Harthena

Privacy Policy

How we collect, use, and protect your family's personal data.

Effective date: 7 May 2026  ·  Last reviewed: 18 May 2026

In plain English: Harthena is a family app. We collect only what we need to run the service. We do not sell your data, advertise to you, or share personal information with third parties except the service providers listed below. Your children's data is treated with the highest level of care.

1. Who we are

Harthena is operated by Family Digital Solutions Ltd (Companies House: 17223355) ("we", "us", "our"). We are the data controller responsible for your personal data under UK GDPR and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO) under registration number ZC151768.

Our registered address is: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UNITED KINGDOM.

You can contact us about data protection matters at: privacy@harthena.com.

If you are resident in the European Union, the same rights and protections apply to you under EU GDPR (Regulation 2016/679). Where we refer to "UK GDPR" throughout this policy, we mean UK GDPR and the Data Protection Act 2018. EU residents' rights are materially identical.

2. What personal data we collect

We collect only the data necessary to operate Harthena. Below is a full account of what we collect and why.

Family account data (collected at registration)

  • Family name — used to identify your family within the app.
  • Unique family code (shortcode) — a short identifier for your family's account, used in invite links.
  • Parent name(s) — used to display who is managing the account.
  • Parent email address(es) — used to send transactional service emails (account confirmations, subscription receipts, security notices) and, where you have given consent, a structured onboarding email sequence (up to 9 emails over the first 30 days) to help you get started with Harthena. We do not email children directly.
  • Email consent flag — whether you have opted in to receive emails from us beyond strictly transactional messages, including the onboarding sequence.
  • Referral code — if you share or use a referral link, we store a unique referral code linked to your family account and, where applicable, the referring family account. Used solely to attribute referral rewards; no personal details of the referring family are visible to you or vice versa.

Children's profile data (entered by parents)

  • Child's first name or nickname — used to personalise the child's in-app experience. We recommend using a first name or nickname only; we do not require surnames.
  • Child's date of birth (optional) — used to automatically determine age-appropriate content settings within the app. You may enter a full date or select an age band manually instead; a precise date is not required.
  • PIN (hashed) — a numeric PIN used by children to access their account. The PIN is stored as a cryptographic hash; we cannot read it in plaintext.
  • Allowance configuration — amounts, frequency, and savings-split settings, all set by parents.
  • Spending and savings records — transactions approved by parents, savings goals set by the child, and wishlist items.
  • Chore assignments — tasks assigned by parents.
  • Shopping requests — items requested by children, pending parent approval.

Subscription and billing data

  • Stripe customer and subscription identifiers — reference IDs linking your family account to your Stripe subscription. We do not store card numbers, sort codes, or bank details; these are held entirely by Stripe.
  • Subscription status and period — whether your plan is active, in trial, cancelled, or past due.
  • Billing events log — a record of subscription events (e.g., "payment succeeded", "subscription cancelled") used for support and tax purposes.
  • Stripe card fingerprint — a cryptographic hash generated by Stripe that identifies the physical payment card associated with your subscription (not the card number itself). Used to detect and prevent abuse of discount and resubscription offers. We never see or store card numbers.

Technical and usage data

  • Hashed IP address — a one-way hash of your IP address, stored in our audit log to detect and prevent abuse. We cannot reverse a hashed IP to identify you individually.
  • Session data — a short-lived session token stored in your browser's sessionStorage (not a cookie; see Section 10) and used to authenticate API requests. It is cleared when you close the browser tab.
  • Server-side request logs — standard web server logs (HTTP method, URL path, response code, timestamp). These are retained for 30 days for security and diagnostic purposes. They do not include request body content.
  • Push notification subscription data — if you enable push notifications in your browser, your browser-generated push endpoint and associated cryptographic keys are stored on our servers to deliver notifications to your device. Used solely for notification delivery; removed when you revoke permission or delete your account.

Meal planning and recipe data (paid plan)

  • Recipe search queries — text queries sent to the Spoonacular API. These are not linked to your identity at the Spoonacular end; only our server's IP address is visible to Spoonacular.
  • Recipe images (optional photo import) — if you use the photo-to-recipe feature, the image you upload is sent to Anthropic's Claude AI for text extraction and is not retained by Anthropic beyond the immediate API request (see Section 5).
  • Saved meal plans — stored in your family account on our servers.

