Breaking Bread AI

Breaking Bread AI, Co. — Privacy Policy

Last updated: August 28, 2025

1) Who we are

“Breaking Bread AI” (“BBAI”, “we”, “us”, “our”) provides software that helps organizations facilitate small‑group, in‑person meet‑ups and measure engagement. Our services are offered via our mobile/desktop app, web admin, APIs, and related sites (collectively, the “Service”).

**Contact:** hello@breakingbread.ai

2) Scope & roles

This policy explains how we process personal data when:

  • You use our apps and websites as an individual (“End Users”); and/or
  • Your employer/club/organization invites you to use BBAI (“Enterprise Users”).

**Controller vs. Processor.**

For our direct‑to‑consumer features, BBAI is the **data controller**.

For Enterprise deployments, BBAI generally acts as a **data processor** to the organization, which is the **controller**. In those cases, the organization’s privacy notice governs and our Data Processing Addendum (DPA) applies. (DPA available upon request.)

3) Personal data we collect

Exact elements depend on configuration and your choices. Categories may include:

  • **Identifiers & account info:** name, email, phone, photo/avatar, username, device identifiers, IP address.
  • **Profile & preferences (you choose):** interests, goals, personality sliders, availability windows, city/region.
  • **Home address (optional):** if you opt to host a meet‑up at home, you may share your home address with invitees.
  • **Meet‑Up logistics:** calendar availability, chosen venues, dietary needs/allergies, accessibility needs, RSVP status, group assignments, attendance, plus‑one details (e.g., whether kids/partners/friends are joining).
  • **Communications & content:** messages (see Section 8), comments, reactions, pre/post survey responses, ratings, support tickets.
  • **Community content:** profile picture and optional photos you share from gatherings; community admins may upload a **Community Engagement Policy** (code of conduct/house rules) viewable within their community.
  • **Usage & device data:** app events, diagnostics/crash logs, browser/app version, OS, referrers, cookies/SDK data.
  • **Payment data:** transaction metadata; card details are handled by our processor and not stored in full by BBAI.
  • **Sensitive data (optional/consented):** allergies/health info, demographic attributes. These fields are **optional** and only processed with your affirmative consent for the limited purposes described below.

4) Sources of data

  • **You** (account/profile, surveys, messages, photos).
  • **Your organization** (roster/entitlements such as name, email, department).
  • **Integrations you connect** (Google/Apple/SSO for auth; Google/Microsoft for calendar availability).
  • **Vendors** (analytics, crash/security signals).

5) Why we use data (purposes) and legal bases

We use data to:

  • **Provide the Service**: account creation, authentication, matching, scheduling, notifications, support. _Legal bases_: contract necessity; legitimate interests; consent where required.
  • **Matching & recommendations**: to form small groups using interests, personality sliders, availability, past attendance/surveys, and plus‑one info. _Legal bases_: consent for any sensitive attributes; contract necessity/legitimate interests for non‑sensitive attributes.
  • **Surveys & outcomes**: to measure belonging/engagement and provide **aggregate‑level** insights to organizations (no individual survey results). _Legal bases_: legitimate interests; consent for any sensitive attributes.
  • **Security & integrity**: monitor, prevent, and respond to fraud, abuse, or safety concerns. _Legal bases_: legitimate interests; legal obligations.
  • **Improve the Service**: diagnostics, A/B tests, de‑identified trend analysis. _Legal bases_: legitimate interests; consent where required for cookies/SDKs.
  • **Communications**: transactional messages (e.g., reminders). Marketing communications are **opt‑in** via the in‑app Settings. _Legal bases_: consent where required; legitimate interests.
  • **Compliance**: tax, accounting, regulatory responses, and legal claims. _Legal bases_: legal obligations; legitimate interests.

Automated decision‑making & profiling

Our matching algorithm suggests groupings; it is **not** used to make decisions with legal or similarly significant effects. You can skip optional inputs (e.g., sensitive fields).

