Vakil Ventures, LLC, doing business as BagRescue ("BagRescue," "we," "us," or "our"), operates the website at bagrescue.com and the BagRescue service. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our service.

BagRescue is an independent service and is not affiliated, associated, authorized, endorsed by, or in any way officially connected with Too Good To Go or any of its subsidiaries or affiliates.

By accessing or using our service, you agree to this Privacy Policy. If you do not agree, please do not use our service.

We collect the following categories of information:

Account Information

When you create an account, we collect your name and email address through our authentication provider (Logto, self-hosted). We assign you a unique user identifier.

Too Good To Go Account Information

If you choose to link your Too Good To Go account, we collect your Too Good To Go email address and authentication tokens (access token, refresh token). We never collect or store your Too Good To Go password. All Too Good To Go credentials are encrypted at rest using AES-256-GCM encryption before storage.

Payment Information

Payments are processed by Stripe. We do not directly collect or store your credit card number or bank account details. We store your Stripe customer ID and subscription information to manage your plan.

Store Monitoring Data

We store the names and identifiers of Too Good To Go stores you choose to monitor, your monitoring preferences (auto-reserve, auto-purchase, pickup schedule), and your order history (detected, reserved, completed, and failed orders).

User-Generated Content

If you submit reviews, you may provide text (ratings, titles, descriptions) and photographs. Review images are stored on Cloudflare R2 and served from a dedicated subdomain. Submitted reviews are subject to moderation before publication.

Referral Data

If you participate in the referral program, we store your referral code, referral link usage, and reward history. When a new user signs up via a referral link, we store a referral cookie (bagrescue_ref, 30 days) to attribute the referral and record the relationship between referrer and referee. To prevent fraud, we also associate the referred user's Too Good To Go email address with their referral record.

Cancellation & Feedback Data

If you cancel your subscription, we may ask for your reason for cancelling and an optional comment. This feedback is stored to help us improve the service. We also record whether a retention offer (such as a discount or subscription pause) was shown and whether it was accepted.

Usage Data

We maintain activity logs of events related to your account (e.g., bag detections, reservation attempts, purchases). We also collect notification preferences and general usage patterns to improve the service.

We use cookies and similar technologies for the following purposes:

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using the service.

We use the information we collect to:

• Provide, maintain, and improve the BagRescue service, including store monitoring, notifications, auto-reserve, and auto-purchase
• Authenticate your identity and manage your account securely
• Process payments and manage your subscription through Stripe
• Send you notifications about bag availability and order status
• Analyze usage patterns to improve the service and user experience
• Track marketing attribution to understand how users find our service
• Communicate with you about service updates, security alerts, and support
• Send you re-engagement and win-back emails if your account becomes inactive or your subscription is cancelled, unless you have opted out of marketing emails
• Detect and prevent fraud, abuse, and unauthorized use of the Service, including referral program abuse and multi-account exploitation

We take the security of your data seriously and implement multiple layers of protection:

• Encryption at rest: All Too Good To Go credentials are encrypted using AES-256-GCM encryption before being stored in our database.
• Encryption in transit: All data transmitted between your browser and our servers is encrypted via SSL/TLS, terminated at Cloudflare.
• Self-hosted infrastructure: Our authentication system and database are self-hosted, giving us full control over your data.
• API key authentication: Internal communication between our services is secured with API key authentication.
• Residential proxy routing: Too Good To Go requests are routed through residential proxies with sticky sessions, which also serves as a privacy measure by not directly exposing our server infrastructure.

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

We do not sell, rent, or trade your personal information. We share information with the following third-party services ("sub-processors") that are integral to our operations:

• Stripe: Payment processing and subscription management
• Amazon SES: Transactional email delivery (email address, name)
• Too Good To Go API: Store monitoring, bag availability, and purchasing (using your linked Too Good To Go credentials)
• Cloudflare: DNS, CDN, SSL/TLS termination, and DDoS protection. All traffic between your browser and our servers passes through Cloudflare's network
• Google Analytics: Usage analytics and site improvement
• Meta (Facebook) Pixel: Conversion tracking and advertising attribution for Meta Ads campaigns
• Reddit Pixel: Conversion tracking and advertising attribution for Reddit Ads campaigns
• Cloudflare R2: Cloud object storage for user-uploaded content such as review images
• Logto (self-hosted): Authentication and identity management. Self-hosted on our own infrastructure

We may also disclose your information if required to:

