Privacy Policy

Too Fresh To Waste ("we", "us", or "our") operates the Too Fresh To Waste food-rescue marketplace platform (the "Service"). This Privacy Policy explains what personal data we collect, how we use it, and the rights you have under applicable law — including the Tunisian Loi organique n° 2004-63 relative à la protection des données à caractère personnel enforced by the Instance Nationale de Protection des Données Personnelles (INPDP), and standards aligned with the EU General Data Protection Regulation (GDPR) for users accessing our platform from the European Union.

By using our Service you agree to the collection and use of data as described in this policy. If you do not agree, please do not use the Service.

1. Data We Collect

1.1 Account Information

• Full name and display name
• Email address (used for authentication and transactional emails)
• Phone number (for SMS verification where applicable)
• Password (stored as a bcrypt hash — never in plain text)
• Profile photo (optional)
• Account role (consumer, merchant, or admin)

1.2 Location Data

With your explicit permission, we collect your device's approximate GPS coordinates to show you nearby food-rescue offers. You may revoke location permissions at any time in your device or browser settings. Precise location data is used only to compute proximity and is not stored beyond your active session.

1.3 Transaction Data

• Orders placed, including offer details, price paid, and pickup timestamps
• Payment references (we do not store full card numbers)
• Loyalty points balance and transaction history

1.4 Device & Technical Data

• IP address and approximate geographic region
• Browser type and version, operating system
• Device identifiers (mobile app only)
• Pages visited, session duration, and clickstream data (analytics)

1.5 Merchant / Business Information

• Business name, address, and category
• Commercial registration number
• Bank account or payout details (for revenue disbursements)
• Food listing photos and descriptions

2. How We Use Your Data

3. Data Storage & Security

Your data is stored in a MongoDB Atlas database with:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Write-concern majority with journaling enabled in production
• Role-based access control — only authorised backend processes can read/write
• All API traffic served exclusively over HTTPS — plain HTTP requests are automatically redirected
• Passwords hashed with bcrypt (cost factor 12) — we never store or transmit plain-text passwords
• Session tokens issued as short-lived JSON Web Tokens (~15 min access, ~7 day refresh) stored in HttpOnly cookies — inaccessible to JavaScript
• Regular security audits and dependency vulnerability scanning

While we implement industry-standard safeguards, no method of transmission over the internet is 100% secure. Please use a strong, unique password and enable two-factor authentication when available.

4. Third-Party Services

We share data only with trusted processors strictly necessary to operate the Service:

• Google Analytics 4 — anonymous usage analytics. IP addresses are anonymised. You may opt out via browser extensions or cookie settings.
• Email delivery provider — sends transactional emails (verification, order confirmations). Email addresses are shared only for delivery purposes.
• Payment processor — handles payment authorisation. We do not store raw card data; the processor is PCI-DSS compliant.
• Cloud infrastructure providers — host our servers and databases under data-processing agreements.

We do not sell your personal data to any third party, ever.

5. Data Retention

• Active account data: retained for as long as your account is open
• Deleted accounts: data anonymised or purged within 30 days of deletion request, except where we are legally required to retain records
• Transaction records: retained for 5 years to comply with Tunisian commercial and tax law
• Analytics data: aggregated and anonymised after 14 months

6. Your Rights

Under Tunisian data protection law (INPDP) and, where applicable, the GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest, including direct marketing
• Withdraw consent — at any time, for processing based on consent (e.g., location access, marketing emails)

To exercise any right, email support@toofreshtowaste.com with your request. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with the INPDP at www.inpdp.nat.tn.

7. International Data Transfers

Our primary infrastructure is operated in Tunisia. Some third-party processors (e.g., analytics) may process data outside Tunisia. In such cases we rely on standard contractual clauses or the processor's adequacy certification to ensure an equivalent level of protection.

8. Children's Privacy

Our Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, please contact us immediately and we will take steps to delete it.

9. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or a prominent notice on the platform at least 7 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

10. Contact Us

For privacy-related questions or to exercise your rights, contact our Data Protection Team: