Privacy Policy

• Photos you upload for review
• Business names and dish names you provide
• Account information if you sign in (name, email, profile photo via your social login provider)
• Basic usage analytics (page views, feature usage)

• AI analysis: your photos are sent to Google Gemini to generate review scores and verdicts
• Public display: reviews (including photos and scores) are published on the GrubGrade feed and business pages
• Aggregate statistics: review scores are aggregated to produce business-level ratings

• Consent — AI photo processing via Google Gemini (you are asked for explicit consent before your first snap)
• Consent — Analytics cookies (opt-in via cookie banner)
• Legitimate interest — Publishing reviews and aggregate business scores to serve the public interest in food delivery accountability
• Contract — Account management and authentication via Clerk

You may withdraw consent for AI processing and analytics at any time from your Account page. Withdrawal does not affect the lawfulness of processing before withdrawal.

GrubGrade uses Google Gemini (via the Google Generative Language API) to analyse food delivery photos and generate quality review scores.

• When you submit a snap, your photo is sent to Google's Generative Language API for real-time analysis
• Photos are processed by Google to generate scores (presentation, completeness, portion size) and a written verdict
• GrubGrade does not control Google's data retention policies for content submitted via their API. Google's API terms of service apply to data processed through their service
• If a reference (menu) image is provided, both the reference and delivery photos are sent to Google for comparison analysis
• EXIF metadata (GPS location, device info, timestamps) is stripped from all photos before they are sent to Google or stored

You will be asked for explicit consent before your first snap is processed by AI. You may withdraw consent at any time from your Account page. Consent records are stored server-side to meet GDPR Art. 7(1) requirements.

We use the following third-party services to operate GrubGrade:

• Clerk - authentication and account management
• Google Gemini - AI-powered photo analysis and review generation
• Vercel - hosting, image storage (Vercel Blob), and analytics
• Railway - PostgreSQL database hosting

• Reviews and photos — Retained for the lifetime of the public review record. On account deletion, your photos are removed and reviews are anonymised (no link to your identity)
• Account data — Retained while your account is active. Deleted within 30 days of a deletion request
• Audit logs — Security and moderation logs retained for 12 months, then automatically purged
• Rate limiting data — Temporary entries automatically cleaned up within 24 hours of expiry
• Consent records — Retained for the duration required to demonstrate compliance (minimum 3 years)

Your data may be processed outside the UK/EEA by the following services:

• Google Gemini API — Photos are sent to Google's servers (US) for AI analysis. Google operates under Standard Contractual Clauses (SCCs) as approved by the UK ICO
• Vercel — Hosting and image storage (US/global edge). Vercel complies with GDPR via SCCs and their Data Processing Addendum
• Clerk — Authentication services (US). Clerk provides a GDPR-compliant DPA with SCCs
• Railway — Database hosting (US/EU). Railway supports GDPR compliance and offers EU-based regions