Porch Pantry (the "Service") is a marketplace for home-cooked specialty batch foods, operated by Spiral Physical Therapy Inc. ("Porch Pantry," "we," "us"). This Privacy Policy describes how we collect, use, share, and protect personal information when you use our website at porchpantry.app, our web app, or any related services.
This policy applies to two kinds of users: eaters (people who order food) and cooks (people who prepare and sell food from a permitted home kitchen). Some sections apply to both; some are role-specific.
By using Porch Pantry, you agree to this Privacy Policy and to our Terms of Service.
When you create an account or use Porch Pantry, you give us:
| What | From whom | Why we ask |
|---|---|---|
| Name, email, password | Eaters & cooks | To create your account, sign you in, and contact you about orders |
| Profile photo (optional) | Eaters & cooks | So the other side of the order knows who they're transacting with |
| ZIP code, neighborhood | Eaters | To show you cooks and batches near you |
| Delivery address | Eaters who choose delivery | So the cook can deliver your order. Stored on the order record |
| Kitchen address, kitchen photo, bio, tagline | Cooks | So eaters can find your kitchen and learn who you are |
| Permit attestation (and, if requested by us, a permit document) | Cooks | To verify you have a valid MEHKO or equivalent home-kitchen permit, which is required to sell on Porch Pantry |
| Batch details — dish name, photos, ingredients, price, capacity, pickup windows, delivery radius/fee | Cooks | So eaters can browse and order what you're cooking |
| Order details — items, quantities, fulfillment type, pickup window or delivery address | Eaters | To process and fulfill your order |
| Reviews and ratings | Eaters | To help other eaters choose cooks and to give cooks feedback |
| Messages between eaters and cooks | Eaters & cooks | So you can coordinate around a specific order. Messages are visible to both parties to that order |
Porch Pantry uses Stripe to process all payments. We never see, store, or transmit your full card number. When you place an order as an eater, your card information is collected directly by Stripe through Stripe Checkout. When you onboard as a cook, Stripe Connect collects the business and identity information it needs to verify you and pay you out, including your name, address, date of birth, last four digits of your SSN (or full SSN, depending on Stripe's verification requirements), and bank account details. That information goes from you to Stripe directly — Porch Pantry receives only Stripe's verification status (whether you can accept charges and receive payouts) and a Stripe-assigned account ID. See Stripe's privacy policy for how Stripe handles your data.
When you use Porch Pantry, we automatically collect:
To show eaters cooks nearby, and to verify a delivery address is within a cook's delivery radius, we convert addresses into latitude/longitude coordinates. We do this using the public Nominatim service operated by the OpenStreetMap Foundation. When you enter a kitchen address or delivery address, that address is sent to Nominatim. We store the resulting lat/lng on your kitchen record (cooks) or order record (eater deliveries) so we don't have to re-geocode it.
We use the information described above to:
We do not sell your personal information. We do not share it with third parties for their independent advertising or marketing.
Running a marketplace requires a small number of service providers. We share what's necessary, and those providers are bound by their own contracts and privacy policies. Here's the full list of who sees what:
| Provider | What they handle | Their privacy policy |
|---|---|---|
| Stripe | Payments, payouts to cooks, identity verification of cooks, fraud screening | stripe.com/privacy |
| Supabase | Authentication, database storage of profiles, kitchens, batches, orders, reviews, messages, photos. Hosted in the United States. | supabase.com/privacy |
| Resend | Transactional email delivery (order confirmations, pickup reminders, etc.) | resend.com/legal/privacy-policy |
| Vercel | Web hosting, deployment, edge networking, server-side function execution | vercel.com/legal/privacy-policy |
| OpenStreetMap / Nominatim | Geocoding street addresses to lat/lng coordinates | OSM Foundation Privacy Policy |
We share information with these providers only to the extent they need it to perform their service. We share between Porch Pantry users (eaters and cooks) only as necessary to facilitate an order — eaters see a cook's name, kitchen photo, address area, and reviews; cooks see an eater's name and, for delivery orders, the eater's delivery address.
We may also share information when required by law (subpoena, court order, or other legal process), to protect the safety of our users or the public, or in connection with a merger, acquisition, or sale of all or substantially all of our assets — in which case we'll notify you before your information becomes subject to a different privacy policy.
We use a small number of cookies and browser-storage entries — only what's needed to keep you signed in and to remember basic preferences. Specifically:
We do not use third-party advertising cookies, retargeting pixels, or analytics SDKs that share data with advertising networks. You can clear cookies and browser storage in your browser settings; doing so will sign you out and clear your in-progress cart.
We keep account and order information for as long as your account is active and for a reasonable period afterward to satisfy legal, tax, and audit obligations — typically up to seven (7) years for transaction records. You can ask us to delete your account at any time (see Your privacy rights); we'll delete what we can while preserving the minimum we're required to keep by law (for example, certain Stripe payment records and tax-relevant order data).
We use commercially reasonable safeguards to protect your information — encrypted connections (HTTPS/TLS) for everything between your browser and our servers, encrypted storage at rest in Supabase, and access controls that limit who at Porch Pantry can see what. Stripe holds itself to PCI DSS Level 1 standards for payment data. No system is perfectly secure, though, and we can't guarantee absolute security. If we ever discover a breach that affects your information, we'll notify you and the appropriate authorities as required by law.
You can:
To exercise any of these rights, email privacy@porchpantry.app from the email address associated with your account. We'll verify your identity and respond within 30 days.
If you're a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights about your personal information. Those rights overlap substantially with the rights described in Section 8, plus:
To exercise these rights, email privacy@porchpantry.app. You can use an authorized agent to make a request on your behalf, in which case we may ask the agent to provide proof you authorized them and may verify your identity directly.
Porch Pantry is not directed to children under 18. You must be at least 18 years old to create an account and to enter into the agreements that governing the Service. We don't knowingly collect personal information from children under 13. If you believe we've collected information from a child under 13, contact us at privacy@porchpantry.app and we'll delete it.
Porch Pantry currently operates in California and serves users located in California. Our service providers (Stripe, Supabase, Resend, Vercel) are based in the United States and process data in the United States. If you're outside the United States and use the Service, your information will be transferred to and processed in the United States, which may have different data-protection laws than your country of residence.
We may update this Privacy Policy from time to time. When we make material changes, we'll post the updated policy here, update the "Effective date" at the top, and (for significant changes that affect your rights) email active users. Continued use of the Service after the new effective date means you accept the updated policy. If you don't agree, stop using the Service and ask us to delete your account.
Questions, requests, or complaints about this policy or about how we handle your information:
This policy is provided in plain English to help you understand it. Where it conflicts with applicable law, the applicable law controls.