Data we do NOT collect

  • We do not collect children's surnames or email addresses.
  • We do not collect location data.
  • We do not use cookies for tracking or analytics. We use PostHog analytics (localStorage only, EU servers, no personal data) — see Section 10.
  • We do not carry out behavioural profiling or targeted advertising.
  • We do not use automated decision-making that produces legal or similarly significant effects.

3. How we use your data and our legal basis

UK GDPR requires us to identify a lawful basis for each type of processing. Our lawful bases are:

Processing activity | Lawful basis | Details
Creating and managing your family account | Contract (Art. 6(1)(b)) | Necessary to perform our agreement with you to provide the Harthena service.
Processing subscription payments | Contract (Art. 6(1)(b)) | Necessary to fulfil your paid subscription agreement.
Sending transactional emails (receipts, security alerts, service notices) | Contract (Art. 6(1)(b)) | Necessary to perform the service and fulfil legal notification obligations.
Sending optional product updates or news | Consent (Art. 6(1)(a)) | Only sent where you have opted in. You may withdraw consent at any time via the unsubscribe link in any email.
Security monitoring, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) | To protect users and the integrity of the service. We have assessed that our security interests are not overridden by your rights, particularly given the minimal data retained (hashed IPs only).
Retaining billing records for tax and legal compliance | Legal obligation (Art. 6(1)(c)) | UK tax law (HMRC) requires financial records to be kept for a minimum of 6 years.
Responding to data subject rights requests | Legal obligation (Art. 6(1)(c)) | Required by UK GDPR to process and respond to your rights requests.
Sending recipe queries to Spoonacular (paid plan) | Contract (Art. 6(1)(b)) | Necessary to provide the recipe search feature you have paid for.
Processing recipe images via Claude AI (paid plan, optional) | Contract (Art. 6(1)(b)) | You explicitly trigger this feature; the image is processed solely to extract recipe data for you.

4. Children's data and the UK Children's Code

Harthena is designed for families and is used by children. We take children's privacy with the utmost seriousness and comply with the UK ICO's Age Appropriate Design Code (Children's Code) and equivalent EU protections.

How children's accounts work

Children do not register independently. All children's profiles are created and managed by a parent or guardian. By creating a child's profile in Harthena, you confirm you are that child's parent or legal guardian and that you consent on the child's behalf to the data processing described in this policy.

Our commitments for children's data

  • Data minimisation: We collect only the minimum data necessary — a first name or nickname, an optional date of birth (for age-appropriate settings), a PIN, and family activity records.
  • No direct marketing to children: We do not contact children by email or any other channel. All communications go to the parent email address.
  • No profiling or behavioural advertising: Children's data is never used for profiling, advertising, or any purpose beyond operating the app.
  • No data sharing for commercial purposes: Children's data is never sold or shared with third parties for commercial gain.
  • No location tracking: We do not collect location data from children or parents.
  • Privacy by default: All child account settings default to the most privacy-protective option. No data beyond what is strictly necessary is collected.
  • Parental control: Parents have full visibility and control over all data associated with their children's profiles, including the ability to delete data at any time.

5. Who we share your data with

We do not sell your data. We share data only with the following categories of third-party service providers ("processors") who act under our instructions and are bound by appropriate data processing agreements:

Stripe — Payment processing

Stripe Technology Europe Limited (incorporated in Ireland, a subsidiary of Stripe, Inc.) processes subscription payments. Stripe receives your payment card details directly; we never see or store them. Stripe also stores your billing history and subscription status. Stripe is bound by its own privacy policy at stripe.com/gb/privacy and is certified under PCI DSS. Stripe may set cookies on its own checkout pages (see Section 10).

Resend — Transactional email

Resend, Inc. (US-based) delivers transactional emails to parent email addresses (e.g., registration confirmations, subscription receipts). Resend processes email addresses and email content for delivery purposes only. We have a Data Processing Agreement with Resend that includes Standard Contractual Clauses for international data transfers. Resend's privacy policy is at resend.com/legal/privacy-policy.

Railway — Cloud hosting and infrastructure

Railway Corp hosts our application servers and PostgreSQL databases in the EU West (Amsterdam) region. All family data stored by Harthena resides within the European Economic Area. We have a Data Processing Agreement with Railway. Railway is SOC 2 compliant. Railway's privacy policy is at railway.app/legal/privacy.

