This page describes the sub-processors, security measures and data flows that support the Ingredily Service. It supplements our Privacy Policy. If you are a business customer requiring a signed Data Processing Agreement, contact hello@ingredily.com.
1. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Lovable Cloud (Supabase) | Database, auth, file storage | EU (Ireland) |
| Cloudflare, Inc. | CDN, edge runtime, DDoS protection | Global edge |
| OpenAI, L.L.C. | Ingredient verdict generation | USA (SCCs + UK IDTA) |
| Google LLC (Gemini API) | Ingredient verdict generation | USA (SCCs + UK IDTA) |
| SparkPost (MessageBird) | Transactional email delivery | USA / EU |
2. Technical & organisational measures
- TLS 1.2+ for all data in transit; AES-256 at rest.
- Row-Level Security on every user data table.
- Service-role keys stored as server-only secrets, never shipped to the browser.
- Principle of least privilege for staff access; audit logging of admin actions.
- Automated daily database backups, 7-day point-in-time recovery.
- Vulnerability scanning on dependencies; secret leakage scanning on code commits.
- Breach response: notify the ICO within 72 hours where required by Art. 33 UK GDPR.
3. Data minimisation when calling AI providers
When we ask an AI model to evaluate an ingredient list, we send the ingredient text and the minimum profile flags required for personalisation (e.g. "pregnant: true", "ckd: true"). We do not send your email, name or any other identifier.
4. Retention & deletion
See the retention table in our Privacy Policy. On account deletion we remove your profile, scan history and consent records, and request deletion at our sub-processors within 30 days.
5. International transfers
Transfers outside the UK/EEA are covered by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, with supplementary measures (encryption, access controls).
6. Contact
Data protection enquiries: hello@ingredily.com.