Privacy Policy

01 — Information We Collect

Information We Collect

Account Information

When you register, we collect your name, email address, and password (managed securely through Clerk Authentication). We do not store your password directly — Clerk handles credential management on our behalf.

Restaurant Profile Information

If you register as a restaurant, we collect: business name, address, city, state, phone number, cuisine type, website URL, a written description of your restaurant, and any photos you upload including a profile logo and banner image.

Creator Profile Information

If you register as a creator or influencer, we collect: display name, city, state, a written biography, your content niche or category, and any profile photo you upload.

Social Media Account Data

If you choose to connect your Instagram or TikTok account, we collect:

• Your social media username and handle
• Your public follower count at the time of connection and during periodic syncs
• An OAuth access token issued by Instagram (Meta) or TikTok to authenticate on your behalf

We do not collect your social media passwords. We do not post to your accounts without your explicit action. Access tokens are stored securely and used only to sync your follower count with your profile on We All Eat.

Campaign and Application Data

We collect information you provide when creating campaigns (restaurants) or submitting applications (creators), including campaign descriptions, compensation details, written application messages, uploaded campaign images, and post URLs submitted as deliverables.

Location Information

Restaurants may use our Google Places integration to look up and confirm their business address. We collect the place name, formatted address, city, state, and geographic coordinates returned by Google Maps at the time of search. We do not continuously track your device location.

Communications

We collect messages sent through any contact forms or support channels on the platform.

Usage and Technical Data

We and our hosting provider (Vercel) may automatically collect standard server log data including your IP address, browser type, operating system, referring URLs, pages visited, and timestamps. This is standard practice for operating any web service.

Cookies and Session Data

We use cookies and similar technologies to maintain your login session. These are set by Clerk, our authentication provider. You can disable cookies in your browser settings, but doing so will prevent you from staying logged in.

02 — How We Use Your Information

How We Use Your Information

We use the information we collect to:

• Create and maintain your account
• Display your profile to other users on the platform (restaurants see creator profiles; creators see restaurant campaign details)
• Facilitate connections between restaurants and creators through campaigns and applications
• Sync your social media follower count to display on your creator profile
• Process and store images you upload (hosted on Supabase Storage)
• Send you transactional notifications about your campaigns or applications (email and in-app)
• Respond to your support requests or questions
• Detect and prevent fraud, abuse, or violations of our Terms of Service
• Operate, maintain, and improve the platform
• Comply with legal obligations

We do not use your information to run third-party advertising. We do not sell your personal data to data brokers or advertisers.

03 — How We Share Your Information

How We Share Your Information

With Other Users

Your profile information is shared with other users of the platform as part of normal marketplace operation. Creator profiles (name, city, niche, follower count, social handles) are visible to restaurants when they review applicants. Restaurant profiles (business name, location, campaign details) are visible to logged-in creators browsing campaigns. You control what you choose to include in your profile.

With Service Providers

We share data with the following trusted third-party services that operate on our behalf:

• Clerk — authentication and user session management. clerk.com/privacy
• Supabase — database hosting (PostgreSQL) and file storage. supabase.com/privacy
• Vercel — website hosting and deployment. vercel.com/legal/privacy-policy
• Google — restaurant address lookup via Google Places API. policies.google.com/privacy
• Meta (Instagram) — optional social account connection via Instagram Graph API. privacycenter.facebook.com
• TikTok — optional social account connection via TikTok API. tiktok.com/legal/page/us/privacy-policy
• Resend — transactional email delivery. resend.com/privacy

Each of these providers has their own privacy policy governing their data practices. We only share the minimum data necessary for each service to function.

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights or safety of We All Eat, our users, or the public.

Business Transfers

If We All Eat is acquired, merged, or undergoes a change of ownership, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the platform before your data becomes subject to a different privacy policy.

We do not sell your personal information.