6) Disclosures (when we share data)

We disclose personal data as needed to run the Service:

  • **Your organization (Enterprise Users):** aggregate pre/post questionnaire results, roster verification, and configuration‑specific fields as agreed in the DPA.
  • **Participants you meet:** limited profile and logistics necessary to coordinate a meet‑up (e.g., first name, role, selected dietary needs, host’s address if they choose to host at home).
  • **Vendors (processors)** under contract: Authentication: Google Sign-In, Sign in with Apple, Supertokens; Email/SMS: SendGrid (email); Analytics: Google Analytics 4 (GA4); Calendars: Google Calendar, Microsoft Outlook/Exchange Calendar.
  • **Legal & safety:** to comply with law, enforce terms, or protect rights, safety, and property.
  • **Business transfers:** if we engage in a merger, financing, or sale of assets, subject to appropriate safeguards.

We **do not sell** personal information for money and we do **not** share it for cross‑context behavioral advertising. If that ever changes, we will update this notice and provide required opt‑outs.

7) Cookies/SDKs & universal opt‑out

We use cookies and mobile SDKs for authentication, preferences, and analytics. We honor **Global Privacy Control (GPC)** signals on the web and treat them as valid opt‑out requests where applicable. You can adjust preferences in the app or your browser.

8) Messages and photos

**Messages** are **end‑to‑end encrypted (E2EE)** between participants and stored **only on your device(s)**. BBAI does **not** retain message content on our servers. We may process minimal routing metadata necessary for delivery, which is **deleted** shortly after transmission. _Note: If you back up your device or messages to a third‑party cloud, that provider’s terms apply._

**Photos & gallery**: Photos you upload may be visible to your community or group depending on your settings. You should only upload photos you have rights to share. You may delete your own uploads in‑app; copies may persist in backups for a limited time.

9) Community policies & admin uploads

Community admins can upload a Community Engagement Policy (e.g., code of conduct). Admin‑provided documents are visible to that community’s members and are processed to operate the Service.

10) Data retention

  • **Account & profile**: retained while your account is active; deleted or anonymized within **30–60 days** after closure.
  • **Meet‑Up logistics (including plus‑one details) & attendance**: retained **up to 12 months** after the event, then minimized or anonymized for analytics.
  • **Pre/post survey raw responses**: retained **up to 12 months**; organizations receive **aggregate‑level** reporting only. De‑identified aggregates may be kept to improve algorithms.
  • **Routing metadata for messages**: deleted shortly after delivery (no message content retained).
  • **Diagnostic logs**: **30–180 days**.

We retain records necessary to comply with legal obligations or resolve disputes.

11) Security

We implement reasonable administrative, technical, and physical safeguards (e.g., encryption in transit, E2EE for messages, least‑privilege access, audit logging, vendor reviews). No system is 100% secure; please use strong device security and report suspected issues to **security@breakingbread.ai**.

12) International transfers

We primarily host data in **AWS (us-central)**. If data is transferred outside your jurisdiction, we use appropriate safeguards (e.g., Standard Contractual Clauses for EEA/UK transfers if we expand there).

13) Your choices & rights

Depending on your location, you may have rights to **Access/Know, Correct, Delete, Portability**, and to **Opt out** of targeted advertising, sale, and certain profiling. We honor **GPC** on the web. You may **withdraw consent** where processing is based on consent, **appeal** a denied request (where required), and **complain** to a regulator.

**How to exercise your rights.**

Use in‑app privacy controls or contact **hello@breakingbread.ai**. For California, you may use an authorized agent; we’ll verify requests as required by law.

14) Children & minors at events

The Service is for **adults 18+**. Minors may attend as part of an adult’s **plus‑one** party. If you include information about a minor (e.g., first name, age range, dietary needs) for event logistics, provide only what is necessary and only if you have the authority to do so. We do not create accounts for minors and do not use their data for marketing or profiling.

15) Organization‑level export & deletion (Enterprise)

Verified organization admins may request an export of their community’s data and/or deletion of their workspace. Upon verified request or contract termination, we will delete or de‑identify organization data within **30 days**, with backups purged on their normal cycle (up to **60** additional days).

16) AI & model usage

We do **not** use identifiable personal data or message content to train public third‑party foundation models. If we use vendor‑hosted AI, it is under processor terms that prohibit training on our data or require explicit opt‑in. We may use **de‑identified** or **aggregated** data to improve algorithms.

17) Changes

We may update this policy. If we make material changes, we’ll notify you (e.g., in‑app notice or email) and indicate the effective date. Your continued use means you acknowledge the updated policy.

18) Contact

Privacy requests: **hello@breakingbread.ai**

Security issues: **support@breakingbread.ai**