Privacy Policy
Last updated: March 25, 2026
1. Who We Are
Allergen Maps LLC ("AllergenMaps," "we," "us," or "our") operates the AllergenMaps website and related services (the "Service"). We are an Indiana limited liability company. Privacy and legal inquiries may be directed to legal@allergenmaps.com. For general questions, reach us at allergenmaps@gmail.com.
2. What This Policy Covers
This Privacy Policy describes the limited information we collect when you use the Service, how we use it, and the choices you have. The Service is currently in beta — access requires an invitation code. You do not need to register a personal account to search medications or browse ingredient data.
3. Information We Collect
Information you provide voluntarily
- Contact form submissions — your name, email address, and message when you contact us through the site.
- Survey responses — if you complete the beta survey, your responses are stored to help us improve the Service.
- Issue reports — details you submit via the "Report Issue" feature.
- API registration — organization name and email address for developers who request API access.
Information collected automatically
- Server logs — our hosting provider (Vercel) automatically records standard web server logs including IP address, browser type, pages visited, and request timestamps. These logs are used for security monitoring and performance analysis.
- API usage logs — for API key holders, we log endpoint calls, response times, and status codes to enforce usage limits and detect abuse. Logs do not include patient-identifiable information.
- Usage events — anonymized interaction events such as searches performed, medication pages viewed, filter selections made, and compare views initiated. These are associated with an anonymous session identifier (not your identity) and stored in our database to help us understand how the Service is used and improve it. We do not link usage events to personally identifiable information.
Local browser storage
We use your browser's localStorage and sessionStorage to support site functionality. None of these values are transmitted to our servers except where explicitly noted. No cookies are set by AllergenMaps for tracking or advertising purposes.
localStorage (persists across sessions):
- A flag recording that you have accepted our Terms of Use
- Your allergen and dietary filter selections, if you configure them via the filter panel (stored so your preferences persist across visits)
sessionStorage (cleared when the tab closes):
- An anonymous, randomly generated session identifier used to associate analytics events within a single browsing session — not linked to any personal identity
Authenticated users of the admin panel or PMS demo interface have additional short-lived session tokens stored in localStorage and sessionStorage as part of those authenticated workflows. These are not present on public-facing pages.
4. How We Use Information
We use the information described above to:
- Improve the accuracy, coverage, and usability of the Service
- Respond to contact form inquiries and issue reports
- Administer API access and enforce usage terms
- Monitor for abuse, security threats, and technical issues
- Understand aggregate usage patterns (e.g., most-searched medications)
Legal basis for processing (GDPR)
Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:
- Contact form submissions & issue reports — Legitimate interest (responding to user inquiries and improving the Service)
- Survey responses — Consent (you voluntarily opted in and explicitly confirmed consent before submitting)
- API registration data — Contract performance (necessary to fulfill the API Terms of Service you agreed to)
- Server logs & API audit logs — Legitimate interest (security monitoring, abuse detection, and service reliability)
- Anonymized usage events — Legitimate interest (understanding how the Service is used; events are not linkable to any individual identity)
5. What We Do Not Do
- We do not sell, rent, or share personal information with third parties for marketing purposes
- We do not build individual user profiles or track you across sessions using persistent identifiers
- We do not serve targeted advertising
- We do not collect Protected Health Information (PHI) as defined under HIPAA
6. Health Information and HIPAA
AllergenMaps is an informational reference tool and is not a HIPAA Covered Entity or Business Associate. We do not collect, store, or process Protected Health Information (PHI).
Please do not submit patient names, medical record numbers, health plan identifiers, or any other PHI through the Service. The allergen selections and medication searches you perform are not associated with any patient identity in our systems.
If you are a healthcare provider using the Service or API to support clinical workflows, you are solely responsible for ensuring your use complies with applicable HIPAA requirements within your own systems.
7. Third-Party Service Providers
We use the following third-party services to operate the Service:
- Vercel — web hosting and deployment. Vercel may log standard server request data including IP addresses.
- Supabase — database and backend services. Survey responses, contact form data, API key information, and anonymized usage events are stored in Supabase-hosted infrastructure.
- Sentry — error monitoring in production. When an application error occurs, Sentry captures the error details to help us diagnose and fix issues. Error reports are automatically scrubbed to remove API keys and authorization tokens before transmission. Sentry processes this data under a Data Processing Agreement with AllergenMaps. Legal basis: legitimate interest (maintaining service reliability and diagnosing errors). Sentry retains error event data for approximately 90 days.
These providers process data on our behalf under their own privacy and security terms. We do not authorize them to use your data for their own purposes beyond providing services to us.
8. Data Retention
We retain information for the following periods:
- Server logs — Up to 90 days for security and operational purposes
- Contact form submissions & issue reports — Up to 2 years, or until deletion is requested
- Survey responses — Retained to track feedback trends; you may request deletion at any time
- API usage logs — 12 months for usage monitoring and abuse detection
- API registration data — Retained for the duration of API access and up to 12 months after termination
- Anonymized usage events — May be retained indefinitely; they cannot be linked to any individual identity in our current systems
- Browser localStorage & sessionStorage — Persists in your browser until you clear it; this data is stored only on your device and is not transmitted to our servers (except where explicitly noted in §3)
To request deletion of information you submitted, contact us at legal@allergenmaps.com.
9. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children. By using the Service, you represent that you are at least 13 years of age.
If you are a parent or guardian and believe your child under 13 has submitted personal information to us (such as through the contact form or beta survey), please contact us at legal@allergenmaps.com and we will promptly delete it.
10. Your Privacy Rights
California Residents (CCPA)
Under the California Consumer Privacy Act, California residents have the right to:
- Know what personal information we have collected about you and how it is used
- Delete personal information we have collected from you (with certain exceptions)
- Opt out of sale — we do not sell personal information, so no opt-out is required
- Non-discrimination — we will not discriminate against you for exercising your rights
EU / EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, you may have the following rights regarding personal data we hold about you:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we limit processing of your personal data in certain circumstances
- Objection — object to processing based on legitimate interests
To exercise any of these rights, contact us at legal@allergenmaps.com. We will respond within 30 days. Note that because the Service is primarily anonymous and does not require accounts, we may have limited ability to identify or retrieve data associated with a specific individual beyond information you explicitly submitted (e.g., contact form, survey).
Limitations on erasure: The right to erasure does not apply to data that cannot be linked to your identity — such as anonymized usage events or aggregate analytics. Server logs containing IP addresses are retained for up to 90 days for security purposes; deletion of individual log entries within that window may not be technically feasible. We will always delete explicitly submitted data (contact form, survey responses, API registration) upon verified request.
11. Data Breach Notification
If we confirm a security breach that results in unauthorized access to personal data we hold, we will notify affected individuals and relevant authorities in compliance with applicable law:
- EU/EEA residents (GDPR) — We will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals (per GDPR Art. 33). We will notify affected individuals without undue delay where the breach is likely to result in high risk (per GDPR Art. 34). Notifications will describe the nature of the breach, its likely consequences, and any recommended protective measures.
- California residents (CCPA) — We will notify affected residents in the most expedient time possible and without unreasonable delay.
- Other users — We will provide reasonable notice as required by applicable state law.
Notifications will be sent to the email address you provided (e.g., via contact form or API registration), where applicable. For questions about data security, contact legal@allergenmaps.com.
12. Updates to This Policy
We may update this Privacy Policy as the Service evolves. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
For questions, concerns, or data deletion requests regarding this Privacy Policy, contact:
Allergen Maps LLC
Also see our Terms of Use & User Agreement and API Terms of Service.