Privacy Policy

Last updated: April 11, 2026

1. Introduction

Welcome to Palora (“we,” “us,” or “our”). Palora is a community-driven dish rating platform that helps people discover what’s actually worth ordering at restaurants. We are committed to protecting your personal information and your right to privacy.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at paloraapp.com, our iOS application, and our Android application (collectively, the “Service”). Please read this policy carefully. If you do not agree with the terms, please do not access the Service.

2. Information We Collect

Information You Provide

We collect personal information that you voluntarily provide when you register for an account or use the Service. This includes:

  • Account information: First name, last name, email address, and optional nickname (via email signup)
  • Dish ratings and reviews: Star ratings, written comments, flavor tags, texture tags, spiciness level, portion size, customizations, and visit dates
  • Photos: Images of dishes you upload with your reviews
  • Favorites: Dishes you save to your favorites list
  • Feedback: Messages you submit through the in-app feedback form
  • AI preferences: Your explicit opt-in or opt-out choice for AI-powered search features, including timestamps of consent changes

Information Collected Automatically

When you access the Service, we may automatically collect certain information, including:

  • Precise location data: With your permission, we collect your GPS location via your browser or device to show nearby dishes and restaurants. This is classified as sensitive personal information under California law (CPRA). We use precise location solely for the purpose of displaying nearby content and do not use it for any other purpose, including advertising or profiling. If GPS is unavailable or denied, we may use your IP address to determine an approximate (city-level) location instead (web only). You can revoke location access at any time through your browser or device settings.
  • Device information: Browser type, operating system, device type, and app version.
  • Usage data: Pages or screens viewed, access times, and how you interact with the Service.
  • IP address: Used for approximate geolocation (when GPS is unavailable) and security purposes such as rate limiting.

Information From Third Parties

We retrieve restaurant information (names, addresses, photos, opening hours, and other details) from the Google Places API and Google Places SDK to display on the Service. We do not receive any personal information about you from these third-party services.

Information We Do Not Collect

We do not collect or store payment card information, Social Security numbers, government-issued identification, biometric data, or information about children under 13.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service: Display dish ratings, reviews, restaurant information, and nearby content based on your location
  • Account management: Authenticate your identity, maintain your session, and manage your profile
  • AI-powered features:If you have explicitly opted in, provide natural language search capabilities (e.g., “spicy pasta near me”). No personal account data is sent to AI providers — only anonymized dish and restaurant data
  • Improve the Service: Analyze usage patterns to enhance user experience, fix bugs, and develop new features
  • Communication: Respond to your feedback and support inquiries
  • Security: Detect and prevent fraud, abuse, and unauthorized access through rate limiting and input validation

We do not use your personal information for advertising, behavioral profiling, or any purpose not listed above.

4. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Performance of a contract: To provide the Service you signed up for (account creation, ratings, reviews)
  • Consent: For precise location data and AI-powered features, which you can withdraw at any time
  • Legitimate interests: To improve the Service, ensure security, and prevent abuse, where these interests are not overridden by your rights
  • Legal obligation: To comply with applicable laws and regulations

5. Third-Party Services

We use the following third-party services to operate and improve Palora. Each has its own privacy policy governing how they handle data:

We do not use any advertising networks, social media trackers, or analytics services that track individual users. We encourage you to review the privacy policies of the services listed above.

6. Sharing Your Information

We do not sell, rent, or share your personal information for cross-context behavioral advertising or any commercial purpose. We may disclose your information only in the following situations:

  • Public content: Your dish ratings, reviews, and photos are visible to other users of the Service. Your display name or initials may appear alongside your reviews. If you delete your account, your reviews will be anonymized (your identity will no longer be associated with them).
  • Service providers: With the third-party vendors listed in Section 5, solely to the extent necessary to operate the Service. These providers are contractually obligated to protect your data.
  • Legal requirements: If required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In connection with a merger, acquisition, or sale of assets. If such a transfer occurs, we will provide notice before your personal information becomes subject to a materially different privacy policy and give you the opportunity to opt out where required by law.

7. Cookies and Tracking

Web

Palora uses only strictly necessary, first-party cookies required to operate the Service:

  • Authentication cookies: Managed by Supabase to maintain your login session. These are httpOnly, encrypted, and expire when your session ends or after a set period.
  • Referral attribution cookie:Set when you arrive via a referral link. Stores the referring user’s ID (an opaque identifier) for up to 30 days, solely to attribute your account to the correct referrer at registration. This cookie is httpOnly and not accessible to scripts. It is deleted immediately after your account is created.

We do not use advertising cookies, third-party tracking cookies, analytics cookies, or any cross-site tracking mechanisms. You can instruct your browser to refuse all cookies, but you will not be able to log in without authentication cookies.

Mobile Apps (iOS & Android)

The iOS and Android apps do not use cookies. Authentication is managed through secure session tokens stored locally on your device. No advertising identifiers (IDFA/GAID) are collected or used.

8. Data Retention and Account Deletion

We retain your personal information for as long as your account is active or as needed to provide the Service.

Account Deletion

You can delete your account at any time from the Settings screen within the iOS or Android app. You may also request deletion by emailing support@paloraapp.com.

Upon deletion:

  • Your personal account data (name, email, nickname, favorites, and feedback) is permanently and immediately deleted
  • Your authentication credentials are permanently removed from the system
  • Your ratings and reviews are retained in anonymized form— they will no longer be associated with your identity but will remain visible to preserve the integrity of community content
  • Photos associated with your reviews will remain with the anonymized reviews

We may also retain certain information as necessary to comply with legal obligations, resolve disputes, and enforce our policies.

9. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • All data transmitted via HTTPS/TLS encryption
  • Secure authentication with PKCE (Proof Key for Code Exchange) flow managed by Supabase
  • Passwords are hashed — we never store or have access to plain-text passwords
  • Row-level security (RLS) policies enforced on all database tables, ensuring users can only access their own data
  • Client-side rate limiting on authentication attempts to prevent brute-force attacks
  • Server-side input validation and sanitization on all user inputs
  • API key restrictions and host allowlisting for image loading
  • Signed URLs with expiration for all stored images — no permanent public URLs

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee its absolute security. If you become aware of a security vulnerability, please contact us immediately at support@paloraapp.com.

10. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Right to access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data (available in-app via Settings)
  • Right to deletion:Request deletion of your data (available in-app via Settings > Delete Account)
  • Right to withdraw consent: Revoke consent for location data or AI features at any time without affecting the lawfulness of prior processing
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), you have the right to know what personal information we collect, request its deletion, and opt out of the sale or sharing of your personal information.

  • We do not sell personal information
  • We do not share personal information for cross-context behavioral advertising
  • Precise geolocation is collected as sensitive personal information solely to display nearby content and is not used for any other purpose
  • We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA

To exercise any of these rights, use the in-app Settings or contact us at support@paloraapp.com. We will respond to verified requests within 45 days. You will not be required to create an account to submit a request; however, we will need to verify your identity.

EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have the rights listed above and additionally the right to lodge a complaint with your local data protection supervisory authority.

International Users

Palora is operated from the United States and your data is processed and stored in the United States via Supabase’s infrastructure. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer.

11. Children’s Privacy

The Service is not directed to anyone under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information within 30 days. If you believe we have inadvertently collected information from a child, please contact us immediately at support@paloraapp.com.

12. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. Because Palora does not engage in cross-site tracking or behavioral advertising, your experience will be the same regardless of your DNT setting.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date. For significant changes that affect how we use your personal information, we may also provide notice through the Service. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy. We encourage you to review this page periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: