StreetEat Privacy Policy
Last Updated: January 24, 2026
1. Introduction
This Privacy Policy explains how StreetEat ("we", "us", or "our") collects, uses, and protects your information when you use our platform as a vendor.
2. Information We Collect
Account Information:
- Email address
- Business name and description
- Location data
- Menu items and pricing
- Profile images and photos
Transaction Data:
- Order history
- Payment information (processed securely through third-party providers)
- Promo code usage
Usage Data:
- App usage statistics
- Device information
- Location data (when you update your vendor location)
3. How We Use Your Information
We use your information to:
- Provide and maintain the StreetEat platform
- Process transactions and subscriptions
- Display your vendor profile to customers
- Send important updates about your account
- Improve our services
- Prevent fraud and ensure platform security
4. Information Sharing
With Customers: Your business name, description, menu, location, and profile images are visible to all StreetEat users.
With Service Providers: We share information with third-party services that help us operate the platform, including:
- Payment processors (Stripe)
- Cloud hosting providers (Firebase, Google Cloud)
- Analytics services
We do NOT:
- Sell your personal information to third parties
- Share your data for marketing purposes without consent
5. Data Security
While we implement reasonable security measures to protect your information, please note that the platform is provided "AS-IS" and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
6. Your Data Rights
You have the right to:
- Access your personal data
- Update or correct your information through your account settings
- Request deletion of your account (available in Settings)
- Export your data
Note: Deleting your account will permanently remove your vendor profile and all associated data. This action cannot be undone.
7. Data Retention
We retain your personal information only as long as necessary to provide our services and comply with legal obligations. Our data retention periods are designed to balance service needs with data minimization principles required by privacy laws.
Key Retention Periods:
- Active Vendor Account: While your account is active + 30 days after deletion (grace period for account recovery)
- Precise Location Data (GPS): 90 days OR until you disable location tracking (whichever comes first)
- Customer Reviews: 3 years after your account deletion (then anonymized to remove your identity while preserving review content)
- Consent Records (Email/SMS/Cookies): 3 years after consent withdrawal (required by CAN-SPAM, TCPA, and CCPA)
- Financial Records: 7 years (required by IRS tax regulations)
- Age Verification: 7 years (record-keeping requirements)
Automated Deletion:
We use automated processes to enforce our retention policy:
- Location history older than 90 days is automatically deleted daily
- Soft-deleted accounts are permanently removed after 30 days
- Reviews are automatically anonymized 3 years after vendor account deletion
- Inactive email subscribers (no engagement for 2+ years) are automatically unsubscribed
What Happens After Account Deletion:
When you delete your account:
- 30-Day Grace Period: You can recover your account by contacting support
- After 30 Days: Your account and associated data are permanently deleted, including:
  - Vendor profile and business information
  - Menu items and pricing
  - Location history
  - Privacy and notification settings
- Data We Retain: We may retain the following for legal compliance:
  - Financial transaction records (7 years - IRS requirement)
  - Consent records (3 years - privacy law compliance)
  - Anonymized reviews (transparency and consumer protection)
For our complete Data Retention Policy, including exceptions and legal hold procedures, please see our Data Retention Policy.
8. Location Data
Location data is collected and shared with customers when you update your vendor location. This helps customers find you. You control when and how often you update your location.
9. Children's Privacy
StreetEat is not intended for use by individuals under the age of 18. We do not knowingly collect information from children.
10. Data Processing Agreement
For Vendors: By creating a vendor account, you accept our Data Processing Agreement (DPA), which governs how StreetEat processes customer and vendor data on your behalf.
Key Points of the DPA:
- Your Role as Data Controller: As a vendor, you are the data controller for your customers' personal data (names, orders, delivery addresses). You are responsible for obtaining customer consent and complying with applicable data protection laws.
- StreetEat's Role as Data Processor: StreetEat acts as a data processor, processing customer data on your behalf to facilitate orders, payments, and communications. We only process data according to your instructions and our Terms of Service.