Spoonacular — Recipe search API (paid plan only)

Spoonacular (US-based) provides recipe search and nutritional data. When you use the recipe search feature, your search query (a food or recipe name — no personal data) is sent to Spoonacular's API. Our server's IP address is visible to Spoonacular as part of normal network communication; no personal account data is transmitted. Spoonacular's privacy policy is at spoonacular.com/food-api/docs.

Anthropic (Claude AI) — Recipe photo import and URL OCR (paid plan, optional)

Anthropic, PBC (US-based) provides AI services used for our photo-to-recipe and recipe URL import features. When you upload a food photo or import a recipe from a JavaScript-rendered website, the resulting image is sent to Anthropic's Claude AI API for text and data extraction. The image is processed in real time; Anthropic does not retain or train on data submitted via its API. No personal data is included in the image request beyond the image content itself. Anthropic's privacy policy is at anthropic.com/privacy.

ScreenshotOne — Recipe page rendering (paid plan, optional)

ScreenshotOne (US-based) provides a page-rendering service used as part of our recipe URL import feature, specifically for JavaScript-rendered recipe websites (such as supermarket sites) that cannot be parsed directly. When you import a recipe from such a site, the recipe URL is sent to ScreenshotOne, which renders the page and returns an image for Claude AI to extract the recipe data from. No personal data is transmitted to ScreenshotOne — only the recipe page URL. This feature is quota-gated and available on paid plans only. ScreenshotOne's privacy policy is at screenshotone.com/privacy-policy.

Cloudflare R2 — Meal image storage (paid plan)

Cloudflare, Inc. (US company, operating through Cloudflare Ireland Ltd for EU/UK customers) provides object storage for meal images you upload or import as part of the meal planning feature. Meal images are stored in a Cloudflare R2 bucket with the jurisdiction set to "European Union (EU)" in the Cloudflare dashboard — images are stored within the EEA and do not leave it. Cloudflare never accesses your stored images for any purpose beyond storage and delivery. Cloudflare's privacy policy is at cloudflare.com/privacypolicy.

Disclosure required by law

We may disclose your data where required to do so by law, court order, or lawful government request. We will notify you of any such request unless we are legally prohibited from doing so.

6. International data transfers

Harthena is based in the United Kingdom. Some of our service providers are based outside the UK and the European Economic Area (EEA). When we transfer personal data internationally, we ensure appropriate safeguards are in place as required by UK GDPR Article 46 and EU GDPR Article 46.

Provider | Country | Safeguard
Stripe Technology Europe Limited | Ireland (EEA) | UK-EU adequacy decision applies. No special safeguard required for UK→EU transfers.
Resend, Inc. | United States | Standard Contractual Clauses (SCCs) incorporated in our Data Processing Agreement.
Spoonacular | United States | No personal data transmitted; only food search queries. SCCs or equivalent apply for any incidental processing.
Anthropic, PBC | United States | Standard Contractual Clauses (SCCs) incorporated in our API terms. No personal data included in image requests.
ScreenshotOne | United States | Only recipe page URLs (public web addresses) are transmitted — no personal data. SCCs or equivalent apply for any incidental processing.
Cloudflare, Inc. (R2 storage — Cloudflare Ireland Ltd) | European Union (EEA) | R2 bucket jurisdiction set to "European Union (EU)" in the Cloudflare dashboard — data is stored and processed within the EEA only. No transfer outside the EEA/UK occurs. UK–EU adequacy decision applies.

You can request a copy of the relevant Standard Contractual Clauses by contacting us at privacy@harthena.com.

7. How long we keep your data

Data category | Retention period | Reason
Family account and all associated data | Until deletion request, then permanent erasure within 30 days | Active service provision.
Parent email addresses | Duration of account. Nulled immediately on unsubscribe from marketing. | Service communication; privacy by design on unsubscribe.
Billing event records (amounts, dates, event types) | 6 years from the end of the tax year in which the transaction occurred | HMRC statutory requirement for financial records.
Stripe customer and subscription IDs | 6 years (linked to billing records above) | HMRC statutory requirement.
Server request logs | 30 days rolling | Security and diagnostics only.
Audit log (hashed IP, action, timestamp) | Anonymised after 90 days (user ID and IP hash removed); anonymised records retained indefinitely | Security monitoring. Anonymisation removes all linkable identifiers after 90 days.
Cancellation attempt records | Retained on legitimate interest basis; all personally identifiable fields anonymised when your account data is erased | Fraud and abuse prevention; used to verify that discount eligibility rules have been followed (Art. 6(1)(f)).
Erasure requests (confirmation record) | 3 years | Demonstrating compliance with rights requests.

