Compass Food Technologies

Privacy Policy

Effective date: 4 May 2026

This Privacy Policy explains how Compass Food Technologies Inc. ("Compass," "we," "us," or "our") collects, uses, discloses, transfers, and retains personal data in connection with Compass DaaS, the website at compassfoodtechnologies.com, the API at api.compassfoodtechnologies.com, the customer portal, support, sales, billing, and related communications.

Compass DaaS is a business-to-business service. It provides explainable, evidence-backed, deterministic, verifiable, traced, structured, and grounded restaurant and dietary-fit outputs. The core dataset is intended to describe restaurants and venues, not identifiable people. Even so, Compass may process personal data in account, billing, API, security, support, and marketing operations.

1. Controller and Contact Details

For website, account, billing, security, support, marketing, and customer relationship data, Compass Food Technologies Inc. is the controller of personal data.

| Detail | Value |
| --- | --- |
| Controller | Compass Food Technologies Inc. |
| Website | https://compassfoodtechnologies.com |
| Privacy contact | privacy@compassfoodtechnologies.com |
| Legal contact | legal@compassfoodtechnologies.com |
| Mailing address | Compass Food Technologies Inc., 131 Continental Dr, Suite 305, Newark, New Castle County, Delaware 19713, United States |

Where Compass processes personal data on behalf of a Customer under a written agreement, Compass may act as a processor or service provider for that Customer. In that case, Compass's Data Processing Agreement, available on request, and the Customer's documented instructions govern that processing.

2. Scope

This Policy applies to:

  1. Visitors to compassfoodtechnologies.com.
  2. People who create or use Compass DaaS accounts.
  3. Customer administrators, developers, billing contacts, security contacts, and support contacts.
  4. People who contact Compass through forms, email, sales channels, or support channels.
  5. API usage logs and security logs associated with Compass DaaS.

This Policy does not replace a Customer's own privacy notice for its end users. Customers are responsible for telling their own users how Customer products use Compass DaaS outputs.

3. Personal Data We Collect

Compass collects the following categories of personal data, depending on how you interact with us.

Account data includes name, work email address, company name, role, authentication identifiers, account status, plan, customer ID, API key metadata, support tier, and account preferences.

Billing data includes billing contact information, subscription plan, Stripe customer ID, invoice metadata, payment status, tax information, and transaction records. Compass uses Stripe for payment processing. Compass does not store full payment card numbers.

API usage data includes request ID, API key hash or key metadata, client ID, tier, method, endpoint, path, sanitized query parameters, hashed IP address, user agent, status code, response time, timestamp, region, quota usage, and usage counters. Compass does not intentionally log full API keys, request bodies, response bodies, passwords, tokens, or secrets in normal API request logs.

Security and abuse data includes IP address or hashed IP address, user agent, request patterns, rate-limit events, authentication failures, suspicious activity signals, abuse-event records, suspension or rate-limit actions, audit logs, and incident details.

Support and correspondence data includes messages you send to Compass, contact form submissions, support tickets, email content, meeting notes, attachments you choose to provide, and related metadata.

Marketing and optional analytics data includes newsletter or launch-list preferences, campaign source, form source, consent status, unsubscribe status, and basic engagement data. Compass does not use advertising cookies on the public site.

Device and website data includes browser type, device type, language, approximate location inferred from IP address, pages visited, session events needed for security or operation, and cookies or similar technologies needed for session, authentication, and abuse prevention.

4. Sources of Personal Data

Compass collects personal data directly from you when you create an account, contact us, subscribe, request support, submit a form, or use the API. Compass also receives data from service providers such as Stripe for billing status, Brevo for transactional email and contact-list operations, Vercel for site hosting logs, Google Cloud Platform and Firebase for hosting and account infrastructure, Cloudflare Turnstile for bot prevention, and other subprocessors listed on the Subprocessors page.

