ad performance, impressions, and user interactions

Data Collected by Advertising Services

Third-party advertisers may collect:

1. Cookie identifiers: Unique identifiers stored in your browser

1. Device information: Browser type, operating system, screen resolution

1. Usage data: Pages visited, time spent on site, referring URLs

1. Advertising data: Ad views, clicks, and interaction patterns

1. Approximate location: Country or region-level geolocation based on IP address

This data collection is governed by the third-party advertiser's own privacy policies.

Your Control Over Advertising

You have multiple ways to control advertising on our website: Consent Management

1. Use our InMobi consent dialog (displayed on first visit) to accept or reject advertising cookies

1. Update your preferences at any time through the cookie settings link in our footer

1. Withdraw consent without affecting your access to core website features

Ad Personalization

1. Visit Google Ad Settings to manage personalized advertising

1. Opt out of interest-based advertising through the NAI Consumer Opt-Out

1. Use browser settings to block third-party cookies (may affect website functionality)

Do Not Track

1. We respect Do Not Track (DNT) browser signals where technically feasible

1. Note that third-party advertisers may have their own DNT policies

Advertising Without Consent

If you decline advertising cookies:

1. You will still see advertisements, but they will not be personalized

1. Ads will be contextual (based on page content) rather than behavioral (based on your browsing history)

1. Your website experience and access to features will not be affected

Third-Party Privacy Policies

Our advertising partners have their own privacy policies that govern how they collect and use your data:

1. Google AdSense: Google Privacy Policy

1. Google Advertising: How Google uses information from sites or apps that use our services

We encourage you to review these policies to understand how third-party advertisers handle your information.

Your Rights Under GDPR

As a data subject, you have the following rights:

Access and Portability

1. Right of access: Request information about data we hold about you

1. Data portability: Receive your data in a structured, machine-readable format (planned feature)

Correction and Deletion

1. Rectification: Correct inaccurate or incomplete personal data

1. Erasure: Request deletion of your personal data (immediate upon account deletion)

Processing Limitations

1. Restrict processing: Limit how we process your data in certain circumstances

1. Object to processing: Object to processing based on legitimate interests

1. Withdraw consent: Withdraw consent for analytics, marketing, or other consent-based processing

Exercising Your Rights

To exercise these rights:

1. Log into your account to update basic information

1. Contact us directly at [email protected] for complex requests

1. Use cookie settings to manage analytics and advertising consent

We will respond to valid requests within 30 days and free of charge.

Age Restrictions

Cibarious is intended for users aged 18 and older. We do not knowingly collect personal information from minors under 18. If we become aware that we have collected personal data from a minor, we will delete such information promptly. If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately.

Marketing Communications

Newsletter and Updates

1. Separate opt-in: Marketing communications require explicit, separate consent

1. Clear identification: All marketing emails clearly identify Cibarious as sender

1. Easy unsubscribe: One-click unsubscribe link in every marketing email

1. Preference management: Manage communication preferences in your account

No Spam Policy

We never:

1. Send unsolicited marketing emails

1. Share your email with third-party marketers

1. Use pre-checked boxes for marketing consent

1. Make service access conditional on marketing consent

Data Breach Notification

In the unlikely event of a data breach:

1. Authority notification: We will notify relevant supervisory authorities within 72 hours

1. User notification: You will be informed without undue delay if the breach poses high risk

1. Mitigation measures: We will take immediate steps to minimize impact

1. Prevention improvements: We will strengthen security to prevent similar incidents

Our primary service provider, Supabase, maintains incident response procedures and will notify us of any security incidents affecting your data.

Third-Party Links

Our website may contain links to third-party services or websites. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party services you visit.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, or legal requirements. When we make material changes:

1. Effective date will be updated at the top of this policy

1. Website notification may be displayed for significant changes

1. Email notification for substantial changes affecting your rights (if you're subscribed)

1. Continued use of our service after changes indicates acceptance

We encourage you to review this policy periodically.

Supervisory Authority

If you have concerns about our data processing practices, you have the right to lodge a complaint with your local data protection authority: For EU residents: Your local Data Protection Authority For Italian residents: Garante per la protezione dei dati personali (https://www.gpdp.it)

Contact Information

For any questions about this Privacy Policy or our data practices: Email: [email protected] Website: www.cibarious.org Response time: We aim to respond within 3 business days Data Protection Inquiries: Same contact information above Data Controller: Francesco Paolo Maria Di Salvia Location: Corso Vittorio Veneto SNC - 84020 Valva (SA) - Italy

---

This Privacy Policy is designed to comply with the EU General Data Protection Regulation (GDPR), ePrivacy Directive, and other applicable data protection laws. We apply these standards globally to ensure consistent privacy protection for all users. Last reviewed: November 5, 2025