Privacy Policy

Last updated: March 4, 2026

Welcome to Umami! We take your privacy seriously and want you to understand exactly how we handle your information. This Privacy Policy explains what data we collect, why we collect it, and what your rights are. We've written this in plain language because legal jargon shouldn't be harder to digest than a seven-course tasting menu.

1. Who We Are

Umami is operated by Konnecturs LDA, based in Lisbon, Portugal. We are the data controller for your personal information when you use our apps and services:

• UmamiFinder — our consumer food discovery and social dining app
• UmamiKitchens — our restaurant engagement platform
• findumami.com — this website

For any privacy-related questions, contact us at privacy@findumami.com.

2. Information We Collect

Information You Provide

• Account information: First name, last name, username, email address, and password
• Profile details: Bio/tagline, hometown, birthday (month and day only — no year), preferred language, and your AI-generated avatar
• Food preferences: Dietary restrictions, cuisine interests, spice tolerance, adventurousness level, and price range preferences
• Content you create: Dish ratings, reviews, photos, lists, group names, and chat messages
• Contact form submissions: Name, email, and message when you reach out to us through this website

Information Collected Automatically

• Location data: GPS coordinates (when you grant permission) for restaurant discovery, eating map visualization, and photo geotagging
• Device information: Device locale/language, app version, and platform
• Usage data: Dishes logged, restaurants visited, points earned, badges achieved, and feature interactions
• Technical data: IP address, user agent string (from server logs)

Information from Third Parties

• Social login: If you sign in with Google or Apple, we receive your email, name, and account identifier
• Device contacts: With your permission, we may access your contacts to help you find friends on Umami

3. How We Use Your Information

We use your information to:

• Provide and improve our food discovery and social dining services
• Personalize dish and restaurant recommendations based on your taste profile
• Enable social features like Your Table connections, Groupers, and Fellow Eaters
• Power gamification features including points, badges, and status levels
• Process your photos using AI for content moderation and food recognition
• Generate your unique AI avatar during onboarding
• Show nearby restaurants and build your eating map
• Send push notifications about achievements, social activity, and app updates
• Respond to your messages and provide customer support
• Maintain security and prevent abuse

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your data based on:

• Your consent — for location access, contact imports, AI photo processing, and push notifications
• Contract performance — to provide the services you signed up for (account features, dish tracking, social features)
• Legitimate interest — for service improvement, security monitoring, and fraud prevention

5. Who We Share Data With

We do not sell your personal data. We share data only with service providers who help us operate Umami:

• Amazon Web Services (AWS S3) — image storage, EU-North-1 region (Stockholm)
• Clarifai — AI photo analysis for content moderation and food recognition (US-based)
• OpenAI — avatar generation using text prompts only, no personal photos (US-based)
• Google — Maps display, Places search, authentication, and email delivery
• Apple — authentication on iOS
• Firebase — push notifications and legacy storage

We do not use advertising networks, external analytics platforms, or sell data to data brokers.

6. International Data Transfers

Some of our service providers (Clarifai, OpenAI) are based in the United States. When your data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses and other approved transfer mechanisms to protect your information.

7. Data Retention

We keep your personal data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain it. Server logs containing IP addresses and user agents are retained for up to 90 days for security purposes.

8. Your Rights Under GDPR

As a resident of the EU, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete information
• Erasure — request deletion of your personal data ("right to be forgotten")
• Data portability — receive your data in a machine-readable format
• Restriction — limit how we process your data
• Object — object to processing based on legitimate interest
• Withdraw consent — withdraw any previously given consent at any time

To exercise your rights, contact us at privacy@findumami.com or use the privacy settings within the app.

9. Automated Decision-Making

We use AI and automated processing in the following ways:

• Photo analysis: AI reviews uploaded photos for content moderation (safety, NSFW detection) and food identification. Flagged content is reviewed by a human moderator.
• Recommendations: Dish and restaurant suggestions are generated based on your taste profile, location, weather, and community trends. These are suggestions only and do not have legal or significant effects.
• Avatar generation: During onboarding, a unique food-character avatar is generated using AI based on text prompts — no personal photos are used.

10. Security

We implement appropriate technical and organizational measures to protect your data:

• Passwords are hashed using bcrypt
• Authentication uses JWT with access and refresh tokens
• All data is encrypted in transit via HTTPS
• Rate limiting on authentication endpoints
• Security headers via helmet.js
• UUID-based identifiers (non-sequential)
• Content moderation on all uploaded photos

11. Children's Privacy

Umami is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a minor, we will delete that information promptly.

12. Cookies and Tracking

Our mobile apps do not use cookies or advertising trackers. This website may use essential cookies for functionality (such as remembering your preferences). We do not use third-party tracking, advertising cookies, or analytics services.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the app or by email. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact & Supervisory Authority

If you have questions or concerns about this policy:

• Email: privacy@findumami.com
• Company: Konnecturs LDA, Lisbon, Portugal

You also have the right to file a complaint with the Portuguese data protection authority:

• CNPD — Comissão Nacional de Proteção de Dados
• Website: www.cnpd.pt