Privacy Policy

Biltong Buddy (“we”, “us”, or “our”) operates the Biltong Buddy progressive web application and associated services, available at biltongbuddy.app. Biltong Buddy is a food tracking app for hobbyist and small-scale biltong makers to log drying progress, monitor weight loss, and record recipes.

This Privacy Policy explains what personal data we collect, why we collect it, how it is stored and protected, and what rights you have over it. We are committed to being transparent and straightforward — no legal jargon where plain English will do.

For the purposes of UK GDPR, we are the data controller. Our designated contact for privacy matters is reachable at [email protected].

By creating an account or using Biltong Buddy, you agree to the collection and use of data as described in this policy. If you do not agree, please do not use the app.

We collect information in three ways: directly from you when you use the app, automatically as you use the service, and from third-party authentication providers if you choose to sign in with Google.

We use the data we collect for the following purposes:

• Providing the core service — storing and displaying your batches, pieces, and recipes so you can track your biltong drying progress.
• Account management — authenticating your identity and communicating essential account information (e.g. password resets, security alerts).
• Improving the app — using aggregate usage data and error reports to identify and fix bugs, prioritise features, and improve performance.
• Notifications — if you opt in, sending push notifications or emails about your active batches (e.g. drying milestones). You can withdraw this consent at any time from your account settings.
• Security and fraud prevention — monitoring for unusual access patterns or abuse of our systems.
• Legal compliance — retaining records as required by applicable law, and responding to lawful requests from authorities.

We do not use your data for advertising, and we do not sell it to third parties for any purpose.

All Biltong Buddy data is stored in Supabase, a managed PostgreSQL database platform. Supabase stores your data on managed cloud infrastructure. Your data is encrypted in transit using HTTPS (TLS 1.2+) and encrypted at rest using AES-256.

Access to your data within the database is controlled by Row-Level Security (RLS) policies enforced at the database layer. This means even our own application code cannot read another user’s data — the database itself enforces that each user can only access their own records.

Our backend API runs on Railway infrastructure. API endpoints require valid authentication tokens for all user-specific operations. Tokens are short-lived and refreshed automatically by Supabase Auth.

Biltong Buddy uses a small number of third-party services to operate. Each of these services has its own privacy policy and data handling practices. We have selected providers that meet our security and privacy standards.

Nerdbase is based in the United Kingdom and your data is processed under UK GDPR and the Data Protection Act 2018. Some of the third-party providers we rely on (listed in Section 5) are based outside the UK and the European Economic Area (“EEA”) — primarily in the United States. This means that some of your personal data may be transferred to, stored in, or accessed from countries that the UK government has not formally found to provide an “adequate” level of data protection.

Where we transfer personal data outside the UK or the EEA, we rely on one of the following lawful transfer mechanisms recognised under UK GDPR:

• UK adequacy regulations — for transfers to countries the UK government has formally recognised as providing equivalent protection (for example, the EEA member states). Transfers to the United States can also rely on the UK Extension to the EU–US Data Privacy Framework, but only where the receiving organisation is self-certified under that framework. Where it is not, we rely on the contractual safeguards described below.
• The UK International Data Transfer Agreement (IDTA), or the European Commission’s Standard Contractual Clauses with the UK Addendum, signed with the relevant processor as part of their data-processing agreement.
• Other lawful safeguards permitted by UK GDPR Articles 46–49 in the limited cases where neither of the above is available.

We review these arrangements periodically and will update this Policy if any of our processors materially change where they store or process your data. If you would like a copy of the safeguards in place for any specific transfer, please email [email protected] and we will share what we hold.

Under UK GDPR, EU GDPR, POPIA (South Africa), and similar applicable privacy laws, you have rights over your personal data. We honour these rights regardless of your jurisdiction.

To exercise any of these rights, email us at [email protected]. We will respond within one calendar month (or sooner where possible), as required under UK GDPR. For account deletion, you may also delete your account directly from within the app under Settings › Account › Delete Account.

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO). In South Africa, this is the Information Regulator.

We retain your personal data and app content for as long as your account is active. If you choose to delete your account, we will permanently delete all associated personal data — including your batches, pieces, recipes, and account information — within one calendar month (or sooner where possible) of receiving the deletion request.

Certain anonymised, aggregate data (e.g. app usage counts, feature adoption metrics) may be retained indefinitely as it cannot be used to identify you individually.

Error logs held in Sentry are automatically purged after 30 days under our current plan. Diagnostic logs we hold in our own database (used to investigate user-reported issues) are automatically purged after 30 days. Infrastructure access logs held by Cloudflare and Railway are retained per those platforms’ standard policies.

Biltong Buddy is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has created an account, please contact us at [email protected] and we will delete the account and all associated data promptly.

Users in certain jurisdictions may be subject to higher age thresholds (e.g. 16 in some EU member states for consent-based data processing). If you are below the applicable age threshold in your jurisdiction, you must have parental or guardian consent to use Biltong Buddy.

We may update this Privacy Policy from time to time to reflect changes in the app, our data practices, or applicable law. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Send an email notification to all registered users.
• Display an in-app notice the next time you open Biltong Buddy.

Your continued use of Biltong Buddy after we publish an updated policy constitutes your acceptance of those changes. If you do not agree with the updated policy, please stop using the app and delete your account.

Previous versions of this policy are available on request by emailing [email protected].

If you have any questions about this Privacy Policy, want to exercise your data rights, or have a concern about how we handle your data, please get in touch. We aim to respond to all privacy-related enquiries within 30 days.