Privacy Policy

Last updated: December 15, 2025

At Nugget, we take your privacy seriously. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our restaurant discovery platform. By using Nugget, you agree to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address (required)
  • Password (encrypted and stored securely)
  • Full name (optional, but shown publicly if you post reviews)
  • Profile picture (via Google OAuth or direct upload)
  • User role (customer, restaurant owner, local hero, or admin)

1.2 Usage and Behavioral Information

We collect information about how you use our platform:

  • Saved searches: Search queries, filters (cuisine type, dietary preferences, price level, amenities), and precise location coordinates (latitude/longitude) of where you searched
  • Favorites: Which restaurants you bookmark
  • Reviews and ratings: Your written reviews, star ratings, and visit dates (this information is public)
  • Restaurant interactions: Aggregate counts of page views, phone clicks, website clicks, and direction requests
  • Dietary preferences and cuisine interests stored in your profile

1.3 Location Information

We collect location data in the following ways:

  • Saved search locations: When you save a search, we store the precise GPS coordinates (latitude/longitude) of the search area
  • IP-based location (requires consent): We use your IP address to determine your approximate location (nearest city) to show relevant local restaurants. This only happens if you accept functional cookies. Your IP address is never stored; we only cache the detected city name locally in your browser.
  • Browser geolocation (with permission): When you click "Use current location," your browser will ask for permission to share your precise GPS coordinates. This is only used to find restaurants near you and is never stored.
  • City/region: Used for restaurant discovery and local hero assignments

1.4 Payment Information

If you subscribe to a paid plan, we collect:

  • Stripe customer ID (used to manage your subscription)
  • Stripe subscription ID
  • Subscription plan type and status
  • Billing period dates
  • Important: We do NOT store your credit card numbers or payment card details. All payment processing is handled securely by Stripe.

1.5 Communications and Submissions

  • Contact form submissions: Name, email, phone number (optional), subject, and message
  • Restaurant suggestions: Restaurant details you submit including name, cuisine, address, phone, website, and your reasoning
  • City requests: Cities you request us to add and your reasoning
  • Local hero applications: Your experience, motivation, preferred cities, and social media handles

1.6 Restaurant Owner Information

If you register as a restaurant owner, we collect:

  • Business information (restaurant names, addresses, descriptions)
  • Ownership verification details
  • Analytics preferences
  • Marketing campaign settings
  • Coupon and promotion details

1.7 Technical Information

  • IP address
  • Browser type and version
  • Device type
  • Operating system
  • Session duration and timestamps

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

  • Create and manage your account
  • Process authentication and maintain secure sessions
  • Display personalized restaurant recommendations based on your preferences and search history
  • Save your favorite restaurants and search queries
  • Enable you to post reviews and ratings
  • Facilitate restaurant discovery using location-based searches

2.2 Payment and Subscription Management

  • Process subscription payments through Stripe
  • Manage billing cycles and renewal dates
  • Handle subscription upgrades, downgrades, and cancellations
  • Maintain payment records for tax and legal compliance

2.3 Analytics and Improvement

  • Track restaurant page views, phone clicks, website clicks, and direction requests (aggregated data only)
  • Analyze usage patterns to improve platform features
  • Understand which cuisines and features are most popular
  • Optimize search algorithms and recommendation systems

2.4 Communications

  • Send transactional emails (password resets, subscription confirmations, account notifications)
  • Send marketing communications only if you opt in during signup or in your account settings
  • Respond to your contact form inquiries and support requests
  • Notify you about changes to our services or policies

2.5 Safety and Security

  • Detect and prevent fraudulent activity
  • Monitor for security threats and suspicious behavior
  • Enforce our Terms of Service
  • Comply with legal obligations

3. Third-Party Services and Data Sharing

We do not sell your personal information to third parties. However, we share certain information with trusted service providers to operate our platform:

3.1 Google Services

We use Google for authentication and restaurant data:

  • Google OAuth: When you sign in with Google, we receive your Google ID, email address, full name, and profile picture. Your Google login credentials are never stored on our servers.
  • Google Places API: We send your search queries, location coordinates, and search preferences to Google to retrieve restaurant information including names, addresses, phone numbers, opening hours, photos, ratings, and Google Maps URLs.
  • Data shared: Search queries, precise location coordinates (latitude/longitude), restaurant names for lookup
  • Privacy policy: Google Privacy Policy

3.2 Stripe Payment Processing

All payment processing is handled by Stripe:

  • Data shared with Stripe: Your email address, user ID (as metadata), subscription plan type, billing period dates
  • What Stripe collects: Payment card details (stored only by Stripe, never by us), billing addresses, transaction history
  • Why we use Stripe: To securely process subscription payments and manage billing
  • Privacy policy: Stripe Privacy Policy

3.3 Mapbox Mapping Services

  • Data shared with Mapbox: Location coordinates, search queries for geocoding, map viewport information
  • Why we use Mapbox: To display interactive maps, convert addresses to coordinates, and show restaurant locations
  • Privacy policy: Mapbox Privacy Policy

3.4 Restaurant Partners

  • Aggregate analytics: Restaurant owners who subscribe to our platform can view aggregated analytics about their listings (total views, clicks, engagement) but cannot see individual user identities
  • No personal data shared: We do not share your email address, name, or contact information with restaurant owners

3.5 Other Users (Public Information)

  • Public reviews: When you post a restaurant review, your name (if provided), rating, review text, and visit date are visible to all users, including those not logged in
  • Private information: Your email address, saved searches, favorites, and contact form submissions are never public

3.6 Legal Requirements

We may disclose your information if required by law, court order, or to:

  • Comply with legal processes
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of Nugget, our users, or the public
  • Prevent fraud or security threats

4. Public vs. Private Information

It's important to understand which information is public and which is private:

Public Information (visible to everyone)

  • Restaurant reviews you write (including your name, rating, review text, and visit date)
  • Restaurant ratings and likes you submit
  • Your profile name (only if you post public reviews)

Private Information (only visible to you and admins)

  • Email address
  • Saved searches and search history
  • Favorited restaurants
  • Dietary preferences and cuisine interests
  • Contact form submissions
  • Subscription and payment details
  • Local hero or restaurant owner applications

5. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Active accounts: Your account data is retained while your account is active
  • Reviews and ratings: Retained indefinitely to maintain the integrity of our restaurant ratings system. Reviews remain visible even if you delete your account (attributed to "Former User")
  • Subscription data: Retained for 7 years after cancellation for tax, accounting, and legal compliance purposes
  • Saved searches and favorites: Deleted when you remove them or delete your account
  • Contact form submissions: Retained for 2 years for customer service purposes
  • Analytics data: Aggregated analytics retained indefinitely; individual tracking data deleted after 2 years
  • Deleted accounts: Personal data permanently deleted within 30 days of account deletion (except as noted above)

6. Cookies and Session Management

We use authentication tokens and browser storage to maintain your session:

What We Use

  • Authentication tokens: JWT (JSON Web Tokens) stored as HTTP-only cookies to keep you logged in securely
  • Session cookies: Essential cookies that expire when you close your browser
  • Local storage: Browser storage for user preferences and cached data

What We Don't Use

  • Third-party advertising cookies
  • Cross-site tracking cookies
  • Marketing or analytics cookies from external services

Important: If you disable cookies in your browser, you will not be able to log in or use many features of our platform, as authentication requires cookie storage.

7. Data Security

We implement comprehensive security measures to protect your personal information:

Security Measures

  • Encryption in transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption
  • Encryption at rest: Your data is encrypted when stored in our database
  • Password protection: Passwords are hashed using industry-standard algorithms and never stored in plain text
  • Row-level security: Database-level access controls ensure users can only access their own data
  • OAuth security: Google sign-in reduces password exposure and leverages Google's security infrastructure
  • Payment security: PCI DSS-compliant payment processing through Stripe; we never handle credit card numbers

Limitations

While we implement strong security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we continuously monitor and improve our security practices.

Security Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of discovering the breach
  • Describe the nature of the breach and what information was compromised
  • Explain the steps we're taking to address the breach and prevent future incidents
  • Provide guidance on how you can protect yourself
  • Comply with all applicable data breach notification laws

8. Your Rights and Choices

You have several rights regarding your personal information:

8.1 Access and Update

  • View your data: Access your profile, saved searches, favorites, and reviews at any time by logging into your account
  • Update your information: Edit your profile name, email, preferences, and other account details in your account settings
  • Correct inaccuracies: Contact us to correct any inaccurate information we hold about you

8.2 Delete and Remove

  • Delete saved searches: Remove individual saved searches from your account
  • Remove favorites: Unfavorite restaurants at any time
  • Delete reviews: Remove or edit your restaurant reviews
  • Delete account: Request full account deletion by contacting us. Your personal data will be deleted within 30 days (note: public reviews may be retained as "Former User" to maintain rating integrity)

