Alfred
Privacy Policy
01 Who We Are
Alfred is operated by Alfredapp, based in Vigo, Spain.
For questions about this Privacy Policy, contact us at appalfred2026@gmail.com.
Alfredapp acts as the data controller for the personal data described in this policy, as defined under the EU General Data Protection Regulation (GDPR) and Spain's Organic Law 3/2018 on Personal Data Protection (LOPDGDD).
02 What Data We Collect
We collect only the data necessary to provide the Alfred service.
2.1 Data you provide directly
| Data | Purpose |
|---|---|
| Username | Account authentication |
| Password (hashed, never stored in plain text) | Account authentication |
| Company / business name | Associating your account with your organisation |
| Contact email address | Account recovery, legal notices, service communications |
2.2 Data collected automatically
| Data | Purpose |
|---|---|
| Authentication tokens (JWT, stored in device secure storage) | Keeping you signed in between sessions |
| Device platform (iOS / Android) | Bug diagnosis and platform-specific support |
| App version | Bug diagnosis and compatibility checks |
| Error logs (anonymised stack traces) | Identifying and fixing crashes |
2.3 Data we do NOT collect
We do not collect precise GPS location. We do not access your camera, microphone, or contacts unless you explicitly use a feature that requires it. We do not collect advertising identifiers (IDFA, GAID). We do not sell your data to third parties — ever.
03 How We Use Your Data
We use the data listed in §2 solely to:
- Authenticate your identity and authorise access to your organisation's data.
- Display your business's operational data within the app.
- Diagnose and fix technical problems.
- Comply with legal obligations.
- Send essential service communications (e.g. critical security notices, policy updates).
We do not use your data for advertising, profiling, or sale to third parties.
04 Legal Basis for Processing
If you are in the European Economic Area (EEA), we process your personal data on the following legal bases under GDPR Article 6:
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Error logs and bug diagnosis | Legitimate interests — improving service reliability (Art. 6(1)(f)) |
| Legal compliance and record-keeping | Legal obligation (Art. 6(1)(c)) |
| Essential service communications | Legitimate interests — maintaining the service relationship (Art. 6(1)(f)) |
05 Data Storage and Security
5.1 Where data is stored
Your data is stored on servers provided by Render.com, which may be located in the European Union or the United States. See §7 for information on international data transfers.
5.2 Security measures
- Passwords are hashed using a strong one-way algorithm before storage.
- Authentication tokens use HS256-signed JWTs with a short expiry (15 minutes in production).
- All data in transit is encrypted with TLS 1.2 or higher.
- Authentication tokens on your device are stored in the OS secure storage via
flutter_secure_storage. - Database credentials are stored as environment variables, never in source code.
5.3 Retention
We retain your account data for as long as your account is active. If you request deletion, we will purge your personal data within 30 days, except where retention is required by law (e.g. for tax or accounting obligations).
06 Data Sharing
We do not sell, rent, or trade your personal data.
We share data only with:
| Recipient | Reason | Data shared |
|---|---|---|
| Render.com (hosting) | Runs the Alfred backend servers | All app data as part of server operation |
| Your organisation's account administrator | They manage your account within Alfred | Your username, role, and activity within their company |
No other third parties receive your data. In the event of a merger, acquisition, or business restructuring, we will notify you before your data is transferred to a new controller.
07 International Data Transfers
Our hosting provider Render.com may process data on servers located in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) approved by the European Commission — to protect your personal data in accordance with GDPR Chapter V.
For more information about the safeguards applied to international transfers, contact us at appalfred2026@gmail.com.
08 Your Rights
Under GDPR and applicable Spanish data protection law, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — ask us to delete your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email appalfred2026@gmail.com. We will respond within 30 days (extendable by a further two months for complex requests, with prior notification).
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with the supervisory authority in your country of residence within the EEA.
09 Cookies and Tracking
Alfred is a native mobile application. We do not use browser cookies.
We do not use third-party analytics SDKs (e.g. Firebase Analytics, Mixpanel, or similar). Error logs are collected exclusively through our own backend infrastructure.
10 Children's Privacy
Alfred is a business-to-business application intended for employees and managers of food-service businesses. It is not directed at children under 16 (or a higher minimum age where required by local law). We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
11 Changes to This Policy
We will notify you of material changes by updating the Last updated date above and displaying an in-app notice where changes are significant. For changes that materially affect your rights, we will provide at least 30 days' advance notice before the new version takes effect.
Continued use of Alfred after the effective date constitutes acceptance of the updated policy.
12 Contact & Complaints
Alfredapp
Email: appalfred2026@gmail.com
Location: Vigo, Spain
For complaints or to exercise your data rights, please email us. We will respond within 30 days. If you are not satisfied with our response, you may escalate to the AEPD or your local EEA supervisory authority.