UltraCurly — Love your curls

Privacy Policy

Last updated: April 16, 2026

1. Data Controller

UltraCurly.com is operated by BEST WEB LED SHOP SRL, a company registered in Romania (CUI: RO36971470, Reg. Com.: J2017000135294), located at Str. Cristianul nr. 24, Ploiesti, Prahova County, Romania.

Data Protection Contact: contact@ultracurly.com

2. Data We Collect

Account data: When you create an account, we collect your name, email address, and (if using social login) your Google or Apple ID. We store a hashed version of your password — we never store plain text passwords.

Ingredient checks: When you use the ingredient checker, we store the ingredient text (anonymously, without linking to your account) to improve our database and track unknown ingredients. Photo uploads are processed in real time and are not stored after analysis.

Payment data: Payments are processed by Stripe. We do not store your credit card details. We only store your Stripe customer ID and subscription status.

Usage data: We use cookies and similar technologies to understand how you use the site (see Cookies section below).

3. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Account creation, subscription management, payment processing, and providing the ingredient checker service.
  • Consent (Art. 6(1)(a)): Analytics cookies, marketing cookies, and any optional data collection. You can withdraw consent at any time via Cookie Settings in the footer.
  • Legitimate interest (Art. 6(1)(f)): Service improvement through anonymous, aggregated usage data; fraud prevention and security.
  • Legal obligation (Art. 6(1)(c)): Retaining payment and tax records as required by Romanian law.

4. How We Use Your Data

  • To provide and maintain the ingredient checker service
  • To manage your account and subscription
  • To process payments through Stripe
  • To improve our ingredient database (anonymous aggregated data only)
  • To send essential service communications (password reset, subscription changes)
  • To analyze site usage and improve the service (with your consent)

We do not sell your personal data to third parties. We do not send marketing emails unless you explicitly opt in.

5. Cookies

Essential cookies (always active):

  • uc_com_token — authentication session token (JWT, expires after 2 hours)
  • uc_com_cookie_consent — stores your cookie preferences

Analytics cookies (require your consent):

  • _ga, _ga_* — Google Analytics 4 — anonymous traffic statistics, session tracking. Retention: 14 months.

Marketing cookies (require your consent):

  • _fbp — Facebook Pixel — advertising measurement. Retention: 90 days.
  • _gcl_* — Google Ads — conversion tracking. Retention: 90 days.

We implement Google Consent Mode v2. No analytics or marketing cookies are set until you give explicit consent. You can change your preferences at any time via Cookie Settings in the footer.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Ingredient check logs: Anonymous verification logs are retained for up to 24 months for service improvement, then automatically purged.
  • Payment records: Retained for 10 years as required by Romanian fiscal legislation.
  • Cookie consent records: Retained for 12 months, then consent must be re-obtained.
  • Analytics data: Google Analytics data retention is set to 14 months.

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access (Art. 15) — request a copy of the personal data we hold about you
  • Rectification (Art. 16) — request correction of inaccurate data
  • Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
  • Portability (Art. 20) — request your data in a machine-readable format
  • Restrict processing (Art. 18) — request that we limit how we use your data
  • Object (Art. 21) — object to processing based on legitimate interests
  • Withdraw consent (Art. 7(3)) — withdraw consent for analytics/marketing cookies at any time via Cookie Settings in the footer, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at contact@ultracurly.com. We will respond within 30 days (extendable to 60 days for complex requests, with prior notification).

8. International Data Transfers

Your data may be processed by third-party services located outside the European Economic Area (EEA):

  • Stripe (USA) — EU-US Data Privacy Framework certified
  • Google (USA) — EU-US Data Privacy Framework certified
  • Anthropic (USA) — processes ingredient photos temporarily for OCR; no data is stored after analysis

All transfers rely on adequacy decisions or Standard Contractual Clauses (SCCs) as required by Chapter V of the GDPR.

9. Sub-processors

  • Stripe Inc. (payments)
  • Google LLC (Analytics, OAuth, Ads)
  • Apple Inc. (Sign In with Apple)
  • Anthropic PBC (photo OCR processing)
  • HostX / Elara (web hosting, Romania) — data remains within EU
  • Hetzner Online GmbH (backup hosting, Germany) — data remains within EU

10. Data Security

We use HTTPS encryption (TLS 1.3), secure password hashing (bcrypt), and JWT tokens for authentication. Payment processing is handled entirely by Stripe (PCI DSS Level 1 compliant). We do not store credit card numbers or CVVs. Access to personal data is restricted to authorized personnel only.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

ANSPDCP

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania

Email: anspdcp@dataprotection.ro

Website: www.dataprotection.ro

12. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will notify registered users by email.