RateMyCollegeDining (“Company,” “we,” “us,” or “our”) operates the Rate My Campus Food website and progressive web application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, please do not access or use the Service. This Privacy Policy is incorporated into and forms part of our Terms of Service.

1. Information We Collect

1.1 Account Information

When you create an account through Google OAuth, we receive and store the following from Google: your email address, display name, and profile avatar URL. We use your email domain to associate your account with a college or university.

1.2 Profile Information

You may optionally provide additional profile information, including a custom display name and a short bio (up to 160 characters). This information is provided voluntarily and is publicly visible to other users.

1.3 User-Generated Content

We collect and store content you submit through the Service, including: photographs of food (“Plates”), written reviews, comments, upvotes, downvotes, likes, and follow relationships with other users. If you choose to post anonymously, your identity is not publicly displayed alongside the content, but we retain the association internally for abuse prevention and legal compliance purposes.

1.4 Usage Data

We automatically collect information about how you access and use the Service, including: pages and features you visit, timestamps of activity, referral URLs, interactions with content (views, taps, scrolls), and feature usage patterns. This data is used for analytics and service improvement.

1.5 Device Information

We collect standard technical information transmitted by your browser and device, including: browser type and version, operating system, screen resolution, device type (mobile or desktop), language preference, and timezone. This information is derived from standard HTTP headers and JavaScript APIs and is used for compatibility, analytics, and security purposes.

1.6 Location Signals

The Service offers an “I’m here” toggle that allows you to broadcast your presence at a specific dining location. This information is visible to other users. The Service may optionally request your device’s location (via the browser Geolocation API) to detect whether you are near a dining hall and offer a one-tap check-in. This geolocation check is performed entirely on your device; your coordinates are never transmitted to or stored on our servers. You can deny the browser location prompt at any time and the feature will simply not activate. We do not perform background location tracking.

1.7 Push Notification Tokens

If you opt in to push notifications, we collect your Web Push API subscription information (endpoint URL, public key, and authentication secret). This data is used solely to deliver notifications you have requested and is deleted when you unsubscribe or delete your account.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Operating the Service: Creating and managing your account, displaying your content, facilitating interactions between users, and providing core functionality.
• Personalizing Your Experience: Curating your feed based on your follow relationships, voting patterns, school affiliation, and activity history.
• Sending Notifications: Delivering push notifications about relevant activity (new comments, followers, likes, menu updates) when you have opted in.
• Preventing Abuse: Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity, and enforcing our Terms of Service.
• Analytics and Improvement: Analyzing usage trends, measuring feature engagement, diagnosing technical issues, and improving the Service.
• Communication: Sending you service-related announcements, updates, security alerts, and administrative messages.
• Legal Compliance: Complying with applicable laws, regulations, legal processes, or enforceable governmental requests.

We do NOT sell your personal data to third parties. We have never sold personal data and have no plans to do so.

3. How We Share Your Information

3.1 Public Information

The following information is publicly visible to all users of the Service: your display name, avatar, bio, posted reviews, Plates, comments, vote totals on your posts, your followers and following lists, and your “I’m here” status when active. Your email address is never publicly displayed.

3.2 Anonymous Posts

When you post content anonymously, your identity is not revealed to other users. However, we retain the internal association between anonymous content and your account for abuse prevention, content moderation, and legal compliance. We may disclose the identity behind anonymous posts if required by law or a valid legal process.

3.3 Service Providers

We share data with third-party service providers who assist us in operating, maintaining, and improving the Service. These providers process data on our behalf and are contractually obligated to use it only for the purposes we specify:

• Supabase (hosted on Amazon Web Services): Database hosting, user authentication, and file storage for uploaded images.
• Google: OAuth authentication provider. Google receives confirmation of successful authentication; we do not share additional user data with Google beyond the OAuth flow.
• Vercel: Web hosting, content delivery network (CDN), and serverless function execution.

3.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process, including court orders, subpoenas, government investigations, or regulatory inquiries. We may also disclose information when we believe in good faith that disclosure is necessary to: (a) protect our rights, property, or safety; (b) protect the rights, property, or safety of our users or the public; (c) prevent or detect fraud, security issues, or technical problems; or (d) comply with applicable law.

3.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or a portion of our assets, or similar transaction, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal information.

3.6 Aggregated and Anonymized Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you for any purpose, including analytics, research, marketing, and business development. This data may include aggregate usage statistics, trend reports, and anonymized demographic data.

4. Data Storage and Security

4.1 Storage Location

Your data is stored on infrastructure provided by Supabase, which operates on Amazon Web Services (AWS) data centers located in the United States. By using the Service, you consent to the storage and processing of your data in the United States.

4.2 Security Measures

We implement reasonable administrative, technical, and physical security measures to protect your information, including:

• Encryption of data in transit using TLS (Transport Layer Security);
• Encryption of data at rest within our database and storage systems;
• Row-level security (RLS) policies to ensure users can only access data they are authorized to view;
• Separation of service-role keys (server-side only) from client-side API keys;
• Regular review of security practices and access controls; and
• Secure authentication through Google OAuth with token-based session management.

4.3 No Guarantee

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your data. You acknowledge that you provide your information at your own risk and that we are not responsible for circumvention of any privacy settings or security measures contained on the Service.

