DormEats icon DormEats Get the app
Legal

Privacy Policy

Effective date: May 20, 2026

This Privacy Policy explains how DormEats ("DormEats", "we", "us", or "our") handles information when you use the DormEats mobile app on iOS or Android, the in-browser web demo at dormeats.arjunjv.com, and the DormEats marketing website (together, the "Service").

DormEats is an indie project operated by Arjun J. Verma. It is currently in beta and is offered as a free service for college students. We can be reached at [email protected].

Short version. DormEats does not have user accounts. Your preferences live on your phone in local storage. When you ask for a recommendation, your preferences are sent to our server and forwarded to an AI provider to generate that recommendation, and then discarded after a short-lived in-memory cache window. We use Firebase Analytics and Crashlytics to understand how the app is used and to fix bugs. We do not sell your data, run ads, or use it for advertising profiling.

1. Who this Policy applies to

This Policy applies to anyone who installs the DormEats mobile app, opens the DormEats web demo, or visits the DormEats marketing site. You must be at least 13 years old to use DormEats. See Section 9 for more on children's privacy.

2. Information we collect

We've split this into three buckets based on where your information actually goes, because that distinction matters more than the labels apps usually use.

2.1 Information stored only on your device

During onboarding and when you update Settings, the app saves the following on your device using the local Hive database. None of this is written to our server's database; it is only sent to our server when you request a meal recommendation (see Section 2.2).

  • Your college and (optionally) your living area on campus
  • Your ranking of dining halls by convenience
  • Dietary restrictions you select (e.g., vegetarian, vegan, halal, gluten-free)
  • Allergies you type in (free text) and any "other dietary restrictions" notes
  • Food preferences (cuisines, food types, and custom entries you add)
  • Nutrition goals you select (e.g., "High Protein")
  • Food items you mark as liked or disliked, with the date you added them
  • Your meal notification preferences
  • A local cache of recent menus and the most recent AI recommendations

This data stays on your device until you delete it, uninstall the app, or use the "Start Over" button in Settings.

2.2 Information sent to our server when you request a recommendation

When you open the For You tab, refresh a recommendation, or receive an upgraded meal notification, the app sends a POST /api/v1/recommend request to our backend at dormeats-api.arjunjv.com that includes:

  • Your college ID, the requested meal type, and the date
  • The dietary, allergy, food-preference, nutrition-goal, liked/disliked, and dining hall ranking fields described in Section 2.1

The server uses this information only to build an AI prompt and to look up cached results. We do not write the request body to our database. The AI's response is held in a short-lived in-memory cache keyed by a hash of your preferences so that identical follow-up requests do not require another AI call. Cached entries are dropped when their menu date is more than one day in the past or more than seven days in the future, and the entire cache is cleared whenever the backend process restarts.

2.3 Information shared with AI providers

To generate a recommendation, the server forwards the prompt — which contains your preferences from Section 2.2 and the menu data for the requested college and date — to one of the AI providers listed in Section 5. We use a failover chain, so a request may go to a different provider if the first one is unavailable. We do not control how those providers log or process the prompts they receive; please consult their privacy policies for details.

2.4 Information collected automatically

Analytics and crash reporting. The mobile app and web demo use Google Firebase Analytics and Firebase Crashlytics to understand how the app is used and to diagnose bugs. These services automatically collect:

  • A Firebase install ID (a random identifier assigned to your install)
  • Device model, operating system, OS version, language, time zone, and app version
  • An approximate location derived from the IP address (city-level, by Google)
  • App events (e.g., "onboarding completed", "recommendation viewed", "menu viewed", "notification tapped"), some of which include your college ID, the meal type, and counts (e.g., number of liked items)
  • Two user properties tagged to your install: your college ID and (if set) your living area ID
  • Crash reports and non-fatal error reports, including stack traces and the above device context

We have disabled Firebase Analytics features that would link your install to advertising identifiers. Specifically, we deny consent for ad storage, ad user data, and ad personalization signals; on iOS we set the relevant Info.plist keys to prevent IDFV/IDFA collection. As a result, DormEats does not show the App Tracking Transparency prompt because we do not track you across apps or websites.

Network metadata. Like any web service, our backend receives standard request metadata when you contact it. We use:

  • Cloudflare as a DNS provider and reverse proxy in front of the API. Cloudflare receives the request's IP, headers, and URL and may retain them per Cloudflare's own policies for security and performance.
  • Caddy as a reverse proxy on our server, used to enforce a per-IP rate limit. Caddy operates with transient operational logs only.
  • Application-level rate limiting. The /recommend endpoint reads the IP address from the CF-Connecting-IP, X-Forwarded-For, or X-Real-IP headers (or falls back to a hash of the User-Agent and other request headers) and keeps a short-lived counter in memory to enforce a per-IP limit. This data is not persisted and is lost on process restart.

Local notifications and background refresh. Meal notifications are scheduled and delivered entirely on your device by the operating system. We do not register your device with Apple Push Notification service or Firebase Cloud Messaging, and our server cannot push notifications to you. Background refresh tasks contact our backend in the same way the foreground app does.

