Privacy Policy
Effective Date: April 12, 2026
Thyme is a grocery planning app built to make your household run smoothly. We take your privacy seriously. This policy explains what information we collect, how we use it, and the choices you have.
1 Information We Collect
We collect only what we need to make Thyme work well for you.
Account & Personal Information
- Name and email address — used to create and manage your account
- Home address — used to find nearby grocery stores and estimate distances
- Family member names — optional; used to personalize shopping lists and meal planning
- Shopping day preferences — the days of the week you prefer to shop
Grocery & Shopping Data
- Grocery lists — items you add, check off, or archive
- Purchase history — items purchased, quantities, store, and date (inferred from receipt scans or manual entry)
- Barcode scans — product barcodes scanned in the app (processed locally on your device; product lookup data is sent to OpenFoodFacts)
- Receipt scans — images you photograph are sent to Google Gemini AI for text extraction, then immediately discarded. Thyme does not store your receipt images.
Health & Allergy Information
- Allergy profiles — allergens you or your family members have flagged (e.g., peanuts, gluten, dairy)
- This is sensitive information. It is stored securely and used only to surface allergen warnings and filter unsafe products. It is never shared with advertisers.
Store Busyness Reports
- Reporting how busy a store is is optional. When you submit a report, we record the store, your reported busyness level, and the timestamp. These reports are aggregated anonymously to help other Thyme users time their trips.
Usage Data
- Standard technical data including device type, operating system version, app version, and general usage patterns (which screens you visit, how often you open the app). This data is used to improve Thyme and diagnose bugs.
- We do not collect your precise GPS location. Store lookups use your home address.
2 How We Use Your Information
- Grocery predictions & smart lists — purchase history is analyzed to suggest items you regularly buy and predict when you might run out.
- Allergen alerts — your allergy profiles are matched against product ingredient data to warn you before adding unsafe items to your list.
- FDA recall notifications — we check openFDA recall data against your purchase history to alert you if a product you've bought has been recalled.
- Store discovery — your home address is passed to the Google Places API to find grocery stores near you.
- Store busyness insights — aggregated, anonymized busyness reports help you choose less crowded shopping times.
- Account management — your email is used to send account-related communications (sign-in links, receipts for ThymePro subscriptions, important policy updates). We use Resend to send these emails.
- App improvements — usage data helps us understand what features are working well and what needs improvement.
We do not sell, rent, or trade your personal information — not to advertisers, grocery chains, data brokers, or anyone else.
3 Third-Party Services
Thyme relies on the following third-party services to function. Each service receives only the data necessary to perform its role.
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database & authentication (cloud storage) | All user account data, grocery lists, purchase history, allergy profiles | supabase.com/privacy |
| Google Gemini AI | Receipt scanning & ingredient analysis | Receipt images (for text extraction only; see Section 4) | policies.google.com/privacy |
| Google Places API | Nearby grocery store discovery | Your home address or search query | policies.google.com/privacy |
| OpenFoodFacts | Product ingredient & nutrition data | Product barcode or name (no personal identifiers) | openfoodfacts.org/privacy |
| openFDA | Food recall information | Product names from your purchase history (no personal identifiers sent to FDA) | open.fda.gov/privacy |
| Resend | Transactional email delivery | Your email address and email content | resend.com/privacy |
| QuaggaJS | Barcode scanning (camera-based) | Runs entirely on your device. No data is sent to any external server by QuaggaJS. | N/A — local processing only |
4 AI Processing
Receipt Scanning (Google Gemini AI)
When you scan a receipt, the image is sent to Google's Gemini AI API to extract item names, quantities, and prices as text. Once Thyme receives the extracted text data, the image is not retained by Thyme's servers. Google processes this image under their own privacy policy and API terms.
Receipt images are transmitted to Google's servers for processing. Do not scan receipts containing sensitive financial information you would not want transmitted over the internet, such as full card numbers or bank account details.
Ingredient Analysis (Google Gemini AI)
Thyme uses Gemini to identify ingredients and potential allergens from product descriptions and scanned items. Ingredient analysis queries are sent with product names and descriptions only — no personally identifiable information (such as your name or allergy profile) is sent directly to Google's AI. Your allergy matching is performed on Thyme's own servers using your profile.
AI-Generated Suggestions
Thyme may use your purchase history and shopping patterns (stored in Supabase) to generate shopping list suggestions. These inferences happen within Thyme's infrastructure and are not shared externally.
5 Data Storage & Security
- Provider: All user data is stored with Supabase, hosted in the United States (AWS us-east-1 region).
- Encryption at rest: Data is encrypted at rest by Supabase's infrastructure.
- Encryption in transit: All communication between the app and Supabase uses TLS/HTTPS.
- Row Level Security (RLS): Supabase Row Level Security policies are enforced so that each user can only access their own data. No user can read another user's grocery lists, allergy profiles, or purchase history.
- Authentication: Account access is protected by Supabase Auth, which supports magic-link email sign-in and secure session tokens.
- Data minimization: We collect only what is necessary. Receipt images are not retained after AI processing. Raw receipt data is not stored.
Despite our efforts, no internet-based system is 100% secure. If you believe your account has been compromised, contact us immediately at hello@usethyme.app.
6 Your Rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information Thyme holds about you.
- Correction: Request that we correct inaccurate information in your account.
- Deletion: Delete your entire account and all associated data directly in the app at Profile → Delete Account. This permanently removes your account, grocery lists, purchase history, allergy profiles, and all other personal data from our systems.
- Export (Data Portability): Request an export of your data in a machine-readable format by emailing us at hello@usethyme.app.
- Opt-out of communications: You can opt out of non-essential emails by following the unsubscribe link in any email we send.
- Restriction of processing: In certain circumstances you may request we restrict how we process your data while a dispute is resolved.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. Thyme does not sell personal information. To exercise any CCPA rights, contact us at hello@usethyme.app.
European Residents (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal information is processed under the lawful bases of contract performance (providing the service you signed up for) and legitimate interest (improving the app, security). You have the rights listed above plus the right to lodge a complaint with your local data protection authority.
We will respond to requests within 30 days. To exercise your rights, email hello@usethyme.app from the address associated with your account.
7 Children's Privacy
Thyme is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at hello@usethyme.app and we will promptly delete the account and associated data.
Family member names you optionally add for household planning are stored as part of your adult account. We do not create separate accounts or profiles for minors.
9 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we'll update the "Effective Date" at the top of this page. For material changes — those that significantly affect how we handle your data — we'll send a notification to your registered email address at least 14 days before the change takes effect.
Continued use of Thyme after any changes take effect constitutes your acceptance of the updated policy.
10 Contact Us
If you have questions, concerns, or requests about this Privacy Policy or your personal data, please reach out: