Privacy Policy
Last updated: 25 June 2026
This Privacy Policy explains how Pineberg Studio Ltd ("we", "us", "our") handles your information when you use Spoon, our home food inventory app, and when you visit our website pineberg.studio (together, the "Services").
We are committed to collecting and using as little data as reasonably necessary to run Spoon. We do not sell your data or use it for advertising or machine learning model training.
1. Who we are
Pineberg Studio Ltd is the controller of your personal data for the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018).
Legal entity: Pineberg Studio Ltd
Registered office: LONDON (W1W 5PF) OFFICE, 167-169 GREAT PORTLAND STREET, LONDON, W1W 5PF, United Kingdom
If you have any questions about this policy or how we handle your data, you can contact us at support@pineberg.studio.
2. Data we collect
We collect the following categories of information:
- Account information – such as your email address, name (if you choose to provide it), and sign-in method (for example, Apple or Google sign-in). Your password, if you use email and password, is stored by our authentication provider in an encrypted form and is not visible to us.
- App data – information you choose to store in Spoon, such as:
- food items and inventories you create,
- expiry dates and quantities,
- preferred names for scanned products,
- household or shared inventory information, if you use sharing features,
- feedback you send from within the app (for example, feature requests or bug reports).
- Voice and AI interaction data – if you use voice features or other AI-powered features, we process:
- your speech audio. When you start a voice session, your microphone stays open and your audio is streamed in real time to our AI provider until you end the session. It is not recorded or stored on your device first, and it is not sent as separate clips,
- a snapshot of your food inventory, which we send to OpenAI at the start of each voice session so the assistant knows what you have. This covers all of your lists, including any lists shared with you (so items added by other members of a shared list are included), and for each item includes its name, quantity and expiry date, along with your list names, and
- anonymised voice command analytics, such as command type, success/failure, a random session identifier, and, in some debugging cases, a redacted short transcript.
- Device and technical information – such as device model, operating system, app version, basic log data, and error or crash reports. This information helps us keep the app reliable and secure.
- Notification tokens – a device-specific token that allows us to send push notifications about items that are expiring. This token is not a marketing channel and is only used for app notifications you enable.
We do not track your location, and we do not collect payment card details. Purchases and subscriptions are handled by Apple on our behalf.
3. How we use your data
We use your data for the following purposes:
- To provide Spoon – to create and maintain your account, store and sync your inventories, and show the correct information across your devices.
- To deliver features you choose to use – such as barcode scanning, preferred names, shared inventories, and voice entry (if you subscribe to those features). For voice and other AI features, this includes streaming your audio to our AI provider (currently OpenAI) in real time, along with a snapshot of your current inventory items, so that the assistant can understand what you say, answer questions about what you have, and respond (for example, by adding an item or speaking a confirmation back to you).
- To send reminders you request – for example, push notifications about items that are expiring, based on the reminder settings you configure.
- To keep the app secure and reliable – including monitoring for errors and misuse, and diagnosing crashes or performance issues.
- To provide support – when you contact us by email or from within the app, we use the information you provide to respond and help resolve issues.
We do not send marketing emails and we do not use your personal data to train machine learning models beyond what is necessary to process your immediate request (for example, handling a specific voice command).
4. Legal bases (UK GDPR)
Under UK data protection law, we must have a lawful basis for using your personal data. For Spoon, we generally rely on:
- Performance of a contract – to provide and support the app and its features that you choose to use.
- Legitimate interests – to keep the app secure and reliable, understand aggregate usage patterns, and improve Spoon over time, in ways that do not override your rights and freedoms.
- Consent – for optional features that clearly require it, such as push notifications or access to your camera for barcode scanning and voice input. You can withdraw consent at any time using your device settings or in-app controls.
5. How we share your data
We do not sell your personal data and we do not share it with third parties for advertising or profiling.
We share data only with service providers that help us run Spoon:
- Supabase – our managed database, authentication, and storage provider. Your data is stored in the London (UK) region.
