Effective Date: 11/19/2025

This Privacy Policy describes how ChibiCart ("we," "us," or "our") collects, uses, and protects your information when you use our Progressive Web Application. We are committed to protecting your privacy and complying with applicable data protection laws, including GDPR.

1. Information We Collect

1.1 Personal Information

• Account Data: Email address, display name, profile picture (if provided via Google Sign-In)
• Authentication Data: User ID, authentication tokens, sign-in method preferences
• Shopping Lists: List names, items, quantities, categories, completion status
• AI-Generated Content: Custom images generated for your items

1.2 Technical Information

• Device Information: Browser type, operating system, screen resolution, device type
• Usage Analytics: Feature usage, page views, session duration, user interactions (anonymized)
• Performance Data: App performance metrics, error logs, crash reports
• Voice Data: Temporary voice recordings for voice input (processed locally, not stored)

1.3 Automatically Collected Data

• Cookies and Local Storage: Authentication tokens, app preferences, offline data cache
• Firebase Analytics: User behavior patterns, feature adoption, retention metrics
• PWA Installation Data: Installation events, launch methods, display modes

2. How We Use Your Information

2.1 Service Provision

• Provide core shopping list functionality and data synchronization
• Generate AI-powered manga-style item illustrations
• Process voice input for item addition
• Manage credit allocation and usage tracking
• Enable offline functionality through local data caching

2.2 Service Improvement

• Analyze usage patterns to improve user experience
• Monitor app performance and fix technical issues
• Develop new features based on user behavior insights
• Optimize AI generation quality and speed

2.3 Communication

• Send important service updates and security notifications
• Provide customer support and respond to inquiries
• Notify about new features or significant changes

3. Legal Basis for Processing (GDPR)

• Contract Performance: Processing necessary to provide ChibiCart services
• Legitimate Interest: Analytics, security, and service improvement
• Consent: Voice input processing, optional analytics features
• Legal Obligation: Compliance with applicable laws and regulations

4. Data Sharing and Third Parties

4.1 Service Providers

• Google Firebase: Authentication, database, storage, analytics, AI services
• Google Cloud: Infrastructure, AI image generation (Gemini)
• Vercel/Netlify: Application hosting and content delivery

4.2 Data Sharing Principles

• We do not sell, rent, or trade your personal information
• Third-party access is limited to service provision only
• All service providers are bound by strict data protection agreements
• Data sharing complies with GDPR and other applicable privacy laws

4.3 Legal Disclosure

We may disclose your information if required by law, court order, or to protect our rights and safety.

5. Data Security and Protection

• Encryption: All data transmitted using HTTPS/TLS encryption
• Firebase Security: Industry-standard security rules and authentication
• Access Controls: Role-based access with minimal privilege principles
• Regular Audits: Security assessments and vulnerability monitoring
• Data Minimization: We collect only necessary data for service provision

6. Data Retention

• Account Data: Retained while your account is active
• Shopping Lists: Retained until you delete them or close your account
• Analytics Data: Automatically deleted after 26 months (Firebase default)
• Voice Data: Processed locally and immediately discarded
• AI Images: Retained until manually deleted by user
• Deleted Account Data: Permanently removed within 30 days

7. Your Privacy Rights (GDPR)

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Portability: Export your data in a machine-readable format
• Right to Restrict Processing: Limit how we process your data
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for optional features

8. International Data Transfers

Your data may be processed in countries outside your residence, including the United States. We ensure adequate protection through:

• Google Cloud's GDPR compliance and data protection certifications
• Standard Contractual Clauses (SCCs) for international transfers
• Adherence to Privacy Shield principles where applicable

9. Children's Privacy

ChibiCart is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete the information immediately.

10. Cookies and Tracking

• Essential Cookies: Required for authentication and core functionality
• Analytics Cookies: Firebase Analytics for usage insights (anonymized)
• Local Storage: Offline data caching and user preferences
• No Third-Party Tracking: We do not use advertising or tracking pixels

11. Contact Information

For privacy-related questions or to exercise your rights, contact us:

• Email: support@chibicart.com
• Subject Line: Please include "Privacy Request" or "GDPR Request" for faster processing
• Response Time: We will respond within 30 days as required by GDPR

1. Progressive Web App (PWA) Technology

• Service Workers: Enable offline functionality and background sync
• Local Storage: Cache shopping lists and preferences for offline access
• IndexedDB: Store structured data locally for performance optimization
• Web App Manifest: Enable app installation and native-like experience

2. AI and Machine Learning

• Google Gemini AI: Generates manga-style item illustrations
• Voice Recognition: Browser-based speech-to-text (processed locally)
• Smart Suggestions: Item recommendations based on usage patterns
• Content Moderation: Automated safety filters for AI-generated content

