Privacy Policy
Users of the Foodli Platform (Food Business Operators — B2B)
Version 2.0 — March 2026 · Pursuant to Arts. 13–14 of Regulation (EU) 2016/679 (GDPR)
1. Data Controller
The Controller of the personal data collected through the Foodli platform is:
Sicilean S.r.l.
Via Roma n. 95 — 91021 Campobello di Mazara (TP), Italy
VAT and tax code: 02898760810 | REA: TP - 204826
Registered with the Companies Register of Trapani on 08/05/2024
PEC: sicilean@pec.it
Privacy e-mail: privacy@sicilean.tech
Legal references: Arts. 13–14 GDPR · Italian Legislative Decree 196/2003
2. Sicilean's Dual Role
Sicilean has a dual role with respect to personal data in the Foodli context:
- Controller for the data you provide in the contractual relationship (registration, profile, billing, use of the platform). This notice covers this role only.
- Processor (Art. 28 GDPR) for third-party personal data (employees, collaborators, customers) that may appear in uploaded content. In that case the DPA attached to the Terms and Conditions applies.
3. Data Processed, Purposes and Legal Bases
Legal references: Art. 6 GDPR · Art. 5 GDPR
3.1 Registration and authentication
Legal basis: Art. 6(1)(b) GDPR — contract
First name, last name, e-mail, password (stored only as a bcrypt hash, see Section 9). With OAuth: data provided by Google/Facebook/Apple. Required to create and manage the account.
3.2 OAuth authentication (Google, Facebook, Apple)
Legal basis: Art. 6(1)(b) GDPR
Sicilean does not receive or store OAuth provider passwords. Tokens are managed by Supabase Auth.
3.3 Onboarding — Personal profile
Legal basis: Art. 6(1)(b) GDPR
First name, last name, phone (optional).
3.4 Onboarding — Business profile
Legal basis: Art. 6(1)(b) GDPR
Company name, brand name, category, description (optional), website (optional).
3.5 Billing and tax data
Legal basis: Art. 6(1)(b) + 6(1)(c) GDPR — contract + legal obligation
VAT number, billing address, SDI/PEC. Electronic invoices are transmitted to the SDI via Aruba S.p.A. (authorised intermediary, Italy). Ref.: Italian Legislative Decree 127/2015.
3.6 Subscription and payment management
Legal basis: Art. 6(1)(b) + 6(1)(c) GDPR
Card data does not pass through Sicilean — handled exclusively by Stripe Inc. (PCI-DSS L1).
3.7 Uploaded content (menus, dishes, images, locations)
Legal basis: Art. 6(1)(b) GDPR
Menus in "published" status are publicly accessible via /menu/[shortLink]. The FBO is solely responsible for published content.
3.8 PostHog analytics (only with prior consent)
Legal basis: Art. 6(1)(a) GDPR + Art. 122 Italian Legislative Decree 196/2003 — consent
Pages visited, UI interactions, session data. All forms are masked. EU server (eu.i.posthog.com) — no transfer outside the EEA.
3.9 Menu view statistics (internal aggregates)
Legal basis: Art. 6(1)(b) GDPR
Aggregated counter by date — no identifiable visitor data.
3.10 Contractual communications and support
Legal basis: Art. 6(1)(b) + 6(1)(f) GDPR
E-mails and communications relating to the contract, technical notices, support.
3.11 Security and fraud prevention
Legal basis: Art. 6(1)(f) GDPR — legitimate interest
Authentication logs, Vercel infrastructure logs (IP, URL, timestamp). Retention max 90 days.
3.12 Referral programme (if enabled)
Legal basis: Art. 6(1)(b) GDPR
Unique referral code, usage counter, status.
3.13 Marketing communications
Legal basis: Art. 6(1)(a) GDPR + Art. 130 Italian Legislative Decree 196/2003 — consent (if introduced)
Sicilean does not currently send marketing communications. If introduced, only with explicit opt-in consent.
3.14 Google Analytics (only with prior consent)
Legal basis: Art. 6(1)(a) GDPR + Art. 122 Italian Legislative Decree 196/2003 — consent
Advanced web analytics. IP anonymised. Google LLC DPF certified. Active only if consent is given via the cookie banner.
3.15 AI features — @sicilean/ai-sdk (when enabled)
Legal basis: Art. 6(1)(b) GDPR (contractual feature) / Art. 6(1)(a) GDPR (optional features)
Anonymised prompts sent via @sicilean/ai-sdk gateway to OpenRouter Inc. (USA, SCC). Logs max 90 days. Features under progressive development.
