Privacy Policy
Last updated: 2026-05-18. Version: 2026-05-18. Draft — pending lawyer review before public launch.
This Privacy Policy describes how Robotic Arm Software, LLC, a California limited liability company doing business as Repast ("Repast," "we," "us," or "our"), collects, uses, and shares information when you use the Repast website, web application, and related software (the "Service"). Robotic Arm Software, LLC is the data controller for personal information collected through the Service.
1. Information we collect
To provide the Service, we collect:
- Account information: your email address, which you provide when you sign in via email magic link.
- Profile preferences: diet type, allergies and dietary avoidances, household size, weekly budget, kitchen equipment, time preferences, preferred cuisines, and similar settings you enter during onboarding or update in your profile.
- Pantry inventory: ingredients you have on hand, either marked at onboarding or added later in your profile.
- Plan and grocery history: generated meal plans, recipe overrides, skipped meals, regenerations, and grocery checkbox state (grocery checkboxes are stored locally on your device and never sent to our servers).
- Feedback you submit: messages sent via the in-app feedback widget, including the category, your message, the page you submitted from, and a timestamp.
- Email-engagement metadata: whether weekly planning-reminder emails were delivered, opened, or bounced (via our email provider's logs).
- Acceptance records: the timestamp and version of the Terms of Service and this Privacy Policy you accepted at signup.
- Operational logs: IP addresses, request URLs, user-agent strings, and basic request metadata for security, abuse prevention, and debugging. Retained for 30 days.
- Error reports: stack traces, request URLs, and browser/OS information via Sentry. We do not capture request bodies, authentication tokens, or freeform user input in error reports.
- Anonymous usage analytics: aggregated page views, referrers, and basic device categories via Vercel Analytics. No personally-identifying information is recorded or linked to your account in analytics events.
2. How we use information
- To generate personalized meal plans and grocery lists.
- To send the weekly planning-reminder email on your preferred shopping day.
- To respond to feedback you submit and to improve the recipe library and Service based on what we learn.
- To investigate bugs, suspected abuse, and security incidents.
- To comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not share it with advertisers, data brokers, or any third party for marketing purposes.
3. Legal basis for processing
If you are in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing your personal information are: (a) contract — processing required to provide the Service you signed up for; (b) legitimate interests — operating, securing, and improving the Service; (c) consent — for any processing where consent is the appropriate basis (you may withdraw consent at any time); and (d) legal obligation — where processing is required to comply with applicable law.
4. Service providers we share data with
We use the following processors to operate the Service. Each handles only what they need to provide their function and is bound by their own privacy and security obligations:
- Supabase (database hosting): stores your account, profile, pantry, plan, and feedback data. Hosted in the United States.
- Vercel (web hosting + analytics): serves the app, processes requests, and provides anonymous usage analytics. Receives request metadata (URL, IP, user agent) for routing and serving.
- Resend (transactional email): sends sign-in magic links, weekly planning reminders, and any other transactional email. Stores email addresses and delivery logs.
- Sentry (error monitoring): receives stack traces and request metadata when errors occur. Request-body capture is disabled and PII scrubbing is enabled.
- PostHog (product analytics): tracks anonymized usage events (page views, signup completion, feature usage) to help us understand which parts of the Service users engage with. After you sign in, your event history is associated with your user id so we can measure retention and onboarding conversion. Session recording is disabled. We honor the "Do Not Track" browser setting — if you have DNT enabled, no events are sent.
Recipe content in the Service was authored offline (in part using AI tools, in part by hand) and is part of the static catalog. No personal information is sent to AI providers at runtime when you generate a meal plan.
5. Affiliate and grocery-delivery partners
When grocery-delivery affiliate integrations are available, the Service may offer buttons to send your grocery list to a partner (such as Instacart or MealMe). When you tap one of those buttons, we share with the selected partner only the data needed to populate your cart — primarily the list of ingredients and quantities for the current week's plan. We do not share your name, address, payment information, or full account data with grocery partners; you provide that information directly to them if you check out.
We may earn a referral or affiliate commission from purchases you complete through these partners. Their privacy practices are governed by their own privacy policies, not this one. We will disclose each affiliate relationship in the Service at or near the relevant button.
6. Cookies and local storage
- Authentication session cookie: set by Auth.js to keep you signed in. Strictly necessary; the Service won't work without it.
- Grocery checkbox state (browser localStorage): remembers which grocery items you've checked off while shopping. Stays on your device and is never sent to our servers.
- UI preferences (browser localStorage): dark/light theme and similar non-identifying display settings.
We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral profiling cookies.
7. Security
The Service uses HTTPS exclusively. Authentication tokens are signed and rotated. Database access is restricted to authenticated requests. We follow common industry practices for security, but no online service is completely secure. If you suspect a security issue, email us at repast@roboticarmsoftware.com with the subject line "Security."
8. Data retention
- Account, profile, pantry, and plan data: kept while your account is active. On account deletion, removed within 30 days.
- Feedback you submit: retained indefinitely so we can improve the Service. You can request deletion at any time using the contact email below.
- Email delivery logs (Resend): 30 days.
- Operational logs: 30 days.
- Error reports (Sentry): 30 days.
- Anonymous analytics: aggregated only; raw events purged after 90 days.
- Acceptance records (ToS / Privacy version + timestamp): kept for the life of the account plus a reasonable period for legal and audit purposes after account deletion.
9. International data transfers
Repast operates from the United States, and our service providers listed in Section 4 store and process data in the United States. If you access the Service from outside the United States, you acknowledge that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction.
10. Your rights — everyone
Regardless of where you live, you can:
- Access the personal information we hold about you (most of it is visible in your Profile and Settings pages; for anything else, email us).
- Correct your information (most fields are user-editable in your profile).
- Delete your account from the Settings page. Deletion is permanent and not reversible.
- Export your data in a machine-readable format (email us).
- Opt out of non-essential email — the weekly planning reminder can be paused from your Settings page.
11. Your rights — California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you specific rights regarding your personal information:
- Right to know what personal information we collect, use, share, or disclose about you.
- Right to delete personal information we collected from you, subject to limited exceptions (e.g., information we need to retain for legal compliance).
- Right to correct inaccurate personal information we hold about you.
- Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information for these purposes.
- Right to non-discrimination when you exercise any of these rights.
To exercise any of these rights, email repast@roboticarmsoftware.com with the subject line "CCPA Request." We may need to verify your identity before fulfilling the request.
12. Your rights — EU, UK, and Swiss residents (GDPR / UK GDPR)
If you are in the EU, UK, or Switzerland, you have the additional rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection to processing, in each case as provided by applicable law. You also have the right to lodge a complaint with your supervisory authority. To exercise any of these rights, email repast@roboticarmsoftware.com with the subject line "GDPR Request."
13. Children
The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. In particular, we do not knowingly collect information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA). If you believe a minor has signed up, please contact us and we will delete the account and any associated information.
14. Changes to this policy
We may update this Privacy Policy. The current version is always at this URL with a posted "Last updated" date and version identifier. For material changes, we will notify you by email or in-app notice at least 30 days before they take effect.
15. Contact
Privacy questions, data requests, and security reports: repast@roboticarmsoftware.com. Please include a subject line indicating the nature of your request (e.g., "Data Access Request," "CCPA Request," "GDPR Request," "Security").
Robotic Arm Software, LLC (California) d/b/a Repast.