Introduction
Loavenly (“we,” “our,” “us”) provides a cloud-based food bank management platform (“Service”) to nonprofit organizations and eligible recipient agencies (“Customers”). This Privacy Policy describes how we collect, use, and protect personal information when you use the Service or visit our website.
Information We Collect
Information You Provide
- Account information (name, email, organization)
- Client data entered by Customers (names, addresses, household size, visit history)
- Volunteer information
- Contact information (phone, email for support)
- Content you submit through forms or email
Information Automatically Collected
- Log data (IP address, browser type, access times)
- Usage data (features used, pages viewed, aggregated interactions)
- Device information (operating system, screen size)
- Cookies and similar technologies strictly necessary to authenticate you and run the Service
Information From Third Parties
- Authentication providers (e.g., email+password via Supabase Auth)
- Address validation services (Google Places API) — only the query you type is sent, never identifying client data
How We Use Information
We use personal information to:
- Provide and improve the Service
- Authenticate users and maintain sessions
- Send administrative notifications (security alerts, product changes)
- Comply with legal obligations
- Generate required government reports (USDA TEFAP / EFAP)
- Analyze usage patterns in aggregated form
- Prevent fraud and abuse
We Do Not Sell Personal Information
Loavenly does not sell personal information and has never sold personal information in the preceding twelve months. We do not share personal information for cross-context behavioral advertising.
Data Sharing and Disclosure
Service Providers (Subprocessors)
We share personal information only with service providers that process it on our behalf:
- Supabase — database and authentication (SOC 2 Type II)
- Vercel — application hosting (SOC 2 Type II)
- Resend — transactional email delivery
- Google — address autocomplete (Places API)
- Cloudflare — DNS and DDoS protection
- Sentry — error monitoring (PII is filtered before submission)
Legal Requirements
We may disclose personal information when necessary to:
- Comply with court orders, subpoenas, or legal process
- Protect our legal rights and the rights of others
- Prevent fraud, illegal activity, or threats to safety
- Respond to government or regulatory requests
Customer Direction
Customers (food banks) control their client data. We process data as instructed by Customers under our Data Processing Agreement. Customers are responsible for their own privacy notices to end users.
Your Privacy Rights (California Residents)
Under the California Consumer Privacy Act (CCPA/CPRA), you have the right to:
- Know — Request disclosure of the categories and specific pieces of personal information collected about you
- Access — Request a copy of your personal information
- Delete — Request deletion of your personal information, subject to legal retention requirements
- Correct — Request correction of inaccurate information
- Opt-Out — Opt out of the sale or sharing of personal information (we do not sell)
- Non-Discrimination — You will not be discriminated against for exercising any of these rights
To exercise these rights, submit a request through one of these methods:
- Web form: loavenly.com/privacy-request
- Email: privacy@loavenly.com
We will respond within 45 days of receiving a verified request. This period may be extended by an additional 45 days with notice when reasonably necessary. Before fulfilling a request, we may need to verify your identity, typically by matching information you provide against information already in your account.
Data Retention
Client and visit records are retained for seven (7) years to support USDA TEFAP compliance audits. The federal requirement is three years from the close of the federal fiscal year; Loavenly exceeds this so Customers have a longer audit trail.
- Active data: retained during the Service period
- Compliance records: seven (7) years from creation
- Activity logs: seven (7) years
- Account termination: 30-day data export grace period, then archival per the retention schedule
- Deletion requests: honored outside the retention schedule upon verified request, unless we are legally required to keep the data
Data Security
We implement industry-standard security measures, including:
- Encryption at rest (database) and in transit (TLS 1.2+)
- Row-level security (RLS) policies enforcing multi-tenant isolation
- Role-based access control with the principle of least privilege
- Authentication via Supabase Auth with secure session cookies
- Continuous logging and monitoring
- Automated dependency vulnerability scanning
- Regular security review and incident response procedures
Data Breach Notification
In the event of a security breach affecting unencrypted personal information, we will notify affected individuals and the California Attorney General (where required) in accordance with California Civil Code § 1798.82 and any other applicable law. Notification will be made without unreasonable delay and no later than 30 days from confirmation of the breach, unless a longer period is required by law enforcement.
Children's Privacy
The Service is intended for authorized food bank staff and volunteers. Accounts may only be created by individuals 18 or older. Food bank clients of any age may be served by Customers, but accounts are created and managed by authorized staff — not by clients themselves.
International Data Transfers
Personal information is stored in the United States. If you access the Service from outside the U.S., your information will be transferred to U.S. servers and processed there.
Accessibility
Loavenly conforms to WCAG 2.1 Level AA. See our accessibility statement for details.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by email to account holders and by a notice on our website at least 30 days before taking effect. Continued use of the Service after changes take effect constitutes acceptance.
Contact Us
For questions about this Privacy Policy, or to exercise your privacy rights, contact us:
- Email: privacy@loavenly.com
- Web form: loavenly.com/privacy-request