Privacy Policy
Last updated: July 8, 2026 · Effective date: July 8, 2026 · Version 1.3
Prepared with reference to PIPEDA (S.C. 2000, c. 5), British Columbia's PIPA (S.B.C. 2003, c. 63), Quebec's Act respecting the protection of personal information in the private sector (CQLR c. P-39.1, as modernized by Law 25), the GDPR (Regulation (EU) 2016/679), the CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.), COPPA (15 U.S.C. §§ 6501–6506), CASL (S.C. 2010, c. 23), and App Store / Google Play data-disclosure guidance; not a substitute for review by qualified counsel in your jurisdiction.
1. Who we are
Jahanshasys, operating under the trade name "PourIt" ("PourIt," "we," "us," or "our"), is based in British Columbia, Canada and operates the PourIt mobile application, website (pourit.app), and related services (together, the "Service").
For privacy matters, Jahanshasys is the organization responsible for personal information under Canadian private-sector privacy law and, where the GDPR applies, the controller of personal data processed through the Service.
Privacy contact / Privacy Officer:
Jahanshasys (operating as PourIt)
British Columbia, Canada
Email: [email protected] (or [email protected])
2. Scope
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you use the Service. It is intended to align with:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5
- British Columbia's Personal Information Protection Act (PIPA), S.B.C. 2003, c. 63
- Quebec's Act respecting the protection of personal information in the private sector, CQLR c. P-39.1 (as modernized by Law 25 / formerly Bill 64)
- The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, where it applies
- The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq., where it applies
- The U.S. Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the FTC COPPA Rule
- Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23, for commercial electronic messages
Which law applies depends on where you live, how we interact with you, and other facts. This policy is a transparency document, not a determination that every listed law always applies to every user.
3. Personal information we collect
The categories below are intended to match our App Store App Privacy and Google Play Data safety declarations.
3.1 Information you provide
- Account identifiers: name/display name, email address, profile photo URL (when you sign in with Google, Apple, or email registration)
- User content: favourites, personal recipes, preferences, feedback, and other content you submit
- Organization / Team data: organization membership, roles, private recipes, training records, and related team content you or your organization add
- Support correspondence: messages you send to us
- AI inputs: text you submit to the AI recipe generator (for example, ingredient preferences)
3.2 Information collected automatically
- Device and usage data: device model, OS version, app version, screen views, feature usage events, and similar analytics (Firebase Analytics)
- Crash data: crash stack traces, device state at crash time, and installation identifiers (Firebase Crashlytics)
- Authentication metadata: sign-in provider, user ID, and limited security metadata such as IP address and user agent (Firebase Authentication)
- Advertising identifiers (free tier): IDFA (iOS, subject to App Tracking Transparency) and GAID (Android) via Google AdMob, plus ad interaction data
3.3 Purchase-related information
- Pro (mobile): Apple App Store or Google Play process payment. We receive purchase confirmation data (product ID, transaction ID, purchase date). We do not receive or store full payment card numbers for these purchases.
- Team / Enterprise (web): Stripe processes payment on pourit.app. Card data is handled by Stripe. We receive transaction confirmation and billing-related details needed to provision the subscription.
3.4 Information we do not collect
- Precise location / GPS
- Contacts, photos, or microphone audio as a product feature
- Full payment card numbers (handled by Apple, Google, or Stripe)
- Personal information from children under 13 (see Section 12)
4. Purposes of collection and use
We collect and use personal information to:
- Provide, maintain, secure, and improve the Service
- Authenticate users and manage accounts
- Sync favourites, personal recipes, preferences, and Team content
- Process subscriptions and purchases (via Apple, Google, or Stripe)
- Display ads to free-tier users and measure ad performance (AdMob)
- Generate AI recipe suggestions at your request
- Analyze aggregate usage to improve features
- Monitor stability and diagnose crashes
- Respond to support requests and feedback
- Detect, prevent, and investigate abuse or security issues
- Meet legal and regulatory obligations
Under PIPEDA's limiting-collection principle (Schedule 1, Principle 4), we aim to collect only what is needed for identified purposes.