4. Recipients and sub-processors
Legal references: Art. 28 GDPR
| Provider | Role | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage | USA (EU region available) | SCC |
| Stripe Inc. | Payments and subscriptions | USA | DPF + SCC |
| Vercel Inc. | Hosting, CDN, edge | USA | SCC |
| PostHog Inc. | Analytics (only with consent) | USA/UK — EU server | No transfer outside EEA |
| Google LLC | OAuth + Analytics (with consent) | USA | DPF + SCC |
| Meta Platforms Inc. | Facebook OAuth | USA | SCC |
| Apple Inc. | Apple OAuth | USA | SCC |
| OpenRouter Inc. | AI gateway (when active) | USA | SCC |
| Aruba S.p.A. | SDI e-invoicing intermediary | Italy | No transfer outside EEA |
For the full list with details and safeguards, see the Sub-processors section or write to privacy@sicilean.tech.
5. Transfers of Data Outside the EEA
Legal references: Arts. 44–49 GDPR · SCC Decision 2021/914/EU · DPF Decision 2023/1795/EU
Transfers to US providers take place through:
- Standard Contractual Clauses (SCC) — Decision 2021/914/EU for Supabase, Vercel, Meta, Apple, OpenRouter and Google (where DPF does not apply).
- EU–US Data Privacy Framework (DPF) — for Google LLC and Stripe Inc. (certifications verifiable at dataprivacyframework.gov).
- PostHog processes data only on EU servers (eu.i.posthog.com) — no transfer outside the EEA.
- Aruba S.p.A. operates exclusively in Italy — no transfer outside the EEA.
6. Retention Period
Legal references: Art. 5(1)(e) GDPR · Italian Presidential Decree 633/1972
| Data category | Period |
|---|---|
| Account and profile data | Contract term + 30 days |
| Operational data (menus, dishes, images) | Contract term + 30 days |
| Billing and tax data | 10 years (legal obligation) |
| Stripe transactional data | 10 years (legal obligation) |
| Aruba SDI invoices | 10 years (substitute storage) |
| Security logs | 90 days (operational) / 12 months (incidents) |
| PostHog analytics (if consent) | Max 12 months or withdrawal of consent |
| Google Analytics (if consent) | Max 14 months or withdrawal of consent |
| AI/prompt logs | Max 90 days, then anonymisation |
7. Your Rights
Legal references: Arts. 15–22 GDPR · Art. 77 GDPR
You may exercise these rights at any time by writing to privacy@sicilean.tech or via PEC sicilean@pec.it. Response within 30 days.
- Art. 15 — Access: Obtain a copy of the personal data processed.
- Art. 16 — Rectification: Correct inaccurate data or complete incomplete data.
- Art. 17 — Erasure: Obtain erasure of data (except legal obligations for tax data — 10 years).
- Art. 18 — Restriction: Request suspension of processing.
- Art. 20 — Portability: Receive data in a structured format (CSV/JSON).
- Art. 21 — Objection: Object to processing based on legitimate interest.
- Art. 7(3) — Withdraw consent: Withdraw consent for analytics via the “Manage cookie preferences” link in the footer.
- Art. 77 — Complaint to the supervisory authority: www.garanteprivacy.it — urp@gpdp.it
8. Cookies and Tracking
For full information, please refer to the Cookie Policy. Analytics cookies (PostHog, Google Analytics) are activated only with explicit consent.
9. Data Security
Legal references: Art. 32 GDPR
- Encryption in transit (TLS/HTTPS) and at rest (AES-256)
- bcrypt password hashing (Supabase Auth)
- Row Level Security (RLS) on PostgreSQL — multi-tenant isolation
- RBAC with signed JWTs
- Input masking in session recordings
- Data breach: notification to the supervisory authority within 72 hours (Art. 33 GDPR) + notification to data subjects if high risk (Art. 34 GDPR)
10. Minors
Foodli services are intended exclusively for professionals aged 18 or over. Sicilean does not collect data from minors. Reports: privacy@sicilean.tech.
11. Automated Decisions and Profiling
Sicilean does not use decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22 GDPR). AI features provide suggestions but do not produce binding decisions.
12. Changes to this Notice
Legal references: Art. 13(3) GDPR
In case of material changes (new purposes, new sub-processors), Sicilean will notify by e-mail with at least 15 days' notice. Planned changes: progressive integration of Google Analytics and AI features — the notice will be updated before activation.
13. Contacts
E-mail: privacy@sicilean.tech
PEC: sicilean@pec.it
Mail: Sicilean S.r.l. — Via Roma n. 95 — 91021 Campobello di Mazara (TP)
Registered mail subject line: “GDPR rights exercise — Foodli”
Data Processing Agreement (DPA)
Art. 28 Regulation (EU) 2016/679 — Version 1.0 — March 2026
Legal references: Art. 28 GDPR
Art. 1 — Subject matter
This DPA sets out the rights and obligations of Sicilean as Processor for third-party personal data (employees, customers, etc.) entered by the Customer on the Foodli platform.
Art. 2 — Controller instructions
Sicilean processes data only on the Customer's instructions: secure storage, menu publication, backup, technical support, legal obligations.
Art. 3 — Staff confidentiality
Only strictly necessary staff are authorised; all are bound by contractual and statutory confidentiality duties.
