Privacy Policy

This policy explains how Unicorn Mom("we", "us") collects, uses, stores and protects your personal information. It is drafted in line with the South African Protection of Personal Information Act, 2013 ("POPIA").

If you have questions, contact us at privacy@unicornmom.app.

The responsible party for the personal information processed through this service is the operator of Unicorn Mom, contactable at privacy@unicornmom.app. The same email address reaches our designated Information Officer.

We collect only what we need to run the service.

Information you give us

• Account details: email address (required to sign in), optional name, optional phone number, an optional password (stored only as a salted bcrypt hash), an optional profile photo.
• Recipes and meal-planning data: recipes you add, edit, save or upload (titles, ingredients, methods, tags, photos); your weekly meal plans, cooking history, notes, pantry inventory, shopping-list state.
• Friend connections: people you connect with on the service, and pending invites you send.

Information we receive automatically

• Aggregate visit data via Vercel Web Analytics: page views, approximate country, broad device family. Cookieless and does not store any identifier that can be linked back to you.
• Aggregate referral click data when you arrive through a shared link or short URL: a daily-rotating one-way IP hash (we never store your raw IP), a bucketed user-agent family (never the full user-agent string), country only (never city or finer), and the host that referred you. Used to count clicks per referral code, not to track individuals.
• Performance data via Vercel Speed Insights: Core Web Vitals (page load timings, interaction latency) sampled anonymously across visits.

Information from third parties

None. We don't buy, rent or otherwise receive personal data about you from other services.

• To provide and operate the service (recipe storage, meal planning, shopping list, friend connections).
• To send transactional emails (sign-in links, password reset notices).
• To attribute one-time referral signups to the person who invited you, so the inviter sees their connections.
• To improve the service using aggregate, non-identifying analytics.
• To respond to your queries when you contact us.

We do not use your personal information for advertising, ad targeting, or third-party marketing.

• Consent for account creation and recipe data — you actively provide it on sign-up and through use of the service.
• Performance of a contract for the day-to-day delivery of the service you signed up for.
• Legitimate interest for aggregate analytics, which carries no personal identifiers.

We share personal information only with service providers strictly necessary to run Unicorn Mom. We do not sell or rent it to anyone.

• Vercel Inc. (USA) — hosting, edge networking, web analytics and speed insights. Functions may run in regions outside South Africa.
• Amazon Web Services (Cape Town, af-south-1) — primary database storage. Your account data, recipes, plans and pantry are stored on AWS RDS infrastructure located in South Africa.
• Resend (USA) — transactional email delivery (sign-in links, password resets). They receive only the email address and message body strictly required to deliver the email.
• Vercel Blob (USA) — storage for uploaded recipe and profile images.

Some of the providers above operate from outside South Africa. POPIA Section 72 permits these transfers when (a) the recipient is subject to laws or contractual rules upholding comparable protection, (b) the transfer is necessary to perform the contract you have with us, or (c) you have consented.

By using Unicorn Mom you consent to these transfers for the purposes described above.

We use the minimum set of cookies needed to run the service.

• Session cookie — keeps you signed in. HttpOnly, expires when you sign out or after a defined session period.
• Theme cookie — remembers your light/dark theme preference.
• Referral pending cookie (um_pending_ref) — HttpOnly and cryptographically signed. Carries a referral code from the click-through into signup so the inviter is correctly credited. Not personal information on its own.
• Visitor cookie (um_v) — only set with your explicit analytics consent, which we do not currently solicit. Inactive today.

Vercel Web Analytics and Speed Insights do not use cookies or store any persistent identifier.

• Account and recipe data: until you delete your account, then for up to 30 additional days in backups.
• Aggregate referral click data: 12 months.
• Email sign-in tokens: until consumed or 30 minutes after issuance, whichever is sooner. Only a SHA-256 hash of the token is ever stored.
• Password reset tokens: same as sign-in tokens.
• Vercel Web Analytics data: retained by Vercel for ~1 month.

• All traffic between you and the service is encrypted in transit (HTTPS, TLS 1.2+).
• Your data is encrypted at rest in AWS RDS.
• Passwords are stored as salted bcrypt hashes, never in plain text.
• Session cookies are signed and HttpOnly to mitigate cross-site scripting.

No system is perfectly secure. If we ever discover a breach affecting your personal information we will notify you and the Information Regulator as required by POPIA Section 22.

POPIA gives you the following rights with respect to your personal information. You can exercise any of them by emailing us at privacy@unicornmom.app.

• Access: request a copy of the personal information we hold about you.
• Correction: ask us to correct anything that's wrong or out of date.
• Deletion: ask us to delete your account and the personal information attached to it, subject to any legal retention obligations.
• Objection: object to specific kinds of processing.
• Withdraw consent: where processing is based on your consent, you can withdraw it at any time.
• Complain to the Regulator: see Section 11 below.

If we cannot resolve a concern to your satisfaction, you have the right to lodge a complaint with the Information Regulator:

• JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
• Telephone: 010 023 5200
• Email: complaints.IR@justice.gov.za
• General queries: inforeg@justice.gov.za

Unicorn Mom is intended for adults responsible for family meal planning. We do not knowingly collect personal information from children under 18 without the demonstrable consent of a parent or legal guardian. If you believe a child has provided us with personal information, contact us at privacy@unicornmom.app and we will delete it.

We may update this policy from time to time. Material changes will be communicated through the service or by email. The "last updated" date at the top reflects the current version.

Questions, complaints, requests to exercise any of the rights described above: privacy@unicornmom.app.