PRIVACY POLICY

Pantry Run

Last Updated: January 4, 2026

Effective Date: January 4, 2026

1. INTRODUCTION

Welcome to Pantry Run. This Privacy Policy explains how Holomana LLC ("we," "us," or "our") collects, uses, shares, and protects information when you use the Pantry Run service ("Service") at pantry.run or through our mobile application.

Your Privacy Matters: We are committed to protecting your privacy and being transparent about our data practices. This Privacy Policy describes:

  • What information we collect and why
  • How we use your information
  • When and with whom we share information
  • Your rights and choices regarding your information
  • How we protect your information

Privacy-First Design: Pantry Run is designed with privacy in mind. We do not use analytics tracking, we do not sell your data, and we collect only the minimum information necessary to provide the Service.

California Residents: If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA). Please see Section 10 for details on your CCPA rights.

Agreement: By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. INFORMATION WE COLLECT

We collect several types of information from and about users of our Service:

2.1 Information You Provide Directly

Account Information: When you create an account, we collect:

  • Email address (required, used as your username)
  • Full name (optional, if provided by your OAuth provider or entered by you)
  • Profile picture/avatar URL (if provided by Google or Apple when you sign in)
  • Authentication provider type (whether you signed in with Google, Apple, or email/password)

Shopping Lists and Content: When you use the Service, we collect:

  • Shopping list names and descriptions
  • Food items, quantities, and categories you enter
  • Notes you add to items
  • Item completion status
  • List sharing and membership information (if you share lists with other users)

Communications: If you contact us for support or feedback, we collect:

  • Your email address and name
  • The content of your messages
  • Any attachments you send

2.2 Information Collected Automatically

Usage Information: When you use the Service, we automatically collect:

  • Pages you visit within the Service
  • Time and duration of your sessions
  • Device information (device type, operating system, browser type and version)
  • IP address and general location (city/region level based on IP address, not precise GPS location)
  • Authentication events (login times, OAuth provider used)

Important: We do NOT use analytics services like Google Analytics, Mixpanel, or similar third-party tracking tools. Usage information is collected only through our own infrastructure logs for security and service operation purposes.

Browser Storage: The Service stores information locally in your browser to improve performance and enable offline functionality:

  • Authentication Tokens: JSON Web Tokens (JWT) stored in browser memory for session management (managed by AWS Amplify)
  • Local Preferences: Browser localStorage stores your preferences including:
    • Currently selected shopping list
    • Theme preference (dark/light mode)
    • PWA installation prompt dismissal status
  • Offline Data: Browser IndexedDB (using Dexie library) stores a local copy of your shopping lists and items to enable offline functionality. This data remains on your device and syncs with our servers when you're online.

Note on Cookies: The Service does NOT use traditional HTTP cookies. We use modern browser storage mechanisms (localStorage and IndexedDB) for session management and offline functionality. Some browsers may classify localStorage as "cookies" in their settings, but these are not tracking cookies and are essential for the Service to function.

2.3 Third-Party Authentication

If you sign in using Google or Apple:

  • Google: We receive your email address, name, and profile picture from Google. Your use of Google Sign-In is subject to Google's Privacy Policy at https://policies.google.com/privacy
  • Apple: We receive your email address and optionally your name from Apple. Your use of Sign in with Apple is subject to Apple's Privacy Policy at https://www.apple.com/legal/privacy/

We do not have access to your Google or Apple account credentials. Authentication is handled securely by Google and Apple, and we receive only the information you authorize them to share with us.

2.4 Information We Do NOT Collect

We want to be clear about what we DON'T collect:

  • We do NOT use analytics services or tracking pixels
  • We do NOT collect precise geolocation data (GPS coordinates)
  • We do NOT track you across other websites
  • We do NOT collect payment information (the Service is currently free)
  • We do NOT sell your personal information to third parties
  • We do NOT collect store preferences, budget information, nutritional data, recipes, purchase history, or price comparisons
  • We do NOT access your device's camera, microphone, contacts, or photos (unless you explicitly upload content)
  • We do NOT use advertising tracking cookies

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

To Provide and Improve the Service:

  • Create and manage your account
  • Authenticate you when you sign in
  • Store and display your shopping lists
  • Enable offline functionality
  • Sync your data across devices
  • Remember your preferences (theme, selected list)
  • Provide customer support
  • Improve Service functionality and user experience
  • Develop new features
  • Debug and fix technical issues

For Security and Fraud Prevention:

  • Detect and prevent fraudulent, abusive, or illegal activity
  • Protect the security and integrity of the Service
  • Monitor for security incidents and unauthorized access
  • Enforce our Terms of Service

For Legal Compliance:

  • Comply with applicable laws and regulations
  • Respond to legal requests and prevent harm
  • Protect our rights and property

With Your Consent:

  • For any other purpose disclosed to you when we collect the information
  • With your explicit consent for specific uses

Marketing Communications: We do not currently send marketing or promotional emails. If we decide to do so in the future, we will update this Privacy Policy and provide you with the ability to opt out of such communications.

4. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

4.1 Service Providers

We use the following third-party service providers who have access to your information only to perform specific tasks on our behalf:

Amazon Web Services (AWS):

  • Purpose: Cloud infrastructure, hosting, database, and authentication services
  • Services Used:
    • S3 and CloudFront for hosting the application
    • DynamoDB for database storage
    • Cognito for authentication and user management
    • API Gateway for secure API access
  • Data Processing Location: AWS us-west-2 (Oregon, USA)
  • AWS Privacy Policy: https://aws.amazon.com/privacy/

Google (for OAuth sign-in only):

  • Purpose: Authentication via Google Sign-In
  • Data Shared: Google provides your email, name, and profile picture when you choose to sign in with Google
  • Google Privacy Policy: https://policies.google.com/privacy

Apple (for OAuth sign-in only):

  • Purpose: Authentication via Sign in with Apple
  • Data Shared: Apple provides your email and optionally your name when you choose to sign in with Apple
  • Apple Privacy Policy: https://www.apple.com/legal/privacy/

These service providers are obligated to protect your information and not use it for other purposes. We have selected providers that maintain high security and privacy standards.

4.2 Legal Requirements

We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service or other agreements
  • Protect the rights, property, or safety of Holomana LLC, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues

4.3 Business Transfers

If Holomana LLC is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to the successor entity. We will notify you via email and/or a prominent notice on our Service of any such change in ownership or control of your personal information.

4.4 Shared Shopping Lists

If you choose to share a shopping list with other users, the users you share with will be able to view and edit that list according to the permissions you grant. We facilitate this sharing but do not use or access shared list data beyond what's necessary to provide the sharing functionality.

4.5 Aggregated or De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may share statistics about Service usage, but this information will not identify you individually.

4.6 With Your Consent

We may share your information for any other purpose with your explicit consent.

5. DATA SECURITY

We take the security of your information seriously and implement reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, use, or disclosure.

Security Measures We Use:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS (TLS/SSL) and secure WebSocket (WSS) protocols via AWS CloudFront and API Gateway
  • Encryption at Rest: All data stored in our database (AWS DynamoDB) is encrypted at rest using AWS default encryption
  • Secure Authentication: Authentication is managed by AWS Cognito with industry-standard OAuth 2.0 and OpenID Connect protocols
  • Password Security: If you use email/password authentication, your password is hashed using secure algorithms and never stored in plain text
  • Access Controls: Strict access controls limit who can access user data within our infrastructure
  • Infrastructure Security: We use AWS infrastructure which maintains SOC 2, ISO 27001, and other security certifications
  • Regular Security Updates: We keep all software dependencies and infrastructure components up to date with security patches

Local Data Security: Data stored locally in your browser (localStorage and IndexedDB) is protected by your browser's same-origin policy and is accessible only to the Pantry Run application. You are responsible for securing your device and browser.

No Guarantee: However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information using industry-standard practices, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account password.

Security Incidents: In the event of a data breach that affects your personal information, we will notify you in accordance with applicable laws, including the California Consumer Privacy Act and other data breach notification laws.

6. DATA RETENTION

How Long We Keep Your Information:

  • Account Information: We retain your account information for as long as your account is active or as needed to provide you the Service
  • Shopping Lists: We retain your shopping lists for as long as your account is active or until you delete them. When you delete a list, it is removed immediately from active storage.
  • Deleted Accounts: When you delete your account, we immediately delete your account information and shopping lists from our active systems. Your data cannot be recovered after deletion.
  • Server Logs: We retain server logs and usage information for up to 90 days for security and operational purposes
  • Customer Support Communications: We retain customer support communications for up to 1 year

Backup Systems: Deleted information may persist in backup systems for up to 30 days before being permanently purged from backups. This is a technical limitation of our backup infrastructure.

