Privacy Policy
Effective 2026-05-19. This policy describes how Latimal handles the data you provide while using the dish-embed API.
1. The short version
We don't use your menu data to train our models. We don't sell your data. We keep operational logs (which contain hashes of your inputs, not raw text) for 30 days. We collect the minimum we need to bill you and keep the service running.
2. What we collect
Account data: name, company, email, and (optionally) billing details when you purchase a credit pack. Razorpay handles payment card data; we do not see or store full card numbers.
API request data: the text you submit to endpoints like /embed, /dedup, /search, /report is processed in memory and the response returned. The raw input text is not retained.
Operational logs: per request, we log timestamp, endpoint, customer ID, item count, latency, HTTP status, and a SHA-256 hash of the request body. These logs are used to bill correctly, detect abuse, and debug. They are retained for 30 days and then deleted.
3. What we do NOT do
- We do not use customer inputs to train, fine-tune, or evaluate our models.
- We do not sell or share customer data with third parties for advertising or marketing.
- We do not store raw API request bodies past the response.
4. Sub-processors
We rely on a small set of vendors to operate the service:
- Hetzner — primary compute (servers located in Germany / Finland).
- Razorpay — payment processing for Indian customers (handles card / UPI data directly).
- Cloudflare — DNS and edge protection for our domains.
- Google Workspace — email and document storage.
5. Data residency
Compute is hosted in the EU (Hetzner). For customers with specific residency requirements (e.g. data must stay in the US, EU, or India), contact us — on-prem and dedicated-region deployments are available on the Enterprise tier.
6. Security
API traffic is encrypted in transit via TLS 1.2+. API keys are stored as SHA-256 hashes; the raw key is shown to you once at issuance and cannot be recovered. The billing database is backed up daily to encrypted off-site storage. Access to production is restricted to the founder.
7. Your rights
You can request access to, correction of, or deletion of the personal data we hold about you by emailing [email protected]. We will respond within 30 days. To delete your account, request it via the same address and we will deactivate your keys and remove your account record (operational logs older than 30 days are already purged automatically).
8. Children
The dish-embed API is a B2B developer tool not directed at individuals under 18. We do not knowingly collect data from anyone under 18.
9. Changes
Material changes to this policy will be communicated by email and reflected by an updated effective date above.
10. Contact
Questions or requests:
[email protected].