PRIVACY POLICY:

BETTERCARTE LLC ("TUMMY" or “THETUMMYAPP”)

Effective Date: March 16, 2026

================================================================================

BetterCarte LLC ("BetterCarte," "Tummy,", “TheTummyApp,” "we," "our," or "us") is a Delaware limited liability company with business operations in Texas and Florida. We are committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our website, mobile application, and related services (collectively, the "Services"). This Privacy Policy applies to all users of the Services, including diners, restaurant operators, and visitors to our website.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein. If you do not agree to this Privacy Policy, do not access or use the Services. This Privacy Policy is incorporated into and governed by our Terms of Service, available at thetummyapp.com/termsofservice.

1. INFORMATION WE COLLECT

1.1. Information You Provide Directly.

From Diners: When you create an account or use the Services, we may collect your name, email address, phone number, date of birth or age confirmation, dietary needs, food allergies, intolerances, sensitivities, and dietary preferences (such as vegan, gluten-free, kosher, halal, low-FODMAP, ketogenic, and similar designations), location data (when you grant permission), and any other information you voluntarily provide through your profile or communications with us.

From Restaurants: When a restaurant registers or participates in the Services, we may collect business name, business address, contact information, menu data, ingredient and allergen information, sourcing and preparation details, hours of operation, and other information provided through the Tummy onboarding and data collection process, including data submitted as part of the Tummy Verified program.

From All Users: When you contact us, submit feedback, respond to surveys, or communicate with us through any channel, we collect the content of those communications.

1.2. Information Collected Automatically. When you access or use the Services, we automatically collect certain information, including: (a) device information such as device type, operating system, unique device identifiers, browser type, and browser version; (b) log data such as IP address, access times, pages viewed, features used, links clicked, and referring URL; (c) location data, including approximate location derived from IP address and, with your permission, precise GPS location from your mobile device; (d) usage data such as search queries, restaurants viewed, dishes viewed, dietary profile interactions, and feature engagement; and (e) information collected through cookies, pixels, web beacons, and similar tracking technologies as described in Section 6 of this Privacy Policy.

1.3. Information from Third-Party Sources. We may receive information about restaurants from publicly available sources, third-party data providers, restaurant-published menus, and other publicly accessible databases. We may also receive information if you log in through a third-party authentication service (such as Apple Sign-In or Google Sign-In), in which case we receive the information you authorize that service to share.

2. HOW WE USE YOUR INFORMATION

2.1. We use the information we collect for the following purposes:

(a) To provide, operate, and maintain the Services, including matching diners with compatible dishes and restaurants based on dietary profiles and preferences.

(b) To personalize your experience, including dietary recommendations and restaurant suggestions.

(d) To communicate with you, including transactional messages (such as account verification, security alerts, and service updates), responses to inquiries, and, where you have opted in, promotional and marketing communications.

(e) To provide restaurants with aggregated, anonymized analytics and insights about diner preferences and dietary trends. Individual diner identities are not shared with restaurants.

(f) To improve, develop, and optimize the Services, including through internal analytics, research, testing, troubleshooting, and product development.

(g) To ensure the security and integrity of the Services, including detecting and preventing fraud, abuse, and unauthorized access.

(h) To comply with applicable laws, regulations, legal processes, and governmental requests.

(i) To enforce our Terms of Service and protect the rights, property, and safety of BetterCarte LLC, our users, and the public.

2.2. AI and Algorithmic Processing. The Services use artificial intelligence and algorithmic systems to match diners with compatible dishes, generate content (including restaurant descriptions, informational summaries, and educational materials), and analyze dietary data. Your dietary profile, preference data, and usage data may be processed by these AI systems. AI-generated results and content may contain errors, omissions, or inaccuracies. For more information, see Sections 2.5 and 2.6 of our Terms of Service.

3. HOW WE SHARE YOUR INFORMATION

3.1. With Restaurants. We share aggregated, anonymized analytics and dietary trend data with restaurants participating in the Services. We do not share individual diner names, contact information, or personally identifiable information with restaurants unless you explicitly direct us to do so (for example, by making a reservation or sending a direct inquiry through the platform).

3.2. With Service Providers. We share information with third-party service providers who perform services on our behalf, including cloud hosting and infrastructure, email delivery, SMS delivery, analytics and data processing, customer support tools, payment processing (if applicable), and security and fraud prevention. These service providers are contractually obligated to use your information only for the purposes of providing services to us and are required to maintain appropriate security measures.

3.3. Aggregated and Anonymized Data. Tummy may compile, use, and share aggregated or anonymized data derived from user and restaurant information. This data does not identify individual users or restaurants and may include dietary preference trends, market insights, allergen prevalence statistics, and similar analytics. We may share or license such anonymized data to third parties, including partners, researchers, industry stakeholders, and advertisers, for purposes such as analytics, reporting, product improvement, academic research, or market research. No personally identifiable information is included in aggregated or anonymized data sets.