3. Data Processing Locations

• Primary Regions: United States (Google Cloud/Firebase)
• CDN Distribution: Global content delivery for performance
• Backup Locations: Multi-region redundancy for data protection
• Local Processing: Voice input and image compression on device

4. Third-Party Integrations

• Firebase Services: Authentication, Firestore, Storage, Analytics, AI Logic
• Google Cloud AI: Image generation and processing
• Browser APIs: Web Speech API, Service Workers, Push Notifications
• CDN Services: Content delivery and performance optimization

1. Types of Cookies We Use

1.1 Essential Cookies (Always Active)

• Authentication Tokens: Keep you signed in securely
• Session Management: Maintain your app session
• Security Cookies: Prevent unauthorized access and CSRF attacks
• PWA Functionality: Enable offline features and app installation

1.2 Analytics Cookies (Can Be Disabled)

• Firebase Analytics: Understand app usage and improve features
• Performance Monitoring: Track app performance and errors
• User Experience: Analyze user journeys and feature adoption

1.3 Preference Cookies

• App Settings: Remember your preferences and customizations
• Theme Selection: Store your visual preferences
• Language Settings: Remember your language choice

2. Managing Cookies

• You can control cookies through your browser settings
• Disabling essential cookies may affect app functionality
• Analytics cookies can be disabled without affecting core features
• Clear cookies through browser settings or app logout

1. Data Controller Information

• Data Controller: ChibiCart Team
• Contact: support@chibicart.com
• Business Registration: Pending formal business entity registration
• EU Representative: Will be appointed if required based on user base

2. Lawful Basis for Processing

• Article 6(1)(b) - Contract: Core app functionality and service provision
• Article 6(1)(f) - Legitimate Interest: Analytics, security, service improvement
• Article 6(1)(a) - Consent: Optional features like voice input and advanced analytics
• Article 6(1)(c) - Legal Obligation: Compliance with applicable laws

3. Data Subject Rights

Under GDPR, you have the following rights:

• Right of Access (Article 15): Get a copy of your personal data
• Right to Rectification (Article 16): Correct inaccurate data
• Right to Erasure (Article 17): Request deletion of your data
• Right to Restrict Processing (Article 18): Limit how we use your data
• Right to Data Portability (Article 20): Export your data
• Right to Object (Article 21): Object to certain processing
• Rights Related to Automated Decision Making (Article 22): Not applicable (we don't use automated decision making)

4. Data Breach Notification

• We will notify supervisory authorities within 72 hours of becoming aware of a breach
• Users will be notified if the breach poses a high risk to their rights and freedoms
• We maintain detailed incident response procedures

5. Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for our AI features and high-risk processing activities. The assessment confirms that appropriate safeguards are in place to protect user privacy.

1. How We Notify You of Changes

• Major Changes: Email notification to all users 30 days in advance
• Minor Changes: In-app notification and updated effective date
• Emergency Changes: Immediate notification for security or legal requirements
• Version History: Previous versions available upon request

2. Types of Changes

• Feature Updates: New features or service improvements
• Legal Compliance: Changes required by law or regulation
• Security Enhancements: Updates to protect user data and privacy
• Business Changes: Modifications to business model or operations

3. Your Options

• Accept Changes: Continue using ChibiCart under new terms
• Reject Changes: Delete your account before changes take effect
• Contact Us: Discuss concerns about proposed changes
• Data Export: Download your data before account deletion

4. Effective Date and Version

• Current Version: 2.0 (Comprehensive Update)
• Effective Date: 11/19/2025
• Previous Version: 1.0 (Basic Privacy Policy)
• Next Review: 11/19/2026

1. Data Protection Compliance

• GDPR: General Data Protection Regulation (EU)
• CCPA: California Consumer Privacy Act (US)
• PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
• Privacy Shield: EU-US Privacy Shield Framework principles

2. Security Standards

• HTTPS/TLS: All data transmission encrypted
• Firebase Security: Google Cloud security standards
• Regular Audits: Quarterly security assessments
• Incident Response: 24/7 security monitoring

3. Accessibility

• WCAG 2.1: Web Content Accessibility Guidelines compliance
• Screen Reader Support: Compatible with assistive technologies
• Keyboard Navigation: Full functionality without mouse
• Color Contrast: Meets accessibility standards

4. Industry Standards

• PWA Standards: Progressive Web App best practices
• Mobile First: Responsive design principles
• Performance: Core Web Vitals optimization
• SEO: Search engine optimization standards

Legal Disclaimer

This document has been prepared to comply with applicable data protection and privacy laws. However, it should be reviewed by qualified legal counsel before deployment in production. Laws vary by jurisdiction and may change over time.