5. Data Retention

• Account Data: Your account information (email, name, avatar) is retained for as long as your account exists. Upon account deletion, this data is permanently removed from our active systems.
• User Content: Posts, reviews, comments, Plates, and associated votes/likes are retained while your account is active. When you delete your account, your User Content is cascading-deleted from our active databases.
• Usage Analytics: Aggregated and anonymized usage data may be retained indefinitely for analytics, trend analysis, and service improvement. This data is not individually identifiable.
• Push Notification Subscriptions: Your push notification subscription data is deleted when you unsubscribe from notifications or delete your account.
• Backup Retention: Copies of your data may persist in encrypted backups for a limited period (typically up to 30 days) after deletion from active systems. Backups are automatically rotated and overwritten.
• Legal Holds: We may retain data for longer periods if required by applicable law, legal proceedings, or governmental investigations, even after account deletion.

6. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. We support the following rights for all users:

6.1 Access

You have the right to request a copy of the personal data we hold about you. You can view most of your data directly in the Service through your profile and account settings.

6.2 Correction

You have the right to correct inaccurate or incomplete personal data. You can edit your display name, bio, and avatar through the Service at any time.

6.3 Deletion

You have the right to request deletion of your personal data. You can delete your account through the Service’s account settings, which triggers a cascading deletion of your profile, posts, comments, and associated data from our active systems.

6.4 Data Export

You have the right to request an export of your personal data in a machine-readable format. To request an export, contact us at the email address listed in Section 13.

6.5 Opt Out of Notifications

You can disable push notifications at any time through your device’s browser settings or through the Service’s notification preferences. Opting out of push notifications does not affect your ability to use the Service.

6.6 Revoke Google OAuth

You can revoke the Service’s access to your Google account at any time through your Google Account settings. Revoking OAuth access will prevent you from signing in but will not automatically delete your account or data. To delete your data, you must also delete your account through the Service.

7. California Consumer Privacy Act (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions (e.g., legal compliance, completing transactions, security).
• Right to Correct: You have the right to request that we correct inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but we honor such requests regardless.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, provide a different level of service, or suggest that you will receive a different level of quality because you exercised your rights.
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA.

Categories of Personal Information Collected (preceding 12 months):

• Identifiers (email address, display name, account ID);
• Internet or other electronic network activity (usage data, interactions, browser type);
• Audiovisual information (photographs uploaded by users); and
• Inferences drawn from the above (school affiliation based on email domain, content preferences).

To exercise your CCPA rights, contact us at the email address listed in Section 13. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

8. General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the following additional provisions apply:

8.1 Data Controller

RateMyCollegeDining is the data controller responsible for your personal data. Our contact information is provided in Section 13.

8.2 Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Consent: You provide consent when creating an account through Google OAuth and when opting in to push notifications. You may withdraw consent at any time.
• Performance of Contract: Processing is necessary to provide the Service as described in our Terms of Service.
• Legitimate Interests: We process data for analytics, service improvement, abuse prevention, and security, where these interests are not overridden by your data protection rights.
• Legal Obligation: We may process data to comply with applicable laws and regulations.

8.3 Your GDPR Rights

In addition to the rights described in Section 6, you have the right to:

• Object: You may object to our processing of your personal data based on legitimate interests.
• Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances.
• Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format and have it transmitted to another controller.
• Withdraw Consent: Where we rely on consent as the lawful basis for processing, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

8.4 Data Protection Officer

For questions about data protection or to exercise your GDPR rights, please contact our Data Protection Officer at the email address listed in Section 13.

8.5 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EEA member state, UK, or Switzerland where you reside or where you believe a breach of data protection law has occurred.

8.6 International Data Transfers

Your personal data is transferred to and processed in the United States. The United States may not provide the same level of data protection as your home jurisdiction. We rely on appropriate safeguards, including standard contractual clauses approved by the European Commission and, where applicable, the UK Information Commissioner’s Office, to lawfully transfer personal data outside the EEA/UK. By using the Service, you consent to the transfer of your data to the United States.

9. Children’s Privacy

The Service is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. In compliance with the Children’s Online Privacy Protection Act (COPPA) and similar laws:

• We do not knowingly solicit data from or market to children under 13;
• If we become aware that we have collected personal information from a child under 13 without verified parental consent, we will take prompt steps to delete such information from our systems;
• If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us immediately at the email address in Section 13, and we will delete the information; and
• Users between the ages of 13 and 18 must have parental or guardian consent to use the Service.

10. Third-Party Links and Services

The Service may contain links to third-party websites, services, or applications that are not operated by us (e.g., university dining websites, external review platforms). We are not responsible for the privacy practices, content, or security of any third-party sites or services. We encourage you to review the privacy policies of any third-party site you visit. The inclusion of any link does not imply our endorsement, sponsorship, or recommendation of the linked site or its content.

11. Cookie Policy

We use a minimal set of cookies and similar technologies, as follows:

11.1 Essential Cookies

We use cookies set by Supabase for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. They include session tokens and authentication state indicators. These cookies do not track your activity across other websites.

11.2 No Tracking Cookies

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. We do not participate in ad networks or serve targeted advertisements.

11.3 No Third-Party Advertising Cookies

The Service does not display third-party advertisements and therefore does not set or allow third-party advertising cookies.

11.4 Local Storage

The Service may use browser local storage and IndexedDB for caching purposes as part of its Progressive Web App (PWA) functionality. This data is stored locally on your device, is not transmitted to our servers, and can be cleared through your browser settings.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Last updated” date at the top of this page;
• Provide notice through the Service (such as an in-app notification or banner); and
• Where required by applicable law (e.g., GDPR), obtain your consent to material changes before they take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, including exercising any of your rights described herein, please contact us at:

We will respond to all privacy-related requests within 30 days (or sooner if required by applicable law, such as the 45-day CCPA window or 30-day GDPR window).