3.4. For Legal Purposes. We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of BetterCarte LLC, our users, or the public; (d) detect, prevent, or address fraud, security issues, or technical problems; or (e) respond to an emergency involving danger of death or serious physical injury.

3.5. Business Transfers. If BetterCarte LLC is involved in a merger, acquisition, sale of assets, reorganization, bankruptcy, or similar transaction, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.

3.6. With Your Consent. We may share your information with third parties when you have provided explicit consent to do so.

3.7. We Do Not Sell Personal Information. Tummy does not sell your personally identifiable information to third parties for monetary consideration. To the extent that any sharing of data is considered a "sale" under applicable state privacy laws (such as the sharing of data for targeted advertising), you have the right to opt out as described in Section 8 of this Privacy Policy.

4. COOKIES AND TRACKING TECHNOLOGIES

4.1. We use cookies, pixels, web beacons, local storage, and similar tracking technologies to collect information about your interactions with the Services. These technologies help us operate the Services, remember your preferences, analyze usage patterns, and deliver relevant content.

4.2. Types of cookies we use: (a) Essential cookies, which are required for the Services to function and cannot be disabled; (b) analytics and performance cookies, which help us understand how users interact with the Services, including through third-party analytics providers such as Google Analytics; (c) functional cookies, which remember your preferences and settings; and (d) advertising and targeting cookies, which may be used to deliver relevant advertising or measure advertising effectiveness, if applicable.

4.3. Managing Cookies. You can manage or disable cookies through your browser settings. Please note that disabling essential cookies may impair the functionality of the Services. For more information about cookies and how to manage them, visit allaboutcookies.org.

4.4. Do Not Track Signals. Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how to respond to DNT signals, and we do not currently respond to DNT signals. However, you may exercise your privacy rights as described in Section 8 of this Privacy Policy.

5. DATA RETENTION

5.1. We retain your personal information for as long as your account is active or as reasonably necessary to provide the Services, fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

5.2. Specific retention periods: (a) Active account data (profile, dietary preferences, usage history) is retained for the duration of your account and for 90 days following account deletion to allow for recovery requests, after which it is deleted or anonymized. (b) Transactional and communication records (emails, support tickets, SMS consent records) are retained for 3 years or as required by applicable law. (c) Server logs and analytics data are retained for up to 24 months and then aggregated or deleted. (d) Restaurant data submitted through the Tummy Verified program is retained as described in Section 9 of our Terms of Service. (e) Aggregated and anonymized data may be retained indefinitely, as it does not identify individuals.

5.3. When personal information is no longer needed, we will securely delete or anonymize it in accordance with our data retention procedures.

6. DATA SECURITY

6.1. Tummy implements reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), access controls and authentication requirements, regular security assessments, and employee training on data protection practices.

6.2. No method of electronic transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials.

6.3. In the event of a data breach that compromises your personal information, Tummy will notify affected users and applicable regulatory authorities as required by the data breach notification laws of Delaware (6 Del. C. § 12B-102), Texas (Tex. Bus. & Com. Code § 521.053), Florida (Fla. Stat. § 501.171), and any other applicable jurisdiction. Notification will be provided within the timeframes required by applicable law.

7. CHILDREN'S PRIVACY

7.1. The Services are intended for users aged 16 and older. Tummy does not knowingly collect, use, or disclose personal information from anyone under the age of 16.

7.2. If we become aware that we have collected personal information from a user under the age of 16, we will take prompt steps to delete that information and terminate the associated account.

7.3. If you are a parent or guardian and believe your child under 16 has provided personal information to Tummy, please contact us at legal@thetummyapp.com so we can take appropriate action.

8. YOUR PRIVACY RIGHTS

8.1. General Rights. Depending on your location and applicable law, you may have the following rights regarding your personal information: (a) the right to access and obtain a copy of the personal information we hold about you; (b) the right to correct inaccurate personal information; (c) the right to delete your personal information, subject to certain exceptions; (d) the right to restrict or object to certain processing of your personal information; (e) the right to data portability (receiving your data in a structured, machine-readable format); (f) the right to opt out of the sale or sharing of your personal information; (g) the right to opt out of targeted advertising; and (h) the right to withdraw consent, where processing is based on consent.

8.2. How to Exercise Your Rights. You can exercise your privacy rights by: (a) accessing your account settings to update, correct, or delete your profile information and dietary preferences; (b) emailing us at legal@thetummyapp.com with a description of your request; or (c) using any opt-out mechanisms provided within the Services. We will respond to verifiable requests within the timeframes required by applicable law (generally within 45 days, with a possible 45-day extension for complex requests). We may need to verify your identity before processing your request.

8.3. Non-Discrimination. We will not discriminate against you for exercising your privacy rights. However, certain features of the Services may require personal information to function (for example, dietary matching requires your dietary profile), and deleting this information may limit your ability to use those features.

8.4. Authorized Agents. In certain jurisdictions, you may designate an authorized agent to submit privacy requests on your behalf. The agent must provide proof of authorization, and we may still require verification of your identity.

