Privacy Policy
Last updated: 2026-05-09
Epidot Solutions AB, reg. no. 559159-4501 ("EpiHem", "we", "us", "our") is responsible for the processing of your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Swedish data protection legislation. This privacy policy describes what data we collect, how we use it, and what rights you have.
1. Data Controller
Epidot Solutions AB
Reg. no.: 559159-4501
Location: Sundsvall, Sweden
Email: privacy@epihem.com
2. What Data Do We Collect?
2.1 Account Information
When you sign in with Google Sign-In or Apple Sign-In via Firebase Authentication, we collect and store:
- Email address
- Display name
- Profile photo URL
- Firebase user ID
2.2 Household Data
Data you create within the app is stored on our servers:
- Checklists and shopping lists
- Receipts and receipt images (including OCR-scanned data)
- Meal plans and recipes
- Calendar events
- Projects and budgets
- Household membership information
2.3 Receipt Images
Receipt images you upload are stored on our servers and retained for as long as the receipt exists in your account. To extract items and amounts, images are processed using OCR technology (optical character recognition) and AI. The AI services run in Microsoft Azure within the EU. Images are sent to our AI provider for analysis, where they are processed only for the duration of the request and are not permanently stored by the provider. The AI provider does not use your data to train its models.
2.4 Recipe Images
Recipe images you upload are stored on our servers, separate from receipt images. Images are retained for as long as the recipe exists in your account (including 30 days in trash). When the recipe is permanently deleted, the image is removed.
When you import a recipe, the content is processed by AI technology to extract the recipe name, servings, cook time, instructions, and ingredients. The AI services run in Microsoft Azure within the EU. Content is processed in memory and is not permanently stored by the AI provider, and the AI provider does not use your data to train its models.
2.5 Push Notifications
If you enable push notifications, we store a device token via Google Firebase. This token is used solely to deliver notifications to your device.
2.6 Telemetry and Error Reporting
We use Application Insights (Microsoft Azure) to collect anonymous usage statistics and error reports. This data includes:
- De-identified user flows (which pages/features are used)
- Error messages and stack traces for technical issues
- Device information (operating system, app version)
- Performance metrics (response times, load times)
Telemetry data is not linked to your identity and is used solely to improve the service.
2.7 Payment and Subscription Data
Premium subscriptions are handled via Apple App Store (iOS), Google Play Store (Android), or Stripe Payments Europe (only for payment via the web app at app.epihem.com). We do not receive or store payment card details. We receive subscription status information (active, expired, trial) from the respective app store.
2.8 Cookies
EpiHem does not use cookies for telemetry, marketing, or tracking.
3. Legal Basis for Processing
- Performance of contract (Article 6(1)(b) GDPR): to provide the service you signed up for.
- Legitimate interest (Article 6(1)(f) GDPR): for anonymous telemetry and error reporting to improve the service.
- Consent (Article 6(1)(a) GDPR): for push notifications that you actively enable.
4. How Do We Use Your Data?
- Provide, maintain, and improve the EpiHem service
- Synchronize household data between members in real-time
- Send push notifications (if enabled)
- Diagnose and resolve technical issues
5. Data Sharing
We never sell your personal data and we never will. We do not share your data with third parties for marketing purposes. EpiHem is funded entirely by subscriptions: no ads, no marketing tracking, and no third-party sharing beyond the data processors listed below.
We use the following service providers (data processors) to deliver the service:
- Microsoft Azure (Sweden Central): servers, database, storage, AI processing, OCR, and Application Insights (anonymous error reporting and performance data)
- Google Firebase: authentication (Google/Apple Sign-In) and push notifications (FCM)
- Apple Distribution International (Ireland): payment processing for Premium subscriptions purchased via the iOS app
- Google Commerce Limited (Ireland): payment processing for Premium subscriptions purchased via the Android app
- Stripe Payments Europe (Ireland): payment processing for Premium subscriptions purchased via the web app at app.epihem.com (not used by iOS or Android apps)
- RevenueCat (RevenueCat Inc., USA): handles subscription state and validation between the App Store, Google Play, and our application. We share your anonymous user ID and subscription status. RevenueCat acts as a data processor under a data processing agreement (DPA). More info: revenuecat.com/privacy
All data processing agreements comply with GDPR requirements. Server infrastructure is located in the Azure Sweden Central region (Sweden).
