Spice Hut
Official Privacy Policy
Privacy Policy
Spice Hut Mobile Application
Need help, want to submit feedback, or report an issue?
Open Support Form1. Overview
Spice Hut ("Spice Hut", "we", "us", "our") is committed to protecting personal information handled through the Spice Hut mobile application and related services (the "App"). This Privacy Policy explains what personal information we collect, how we use, disclose, retain, and protect it, what app permissions are requested, and your rights under Canadian privacy laws.
2. Canadian Privacy Framework
We align our privacy practices with applicable Canadian requirements, including:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Applicable provincial private-sector privacy laws (including Québec, Alberta, and British Columbia private-sector requirements)
- Applicable anti-spam/electronic messaging requirements (including CASL, where applicable)
3. Accountability and Privacy Contact
Spice Hut is responsible for personal information in its custody or control, including information processed by third-party service providers.
Privacy Contact
Email: syed.spicehut@gmail.com
Phone: +1-(778) 963-0444
Mailing Address: 642 Panatella Blvd NW Calgary AB
Support Form: Open Support Form
4. Information We Collect
4.1 Information You Provide
- Account data: name, email, phone number, password (stored as hash)
- Profile data: profile picture and profile edits
- Address/location data: saved addresses, latitude/longitude, delivery location details
- Order data: items, quantities, prices, tax, delivery fee, status, special instructions, customer contact linked to order
- Support data: communications and support messages
4.2 Information Collected Automatically
- App/API interaction and request metadata needed for operation and security
- Device/OS context needed for compatibility and troubleshooting
- Limited technical logs for diagnostics and reliability
4.3 Sensitive Information
In this app context, sensitive categories may include precise geolocation, account credentials, order history tied to addresses, and phone numbers used for OTP verification. We apply additional safeguards to these categories.
5. How We Collect Information
- Directly from you (registration, login, profile, orders, addresses)
- From device permissions you grant (e.g., location, camera, photos)
- From integrated service providers (e.g., maps/geocoding, SMS OTP)
- From backend processing of your authenticated app actions
6. Purposes of Collection, Use, and Disclosure
- Service delivery: account creation, authentication, profile and address management
- Order fulfillment: order processing, branch routing, delivery calculations, order updates
- Security: OTP verification, abuse prevention, account/session protection
- Operations: troubleshooting, reliability, and service improvements
- Legal compliance: compliance with legal obligations, terms enforcement, lawful requests
7. Consent (Canada)
We rely on consent and reasonable business purposes recognized under Canadian privacy standards.
- Express consent: optional permissions (location/camera/photos), OTP verification flow, and optional promotional communications
- Implied consent: operational processing needed to provide services you request
- Withdrawal: you may withdraw consent for optional processing via app/device settings (feature limitations may apply)
8. Full App Permissions Inventory
8A. Android Permissions
| Permission | Purpose | Required or Optional | Notes |
|---|---|---|---|
| android.permission.INTERNET | Backend API connectivity, maps/geocoding requests, app networking | Required | Core app operation |
| android.permission.ACCESS_FINE_LOCATION | Precise location for delivery checks and location selection | Optional | User controlled |
| android.permission.ACCESS_COARSE_LOCATION | Approximate location support | Optional | User controlled |
| android.permission.CAMERA | Take profile photo in edit profile flow | Optional | User initiated |
| android.permission.READ_MEDIA_IMAGES | Select profile image from gallery on Android 13+ | Optional | Media access only |
| android.permission.READ_EXTERNAL_STORAGE (maxSdkVersion 32) | Legacy gallery image access on older Android versions | Optional | Backward compatibility |
| android.permission.WRITE_EXTERNAL_STORAGE (maxSdkVersion 28) | Legacy compatibility for older Android storage behavior | Optional | Backward compatibility |
Not declared in current Android manifest: background location, microphone, contacts, SMS-read permissions.
8B. iOS Privacy Usage Declarations
| iOS Usage Key | Purpose | Required or Optional | Notes |
|---|---|---|---|
| NSLocationWhenInUseUsageDescription | Nearby branches, delivery availability, and address accuracy while app is in use | Optional | In-use only |
| NSCameraUsageDescription | Capture profile photos | Optional | User initiated |
| NSPhotoLibraryUsageDescription | Select profile photos from photo library | Optional | User initiated |
| NSPhotoLibraryAddOnlyUsageDescription | Save photos from app when applicable | Optional | Add-only scope |
Not declared in current iOS config: background location, microphone, contacts, calendar permissions.
9. Third-Party Services and Data Sharing
We may disclose personal information to third-party providers acting on our behalf under contractual safeguards.
- Maps/geocoding provider: Google Maps Platform APIs
- SMS OTP provider: Twilio (when configured for production usage)
- Cloud/backend infrastructure: hosting, database, and operational support services
We disclose only what is reasonably required for each service function. We do not sell personal information.
10. Cross-Border Processing
Some providers may process information outside your province or outside Canada. Where cross-border processing occurs, we apply contractual and technical safeguards appropriate to data sensitivity.
11. Data Retention and Deletion
We retain personal information only as long as required for identified purposes and legal obligations.
- Account/profile data: while account remains active and for limited follow-up periods as required
- Order records: as required for operations, disputes, audits, and legal/tax obligations
- OTP/security logs: limited retention for anti-abuse and security controls
- Session/auth data: based on your sign-in persistence and security settings
Where deletion is requested and legally permitted, we delete or anonymize eligible data.
12. Safeguards
- TLS/HTTPS encryption in transit
- Password hashing
- Access controls and least-privilege approach
- Authentication controls and secure storage practices
- Monitoring/logging for abuse prevention
No security method is absolute; we maintain incident response procedures and continuously improve controls.
13. Your Rights (Canada)
Subject to applicable law, you may have rights to request access, correction, withdrawal of consent, deletion (where applicable), and information on service providers/cross-border handling.
To submit a privacy request, contact syed.spicehut@gmail.com. We may verify identity and respond within legally required timelines.
14. Children and Minors
The App is intended for users meeting legal age requirements in their jurisdiction. If you believe a minor submitted data improperly, contact us so we can investigate and take appropriate action.
15. Cookies, Local Storage, and App Tokens
As a mobile app, Spice Hut uses app/device storage mechanisms (including secure storage and preference storage) for session, authentication, and settings functionality. These mechanisms support operation and security.
16. Automated Decision-Making
The App may use automated logic for operational workflows such as delivery eligibility and order routing. If you have concerns regarding an outcome, contact support/privacy channels for review.
17. Breach Response and Notification
Where a breach creates a real risk of significant harm, we follow applicable Canadian legal requirements for notification and record keeping.
18. Policy Changes
We may update this Privacy Policy due to legal, operational, or technical changes. Material changes will be communicated through appropriate notice channels, including in-app notice where suitable.
19. Canadian Regulator Contacts
- Office of the Privacy Commissioner of Canada: www.priv.gc.ca | 1-800-282-1376
- Québec CAI: www.cai.gouv.qc.ca
- Ontario IPC: www.ipc.on.ca
- BC OIPC: www.oipc.bc.ca
- Alberta OIPC: oipc.ab.ca