🔐 Privacy Policy
Last updated: 5 April 2026 · Chef's Companion by limpo.se
Chef's Companion is designed for professional kitchen teams. We collect only what we need to run the service, we never sell your data, and you can request deletion at any time.
1. Who we are
Chef's Companion is operated by Limpo (limpo.se), based in Sweden. For GDPR purposes, Limpo is the data controller for account and usage data. Each tenant (restaurant or kitchen) is the data controller for the content they store (recipes, staff records, HACCP logs, etc.).
Contact: martin@limpo.se
2. What data we collect
- Account data: name, email address, hashed password (bcrypt + SHA-256 pre-hash).
- Business data: restaurant/business name, URL slug.
- Usage data: actions recorded in the audit log (which records were created, updated, or deleted, by whom, and when).
- Technical data: IP address associated with audit log events, stored for a maximum of 90 days, then automatically nullified.
- Kitchen content: recipes, menus, purchase orders, HACCP temperature logs, cleaning schedules, staff rota, ingredients — all entered by you.
3. Why we collect it (lawful basis)
- Contract performance — your name and email are needed to provide the service and send account notifications.
- Legitimate interest — IP address logging for a 90-day window to investigate security incidents.
- Legal obligation — audit logs may be required for food-safety compliance (HACCP records have a minimum retention period under EU food hygiene regulations).
4. How long we keep data
- Account data: for as long as your account is active. Erased on request (see section 7).
- IP addresses in audit log: automatically nullified after 90 days by a nightly background job.
- HACCP temperature logs: minimum 12 months as required by EU Regulation (EC) No 852/2004. We recommend keeping them for at least 3 years.
- Deleted records: soft-deleted (flagged, not removed) to preserve audit integrity. Hard deletion available on request.
5. Who we share data with
We do not sell or rent your data. We may share it with:
- Hosting infrastructure: Hetzner (Germany) — servers where the application runs. Data stays within the EU.
- Email delivery: used only to send transactional emails (account approval, welcome, notifications). No marketing without explicit consent.
- Legal authorities: only if required by law.
6. Cookies and tracking
We use the following cookies:
- tcc_refresh — httpOnly, SameSite=Strict — stores your session refresh token. Essential for staying logged in. Expires after 30 days.
We do not use advertising cookies, Google Analytics, or any third-party tracking.
7. Your rights (GDPR)
Under GDPR you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate data (you can update your name and email in Settings).
- Erasure ("right to be forgotten") — permanently delete your account and pseudonymise all personal data. Your audit history is retained in anonymised form.
- Restriction — ask us to stop processing your data while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interest.
To exercise your rights: email martin@limpo.se with the subject line "GDPR Request". We will respond within 30 days. Account owners can also trigger immediate self-erasure from Settings → Account → Delete account.
8. Data security
- Passwords are hashed with bcrypt (cost 12) over a SHA-256 pre-hash — never stored in plain text.
- Sessions use short-lived RS256 JWTs (15-minute access tokens) with rotating refresh tokens.
- All data is stored on EU-based servers (Hetzner, Germany).
- HTTPS is enforced in production.
9. Children's data
Chef's Companion is a professional B2B tool intended for adults. We do not knowingly collect data from anyone under 16.
10. Changes to this policy
We may update this policy. We will notify you of material changes by email or an in-app notice. Continued use of the service after notification constitutes acceptance.
11. Supervisory authority
If you have concerns about our data handling, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY — Integritetsskyddsmyndigheten) or your local EU data protection authority.