Customers may submit restaurant records, restaurant identifiers, or user-profile fields to the API. Customers must not submit sensitive personal data, health data, children's data, payment card data, passwords, or other data requiring special safeguards unless a written agreement with Compass expressly permits it.

5. Purposes and Legal Bases

Where the GDPR or UK GDPR applies, Compass relies on the following legal bases under Article 6.

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide Compass DaaS | Account access, API authentication, API responses, quota enforcement, support, customer portal | Contract performance or steps before contract |
| Billing and subscription administration | Checkout, invoices, payment status, tax records, subscription changes | Contract performance and legal obligations |
| Security and abuse prevention | API key validation, rate limits, fraud prevention, abuse logs, incident response | Legitimate interests and legal obligations |
| Service operation and improvement | Debugging, reliability monitoring, usage analysis, documentation improvement, product quality review | Legitimate interests |
| Customer communication | Operational notices, support responses, legal notices, renewal reminders | Contract performance and legitimate interests |
| Marketing and optional analytics | Launch-list updates, newsletters, non-essential analytics where enabled | Consent where required; legitimate interests where allowed |
| Legal compliance and dispute handling | Tax, accounting, regulatory inquiries, claims, enforcement of terms | Legal obligations and legitimate interests |

Compass balances legitimate interests against individual rights and expectations. You may object to processing based on legitimate interests where applicable.

6. How We Use Compass DaaS API Logs

Compass uses API logs to operate the Service, enforce quotas, investigate errors, detect abuse, respond to support requests, improve documentation, measure reliability, and secure the platform. Compass aims to minimize personal data in logs. Current request logging is designed to hash IP addresses, hash API keys, avoid full API keys, avoid request and response bodies, and strip sensitive query parameters such as tokens, secrets, passwords, and authorization values.

API usage logs are not used to sell personal data. Compass may use aggregated or de-identified usage metrics to understand endpoint adoption, plan usage, reliability, and capacity needs.

7. Sharing and Subprocessors

Compass does not sell personal data. Compass does not share personal data for cross-context behavioral advertising. Compass may share personal data with service providers and subprocessors that help operate Compass DaaS, subject to contracts and appropriate safeguards.

Compass maintains the current subprocessor list at https://compassfoodtechnologies.com/legal/subprocessors. Compass will provide reasonable notice before adding or replacing material subprocessors where required by a DPA, order form, or applicable law.

Compass may also disclose personal data if required by law, legal process, security investigation, rights enforcement, corporate transaction, or with your consent.

8. Retention

Compass keeps personal data only for as long as needed for the purposes described in this Policy, unless a longer period is required or permitted by law.

| Data category | Retention period |
| --- | --- |
| API request logs | Up to 90 days |
| Abuse, fraud, security, and incident logs | Up to 12 months, or longer if needed for an active investigation or legal hold |
| Customer account data | While the account is active, then deletion or de-identification within 30 days after termination where reasonably feasible |
| API key metadata and usage counters | While needed for account operation, billing, abuse prevention, and legal records |
| Billing, tax, invoice, and accounting records | As required by law, often up to 7 years |
| Support correspondence | Up to 3 years after resolution unless a longer legal or business need applies |
| Marketing and launch-list data | Until unsubscribe, withdrawal of consent, deletion request, or account closure, subject to suppression-list obligations |
| Backups | Deleted on the normal backup rotation cycle |

Compass may retain de-identified, aggregated, or non-personal data without time limit. Restaurant data and Compass-created scoring outputs are not Customer account data and may remain in the Compass dataset subject to source restrictions and applicable law.

9. International Transfers

Compass Food Technologies Inc. is based in the United States, and many subprocessors are based in the United States. Personal data may be transferred between the United States, the European Economic Area, the United Kingdom, and other regions where Compass or its subprocessors operate.

