Privacy Policy

1. Controller

Kevin Baur, BSc
Hochstraß 542
3033 Klausen-Leopoldsdorf
Austria
Email: pelican@kevin-baur.com

Controller within the meaning of the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and – for users from Switzerland – the revised Swiss Data Protection Act (revFADP).

2. Overview

Pelican is an order-planning app for professional kitchens. We process personal data exclusively to provide the app and the associated website, to fulfil the contract with the business, and to comply with legal obligations. The following sets out which data we process, on what legal basis, and which service providers (processors) are involved.

3. Website Hosting

This website is delivered via Cloudflare Pages (Cloudflare, Inc., USA). When the site is accessed, technically necessary server log data is processed (including IP address, time, requested resource, user agent) to ensure delivery and security. The legal basis is our legitimate interest in secure operation (Art. 6(1)(f) GDPR). The website does not use tracking cookies or any web analytics tool.

4. What Data We Process in the App

• Account and profile data: name, email address, password (stored encrypted), assigned role (e.g. head chef/member).
• Organization and team data: business/kitchen, departments, memberships, invitations.
• Content data: order lists, items, quantities, categories, suppliers/representatives, order history and optionally recorded prices.
• Voice recordings: audio from voice input for speech recognition (see Section 5).
• Push tokens: device token for push notifications (see Section 8).
• Usage and log data: technical logs for provision, error analysis and security.

5. Voice Input and AI-Assisted Recognition (OpenAI)

If you use voice input, your audio recording is transmitted to OpenAI (OpenAI, L.L.C., USA) for processing. There, the recording is transcribed (speech recognition) and then analyzed to extract the item, quantity, unit and category and to match it against the product catalog. The recognized entries are added to your order list.

• Transfer to the USA: Processing takes place on servers in the USA (see Section 10).
• Legal basis: consent (Art. 6(1)(a) GDPR), obtained before the first use of voice input, as well as performance of the contract (lit. b). Consent is voluntary and can be withdrawn at any time.
• Alternative: you can always type items in manually without using the voice function.
• Note: please do not dictate any special categories of personal data or confidential content that goes beyond pure order planning.

6. Authentication and Database (Supabase)

Accounts, authentication and the database are operated via Supabase (Supabase, Inc.). The account, organization and content data referred to in Section 4 is stored here. Access is secured by access rules at database level (Row Level Security), so that each business sees only its own data. The legal basis is performance of the contract (Art. 6(1)(b) GDPR). The hosting region used is aimed at a location in the EU (Frankfurt); for any processing outside the EU, the safeguards in Section 10 apply.

7. Payment Processing (Lemon Squeezy as Merchant of Record)

Payment is made exclusively via the external platform Lemon Squeezy (Merchant of Record). The payment and billing data (e.g. name, billing address, payment method) is collected and processed directly by Lemon Squeezy; we receive no complete payment data. To activate the business, we receive via a signed callback (webhook) only the information necessary for assignment (e.g. business identifier, subscription/payment status, access end date). As Merchant of Record, Lemon Squeezy also remits the applicable sales tax. The legal basis is performance of the contract (Art. 6(1)(b) GDPR).

8. Push Notifications (Expo)

When order lists change, the app may send push notifications. For this, a device token is processed via the Expo service. You can disable push notifications at any time in the app or in your device settings (opt-out). The legal basis is our legitimate interest in functioning team collaboration (Art. 6(1)(f) GDPR) or your consent via the system prompt (lit. a).

9. Processors Used

• Supabase, Inc. – database, authentication, backend.
• OpenAI, L.L.C. – transcription and analysis of voice recordings.
• Lemon Squeezy – payment processing as Merchant of Record.
• Expo – sending push notifications.
• Cloudflare, Inc. – delivery of this website.

Where required, data processing agreements (DPAs) pursuant to Art. 28 GDPR are concluded with these providers.

10. Transfer to Third Countries (USA)

Some of the services mentioned process data in the USA or other third countries. For these transfers we rely on appropriate safeguards pursuant to Art. 44 et seq. GDPR – in particular the EU Commission's Standard Contractual Clauses (SCC) and, insofar as the providers are certified, the EU-US Data Privacy Framework (DPF). Despite these safeguards, a lower level of data protection compared to the EU may exist in third countries.

11. Legal Bases

Processing is carried out to perform the contract (Art. 6(1)(b) GDPR), on the basis of legitimate interests (lit. f), on the basis of your consent (lit. a, in particular for voice processing), and to fulfil legal obligations (lit. c).

12. Retention Period and Deletion

We store personal data only for as long as necessary for the stated purposes or due to statutory retention periods. Accounts and associated data can be removed via the account deletion function integrated into the app. After the end of the contract or deletion, the data is deleted or anonymized within a reasonable period. [Specific periods are still to be added, e.g. deletion of business data X days after the end of use; statutory retention of billing data.]

13. Your Rights

You have the right to information, rectification, erasure, restriction of processing, data portability and objection. You can withdraw consent given at any time with effect for the future. A message to pelican@kevin-baur.com is sufficient to exercise these rights.

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

• Austria: Austrian Data Protection Authority, dsb.gv.at
• Germany: the respective competent state or federal data protection authority
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch

15. Note for Users from Switzerland

For data subjects in Switzerland, the revised Data Protection Act (revFADP) additionally applies. GDPR terms are to be applied mutatis mutandis to the revFADP; the corresponding provisions of the revFADP take the place of the GDPR legal bases.

16. Cookies and Local Storage

This website does not use any marketing or analytics cookies. In the activation portal, a technically necessary authentication token is stored locally in the browser (local storage) for login. This serves solely for login and is not passed on for advertising or tracking purposes.

17. Changes to This Policy

We adapt this Privacy Policy when the legal situation, the services used or features change. The version published on this page applies in each case.

As of: June 2026

← Back to home