8.3 Marketing Communications

  • Opt out of marketing emails: Click the "Unsubscribe" link at the bottom of any marketing email
  • Update preferences: Manage your communication preferences in your account settings
  • Transactional emails: You cannot opt out of transactional emails (password resets, subscription confirmations) as these are necessary for the service

8.4 Data Portability

You can request a copy of your data in a machine-readable format by contacting us. We will provide:

  • Your profile information
  • All saved searches and favorites
  • All reviews and ratings you've submitted
  • Subscription history
  • Contact form submissions

8.5 Subscription Management

  • Cancel anytime: Cancel your subscription at any time from your subscription page
  • Downgrade: Switch from a paid plan to the free tier
  • Refunds: Subject to our refund policy (contact support for details)

9. User Roles and Access

Our platform has different user roles with varying access levels:

Customer (Default)

  • Search for and discover restaurants
  • Save searches and favorite restaurants
  • Post reviews and ratings
  • View their own data only

Restaurant Owner

  • Manage multiple restaurant listings
  • View analytics for their restaurants (aggregate data only, not individual user information)
  • Create and manage coupons and promotions
  • Upload photos and update restaurant details
  • Run marketing campaigns

Local Hero (Community Curator)

  • Edit and create restaurant listings in assigned cities
  • Review and approve restaurant suggestions
  • Curate local restaurant content
  • Access to Local Hero dashboard with performance metrics

Administrator

  • Access to all user data for platform management and support
  • Review contact form submissions and user applications
  • Manage user roles and permissions
  • Platform-wide analytics and monitoring

Important: Restaurant owners can only see aggregated analytics (total views, clicks) and cannot identify individual users who viewed their listings. Your identity remains private.

10. Analytics and Tracking

We track certain metrics to improve our platform and help restaurant owners understand their visibility:

What We Track

  • Restaurant page views: How many times a restaurant profile is viewed
  • Click tracking: Phone number clicks, website clicks, direction requests (aggregated counts only)
  • Search patterns: Popular cuisines, price ranges, and amenities (anonymized)
  • Feature usage: Which platform features are most used to guide improvements

What We Don't Track

  • Third-party analytics tools (no Google Analytics, no Facebook Pixel)
  • Cross-site tracking or advertising pixels
  • Detailed browsing behavior outside of our platform
  • Individual user journeys shared with restaurant owners

11. User-Generated Content

When you post reviews, ratings, or other content on our platform:

Content Ownership

  • You retain ownership: You own the content you create
  • License to us: By posting content, you grant us a non-exclusive, worldwide, royalty-free license to use, display, distribute, and modify your content for the purpose of operating our platform
  • Public visibility: Reviews and ratings are public and may be indexed by search engines

Content Moderation

  • We reserve the right to remove content that violates our Terms of Service
  • Content that is offensive, defamatory, or violates others' rights may be removed
  • We may moderate reviews to ensure authenticity and quality

12. Children's Privacy

Our platform is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. We do not verify age during signup, and parents should monitor their children's internet use.

If we discover that we have collected personal information from a child under 13, we will delete that information immediately. If you believe we have collected information from a child under 13, please contact us.

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our servers and service providers may be located in different jurisdictions. By using our platform, you consent to the transfer of your information to these locations.

Transfer Safeguards

For transfers of personal data from the European Economic Area (EEA) and the United Kingdom to countries outside these regions, we implement appropriate safeguards to protect your information:

  • Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses adopted by the European Commission for transfers of personal data to third countries that do not provide an adequate level of data protection
  • UK International Data Transfer Agreement/Addendum: For transfers from the UK, we supplement the SCCs with the UK Addendum to the EU Commission's Standard Contractual Clauses, as required by UK data protection law
  • Service Provider Agreements: Our third-party service providers (Google, Stripe, Mapbox) have implemented appropriate technical and organizational measures, and where required, have entered into SCCs or rely on adequacy decisions

Adequacy Decisions: Where data is transferred to countries recognized by the European Commission or UK government as providing adequate protection (such as through an adequacy decision), we rely on that recognition as the legal basis for transfer.