Where the GDPR, UK GDPR, or Swiss data protection law requires a transfer mechanism, Compass will use an adequacy decision, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement, or another valid transfer mechanism. Compass will apply supplementary measures where appropriate, such as encryption in transit, access controls, data minimization, vendor review, and contractual limits on processing.

10. Cookies and Similar Technologies

Compass uses only the cookies and similar technologies needed to run the site, portal, account flows, security checks, and abuse prevention. These may include session cookies, authentication cookies, CSRF or security tokens, and Cloudflare Turnstile technologies.

Compass does not use advertising cookies on the public site. Compass does not permit third-party advertising trackers for cross-context behavioral advertising. If Compass introduces optional analytics or non-essential cookies, Compass will provide notice and obtain consent where required, especially for EEA and UK visitors.

11. Your Rights

Depending on your location, you may have rights to:

  1. Access personal data Compass holds about you.
  2. Correct inaccurate or incomplete personal data.
  3. Delete personal data.
  4. Restrict or object to processing.
  5. Receive a portable copy of personal data where the right applies.
  6. Withdraw consent where processing is based on consent.
  7. Opt out of sale or sharing of personal data under CCPA/CPRA. Compass does not sell personal data and does not share personal data for cross-context behavioral advertising.
  8. Appeal certain privacy-rights decisions where applicable law provides an appeal right.
  9. Lodge a complaint with a data protection authority or consumer protection regulator.

To make a request, email privacy@compassfoodtechnologies.com. Compass may need to verify your identity or authority before responding. If Compass processes your personal data on behalf of a Customer, Compass may direct your request to that Customer or assist the Customer under the DPA.

12. California and U.S. State Privacy Notice

Compass does not sell personal information. Compass does not share personal information for cross-context behavioral advertising. Compass does not knowingly use or disclose sensitive personal information for purposes that would require a right to limit under California law.

The categories of personal information Compass may collect are described in Section 3. The purposes are described in Section 5. The categories of recipients are described in Section 7. Retention periods are described in Section 8.

California residents may request access, deletion, correction, portability, and opt-out rights by emailing privacy@compassfoodtechnologies.com. Compass will not discriminate against you for exercising privacy rights.

13. Customer Responsibilities

Customers are responsible for their own privacy notices, consent flows, legal bases, end-user disclosures, and data protection obligations. Customers must not send Compass personal data unless they have the rights and legal bases to do so. Customers must not send sensitive personal data, health data, children's data, payment card data, or other restricted data unless a written agreement expressly permits it.

Customers that use Compass output in end-user-facing dietary, allergy, medical, nutritional, religious, ethical, or food-safety contexts must provide their own clear disclaimers and verification instructions to end users. Compass output is informational only and is not medical, nutritional, dietary, allergy, religious, ethical, or food-safety advice.

14. Security

Compass uses reasonable technical and organizational measures intended to protect personal data, including TLS for data in transit, API-key authentication, access controls, rate limiting, log minimization, audit logging, bot prevention, and vendor controls. No system is perfectly secure. If you believe your account, API key, or data has been compromised, contact security@compassfoodtechnologies.com.

15. Children's Privacy

Compass DaaS is not directed to children. Users must be at least 16 in the EEA or UK, and at least 13 elsewhere, unless a higher age applies under local law. Compass does not knowingly collect personal data from children. If you believe a child provided personal data to Compass, contact privacy@compassfoodtechnologies.com.

16. Changes to This Policy

Compass may update this Policy from time to time. Compass will provide reasonable notice of material changes through the website, customer portal, email, documentation, or another reasonable method. The "Effective date" above shows when the current version takes effect.

17. Contact

Privacy inquiries and requests: privacy@compassfoodtechnologies.com

Legal notices: legal@compassfoodtechnologies.com

Security reports: security@compassfoodtechnologies.com

Abuse reports: abuse@compassfoodtechnologies.com

Mailing address: Compass Food Technologies Inc., 131 Continental Dr, Suite 305, Newark, New Castle County, Delaware 19713, United States.