Privacy Policy

Last updated: 2026-03-28

Epidot Solutions AB, reg. no. 559159-4501 ("EpiHem", "we", "us", "our") is responsible for the processing of your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Swedish data protection legislation. This privacy policy describes what data we collect, how we use it, and what rights you have.

1. Data Controller

Epidot Solutions AB
Reg. no.: 559159-4501
Location: Sundsvall, Sweden
Email: privacy@epihem.com

2. What Data Do We Collect?

2.1 Account Information

When you sign in with Google Sign-In or Apple Sign-In via Firebase Authentication, we collect and store:

• Email address
• Display name
• Profile photo URL
• Firebase user ID

2.2 Household Data

Data you create within the app is stored on our servers:

• Checklists and shopping lists
• Receipts and receipt images (including OCR-scanned data)
• Meal plans and recipes
• Calendar events
• Projects and budgets
• Household membership information

2.3 Receipt Images

Receipt images you upload are stored on our servers. Images are processed using OCR technology (optical character recognition) and AI to extract items and amounts. Images are retained for as long as the receipt exists in your account. Images are sent to our AI services for analysis and returned immediately. Images are not permanently stored beyond the time required for processing and are not used to train AI models.

2.4 Recipe Images

Recipe images you upload are stored on our servers, separate from receipt images. Images are retained for as long as the recipe exists in your account (including 30 days in trash). When permanently deleted, the image is removed.

When you import a recipe, the content is processed by AI technology to extract the recipe name, servings, cook time, instructions, and ingredients. Content is processed in memory and is not permanently stored. Your data is not used to train AI models.

2.5 Push Notifications

If you enable push notifications, we store a device token via Google Firebase. This token is used solely to deliver notifications to your device.

2.6 Telemetry and Error Reporting

We use a telemetry service to collect anonymous usage statistics and error reports. This data includes:

• De-identified user flows (which pages/features are used)
• Error messages and stack traces for technical issues
• Device information (operating system, app version)
• Performance metrics (response times, load times)

Telemetry data is not linked to your identity and is used solely to improve the service.

2.7 Payment and Subscription Data

Premium subscriptions are managed through Google Play Store and Apple App Store. We do not receive or store payment card details. We receive subscription status information (active, expired, trial) from the respective app store.

2.8 Cookies

Our web client uses two cookies for telemetry:

• ai_session - tracks your session duration (expires after 30 minutes)
• ai_user - an anonymous identifier for counting unique visitors (expires after 1 year)

These cookies do not contain personal data and are used solely for anonymous telemetry and error reporting. We do not use any marketing or third-party tracking cookies.

3. Legal Basis for Processing

• Performance of contract (Article 6(1)(b) GDPR) - to provide the service you signed up for.
• Legitimate interest (Article 6(1)(f) GDPR) - for anonymous telemetry and error reporting to improve the service.
• Consent (Article 6(1)(a) GDPR) - for push notifications that you actively enable.

4. How Do We Use Your Data?

• Provide, maintain, and improve the EpiHem service
• Synchronize household data between members in real-time
• Send push notifications (if enabled)
• Diagnose and resolve technical issues

5. Data Sharing

We never sell your personal data. We do not share your data with third parties for marketing purposes.

We use the following service providers (data processors) to deliver the service:

• Microsoft Azure (Sweden Central) - servers, database, storage, AI processing, OCR, and telemetry
• Google Firebase - authentication (Google/Apple Sign-In) and push notifications (FCM)

All data processing agreements comply with GDPR requirements. Server infrastructure is located in the Azure Sweden Central region (Sweden).

Our primary server infrastructure is located in Azure Sweden Central (Sweden). Some of our service providers (Google Firebase) may process data outside the EU/EEA, including in the United States. Such transfers are protected by EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework. We ensure that all international transfers comply with GDPR requirements.

In the event of a merger, acquisition, or sale of all or a portion of our business, your personal data may be transferred as part of the transaction. We will notify you via the app or email of any change in data controller.

6. Household Members' Responsibility for Shared Data

Within a household, members may enter information about third parties, such as contact details for schools, doctors, or other individuals. You are responsible for ensuring you have the right to share such information and that the relevant person has been informed where necessary. EpiHem is not responsible for third-party data that users enter into household data.

7. Retention and Deletion

Your data is stored for as long as you have an active account. Household data is shared with other household members and managed according to the household lifecycle.

When you delete your account, your personal data (profile, email, login data) is permanently deleted within 14 days. Data created within the household (e.g., checklists, receipts, meal plans) belongs to the household and may remain for other members, but will be disassociated from your identity.

8. Your Rights

Under GDPR, you have the right to:

• Request access to your personal data
• Request correction of inaccurate data
• Request deletion of your data ("right to be forgotten")
• Request restriction of processing
• Object to processing based on legitimate interest
• Request data portability - receive your data in a machine-readable format
• Withdraw consent for push notifications at any time

Contact us at privacy@epihem.com to exercise your rights. We will respond within 30 days.

9. Account Deletion

See our dedicated Delete account and data page for a full description of the deletion process, timeline, and what gets deleted.

You can delete your account directly in the app under Settings. Your personal data (profile, email, login data) will be permanently deleted. You can also request deletion by email to privacy@epihem.com.

Household data (checklists, receipts, meal plans, calendar events, etc.) belongs to the household and is not deleted when an individual member removes their account. If you want all data created within the household to be permanently deleted, the entire household must be removed by the household owner.

10. Children

EpiHem is not directed at children under 16. We do not knowingly collect personal data from children. If we discover that a child under 16 has created an account, we will delete the data immediately.

11. Security

We take appropriate technical and organizational measures to protect your data, including encrypted communication (TLS), access controls, regular security reviews, and backups.

In the event of a personal data breach, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours as required by GDPR. If the breach poses a high risk to your rights and freedoms, we will also notify you directly.

12. Automated Decision-Making

We do not make automated decisions that have legal or similarly significant effects on you. OCR processing of receipt images is a technical aid that extracts text - you can always review and correct the result manually.

13. Supervisory Authority

If you believe we are processing your personal data incorrectly, you have the right to file a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY): www.imy.se.

14. Changes

We may update this policy. For material changes, we will notify you via the app or email. The latest version is always available on this page.

15. Contact

Epidot Solutions AB
Reg. no.: 559159-4501
Location: Sundsvall, Sweden
Email: privacy@epihem.com