Skip to main content
HACCPLAN
Back to haccplan.com
Draft policy. This page is a scaffold pending legal review. Treat as informational only until replaced.

PRIVACY POLICY

Effective 2026-06-04

1. Who we are

HACCPlan ("we", "us") is a software-as-a-service platform for food manufacturers to maintain production records, supplier verification documents, and inspector-ready compliance binders. Contact us at support@haccplan.com with any privacy question or request.

2. What we collect

  • Account data. Name, email, password (hashed), company name, contact phone, and any facility identifier (e.g., SFC licence, FDA FFR) you provide.
  • Production records. Every record you enter into HACCPlan — batch records, shipping records, monitoring readings, cleaning logs, supplier approvals, mock-recall exercises, and related attachments (photos, COA PDFs).
  • Usage telemetry. IP, user-agent, the routes you visit inside the app, and aggregate timing data via Vercel Speed Insights. Used for performance and outage triage.
  • Cookies + sessions. Authentication cookies from Supabase (session token, refresh token). Strictly necessary; no third-party tracking cookies.

3. How we use it

  • To operate the service (store + retrieve your records).
  • To respond to support requests you initiate.
  • To meet our legal obligations (e.g., responding to a lawful subpoena).
  • To send transactional emails (account creation, password reset, invitation acceptance). No marketing emails without opt-in.

4. Who we share it with

We use a small number of subprocessors to run HACCPlan. Each is contractually bound to the same confidentiality posture you have with us.

  • Supabase — database and authentication hosting (us-east region by default).
  • Vercel — application hosting and edge CDN.
  • Anthropic — for the optional photo / COA scan-to-record feature. Images you submit go to Anthropic only when you invoke a scan; raw images are not retained by us beyond the request.

We do not sell or rent your data to any third party.

5. How long we keep it

Production records (raw lots, batches, shipments, monitoring, deviations, cleaning logs, supplier records) are retained for the longer of: (a) two yearsafter the record is created, matching SFCR §91 and 21 CFR §117.315; or (b) the retention period mandated by your jurisdiction's recordkeeping rules. Account data is retained while your account is active and for 90 days after closure for reactivation, then deleted unless legally retained.

6. Your rights

Depending on jurisdiction (Canada PIPEDA, US CCPA, EU GDPR), you have the right to access the data we hold about you, request correction, request deletion (subject to retention obligations above), and request a copy of your records in a portable format. Email privacy@haccplan.com and we will respond within 30 days.

7. Security

All traffic is encrypted in transit (TLS 1.2+). Stored data is encrypted at rest by Supabase. Passwords are never stored in plaintext. Cross-tenant isolation is enforced at the database layer via Postgres row-level security. We log unusual access patterns and respond to anomalies during business hours.

8. Changes to this policy

We will post material changes here and notify account administrators by email at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.