04 — Social Media Integrations

Social Media Integrations

Connecting your Instagram or TikTok account is entirely optional. If you choose to connect:

What we access

We request only the permissions necessary to read your public profile and follower count. For Instagram, this uses the Instagram Graph API under Meta's platform policies. For TikTok, this uses the TikTok Login Kit and User Info APIs.

What we store

Your social media handle, your follower count at the time of sync, and an OAuth access token that allows us to re-sync your follower count periodically. Access tokens are stored encrypted in our database.

What we do not do

We do not read your private messages, post content on your behalf, access your followers' personal information, or use your social data for advertising purposes.

Revoking access

You can disconnect your Instagram or TikTok account at any time from your creator profile settings. When you disconnect, we immediately delete your stored OAuth token. Your follower count may remain on your profile until you manually remove it.

Your use of Instagram's API is also subject to Meta's Terms of Service and Data Policy. Your use of TikTok's API is also subject to TikTok's Terms of Service and Privacy Policy.

05 — Data Retention

Data Retention

We retain your account information and profile data for as long as your account is active. If you delete your account, we will delete your personal profile data within 30 days, except where we are required to retain it for legal, tax, or fraud prevention purposes.

Campaign and application records may be retained for up to 12 months after a campaign closes to support dispute resolution and platform integrity. Anonymized or aggregated data derived from platform activity may be retained indefinitely.

OAuth tokens for Instagram and TikTok are deleted immediately upon disconnection from your profile settings or upon account deletion.

Uploaded images stored in Supabase Storage are deleted within 30 days of account deletion.

06 — Data Security

Data Security

We take the security of your data seriously. We use industry-standard practices including:

• HTTPS encryption for all data in transit
• Encrypted storage for OAuth access tokens
• Role-based access controls limiting which parts of our systems can access which data
• Authentication managed by Clerk, which implements secure session handling and credential management
• File storage managed by Supabase with access controls on all uploaded media

No method of electronic transmission or storage is 100% secure. While we implement strong safeguards, we cannot guarantee absolute security. If you suspect unauthorized access to your account, contact us immediately at privacy@wealleat.com.

07 — Your Rights and Choices

Your Rights and Choices

Access and Correction

You can view and update most of your personal information directly within your account profile settings at any time.

Account Deletion

You may delete your account at any time. Contact us at privacy@wealleat.com to request deletion. We will process your request within 30 days.

Social Account Disconnection

You can disconnect your Instagram or TikTok account at any time from your profile settings. This immediately revokes our access token and stops all future data syncing.

California Residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, or sell
• Request deletion of your personal information
• Opt out of the sale of your personal information (we do not sell personal information)
• Not be discriminated against for exercising your privacy rights

To submit a California privacy rights request, contact us at privacy@wealleat.com.

European Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the GDPR including: the right to access, rectify, erase, restrict processing of, and port your personal data, as well as the right to object to processing and to withdraw consent. To exercise these rights, contact us at privacy@wealleat.com. You also have the right to lodge a complaint with your local data protection authority.

08 — Children's Privacy

Children's Privacy

We All Eat is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you are between 13 and 18, you must have your parent or legal guardian's permission to use the platform.

If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@wealleat.com and we will delete the information promptly.

09 — Influencer Marketing Disclosures

Influencer Marketing Disclosures

We All Eat facilitates collaborations between restaurants and creators in which creators receive free meals, monetary compensation, or other value in exchange for content creation. Under U.S. Federal Trade Commission (FTC) guidelines, creators are required to clearly disclose when content has been sponsored, gifted, or otherwise compensated.

By using We All Eat, creators acknowledge their responsibility to comply with applicable FTC disclosure requirements and any platform-specific rules on Instagram and TikTok. We All Eat does not assume liability for a creator's failure to make required disclosures, but we encourage all creators to include clear language such as “#ad,” “#sponsored,” or “#partner” in their posts where applicable.

10 — Changes to This Policy

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you by email (sent to the address on your account) or by displaying a notice on the platform before the changes take effect.

Your continued use of We All Eat after changes are posted constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you should stop using the Service and may request account deletion.