<- Back to App

Privacy Policy

Last updated: May 5, 2026

1. Information We Collect

Account Information: Email address, company name (operators), phone number (optional, for SMS alerts), and a securely hashed password.

Usage Data: Product scans, purchases, favorites, points earned, and feature interaction analytics for reliability and product improvement.

Device & Push Tokens: Device type, OS, browser, and your web-push subscription endpoint when you enable back-in-stock alerts. Push tokens are stored encrypted in our database and used solely to deliver notifications you opted into.

Location: Operator machine locations (latitude/longitude) for route optimization. We do not track personal device location.

Barcode Scans: Product barcodes scanned through HealthScan are used for product lookup and nutritional analysis only — never sold or shared.

Payment Information: Subscription payments are processed by Stripe. We never see or store your card numbers; we receive only a customer ID and subscription status.

2. How We Use Your Information

  • Provide and maintain the vending management service
  • Send back-in-stock push notifications and downtime SMS alerts you opted into
  • Process loyalty points and operator subscriptions
  • Generate operator dashboards, route plans, and sales analytics
  • Provide nutritional analysis through HealthScan
  • Detect and prevent fraud, abuse, and unauthorized access

3. Data Sharing

We do not sell your personal information. We share limited data with the following processors strictly to operate the service:

  • Supabase — primary database, authentication, encrypted at rest
  • Vercel — application hosting and edge delivery
  • Stripe — subscription payment processing
  • Twilio — outbound SMS alerts (only if you provide a phone number and enable SMS)
  • Apple/Google/Mozilla push services — encrypted notification delivery (only if you enable web push)
  • Cantaloupe / SeedLive — vending machine telemetry and payment integration (operator side only)
  • Law enforcement — only when legally required

4. Data Security

TLS 1.2+ in transit, encryption at rest, bcrypt-hashed passwords, Row Level Security on every database table so operators can only access their own data, and per-feature opt-in for sensitive flows (push, SMS).

5. Data Retention & Deletion

Account data is retained while your account is active. You can permanently delete your account and all associated data at any time from Account Settings → Danger Zone → Delete My Account. Deletion is immediate and irreversible: it removes your profile, favorites, push subscriptions, points history, machines, products, inventory, transactions, route stops, incidents, and your sign-in record. We retain anonymized aggregate analytics (no personal data) and any records we are legally required to keep for tax or fraud-prevention purposes.

6. Your Rights

You may access, correct, export, or delete your personal data at any time. Operators can export full inventory and transaction history as CSV from the dashboard. Consumers can export account data as JSON from the Account page.

7. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

8. International Users

The service is operated from the United States. By using it, you consent to the transfer of your information to the US for processing.

9. Contact

Privacy questions or data requests: privacy@coastalvending912.com