Privacy Policy

Last updated: February 2026

1. Who we are

Autumn ("we", "us") is a Chrome browser extension and web application that scores grocery products based on your health conditions and recommends healthier alternatives. We are a UK-based company committed to protecting your privacy.

2. What data we collect

We collect the following categories of data:

Special category health data (Article 9 UK GDPR): Health conditions (e.g., Type 2 Diabetes, Hypertension), medications (e.g., Metformin, Warfarin), and dietary requirements. This data is collected only with your explicit consent.

Account data: Email address (for authentication), household size, and dietary preferences.

Usage data: Anonymised basket analysis counts and swap acceptance rates (only if you consent to anonymised data use).

3. Legal basis for processing

Health conditions and medication data are special category data under Article 9 of UK GDPR. We process this data solely on the basis of your explicit consent, collected during onboarding before any health data is stored. You can withdraw consent at any time by deleting your account.

4. How we store and protect your data

All data is stored on UK/EEA servers provided by Supabase (EU region). Health data is encrypted in transit (TLS 1.3) and at rest (AES-256). Additionally, health condition and medication fields use column-level encryption via Supabase Vault (pgsodium). Access to health data is restricted by Row Level Security (RLS) policies — only you can read or modify your own data.

5. Data sharing

We do not share your personal data or health data with any retailer or any third party. The extension operates entirely between your browser and our servers. We do not sell data. We do not display advertising.

6. Data retention

Your data is retained for as long as you have an active account. If you delete your account, all personal data (including health data) is permanently deleted within 30 days. Anonymised aggregate statistics (which cannot identify you) may be retained indefinitely.

7. Your rights

Under UK GDPR, you have the right to: access your data, rectify inaccurate data, erase your data ("right to be forgotten"), restrict processing, request data portability, object to processing, and withdraw consent at any time. To exercise any of these rights, contact us at privacy@joinautumn.com or use the "Delete my account" option in your account settings.

8. Cookies and local storage

The extension uses browser local storage (IndexedDB) to cache product scores for performance. This cache contains no health data and can be cleared from the extension settings. The web app uses essential cookies for authentication only. We do not use tracking cookies or analytics that identify individual users.

9. Contact

For privacy enquiries, data access requests, or complaints, contact us at privacy@joinautumn.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.