- Apple – for sign-in (if you choose "Sign in with Apple"), subscriptions and in-app purchases, and push notifications delivered via Apple Push Notification service (APNs).
- OpenAI – for processing voice and other AI-powered features. When you use voice, we use the OpenAI Realtime API: your microphone stays open for the session and, together with a snapshot of your current inventory items, your audio is sent to OpenAI so the assistant can answer questions about what you have. A single model understands your speech and speaks its responses directly — there is no separate transcription step and no separate text-to-speech step. Audio is streamed to OpenAI and processed in real time. OpenAI may retain audio for up to 30 days for abuse monitoring, after which it is deleted. Your audio is not used to train OpenAI's models.
These providers act as processors on our behalf and may only use your data as necessary to provide their services to us, under appropriate data protection terms.
When you use the voice assistant, at the start of each session we send a snapshot of your food inventory to OpenAI so it knows what you have. This snapshot covers all of your lists, including any lists shared with you — so items added by other members of a shared list are included. For each item we send its name, quantity and expiry date, along with your list names. OpenAI handles this on the same terms as your audio (retained up to 30 days for abuse monitoring, not used to train models). The voice assistant always sends this snapshot; if you prefer not to share it, use manual entry, which does not involve OpenAI.
6. International transfers
Our primary data storage is in the United Kingdom (Supabase London region). Some of our processors may process data in other countries, including the United States (for example, OpenAI's APIs used for voice and AI features).
Where our providers process data outside the UK, we will ensure that appropriate safeguards are in place, such as standard contractual clauses or equivalent protections required by UK data protection law. For details of how OpenAI handles data sent via their APIs, please refer to their documentation and privacy materials.
7. Data retention
We keep your data for as long as it is reasonably needed:
- We keep your account and inventory data while your account is active.
- If you request deletion of your account, we remove or anonymise your personal data from our active systems. Some information may remain in backups for a limited period (currently up to 90 days) before being automatically overwritten.
- For voice command analytics, we store only anonymised records that cannot be linked back to your account. Any short debug transcripts attached to those records are cleared after around 90 days, and the analytics records themselves are deleted after around one year.
- Voice audio, and the inventory snapshot sent with it, are streamed to OpenAI and are not stored in our own systems. OpenAI may retain them separately for up to 30 days for abuse monitoring, after which they are deleted. This is separate from the anonymised analytics described above, which sit in our own database.
We may retain minimal information as necessary for our legal, accounting, or regulatory obligations (for example, records of purchases processed via Apple).
8. Security
We use reasonable technical and organisational measures to protect your data, including:
- encryption in transit (HTTPS) and at rest by our providers,
- limiting access to production systems to a small number of people who need it to run the service, and
- using managed infrastructure rather than maintaining our own servers.
No online service can be 100% secure, but we work to keep Spoon simple and reduce the amount of data we collect so there is less to protect.
9. Cookies and tracking
Our app does not use third‑party tracking or analytics. The pineberg.studio website is designed to run without marketing cookies. We may use strictly necessary cookies or similar technologies that are required to deliver the site or keep you signed in, but we do not use cookies for advertising or behavioural profiling.
10. Children
Spoon is designed to be safe to use by people of any age, but it is not specifically directed at children. We do not knowingly collect personal data from children beyond what is required to provide the app (such as an email address for an account). If you believe a child has provided us with personal data without appropriate consent where required, please contact us and we will take steps to remove the information.
11. Your rights
Depending on where you live, you may have the following rights over your personal data:
- to access a copy of your personal data,
- to ask us to correct inaccurate or incomplete data,
- to ask us to delete your data (for example, by deleting your account),
- to object to or restrict certain kinds of processing, and
- to complain to your local data protection authority.
You can exercise these rights by emailing support@pineberg.studio. We may need to verify your identity before fulfilling your request.
If you are in the UK, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO). Further details are available at https://ico.org.uk/.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the app, our providers, or applicable law. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we may also provide a notice within the app (for example, a prompt on login) asking you to review the updated policy.