Legal Retention: We may retain certain information for longer periods if required by law, to resolve disputes, or to enforce our agreements.

7. YOUR RIGHTS AND CHOICES

You have several rights and choices regarding your information:

7.1 Access and Update Your Information

You can access and update your account information at any time by logging into your account. You can update your name, email address, and profile picture through your account settings. If you need assistance, contact us at privacy@pantry.run.

7.2 Delete Your Information

Delete Shopping Lists: You can delete individual shopping lists at any time through the Service. Deleted lists are removed immediately.

Delete Your Account: You can delete your entire account and all associated data by emailing privacy@pantry.run with the subject line "Delete My Account". We will verify your identity and immediately delete your account and all associated data from our active systems. Once deleted, your data cannot be recovered.

Note: Deleted data may persist in backup systems for up to 30 days due to technical limitations of our backup infrastructure, but will be inaccessible and will be permanently purged from backups within that timeframe.

Local Browser Data: You can clear locally stored data (localStorage and IndexedDB) at any time through your browser settings. Note that clearing this data will log you out and remove offline access to your shopping lists until you sign in again.

7.3 Opt Out of Communications

Currently, we send only essential service-related communications (such as account security notifications). You cannot opt out of these communications as they are necessary for the Service to function.

If we introduce promotional emails in the future, we will provide clear opt-out mechanisms.

7.4 Browser Storage Management

You can control browser storage through your browser settings:

  • Clear localStorage: Most browsers allow you to clear site data, which will remove your preferences
  • Clear IndexedDB: This will remove offline cached data but won't affect your server-stored lists
  • Disable storage: Note that disabling localStorage will prevent you from using the Service, as it's essential for authentication

7.5 Third-Party Authentication Controls

If you signed in with Google or Apple, you can manage what information they share with Pantry Run through their respective account settings:

  • Google: Visit https://myaccount.google.com/permissions
  • Apple: Visit Settings > Apple ID > Sign in with Apple on your iOS device

7.6 Do Not Track

Some browsers have a "Do Not Track" feature. Because we do not track you across websites or use third-party analytics, your Do Not Track preference is already respected by default. We do not engage in the tracking behaviors that Do Not Track is designed to prevent.

8. THIRD-PARTY LINKS AND SERVICES

The Service may contain links to third-party websites. This Privacy Policy applies only to Pantry Run. We are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of any third-party websites you visit.

Third-Party Authentication: When you use Google or Apple sign-in, you are interacting directly with those services, and their privacy policies apply to that interaction. We receive only the information you authorize them to share with us.

9. CHILDREN'S PRIVACY

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@pantry.run and we will delete such information from our systems.

For Users Ages 13-18: If you are between 13 and 18 years old, you should review this Privacy Policy with your parent or guardian and make sure you both understand it.

10. CALIFORNIA RESIDENTS - YOUR CCPA RIGHTS

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

10.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we collected about you
  • The categories of sources from which we collected your personal information
  • The business or commercial purpose for collecting your personal information
  • The categories of third parties with whom we share your personal information
  • The specific pieces of personal information we collected about you

10.2 Right to Delete

You have the right to request that we delete your personal information, subject to certain exceptions (e.g., to complete a transaction, comply with legal obligations, detect security incidents).

10.3 Right to Opt-Out of Sale

We do NOT sell your personal information. You do not need to opt out because we do not engage in this practice. We have never sold personal information and have no plans to do so.

10.4 Right to Non-Discrimination

You have the right to not receive discriminatory treatment for exercising your CCPA rights. We will not:

  • Deny you the Service
  • Charge different prices or rates
  • Provide a different level or quality of service
  • Suggest that you will receive different treatment for exercising your CCPA rights

10.5 How to Exercise Your CCPA Rights

To exercise your right to know or right to delete, please submit a request by:

  • Email: privacy@pantry.run with subject line "CCPA Request"
  • Mail: Holomana LLC, Attn: Privacy/CCPA Request, PO Box 2789, Mammoth Lakes, CA 93546

Verification: To protect your privacy, we will verify your identity before processing your request. We will:

  • Confirm your email address matches the email associated with your account
  • Ask you to verify account details such as when you created your account or your recent activity
  • May request additional verification for requests involving sensitive information

Authorized Agent: You may designate an authorized agent to make a CCPA request on your behalf. We will require written proof of the agent's authorization and may still require you to verify your identity directly with us.