Art. 4 — Security measures
TLS 1.2/1.3 in transit, AES-256 at rest, RLS on PostgreSQL, signed JWTs, daily Supabase backups, MFA for infrastructure access.
Art. 5 — Sub-processors
The Customer expressly authorises the sub-processors listed in Annex A. Sicilean will notify additions or replacements with 30 days' notice. The Customer may object within 30 days.
Art. 6 — Assistance with data subject rights
Sicilean assists the Customer for Arts. 15–22 GDPR. Response within 5 business days. The platform provides export (CSV/JSON) and deletion features.
Art. 7 — Data breach
Sicilean notifies the Customer within 48 hours of becoming aware. The Customer notifies the supervisory authority within 72 hours (Art. 33 GDPR). Sicilean assists with DPIA (Art. 35 GDPR) within 15 business days.
Art. 8 — Audit
The Customer may verify via sub-processor certifications, on-site inspection (30 days' notice) or standard questionnaires (response 20 days).
Art. 9 — Transfers outside the EEA
Transfers take place via SCC and DPF as set out in Annex A. If invalidated, Sicilean adopts alternative measures within the statutory deadline.
Art. 10 — Deletion and return
After termination: 30 days to export data, then definitive erasure (including backups within an additional 90 days). Tax data retained 10 years by legal obligation. Written certification on request within 15 days.
Art. 12 — Applicable law
GDPR and Italian law. Jurisdiction: Campobello di Mazara (TP).
Annex B — Processing details (Art. 28(3) GDPR)
- Subject matter: Provision of the Foodli SaaS service — creation, management and publication of digital menus with allergens.
- Duration: Contract term + 30 days for export (except tax data: 10 years).
- Type of data: Names of employees/collaborators in uploaded content; location contact data; images with identifiable individuals (discouraged).
- Categories of data subjects: Employees/collaborators of the FBO; customers with allergies recorded manually; third parties whose data the Customer enters.
Sub-processors and transfers outside the EEA
Version 1.1 — March 2026 — Review: every 12 months or when the chain changes
Legal references: Art. 28 GDPR · SCC 2021/914/EU · DPF 2023/1795/EU
Supabase Inc.
- Role: PostgreSQL database, authentication (Supabase Auth), image storage
- Country: USA (EU Frankfurt region available)
- Data: All account, profile, operational, image and auth log data
- Safeguard: SCC Module 2 — Decision 2021/914/EU
- Note: Configure EU Region to remove transfer outside the EEA.
Stripe Inc.
- Role: Payments, subscriptions, billing portal
- Country: USA + EU (Ireland)
- Data: Billing data (name, address, VAT). Sicilean does not receive card data.
- Safeguard: DPF + SCC
- Note: PCI-DSS L1.
Vercel Inc.
- Role: Next.js hosting, CDN, edge computing
- Country: USA + EU edge nodes
- Data: Data in transit, infrastructure logs (IP, URL, timestamp)
- Safeguard: SCC Module 2
- Note: Log retention max 90 days.
PostHog Inc.
- Role: Analytics, session recording, error monitoring (only with consent)
- Country: EU — eu.i.posthog.com
- Data: PostHog identifier, pages, interactions, errors, session (maskAllInputs)
- Safeguard: No transfer outside the EEA
- Note: Only with explicit consent via the cookie banner.
Google LLC
- Role: OAuth + Google Analytics (with consent)
- Country: USA + EU datacentres
- Data: OAuth: name, e-mail. Analytics: aggregated browsing, anonymised IP.
- Safeguard: DPF + SCC
- Note: Analytics only with consent. IP anonymised.
Meta Platforms Inc.
- Role: Facebook OAuth
- Country: USA (EU DPC: Meta Ireland)
- Data: Name, e-mail (only if logging in with Facebook)
- Safeguard: SCC
- Note: Involved only if “Sign in with Facebook” is used.
Apple Inc.
- Role: Apple OAuth
- Country: USA + EU datacentres
- Data: Name (opt.), e-mail or Apple relay (only if logging in with Apple)
- Safeguard: SCC
- Note: Apple may generate relay e-mails to protect privacy.
OpenRouter Inc.
- Role: AI gateway — LLM prompt processing (when AI features are active)
- Country: USA
- Data: Anonymised prompts, generated response. Not used to train models.
- Safeguard: SCC
- DPA: To be concluded when AI features go into production
- Note: Active only when AI features are used. Logs max 90 days.
Aruba S.p.A.
- Role: SDI e-invoicing intermediary (Aruba E-Invoicing)
- Country: Italy (Bibbiena AR)
- Data: Company name, VAT, SDI/PEC, address, invoice amounts
- Safeguard: No transfer outside the EEA
- Note: Substitute storage 10 years under Italian Legislative Decree 127/2015.
For updates, copies of safeguards (SCC, DPF) or objection to new sub-processors, write to privacy@sicilean.tech or via PEC sicilean@pec.it. Changes to the sub-processor chain are communicated with 30 days' notice.