5. Legal bases (GDPR, where applicable)
Where the GDPR applies, we rely on one or more of the following bases under Article 6:
- Art. 6(1)(b) — contract: processing needed to provide the Service you request (account, recipes sync, subscription access)
- Art. 6(1)(a) — consent: where required (for example, certain advertising / tracking choices in the EEA/UK, optional communications)
- Art. 6(1)(f) — legitimate interests: security, abuse prevention, product improvement analytics, and service reliability, balanced against your rights
- Art. 6(1)(c) — legal obligation: where we must retain or disclose information to comply with law
We do not use automated decision-making that produces legal or similarly significant effects solely by automated means (GDPR Art. 22). AI recipe generation and ad personalization do not decide legal rights or eligibility for essential services.
EU/UK representative (GDPR Art. 27): if we are required to appoint an EU or UK representative because we offer the Service to data subjects in those regions without an establishment there, counsel will confirm and we will publish representative details here. We do not currently list a dedicated EU/UK representative on this page.
6. Consent and withdrawal (PIPEDA / PIPA / Law 25)
Where consent is the basis for collection, use, or disclosure, we seek knowledge and consent consistent with PIPEDA Schedule 1 Principle 3 and applicable provincial rules. You may withdraw consent subject to legal or contractual restrictions and reasonable notice (for example, by deleting your account or changing device ad/tracking settings). Withdrawal may limit features that depend on that processing.
We do not intentionally collect sensitive personal information such as health or biometric data as a product feature.
7. Third parties and processors
- Google Firebase (Authentication, Cloud Firestore, Analytics, Crashlytics, Cloud Functions) — authentication, database, analytics, crash reporting, backend operations. See Firebase privacy.
- Google AdMob — advertising for free-tier users (advertising ID / IDFA, device and ad interaction data). See Google Privacy Policy.
- Apple — Sign in with Apple; App Store billing for Pro
- Google Play — Google sign-in; Play billing for Pro
- Stripe — web payment processing for Team / Enterprise subscriptions
We do not sell personal information for money. Advertising technology may involve "sharing" or cross-context behavioral advertising as those terms are defined under California law; see Section 11.6.
Organization members may see your display name, role, and content you contribute within that organization.
We may disclose information if required by law, to protect rights/safety, or in a business transfer subject to comparable protections.
8. International transfers
Personal information may be processed on servers outside Canada (including the United States) through Google Firebase, AdMob, Apple, Google Play, and Stripe.
- Google Firebase processing is subject to Google's Firebase Data Processing and Security Terms and related cloud data processing terms.
- Where GDPR transfer rules apply, transfers may rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms used by our providers.
- Under Quebec Law 25, organizations must ensure an adequate level of protection for personal information communicated outside Quebec, including contractual measures where required. Whether a formal privacy impact assessment is required for a given transfer depends on the circumstances — counsel should confirm our operational compliance.
9. Retention
- Account and user content: for the life of the account; deleted when you delete your account (subject to short technical purge windows)
- Organization membership: until you leave the organization or delete your account (organization-owned content may remain with the organization)
- Firebase Analytics: typically up to 14 months at the event level, then aggregated (provider default; may change)
- Crashlytics: typically about 90 days (provider default; may change)
- Purchase / billing records: retained as needed for accounting, tax, and dispute resolution (commonly up to several years — exact period to confirm with counsel/accounting)
- Support correspondence: generally up to 2 years after resolution unless a longer period is needed
- Security / auth metadata: short periods as configured by Firebase for abuse prevention
After account deletion, associated Firestore user data is removed promptly. Firebase Authentication records may take additional time to purge fully under provider processes. Aggregated, de-identified analytics may be retained.
10. Security
We use commercially reasonable safeguards appropriate to the sensitivity of the information, including encryption in transit (TLS), provider encryption at rest on Firebase/Google Cloud, Firebase Authentication, and Firestore security rules that restrict access. No method of transmission or storage is completely secure.
11. Your rights
11.1 All users
- Access personal information we hold about you
- Request correction of inaccurate information
- Delete your account and associated personal data in-app (Settings → Account → Delete Account) or by emailing us
- Withdraw consent where processing is consent-based (subject to limits)
- Limit ad personalization / tracking via device settings (iOS Tracking; Android Ads settings)
Contact [email protected]. We aim to respond within 30 days, or sooner if a shorter statutory period applies.