Response Time: We will respond to your CCPA request within 45 days. For deletion requests, once we verify your identity, we will immediately delete your data from our active systems. For "right to know" requests, we will provide your data within the 45-day timeframe. If we need more time (up to 90 days total), we will notify you of the reason and extension period.

10.6 California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

10.7 Categories of Personal Information We Collect

For CCPA purposes, in the past 12 months, we have collected the following categories of personal information:

Category Examples Collected? Source Business Purpose Shared With
Identifiers Email address, name, account ID YES Directly from you, Google/Apple OAuth Provide Service, authentication AWS (infrastructure)
Personal information (Cal. Civ. Code ยง 1798.80(e)) Name, email YES Directly from you, Google/Apple OAuth Provide Service AWS (infrastructure)
Commercial information Shopping list contents YES Directly from you Provide Service AWS (infrastructure)
Internet/network activity Pages visited, session duration, IP address YES Automatically collected Service operation, security AWS (infrastructure)
Geolocation data General location (city/region from IP) YES Automatically collected Service operation AWS (infrastructure)
Sensory information Profile picture/avatar YES Google/Apple OAuth (optional) Display in account AWS (infrastructure)
Professional/employment information None NO N/A N/A N/A
Education information None NO N/A N/A N/A
Inferences User preferences (theme, selected list) YES From your usage Remember preferences Stored locally in browser
Sensitive Personal Information None NO N/A N/A N/A

Note: We do NOT collect biometric data, health/medical information, precise GPS geolocation, audio/visual recordings (except optional profile pictures), or sensitive personal information as defined by CCPA.

11. INTERNATIONAL USERS

Pantry Run is operated in the United States and uses infrastructure located in the United States (AWS us-west-2, Oregon). The Service is available to users worldwide, but please be aware that:

  • Your information will be transferred to and stored in the United States
  • The United States may have different data protection laws than your country
  • By using the Service, you consent to the transfer of your information to the United States

European Users (GDPR): If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis for Processing: We process your data based on your consent (when you create an account) and our legitimate interest in providing the Service
  • GDPR Rights: You have rights similar to CCPA rights, including the right to access, rectify, erase, restrict processing, data portability, and object to processing
  • Data Protection Officer: For GDPR-related inquiries, contact privacy@pantry.run
  • EU Representative: We currently do not have an EU representative. If our EU user base grows significantly, we will appoint one and update this policy.

Other International Users: If you are located outside the United States or EU, you may have rights under your local data protection laws. Contact us at privacy@pantry.run to exercise those rights.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of Changes: When we make material changes, we will notify you by:

  • Updating the "Last Updated" date at the top of this Privacy Policy
  • Displaying a prominent notice on the Service
  • If we have your email address, we may send you an email notification

Your Acceptance: Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must stop using the Service and may delete your account.

Review Regularly: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Material Changes: If we make material changes that significantly affect your privacy rights (such as beginning to sell data or using third-party analytics), we will provide at least 30 days advance notice and obtain your consent where required by law.

13. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Holomana LLC

Attn: Privacy Officer

PO Box 2789

Mammoth Lakes, CA 93546

Email: privacy@pantry.run

  • For CCPA Requests: privacy@pantry.run (subject line: "CCPA Request")
  • For GDPR Requests: privacy@pantry.run (subject line: "GDPR Request")
  • For General Privacy Questions: privacy@pantry.run

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.

14. SUMMARY OF KEY POINTS

For your convenience, here's a quick summary of our privacy practices:

Topic Summary
What we collectEmail, name (optional), avatar (optional), shopping lists, preferences, basic usage data
What we DON'T collectAnalytics/tracking data, precise location, payment info, browsing history across sites
Third-party servicesAWS (infrastructure), Google/Apple (sign-in only)
Analytics & trackingNONE - We do not use Google Analytics or similar services
CookiesNO traditional cookies - We use localStorage and IndexedDB for functionality
Do we sell data?NO - We have never sold data and never will
Your rightsAccess, delete, export your data anytime
California residentsCCPA rights: know, delete, opt-out of sale (we don't sell)
Data retentionImmediate deletion upon request; 30 days in backups only
SecurityHTTPS encryption, AWS infrastructure, no third-party tracking
InternationalOpen to all users, data stored in US (Oregon)
Children13+ only, COPPA compliant
Contactprivacy@pantry.run

This summary is for convenience only. Please read the full Privacy Policy above for complete details.

BY USING PANTRY RUN, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.