8.5. Appeals. If we deny your privacy request, you may appeal by contacting us at legal@thetummyapp.com with the subject line "Privacy Appeal." We will respond to appeals within the timeframes required by applicable law.

9. STATE-SPECIFIC PRIVACY DISCLOSURES

9.1. Delaware (Delaware Personal Data Privacy Act, effective January 1, 2025). If you are a Delaware resident, you have the right to: confirm whether we are processing your personal data; access your personal data; correct inaccuracies; delete your personal data; obtain a portable copy of your data; and opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Tummy limits data collection to what is reasonably necessary for the purposes disclosed in this Privacy Policy. Tummy does not process sensitive personal data without your consent. To exercise your rights, contact us at legal@thetummyapp.com.

9.2. Texas (Texas Data Privacy and Security Act, effective July 1, 2024). If you are a Texas resident, you have the right to: confirm whether we are processing your personal data; access your personal data; correct inaccuracies; delete personal data you have provided or that we have obtained about you; obtain a portable copy of your data; and opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Tummy has implemented procedures to honor consumer rights requests and maintain data security in accordance with Texas law. We conduct data protection assessments for processing activities that present a heightened risk of harm, including processing of sensitive data and processing for targeted advertising. To exercise your rights, contact us at legal@thetummyapp.com.

9.3. Florida (Florida Digital Bill of Rights, effective July 1, 2024). If you are a Florida resident, you have the right to: confirm whether we are processing your personal data; access your personal data; correct inaccuracies; delete your personal data; and opt out of the processing of your personal data for targeted advertising or the sale of personal data. Tummy obtains affirmative consent before processing sensitive personal data, including health-related data such as dietary restrictions, food allergies, and intolerances. We do not sell biometric or geolocation data without explicit consent. To exercise your rights, contact us at legal@thetummyapp.com.

9.4. California. Although Tummy does not currently operate in California, if you are a California resident accessing the Services, you may have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). These rights include: the right to know what personal information we collect, use, disclose, and sell; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising your privacy rights. Tummy does not sell personal information for monetary consideration. To the extent any data sharing constitutes a "sale" or "share" under the CCPA/CPRA, you may opt out by contacting us at legal@thetummyapp.com. In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, phone number); internet or electronic network activity information; geolocation data; and inferences drawn from the above (dietary matching and preferences). We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.

9.5. Other States. Privacy laws are evolving across the United States. If you reside in a state with privacy legislation that provides rights beyond those described above, those rights are not waived by this Privacy Policy and apply to the extent required by applicable law. Contact us at legal@thetummyapp.com to exercise any applicable rights.

10. SENSITIVE PERSONAL DATA

10.1. Certain information we collect may be classified as "sensitive personal data" under applicable state privacy laws, including dietary restrictions, food allergies, intolerances, and other health-related dietary information.

10.2. We process sensitive personal data only with your affirmative consent, which you provide when you create a dietary profile and enter your allergens, restrictions, and preferences. You may withdraw this consent at any time by deleting your dietary profile or your account.

10.3. We use sensitive personal data solely for the purpose of providing the core Services — specifically, matching you with compatible dishes and restaurants based on your dietary needs. We do not sell sensitive personal data. We do not use sensitive personal data for advertising or marketing purposes.

11. INTERNATIONAL USERS

11.1. The Services are primarily intended for use within the United States. If you access the Services from outside the United States, please be aware that your information will be transferred to, stored in, and processed in the United States.

11.2. The United States may not provide the same level of data protection as your home jurisdiction. By using the Services, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Privacy Policy and applicable U.S. law.

11.3. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data transfer restrictions, we will take reasonable steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which we process it.

12. THIRD-PARTY LINKS AND SERVICES

12.1. The Services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of any third party.

12.2. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Services.

13. MARKETING AND COMMUNICATIONS PREFERENCES

13.1. You may receive transactional communications from us related to your account (such as verification codes, security alerts, and service notifications) regardless of your marketing preferences. These communications are necessary for the operation of the Services and are not promotional in nature.

13.2. Where you have opted in, we may send you promotional or marketing communications via email or SMS. You may opt out of marketing communications at any time by: (a) using the "unsubscribe" link in any marketing email; (b) adjusting your communication preferences in your account settings; or (c) contacting us at support@thetummyapp.com.

13.3. Opting out of marketing communications does not affect transactional communications. Please allow up to 10 business days for opt-out requests to take effect.

14. CHANGES TO THIS PRIVACY POLICY

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make changes, we will update the "Effective Date" at the top of this document.

14.2. For material changes that significantly affect how we collect, use, or share your personal information, we will provide notice through the app, by email to the address associated with your account, or by other reasonable means at least 15 days before the changes take effect.

14.3. Your continued use of the Services after any modifications constitutes acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must stop using the Services and may delete your account.

15. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

BetterCarte LLC

A Delaware Limited Liability Company

All Inquiries: info@thetummyapp.com

Website: thetummyapp.com/contact

If you are not satisfied with our response to a privacy concern, you may have the right to lodge a complaint with the applicable data protection or consumer protection authority in your jurisdiction.