11.2 Canada — PIPEDA
Under PIPEDA you may request access to your personal information, challenge its accuracy, and withdraw consent subject to legal limits. You may complain to our Privacy Officer and, if unsatisfied, to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
Breach notification: if a breach of security safeguards creates a real risk of significant harm, we will notify affected individuals and the Commissioner as required by PIPEDA s. 10.1, and keep breach records for at least 24 months as required by the Breach of Security Safeguards Regulations (SOR/2018-64), s. 6.
11.3 British Columbia — PIPA
As a BC-based organization, PIPA may apply. You may request access and correction, withdraw consent subject to limits, and complain to the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca). Where a privacy breach poses a real risk of significant harm, we will notify affected individuals and the OIPC as required.
11.4 Quebec — Law 25 / private-sector privacy act
Quebec residents may have rights under CQLR c. P-39.1 as modernized by Law 25, including access, rectification, withdrawal of consent, data portability in a structured commonly used technological format (where applicable), and rights related to de-indexation / cessation of dissemination in the circumstances set out in the Act. You may contact the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). Confidentiality incidents presenting a risk of serious injury are reportable under Quebec rules — operational thresholds to be confirmed with counsel.
11.5 EEA / UK — GDPR Arts. 15–22
Where GDPR applies, you may have rights to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to certain processing (Art. 21)
- Not be subject to certain solely automated decisions with legal or similarly significant effects (Art. 22)
- Lodge a complaint with a supervisory authority in your Member State
11.6 California — CCPA / CPRA
If the CCPA/CPRA applies to you, you may have the right to know what personal information we collect, delete it, correct it, and opt out of sale or sharing of personal information.
Categories collected (typical last 12 months): identifiers (name, email, user ID); internet/network activity (usage events); approximate location derived from IP for ads/fraud prevention; commercial information (subscription status / purchase confirmations); and limited inferences for analytics or ad relevance.
We do not sell personal information for money. Free-tier advertising via AdMob may constitute "sharing" for cross-context behavioral advertising under California law. California residents can opt out of sale/sharing by: (1) limiting ad tracking in device settings; (2) emailing [email protected] with the subject line "Do Not Sell or Share My Personal Information"; or (3) using any in-app or site privacy controls we provide.
Do Not Sell or Share My Personal Information: [email protected]
Whether we currently meet CCPA "business" thresholds (revenue / volume of California consumers) is a facts-and-figures question for counsel. We provide these disclosures for transparency and good practice.
12. Children's privacy (COPPA and age rating)
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13 (COPPA, 15 U.S.C. §§ 6501–6506). If you believe a child under 13 has provided personal information, contact [email protected] and we will delete it promptly.
The App contains alcohol-related content and is rated 17+ on the App Store and Mature on Google Play. A one-time age gate asks users to confirm they are of legal drinking age in their jurisdiction before use. See our Terms of Service for eligibility rules.
13. Commercial electronic messages (CASL)
We will only send commercial electronic messages with consent as required by Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23. Transactional messages (security alerts, purchase confirmations, service notices) may be sent as needed. You can withdraw marketing consent by unsubscribing or emailing us.
14. Data breach response
If we experience a breach of security safeguards involving personal information that creates a real risk of significant harm, we will notify affected individuals and applicable regulators as required (including PIPEDA s. 10.1 and, where applicable, BC PIPA and Quebec private-sector rules), describe the incident and steps you can take, and maintain required breach records.
15. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will update the "Last updated" date and, where practicable, provide in-app or email notice before changes take effect. Continued use after the effective date means you accept the updated policy. If you do not agree, stop using the Service and delete your account.
16. Contact and complaints
Jahanshasys (operating as PourIt)
British Columbia, Canada
Privacy: [email protected]
Support: [email protected]
If you are not satisfied with our response:
- Canada (federal): Office of the Privacy Commissioner of Canada — priv.gc.ca
- British Columbia: Office of the Information and Privacy Commissioner for BC — oipc.bc.ca
- Quebec: Commission d'accès à l'information du Québec — cai.gouv.qc.ca
- EEA/UK: your local data protection supervisory authority
- California: California Privacy Protection Agency / California Attorney General privacy resources
Prepared with reference to the statutes and guidance named above; not a substitute for review by qualified counsel in your jurisdiction. Version 1.3 is a content refresh grounded in public sources — not attorney sign-off.