RekoTori

Privacy Policy

Last updated: 27 April 2026

Data Controller

The RekoTori service is operated by MKstack (business ID 3610698-2). We are committed to protecting the privacy of our users in accordance with the EU General Data Protection Regulation (GDPR). The competent supervisory authority for data protection is the Office of the Data Protection Ombudsman of Finland (tietosuoja.fi); you have the right to lodge a complaint there at any time.

Definitions

The following terms are used in this policy:

  • Customer — a registered user who places orders.
  • Producer — a registered user representing a food-selling company.
  • Group — a local REKO circle with its own admins, events and members.
  • Event — a single REKO pickup occasion to which producers add offerings.
  • Order — one customer's purchase from one producer at one event.

What Data We Process

We process the following data to operate the service:

Account data

Email address, password hash (Supabase Auth) and Google or Facebook login identifier if you use them.

Profile data

Display name, profile picture, locale preference and notification settings.

Order data

The products you ordered, quantities, prices, optional message to the producer, order status and timestamps.

Memberships

Your group memberships (role, status, joined date) and an optional favourite group.

Producer and company data

If you are a producer, we process the company name, business ID, address, email, phone, website, photos, payment methods (cash, MobilePay, bank transfer, card, other) and production-method descriptions.

Notifications and messages

In-app notifications and an email notification queue (recipient, type, delivery status).

Logs and technical data

For security and fraud prevention we keep audit logs (action, actor, target, timestamp), error reports (Sentry: error report, user identifier, page context) and server logs (Vercel: IP address, user agent, timestamp).

Purposes and Legal Bases

We process data for the following purposes on the GDPR Article 6 grounds shown:

  • Performance of a contract (Art. 6(1)(b)): account creation, forwarding orders to producers and arranging pickup.
  • Legitimate interest (Art. 6(1)(f)): security, fraud prevention, audit logging, service improvement and basic usage statistics.
  • Consent (Art. 6(1)(a)): optional email notifications, which you can opt out of at any time in the notification settings on your profile.
  • Legal obligation (Art. 6(1)(c)): possible authority requests, e.g. relating to food safety.

Authentication

You can log in with email and password or with a Google or Facebook account. From OAuth providers we receive your name, email address and profile picture — not your password or other data. Google and Meta may, under their own privacy policies, transfer login-related metadata to the United States under the EU–US Data Privacy Framework.

Sharing Between Users

We do not sell or share your personal data with advertising or analytics companies. However, the service requires certain data to be visible to other users:

  • A producer sees the customer's name and any order message for orders that the customer has placed with that producer.
  • If a producer manually enters a walk-in customer's order, the producer also stores the customer's name and the phone number provided for that order.
  • A producer can separately request a customer's email address and login provider through the app, but only when the customer has an active order with that producer at the same event. Such requests are rate-limited (60/hour soft limit, 200/hour hard limit) and recorded in our audit log.
  • A producer may only use the customer's contact information to fulfil that order. Marketing, onward disclosure and any other use are prohibited by the Terms of Service.
  • Customers see the producer's company name, business ID, address, contact details, description and accepted payment methods (e.g. cash, MobilePay, bank transfer). Specific payment details such as IBAN or MobilePay number are only shown after the customer has placed an order, in the order confirmation and their own orders.
  • A group admin sees the display name, role and status of members in their own group for group management.
  • Platform administrators have technical access to audit logs and data for security investigations and serious abuse cases.

Sub-processors and Data Transfers

We use the following sub-processors to operate the service:

  • Supabase (database, authentication, file storage) — servers in the EU (Frankfurt).
  • Vercel (service hosting, access logs) — EU regions.
  • Sentry (error monitoring) — EU region; processes error reports and the user identifier to help us diagnose issues.
  • Google OAuth — for login; possible transfer to the United States under the DPF arrangement.
  • Meta/Facebook OAuth — for login; possible transfer to the United States under the DPF arrangement.
  • Emails are sent through Supabase Auth's default provider (e.g. confirmation and password-reset messages).

Storage and Security

Data is stored on Supabase servers in the EU. We use TLS in transit, encryption at rest, database-level row-level security (RLS), audit logs, and rate limits on sensitive endpoints such as customer-information lookup.

Retention Periods

  • Account data, profile data and memberships are retained for as long as your account is active.
  • Audit logs are retained for 12 months and then automatically purged.
  • When you delete your account: profile, memberships and your company memberships are deleted immediately. Your confirmed orders are cancelled and reserved quantities are released before deletion. Existing order records are retained anonymously for the producer's bookkeeping and tax obligations — your identifying information is removed from the order row.
  • If you are the only member of a company, the company is marked inactive (soft delete) and its products are deactivated.

Cookies and Local Storage

We only use cookies and local storage that are essential to the operation of the service. We do not use tracking, advertising or profiling cookies, nor third-party analytics.

  • Supabase session cookies — keep you logged in.
  • NEXT_LOCALE cookie — remembers your language preference (1 year).
  • auth_redirect cookie — short-lived, redirects you to the right place after login (e.g. invite links).
  • localStorage: shopping cart contents (rekotori-cart) in your browser, and the response to the location prompt so we don't ask again.

Your Rights

Under the GDPR you have the right to:

  • Access your personal data (download as JSON from your profile page).
  • Correct inaccurate data on the profile page.
  • Request deletion of your data (you can do this yourself on the profile page).
  • Receive your data in a portable format (the same JSON export).
  • Object to processing or request restriction of it.
  • Withdraw any consent you have given, e.g. to email notifications, at any time.
  • Lodge a complaint with the Office of the Data Protection Ombudsman of Finland (tietosuoja.fi) if you believe we are processing your data in breach of the GDPR.

Most rights are available directly under "Data management (GDPR)" on your profile page. For other requests please contact info@rekotori.fi.

If you do not have a RekoTori account but a producer entered your contact details into a manual order (e.g. a phoned-in order), you can request erasure of your data by contacting info@rekotori.fi.

Minors

The service is intended for users aged 16 and over. Creating an account for a person under 16 requires the consent of a guardian and an account created by the guardian. We do not knowingly collect data from users under 16; if such data is detected it will be deleted.

Transfers Outside the EU

Our primary systems (Supabase, Vercel, Sentry) operate within the EU/EEA. When you log in via OAuth, Google and Meta may process data in the United States under the EU–US Data Privacy Framework and Standard Contractual Clauses.

Data Breaches

If the security of your personal data is compromised, we will notify the Office of the Data Protection Ombudsman within 72 hours of becoming aware, in accordance with GDPR Article 33. If the breach poses a high risk to your rights, we will also notify you directly without undue delay.

Changes to This Policy

We may update this privacy policy as needed. Significant changes will be announced in the service and, where appropriate, by email before they take effect.

Contact

For privacy questions and to exercise your rights, please contact:

MKstack
info@rekotori.fi