Legal
Privacy Policy
Last updated 2026-05-22
1. Data controller
The data controller for Foodtruckin is Commonwealth Creative LLC, the operator of Foodtruckin. References to “we,” “us,” or “Foodtruckin” in this Policy mean the data controller. You can reach us at support@foodtruckin.co.
2. What we collect
We collect only what we need to provide the Service:
- Account data — email address, name, and authentication identifiers from your chosen sign-in provider (currently Google).
- Tenant data — the content you publish to your tenant site: business name, location, events, menu, gallery images, testimonials.
- Integration data — when you connect Google Workspace, we receive an OAuth refresh token (stored encrypted at rest) so we can sync Sheets, Drive, and Photos on your behalf.
- Billing data — Stripe handles your card. We store only the customer and subscription identifiers Stripe returns, plus invoice timing.
- Server logs — IP address, user agent, request paths, and timestamps; retained no longer than 30 days.
3. How we use it
We use the information above to operate the Service: authenticate you, render your tenant site, sync your connected integrations, send transactional email (sign-in confirmations, billing receipts), bill your subscription, and investigate abuse or security incidents. We do not sell personal data and we do not use your tenant content to train AI models.
4. Sub-processors
We rely on a small set of sub-processors to run the Service:
- Supabase — authentication, Postgres database, and storage.
- Stripe — payment processing and the customer billing portal.
- Google — your connected Workspace account (Sheets, Drive, Photos, Business Profile) when you opt in to those integrations.
- Hetzner — cloud hosting (Europe-based) for the Foodtruckin application servers.
5. Cookies
We use first-party cookies that are strictly necessary to keep you signed in and remember the tenant context. We do not use third-party advertising cookies and we do not run cross-site tracking.
6. Your rights
Depending on where you live, you may have the right to access, correct, delete, or export the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email support@foodtruckin.co. We will respond within 30 days.
7. Data retention
We retain account and tenant data for as long as your account is active. If you cancel your subscription, we retain the data for up to 90 days so you can reactivate without losing it; after that we delete it on request or as part of routine purges. Billing records are retained for seven (7) years to meet tax and accounting obligations.
8. Security
We encrypt data in transit (TLS) and at rest. OAuth refresh tokens are encrypted with AES-256-GCM using a key separate from the database. Access to production systems is limited to operations staff with multi-factor authentication.
9. Children
The Service is not directed to children under 13. If you believe a child has provided personal data to us, contact support@foodtruckin.co and we will delete it.
10. Changes
We may update this Policy from time to time. Material changes will be announced by email or in-product notice at least seven (7) days before they take effect.