Privacy Policy
Last updated April 11, 2026
1. Who We Are
Shelfli is a mobile application developed and operated by an independent developer based in Italy. For the purposes of the EU General Data Protection Regulation (GDPR), the developer acts as the data controller for the personal data processed through the App.
You can reach us at support@shelfli.app for any privacy-related questions.
2. What Data We Collect
We collect only the data necessary to provide you with the Shelfli service. Here is a summary:
| Data | Purpose |
|---|---|
| Email address | Account creation, login, password resets |
| Username | Display name within kitchens |
| Password (hashed) | Account authentication — we never store your password in plain text |
| Kitchen data | Kitchen names, members, invite codes — to power shared household features |
| Product data | Product names, barcodes, expiry dates, categories, notes — the core of the service |
| Product photos (optional) | If you choose to attach a photo to a product, the image is stored in Firebase Storage and shown to other members of the same kitchen so everyone can recognise the product. Photos are resized to a small thumbnail and metadata such as GPS location is removed before upload |
| Preferences | Language, theme, reminder settings — stored locally on your device |
| Subscription status | Whether you are on the free or Plus tier — to manage feature access |
| Crash diagnostics | Error stack traces, app version/build, operating system, current screen, and a pseudonymous internal user ID — to detect and fix bugs |
3. What We Do Not Collect
We do not collect your precise location, contacts, call logs, browsing history, or any data unrelated to the App's functionality. When you scan a product barcode, it is looked up against an open database (Open Food Facts) — no personal data is sent in that request. Expiry-date text recognition from a product image happens entirely on your device and the image used for that step is never sent to any server. Separately, if you choose to attach a product photo so other members of your kitchen can see it, that single photo is uploaded to Firebase Storage as described in §2 and §5 — this only happens when you explicitly attach a photo.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data on the following legal bases:
- Contract performance — Processing your account and product data is necessary to provide you with the Shelfli service you signed up for.
- Legitimate interest — We may process limited data for service improvement and security, always balanced against your privacy rights.
- Consent — Where required (e.g., optional notifications), we ask for your explicit consent, which you can withdraw at any time.
5. Third-Party Services
Shelfli uses the following third-party services to operate. Each service has its own privacy policy governing how it handles data:
Firebase (Google)
We use Firebase for account authentication (Firebase Auth), cloud data storage (Cloud Firestore), and image storage (Cloud Storage for Firebase). Your account data and kitchen/product data are stored on Firebase servers. Product photos that you choose to attach to items are stored in Cloud Storage and are access-controlled so that only members of the same kitchen can read them. Firebase is operated by Google and data may be processed in the EU or other regions where Google maintains infrastructure. See Firebase Privacy.
RevenueCat
If you subscribe to Shelfli Plus, RevenueCat manages the subscription lifecycle (purchase verification, renewal tracking). RevenueCat receives a pseudonymous app user ID and subscription status — it does not receive your email or personal details directly from us. See RevenueCat Privacy.
Open Food Facts
When you scan a barcode, we query the Open Food Facts open database to retrieve product information (name, category, image). Only the barcode number is sent — no personal or account data. See Open Food Facts Privacy.
Google ML Kit (on-device)
Expiry date recognition from product photos is performed entirely on your device using Google ML Kit's text recognition. No images or text data leave your device for this feature.
Sentry
We use Sentry for crash reporting and error diagnostics in the mobile app. Sentry receives technical information such as error stack traces, app version/build, platform/OS details, the current screen, and a pseudonymous internal user ID so we can investigate and fix bugs. We do not intentionally send your email address, username, product names, notes, OCR text, invite codes, or raw barcode values in crash reports. See Sentry Privacy.
6. Data Storage and Transfers
Your data — including any product photos you attach — is stored on Firebase (Google Cloud) servers. While we aim to keep data within the European Economic Area, Google may process data in other regions in accordance with its data processing agreements and appropriate safeguards (such as Standard Contractual Clauses) as required by the GDPR.
Local preferences and reminder schedules are stored on your device only and never leave it.
7. Data Retention
We retain your data for as long as your account is active and you continue to use Shelfli. If you request account deletion, your personal data and associated content (account record, kitchens, products, history) will be permanently removed within 30 days of confirmation.
Product photos stored in Firebase Storage are removed automatically when their parent product is deleted. Photos that become orphaned because their kitchen or account was deleted are cleaned up on a best-effort basis and may persist for longer; you can contact us at support@shelfli.app to request immediate removal of any specific photo.
If you simply uninstall the App without requesting deletion, your data remains on our servers until you request its removal.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — You can request a copy of the personal data we hold about you.
- Rectification — You can ask us to correct inaccurate data.
- Erasure — You can request deletion of your data (see our Account Deletion page).
- Restriction — You can ask us to temporarily restrict processing of your data.
- Portability — You can request your data in a structured, commonly used format.
- Objection — You can object to processing based on legitimate interest.
To exercise any of these rights, contact us at support@shelfli.app. We will respond within 30 days as required by law. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or your local supervisory authority.
9. Children's Privacy
Shelfli is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@shelfli.app.
10. Security
We take reasonable measures to protect your data, including using encrypted connections (HTTPS), Firebase Security Rules to restrict data access, and hashed password storage. However, no method of electronic storage is 100% secure, and we cannot guarantee absolute security.
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within the timeframes required by the GDPR (72 hours for authority notification).
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify you through the App or by other appropriate means. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For any questions, concerns, or requests related to your privacy or this policy, please contact us at support@shelfli.app.