Privacy Policy
Last updated: April 13, 2026 · Effective upon launch
DRAFT — legal review required
This policy covers CCPA, data retention, Stripe/Twilio pass-through, and the scraped-profile provision. It has not been reviewed by counsel. Before public launch, have a lawyer verify (a) CCPA compliance language for your California user base, (b) children's privacy (COPPA) disclaimers, (c) international data-transfer clauses if you plan to expand, and (d) the specifics of the public-records sourcing provision.
This policy explains what personal information Kitse collects, how we use it, who we share it with, and the rights you have over your data.
1. Information we collect
From you directly
- Account info: phone number (verified via OTP), email address (optional), display name, profile bio, photo.
- Seller info: business or legal name, EIN or SSN last 4, tax address, permit type and number, food-handler certificate number, delivery bands and fees.
- Order info: items ordered, delivery address, buyer-submitted notes, geolocation coordinates when you use "Use my current location" at checkout.
- Communication: messages you send through the platform, contact-form submissions.
Automatically
- Session cookies: a single HTTP-only cookie (
mf_session) used to keep you logged in. No third-party analytics cookies are set today.
- Server logs: IP address, user-agent, request path, and timestamp for security and debugging. Retained for 14 days.
From third parties
- Public permit records: to seed the map with real chefs at launch, we have imported publicly available MEHKO and cottage-food permit data from state and county agencies. This data includes business name, permit number, address, and (in some cases) photos. If you are a chef whose information appears on Kitse and you did not create the listing, you can claim it or request removal at any time — see §7 below.
2. How we use your information
| What | Why |
|---|
| Phone / email | Sign you in, send order receipts and delivery confirmations |
| Tax info (EIN/SSN last 4) | Issue 1099-K tax forms when your annual payouts cross the IRS threshold |
| Delivery address + coords | Calculate delivery fee from the right tier of your chosen seller's mileage bands |
| Profile bio, photos, permit | Display your Seller profile and signal trust to Buyers |
| Order history | Seller dashboard, buyer favorites, support, and payout accounting |
3. Who we share it with
Kitse does not sell your personal information. We share limited data with the following service providers only to run the platform:
| Provider | What they receive | Why |
|---|
| Stripe | Payment card, billing address, order total | Process payments. Kitse never stores full card numbers. |
| Twilio | Phone number, one-time verification code | Send SMS OTP for sign-in |
| SMTP provider | Email address, message body | Send transactional email (receipts, delivery confirmations, password resets) |
Between Sellers and Buyers, we share only what's necessary to complete an order: your delivery address goes to the Seller; the Seller's pickup or delivery details are shared with you after they confirm.
We may share data with law enforcement if compelled by valid subpoena or required by law.
4. Data retention
- Active accounts: kept while your account is active.
- Server logs: 14 days.
- Order records: 7 years (for tax and dispute history).
- Deleted accounts: personally identifying fields are replaced with placeholders within 30 days; aggregate order data is retained for accounting.
5. Your rights
Regardless of where you live, you can:
- Download your data — a JSON export of everything we store about your account, orders, products, and payouts. Available from your seller dashboard under "Privacy" or by emailing privacy@kitse.co.
- Delete your account — your profile is removed, identifying fields on your orders are anonymized, and your session is killed. Some records (order history for accounting, payouts for 1099 reporting) are retained in anonymized form.
- Correct inaccurate information — edit it yourself from your dashboard, or email us.
- Opt out of marketing email — every marketing email has an unsubscribe link. Transactional emails (receipts, delivery confirmations) cannot be opted out of as long as you have active orders.
6. California residents (CCPA / CPRA)
Kitse operates primarily in California. Under the CCPA/CPRA you have the specific rights to:
- Know what categories of personal information we collect, where it comes from, why, and who we share it with (all of which are disclosed above).
- Access a copy of the information we hold about you.
- Correct inaccurate information.
- Delete your information, subject to legal exceptions (e.g., we may retain some order history for tax purposes).
- Opt out of "sale" or "sharing" — Kitse does not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination — exercising any right will not result in lesser service.
To exercise any of these rights, email privacy@kitse.co or use the in-app buttons on your dashboard. We aim to respond within 45 days.
7. Profiles sourced from public records
Some Seller profiles at launch were built from publicly available MEHKO (Microenterprise Home Kitchen Operation) and cottage-food permit records published by state and county health agencies. These profiles display information that is already public — business name, permit number, approximate address, and (where available) photo — but they are marked as unclaimed and cannot accept orders until the chef claims them.
If you are a chef whose profile appears on Kitse and:
- You want to claim it — visit your profile page and click "Claim this profile."
- You want it removed — email privacy@kitse.co with your name, business, and permit number. We will remove the listing within 7 days.
- You want to correct information — same contact, or claim the profile and edit it directly.
We believe curating public permit data into a discovery map serves both chefs and buyers, but we recognize not every chef wants to be listed. Removal is free, fast, and with no questions asked.
8. Children
Kitse is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, contact privacy@kitse.co and we will delete it.
9. Security
We use HTTPS for all traffic, HTTP-only cookies for sessions, and standard hashing for sensitive fields where appropriate. Data at rest is stored on managed infrastructure with standard access controls. No system is perfectly secure — if you become aware of a vulnerability, please disclose it responsibly to security@kitse.co.
10. Changes to this policy
We may update this policy as the platform evolves. Material changes will be posted with an updated "Last updated" date and, for significant changes, communicated via email.
11. Contact
For privacy-related questions or to exercise your rights: privacy@kitse.co
For general questions: support@kitse.co