2.5 Website

The DormEats marketing site loads typography from Google Fonts (fonts.googleapis.com). When your browser loads those fonts, Google receives your IP address and User-Agent string. The marketing site does not set tracking cookies and does not run analytics. The "Request my school" form on the homepage opens a pre-filled draft in your local email client; no data is sent to our servers unless you choose to send that email.

3. How we use information

  • To generate personalized dining hall recommendations
  • To display menus, your preferences, and saved liked/disliked items
  • To deliver locally scheduled meal notifications if you enable them
  • To rate-limit abusive traffic and protect the Service
  • To monitor crashes, debug issues, and understand which features are used (Firebase Analytics + Crashlytics)
  • To respond to messages you send us

We do not sell your information, share it with data brokers, use it for advertising, build advertising profiles, or transfer it to anyone for cross-context behavioral advertising.

4. Legal basis (EEA / UK users)

If you are in the European Economic Area or the United Kingdom, our legal bases for processing under the GDPR / UK GDPR are:

  • Performance of a contract / pre-contract for processing preferences sent to /recommend so we can return a recommendation you requested.
  • Legitimate interests for security measures (rate limiting, abuse prevention), analytics, and crash reporting that help us keep the Service reliable and improve it. You can object to these uses by contacting us.

DormEats is currently primarily intended for use in the United States. Our servers are located in San Jose, California. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our subprocessors operate.

5. Subprocessors and third parties

The following third parties may receive information described above so that we can run the Service.

ProviderPurposeData they receive
Oracle Cloud (San Jose, CA) Hosting the backend server All /recommend requests, IP metadata
Cloudflare DNS, reverse proxy, DDoS protection IP address, request headers, URL
MongoDB Atlas Database for menus and college data No personal data; only menu and college records
Google Gemini API AI menu enrichment and AI recommendations Recommendation prompts (preferences + menus); menu enrichment prompts contain no user data
Cerebras AI recommendations and menu enrichment Recommendation prompts (preferences + menus); menu enrichment prompts contain no user data
OpenRouter (Nvidia Nemotron, free tier) AI recommendations and menu enrichment (failover) Recommendation prompts (preferences + menus); menu enrichment prompts contain no user data
Google Firebase (Analytics + Crashlytics) Product analytics and crash reporting Install ID, device info, event names + properties listed in 2.4, crash reports
Google Fonts Web typography on the marketing site IP address, User-Agent (when your browser loads the font CSS)
Apple App Store / Google Play App distribution Whatever the store collects under its own privacy policy
Heads up about OpenRouter's free tier. OpenRouter has publicly stated that prompts sent to its free models may be logged and used to improve those models. Because OpenRouter is one of the AI providers in our recommendation failover chain, your recommendation prompt — which includes your preference fields from Section 2.1 — may be processed under those terms when OpenRouter is the active provider. If you would prefer not to have your preferences forwarded to OpenRouter, please do not use the For You tab or meal recommendations while we are in beta. We may revisit this configuration in the future.

6. Data retention

  • On-device data (Section 2.1): retained until you delete it, uninstall the app, or tap "Start Over" in Settings.
  • Recommendation requests: AI prompts are not written to our database. The resulting recommendation is held in a per-process in-memory cache and dropped when its menu date falls outside the retention window (more than 1 day before "today" or more than 7 days after) or when the backend restarts.
  • Firebase Analytics events: retained according to the Firebase project settings (currently the Firebase default for our project). Firebase install IDs are reset whenever you use "Start Over" or reinstall the app.
  • Crashlytics reports: retained according to Firebase's default crash report retention.
  • Rate-limit counters and operational logs: transient; not persisted by us.

7. Security

All traffic to our API and website uses HTTPS. We enforce edge-level DDoS protection through Cloudflare and per-IP rate limiting through Caddy. Application-level rate limits restrict abusive use of the recommendation endpoint. We use industry-standard cloud services (Oracle Cloud, MongoDB Atlas, Google Firebase) for the parts of our stack we do not host ourselves. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Your rights

8.1 Everyone

Because almost all of your data lives on your device, the easiest way to exercise data rights is to tap Settings → Start Over in the app, which clears your preferences, cached recommendations, and scheduled notifications, and also resets the Firebase Analytics install identifier. Uninstalling the app removes everything that remains.

See /data-deletion for step-by-step instructions to delete your DormEats data.

8.2 California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA.

To exercise these rights, email [email protected] or use the "Start Over" button described above. We will not discriminate against you for exercising your rights.

8.3 EEA / UK residents (GDPR / UK GDPR)

You have the right to request access to, correction of, deletion of, or portability of your personal information, the right to object to or restrict certain processing, and the right to lodge a complaint with your local supervisory authority. To exercise these rights, email [email protected]. Because we do not maintain accounts, we may need additional information from you to identify which requests are yours (e.g., your Firebase install ID, which can be found by emailing us from the device that has the app installed).

9. Children's privacy

DormEats is intended for users who are at least 13 years old. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided information to us, please contact [email protected] and we will delete it.

10. Changes to this Policy

We may update this Policy from time to time. When we do, we will change the "Effective date" at the top and, for material changes, attempt to surface a notice in the app. Continued use of the Service after a change takes effect means you accept the updated Policy.

11. Contact

DormEats is operated by Arjun J. Verma. For any privacy questions, requests, or complaints, email [email protected].

Questions or requests? Email [email protected].