- Security Measures: We implement industry-standard security measures including encryption (TLS 1.2+, AES-256), access controls, multi-factor authentication, regular security audits, and intrusion detection systems.
- Subprocessors: We engage third-party subprocessors (Google Cloud, Stripe, Vercel, map providers) to help provide our services. See our Subprocessors List for details. We provide 30 days' advance notice before adding new subprocessors.
- Data Breach Notification: We will notify you within 72 hours if we become aware of any data breach affecting your personal data. You are responsible for notifying your customers and regulatory authorities as required by law.
- Data Subject Rights: We assist you in fulfilling customer rights requests (access, deletion, correction, opt-out) through our data export and account deletion features.
- Data Retention: We retain personal data according to our Data Retention Policy (see Section 7 above) and delete data within 30 days of account deletion, subject to legal requirements.
- Audit Rights: You may audit our data processing practices with 30 days' advance notice, no more than once per year (unless triggered by a breach).
Vendor Responsibilities: As a data controller, you must:
- Obtain necessary consents from your customers for data processing
- Provide clear privacy notices to your customers
- Respond to customer data rights requests (we will assist)
- Comply with all applicable data protection laws (CCPA, state privacy laws, etc.)
- Notify customers and regulators of data breaches (we will notify you within 72 hours)
For complete details, please review the full Data Processing Agreement.
11. Third-Party Services
Our platform integrates with third-party services (Firebase, Stripe, Google Maps, etc.). These services have their own privacy policies, and we are not responsible for their practices. For a complete list of our subprocessors, see our Subprocessors List.
12. Changes to Privacy Policy
We may update this Privacy Policy from time to time. Continued use of the platform after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or your data, please contact us through the app's support channels.
14. International Data Transfers and Data Residency
Primary Data Storage Location
StreetEat primarily stores and processes your data in the United States using Google Cloud Platform's Firebase services in the us-central1 region (Council Bluffs, Iowa).
Cross-Border Data Transfers
Your data may be transferred to and processed in countries other than your own, including:
- Switzerland: GPS coordinates are sent to MapTiler AG (our map tile provider) located in Switzerland for map rendering. Switzerland is recognized by the EU as providing adequate data protection under GDPR Article 45.
- United States: All other data is stored and processed in the United States.
International Safeguards
When your data is transferred internationally, we ensure it is protected through:
- Standard Contractual Clauses (SCCs): We have executed Standard Contractual Clauses approved by the European Commission with all our third-party processors.
- Encryption: All data transfers use TLS 1.2+ encryption (HTTPS).
- GDPR Adequacy Decisions: Data transfers to Switzerland are covered by the EU's adequacy decision recognizing Swiss data protection laws as equivalent to GDPR.
Third-Party Processors and Locations
We work with the following third-party service providers to operate our platform:
- Google Cloud / Firebase (United States): Database, authentication, cloud storage, hosting
- Stripe (United States): Payment processing and vendor payouts
- Vercel (United States + Global CDN): Web application hosting and edge functions
- MapTiler (Switzerland): Map tile rendering and vendor location display
- Mapbox (United States): Alternative map provider (optional)
For a complete list of our data processors, their locations, and data processing agreements, please see our Subprocessors List.
Data Residency Details
For detailed information about where your data is stored, processed, and transferred, including backup locations, disaster recovery procedures, and international data transfer safeguards, please see our Data Residency Documentation.
Your Rights Regarding International Transfers
If you are located outside the United States, you retain all privacy rights (access, deletion, correction, opt-out, portability) regardless of where your data is stored. Standard Contractual Clauses ensure GDPR-equivalent protection even for data stored in the United States.
Changes to Data Storage Locations
We will provide 30 days' advance notice before making any material changes to our data storage locations or adding new international data processors. You will have the right to object to such changes and terminate your account if you do not agree.
Your privacy is important to us. Please review this policy carefully to understand how we handle your information.