• Comply with applicable law or legal process
• Protect the rights, property, or safety of BagRescue, our users, or others
• Enforce our Terms of Service or other agreements
• In connection with a merger, acquisition, or sale of all or a portion of our assets

• Account data: Retained for as long as your account is active. When you delete your account, your account is soft-deleted (marked as deleted), your Stripe subscription is canceled, and monitoring of your stores stops. Your Too Good To Go credentials are preserved in encrypted form during the 30-day soft-delete period so that your connection can be seamlessly restored if you reactivate. During this period, you may reactivate your account by simply logging back in. After 30 days, your account is permanently purged: all Too Good To Go credentials are permanently deleted, personal information (name, profile image) is anonymized, and associated records (monitored stores, activity logs, orders, preferences, reviews) are deleted. We retain your email address, account creation date, deletion date, and subscription history after purging for fraud and trial-abuse prevention, legal compliance, and aggregate revenue reporting.
• Too Good To Go credentials: You can unlink your Too Good To Go account at any time, which immediately and permanently deletes your encrypted Too Good To Go tokens from our database.
• Activity logs: Order history, activity logs, and monitored store records associated with your account are deleted when your account is permanently purged (30 days after deletion).
• Referral data: Referral records, including the associated Too Good To Go email address, are retained after account deletion for fraud and abuse prevention purposes.
• Cancellation feedback: Retained after account deletion and purging for service improvement purposes. Feedback is not associated with identifiable information after account purging.
• UTM cookies: Automatically expire after 30 days.
• Analytics data: Subject to Google Analytics' data retention policies.

In the event of a security breach that results in the unauthorized access, disclosure, or loss of your personal data, we will:

• Notify affected users via email within 72 hours of confirming the breach
• Notify applicable regulatory authorities as required by law (including EU supervisory authorities within 72 hours for GDPR-covered data)
• Describe the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences
• Describe the measures taken or proposed to address the breach, including mitigation steps such as invalidating stored Too Good To Go credentials

You have the right to:

• Access your data: View your account information, monitored stores, and order history through the dashboard.
• Unlink Too Good To Go: Disconnect your Too Good To Go account at any time from the settings page, which deletes your stored Too Good To Go credentials.
• Delete your account: Delete your account from the settings page. Your account will be soft-deleted for 30 days (during which you can reactivate by logging back in), then permanently purged. Upon purging, your personal information is anonymized and associated data (stores, orders, activity) is deleted. Your email address and subscription history are retained for fraud prevention and legal compliance as described in Section 7.
• Opt out of notifications: Manage your notification preferences from the settings page.
• Control cookies: Manage or disable cookies through your browser settings.

To exercise any of these rights or for any privacy-related questions, contact us at [email protected].

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply to your use of the Service:

Lawful Basis for Processing

We process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service you have requested (account management, store monitoring, auto-purchase)
• Consent: Where you have explicitly consented to specific processing activities, such as linking your Too Good To Go account or enabling marketing cookies. You may withdraw consent at any time
• Legitimate interest: Processing necessary for our legitimate interests (service improvement, fraud prevention, security monitoring), where those interests are not overridden by your rights
• Legal obligation: Processing required to comply with applicable laws

Your Additional Rights Under GDPR

In addition to the rights listed in Section 9, you have the right to:

• Data portability: Request a copy of your personal data in a structured, commonly used, machine-readable format
• Restrict processing: Request that we limit the processing of your personal data in certain circumstances
• Object to processing: Object to processing based on legitimate interests
• Withdraw consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing
• Lodge a complaint: File a complaint with your local data protection supervisory authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it
• Right to delete: You may request deletion of your personal information, subject to certain legal exceptions
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
• No sale of personal information: We do not sell your personal information as defined by the CCPA. We do not sell, rent, or trade personal information to third parties for monetary or other valuable consideration

To exercise your CCPA rights, contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days.

BagRescue is not directed at children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

Your information is stored and processed in the United States. If you are accessing BagRescue from outside the United States, please be aware that your information may be transferred to, stored, and processed in a country where data protection laws may differ from those in your jurisdiction.

For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data to the United States, where applicable. By using our Service, you acknowledge and consent to these transfers. You may request a copy of the applicable SCCs by contacting us at [email protected].

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this page periodically. Your continued use of the service after changes are posted constitutes your acceptance of the updated policy.

If you have any questions about this Privacy Policy or our data practices, please contact us at:

[email protected]