You may request a copy of the safeguards we have in place by contacting us through our contact page.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Sale and Sharing of Personal Information

We do not sell or share your personal information. Specifically:

  • No sale: We do not sell personal information to third parties for monetary or other valuable consideration
  • No sharing for cross-context behavioral advertising: We do not share personal information with third parties for cross-context behavioral advertising purposes
  • No third-party advertising networks: We do not use advertising cookies, tracking pixels, or integrate with ad networks that would constitute "sharing" under CPRA

Sensitive Personal Information

We collect the following categories of sensitive personal information:

  • Precise geolocation data: GPS coordinates when you save searches or use location-based features
  • Account login credentials: Your password (encrypted)

Use of Sensitive Personal Information: We use sensitive personal information only for purposes that are necessary to provide the services you requested and for other permitted business purposes under CPRA, including:

  • Performing services requested by you (restaurant searches based on your location)
  • Ensuring security and integrity of our systems
  • Short-term, transient use (displaying search results)
  • Verifying and maintaining service quality

Because we use sensitive personal information only for these permitted purposes, you do not have a right to limit its use under CPRA Section 1798.121.

Your California Privacy Rights

  • Right to know: Request details about the personal information we collect, use, disclose, and sell/share (including categories and specific pieces of information)
  • Right to delete: Request deletion of your personal information, subject to certain exceptions
  • Right to correct: Request correction of inaccurate personal information we maintain about you
  • Right to opt out of sale/sharing: While we do not sell or share personal information, you have the right to opt out if our practices change
  • Right to limit use of sensitive personal information: We use sensitive information only for permitted purposes, so this right does not apply
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

Retention Periods

We retain personal information for the periods described in Section 5 (Data Retention) of this policy. For California residents, we provide specific retention details:

  • Account data: Retained while account is active
  • Precise geolocation: Retained in saved searches until you delete them or your account
  • Transaction data: 7 years for tax compliance

Exercising Your Rights

To exercise these rights, please contact us through our contact page or email us. We will respond within 45 days (extendable by an additional 45 days if necessary). You may designate an authorized agent to make requests on your behalf by providing written authorization.

15. European Privacy Rights (GDPR and UK GDPR)

If you are located in the European Economic Area (EEA) or UK, you have additional rights under the General Data Protection Regulation (GDPR) and the UK GDPR:

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract: To provide services you've requested (account creation, subscription management, restaurant discovery features)
  • Consent: For marketing communications and optional features such as precise location tracking (you can withdraw consent anytime)
  • Legitimate interests: To improve our services, prevent fraud, ensure platform security, and conduct analytics to enhance user experience
  • Legal obligation: To comply with applicable laws and regulations, including tax and financial record-keeping requirements

Your GDPR Rights

  • Right of access: Obtain a copy of your personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data ("right to be forgotten"), subject to certain legal exceptions
  • Right to restrict processing: Limit how we use your data in certain circumstances
  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent: Withdraw consent for data processing at any time (this does not affect the lawfulness of processing before withdrawal)
  • Right not to be subject to automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects
  • Right to lodge a complaint: File a complaint with your local data protection authority (supervisory authority)

Data Protection Authorities

If you are located in the EEA or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority:

  • UK residents: Information Commissioner's Office (ICO) - ico.org.uk
  • EEA residents: Contact your national data protection authority - find yours at EDPB Member List

UK Representative

If Nugget does not have an establishment in the United Kingdom, we will appoint a UK Representative in accordance with Article 27 of the UK GDPR. If a UK Representative has been appointed, their contact details will be provided here. Until such time, please direct all UK GDPR inquiries to our contact page.

EEA Representative

If Nugget does not have an establishment in the European Economic Area, we will appoint an EEA Representative in accordance with Article 27 of the GDPR. If an EEA Representative has been appointed, their contact details will be provided here. Until such time, please direct all GDPR inquiries to our contact page.

Exercising Your Rights

To exercise these rights, please contact us through our contact page with "GDPR Request" or "UK GDPR Request" in the subject line. We will respond within one month of receiving your request. In complex cases, we may extend this period by two additional months, in which case we will notify you of the extension and the reasons for the delay.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Post the new policy on this page
  • Notify you via email if the changes materially affect your rights
  • Provide a summary of key changes when appropriate

We encourage you to review this Privacy Policy periodically. Your continued use of our platform after changes are posted constitutes your acceptance of the updated policy.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us:

  • Contact form: Visit our contact page
  • Data protection inquiries: For GDPR or CCPA requests, please specify this in your message
  • Security concerns: If you discover a security vulnerability, please report it immediately

We aim to respond to all inquiries within 7 business days, and within 30 days for formal data subject requests.

By using Nugget, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with this policy, please do not use our platform.