Privacy Policy

When you create an account:

• Your email address and display name.
• Your password, stored only as a salted scrypt hash, we never see or store your plain password, not even temporarily.

When you use the product:

• Messages you send to Tinni and the replies Tinni gives you. Stored so you can resume conversations on your other devices.
• Products you scan with the barcode reader, plus Open Food Facts data about those products and Tinni’s verdict.
• Articles you open on the site, only the slug and the time you opened it, so your reading history makes sense.
• For Premium features (voice, scan): an anonymised usage log row with the route name, approximate token counts, and estimated cost. Used to enforce fair-use limits and stop runaway spend. We keep the log for 90 days then delete it.

Automatically, on every request:

• Your IP address is seen by Vercel (our host) and by our rate limiter. We don’t store IPs in our own database beyond the usage log mentioned above.
• Your country code (derived from IP by Vercel), stored in a browser cookie for 24 hours so the site can show the right welcome banner for visitors outside Iceland.

We use exactly two cookies. No analytics, no ad networks.

• Session cookie, signed, encrypted, HTTP-only. Keeps you logged in. Expires when you sign out or after a period of inactivity.
• Country code cookie, a two-letter country code (e.g. IS, US). Used to show the correct welcome banner. 24-hour lifetime.

Both are strictly necessary for the site to work the way it’s designed. There are no advertising, tracking, or analytics cookies of any kind.

• Providing the service, authentication, persisting your conversations, remembering your scans.
• Preventing abuse, rate limits on chat, voice, scan, and login stop individual bad actors from running up huge bills or spamming the system.
• Protecting the business, aggregated spend is monitored against a daily cap so the API bill can’t spiral out of control.
• Improving the product, we may look at conversation content in aggregate (e.g. “what are people asking Tinni?”) but only our founder can do this and we never look at individually-identified conversations unless you report a problem and ask us to.

Legal basis under GDPR / Icelandic Act No. 90/2018: performance of the contract you entered when you signed up (Art. 6(1)(b)), plus our legitimate interest in a secure, non-abused service (Art. 6(1)(f)).

We don’t sell your data. We use a small set of vendors to actually run the service:

• Anthropic, powers Tinni’s reasoning. Your message text is sent to Anthropic when you chat. Anthropic does not train on API traffic.
• OpenAI, used for voice transcription (Whisper) and as a backup for text-to-speech. Audio you record and short text snippets are sent when you use these features. OpenAI does not train on API traffic.
• ElevenLabs, primary text-to-speech provider. Text snippets are sent when we generate audio for you.
• Open Food Facts, public, community-maintained food database. When you scan a barcode, that barcode is queried against Open Food Facts.
• Supabase, hosts the Postgres database where your account, conversations, and scans live.
• Vercel, serves the website and our API routes.
• Upstash, backs the rate-limit counters with Redis. Only keys and numeric counts are stored, no personal data.
• Resend, sends transactional emails (spend alerts, and, when launched, a weekly digest if you subscribe).

Some of these vendors process data in the United States. Where that applies, the transfer is covered by Standard Contractual Clauses under GDPR Art. 46.

• Account, until you delete it.
• Conversations, scans, reading history, until you delete them, or until you delete your account. Deleting your account cascades and removes all of them.
• Usage log, 90 days, then automatic deletion.
• Server logs (Vercel), Vercel’s defaults, typically 30 days.

Under GDPR and Icelandic law you have the right to:

• Access, get a copy of the data we hold about you.
• Correction, fix inaccurate data.
• Erasure, delete your account and everything we hold. You can do this from your account page, or email us and we’ll do it within 30 days.
• Portability, receive your data in a machine-readable format.
• Objection, object to specific uses of your data.
• Complaint, complain to the Icelandic Data Protection Authority (Persónuvernd) if you believe we’ve mishandled your data.

Email hello@organic.is from the address on your account to exercise any of these rights.

Organic.is is not directed at children under 13. We don’t knowingly collect data from anyone in that age bracket. If you believe a child has created an account, email us and we’ll delete it.

Passwords are hashed with scrypt before they hit the database. All traffic is TLS-encrypted. Session cookies are encrypted and HTTP-only. API routes sit behind per-user and per-IP rate limits. Administrative access to the database is restricted to the founder and audited through Supabase.

No system is perfectly secure. If you spot a vulnerability, please report it to security@organic.is and we’ll treat it seriously.

When we materially change how we handle data, we’ll update the “last updated” date at the top of this page and, for existing users, email a summary of what changed. Continued use of the service after an update means you accept the updated policy.