When you request erasure or close your account, we will permanently delete all personal data within 30 days, subject to the legal retention obligations above (e.g., billing records). A confirmation of the erasure will be emailed to you.

8. Your rights

Under UK GDPR (and, for EU residents, EU GDPR), you have the following rights:

  • Right of access: You may request a copy of all personal data we hold about you and your family.
  • Right to rectification: You may ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): You may ask us to delete your data. This right may be limited where we have a legal obligation to retain data (e.g., billing records).
  • Right to data portability: You may request your data in a structured, machine-readable format. This right applies to data you provided to us, processed by automated means, on the basis of contract or consent.
  • Right to restriction: You may ask us to restrict processing of your data in certain circumstances (e.g., while a dispute is being resolved).
  • Right to object: You may object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent: Where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects. We do not carry out such processing.

You can exercise many of these rights directly within the app (Settings → Data & Privacy). To make a formal request, contact us at privacy@harthena.com. We will respond within one calendar month. See also our GDPR & Data Rights page for detailed guidance.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage. Specific measures include:

  • All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
  • Encryption at rest (infrastructure layer): Our hosting provider, Railway, encrypts all data at rest on its PostgreSQL databases and application servers using AES-256 encryption at the storage layer.
  • Encryption at rest (application layer): Sensitive personal data fields — including children's names, dates of birth, and transaction descriptions — are additionally encrypted at the application layer using AES-256-GCM before being written to the database. The encryption key is held separately from the database itself. Even in the event of unauthorised database access, these fields cannot be read as plaintext without the application-layer key.
  • PINs are stored as irreversible cryptographic hashes (bcrypt); we cannot read them in plaintext.
  • Session tokens are short-lived and stored in browser sessionStorage (cleared on tab close), not persistent cookies.
  • IP addresses in our audit log are irreversibly hashed before storage.
  • Access to our database and infrastructure is restricted to authorised personnel.
  • Our infrastructure provider (Railway) is SOC 2 certified.
  • Payment card data is never processed or stored by us — it is handled entirely by Stripe (PCI DSS compliant).

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and will inform affected users without undue delay where required by law.

10. Cookies and browser storage

Harthena does not set HTTP cookies on your device. We use the following browser storage mechanisms instead:

  • sessionStorage: We store your session token in sessionStorage. This is not a cookie — it is cleared automatically when you close the browser tab, and is not transmitted as an HTTP cookie header. It is used solely to keep you logged in during a single browsing session.
  • localStorage: We store one debugging preference flag in localStorage, and PostHog's cookie-free analytics state also lives there (see below). Neither contains personal data, and the preference flag is not transmitted to our servers.

Third-party cookies: When you visit Stripe's payment checkout pages (on Stripe's own domain, not ours), Stripe may set cookies for fraud prevention, session management, and security purposes. These are governed by Stripe's own cookie policy.

We do not use analytics cookies, advertising cookies, or cross-site tracking technologies. We use PostHog for privacy-friendly, cookie-free analytics (localStorage only, EU servers). For more detail, see our Cookie Policy.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the parent email address on your account) and update the "Last reviewed" date at the top of this page. We recommend reviewing this policy periodically.

Continued use of Harthena after a material change constitutes acceptance of the updated policy.

12. How to complain

If you are unhappy with how we have handled your personal data, please contact us first at privacy@harthena.com so we can try to resolve the matter.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • UK residents: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
  • EU residents: The data protection authority in your EU member state. A list is available at edpb.europa.eu.

Note: This privacy policy has been prepared to comply with UK GDPR (UK General Data Protection Regulation), the Data Protection Act 2018, EU GDPR (Regulation 2016/679), the UK ICO Children's Code, and the Privacy and Electronic Communications Regulations 2003 (PECR). It reflects Harthena's data practices as of the effective date above. We recommend seeking independent legal advice if you have specific compliance questions.

© 2026 Family Digital Solutions Ltd. All rights reserved. Made in the UK. Harthena is not a financial service. All values are informational only, set by parents.