Our primary server infrastructure is located in Azure Sweden Central (Sweden). Some of our service providers (Google Firebase, plus Apple, Google, and Stripe via their Irish entities) may process data outside the EU/EEA, including in the United States. Such transfers are protected by EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework. We ensure that all international transfers comply with GDPR requirements.
In the event of a merger, acquisition, or sale of all or a portion of our business, your personal data may be transferred as part of the transaction. We will notify you via the app or email of any change in data controller.
6. Household Members' Responsibility for Shared Data
Household data is shared only with the members that you or another household owner has actively invited. Each household's data is logically isolated from other households at multiple layers. Inside EpiHem, only a small number of people have access for support and operations, and only when needed. Administrative actions are logged.
Within a household, members may enter information about third parties, such as contact details for schools, doctors, or other individuals. You are responsible for ensuring you have the right to share such information and that the relevant person has been informed where necessary. EpiHem is not responsible for third-party data that users enter into household data.
7. Retention and Deletion
Your data is stored for as long as you have an active account. Household data is shared with other household members and managed according to the household lifecycle.
When you delete your account, your personal data (profile, email, login data) is permanently deleted within 14 days. Data created within the household (e.g., checklists, receipts, meal plans) belongs to the household and may remain for other members, but will be disassociated from your identity.
Statutory retention of accounting records: if you have paid for a Premium subscription, we are required under the Swedish Bookkeeping Act (1999:1078) to retain the underlying billing records (payments, invoices, and supporting accounting information) for up to seven (7) years. Such records are detached from your active account but kept in our bookkeeping for the statutory period.
8. Your Rights
Under GDPR, you have the right to:
- Request access to your personal data
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Request restriction of processing
- Object to processing based on legitimate interest
- Request data portability: receive your data in a machine-readable format
- Withdraw consent for push notifications at any time
To exercise these rights, export your data via Settings → Data export, delete your account via Settings, or contact us at privacy@epihem.com for any other request. We respond within 30 days.
9. Account Deletion
See our dedicated Delete account and data page for a full description of the deletion process, timeline, and what gets deleted.
You can delete your account directly in the app under Settings. Your personal data (profile, email, login data) will be permanently deleted. You can also request deletion by email to privacy@epihem.com.
Household data (checklists, receipts, meal plans, calendar events, etc.) belongs to the household and is not deleted when an individual member removes their account. If you want all data created within the household to be permanently deleted, the entire household must be removed by the household owner.
10. Children
EpiHem is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we discover that a child under 13 has created an account, we will delete the data immediately.
11. Security
We apply appropriate technical and organizational measures to protect your data, including encryption in transit and at rest, multiple layers of access control, and ongoing security work. We never see your password. Sign-in is handled by Apple or Google.
In the event of a personal data breach, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours as required by GDPR. If the breach poses a high risk to your rights and freedoms, we will also notify you directly.
12. Automated Decision-Making
We do not make automated decisions that have legal or similarly significant effects on you. OCR processing of receipt images is a technical aid that extracts text. You can always review and correct the result manually.
13. Supervisory Authority
If you believe we are processing your personal data incorrectly, you have the right to file a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY): www.imy.se.
14. Changes
We may update this policy. For material changes, we will notify you via the app or email. The latest version is always available on this page.
15. Contact
Epidot Solutions AB
Reg. no.: 559159-4501
Location: Sundsvall, Sweden
Email: privacy@epihem.com