Data Usage and Security policy
Effective date: July 23rd, 2025
Contact us if you want to report a security vulnerability.
About us
We are I-Challenge BV (hereafter ‘We’ or ‘Shelfion’),
BE 1002343560
Suzanne Tassierstraat 1
9052 Zwijnaarde, Gent
Belgium
We provide the shelf-life prediction app (hereafter the “Application” or “App”).
Goal of this policy
This information security policy (hereafter the “Security Policy”) explains at a high level how We ensure the confidentiality, integrity and availability of the Application.
This Security Policy informs and raises awareness among:
- our customers on how we deal with security,
- our suppliers, so that they know what is expected from them,
- our staff and our service providers, so that they remain aware of the importance of proper handling of data and IT systems.
Organization
The following functions in Shelfion are involved in shaping the Security Policy:
- The CEO / founder is responsible for security.
- The staff is responsible for implementing the security measures and advises the CEO.
Security bug fixing
Shelfion makes it a priority to ensure that customers’ systems cannot be compromised by exploiting vulnerabilities in the Application.
Security bug fix Service Level Objectives (SLO)
- Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 2 weeks of being reported
- High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 4 weeks of being reported
- Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 8 weeks of being reported
- Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 26 weeks of being reported
Critical vulnerabilities
When a critical security vulnerability is discovered by Shelfion or reported by a third party, Shelfion will issue a new, fixed release for the current version of the affected product as soon as possible.
Non-critical vulnerabilities
When a security issue of a High, Medium or Low severity is discovered, Shelfion will include a fix in the next scheduled release.
Cloud hosting
- Shelfion cloud services are hosted and delivered by Google Cloud. Google is responsible for the security of its actual data centers and the Google Cloud. Shelfion is responsible for monitoring, managing and securing the Shelfion Cloud.
- Google manages the data centers that host the Shelfion Cloud.
- Shelfion Cloud production data is hosted in the EU.
- Google manages the security of the cloud. Google has been certified by third-party organizations, and manages many compliance programs to comply with laws and regulations. A list of such certifications and compliance statements can be found here.
Technical measures
At a glance, the following technical measures are taken to protect our Application and the data We process. For security reasons, we do not disclose details.
SOFTWARE VULNERABILITY MITIGATION
- Software is scanned regularly against known security vulnerabilities and security alerts.
- Mitigation actions are taken against possible attacks (XSRF, XSS, reflected CSS, SQL injection, etc.) on the Application.
- Protection of the Application REST endpoints.
- Software hardening.
ARCHITECTURE, DEVELOPMENT AND TESTING
- Software development is done according to good industry practices (clean code, clean architecture, TDD, DRY principle, patterns, reviews, branching, repositories, etc.).
- Core functionalities in our software have a high unit test coverage level.
- We follow the API guides and best practices provided by the software library vendors.
- We take actions to detect and mitigate software flaws (unit testing, BDD testing, CI/CD automated integration, etc.).
- Software bugs are prioritized based on the impact they have on our customers. Software bugs that generate a security vulnerability are taken up with the highest priority.
DATA STORAGE
- Customer data at rest is encrypted using industry-standard encryption by our cloud service provider.
- Data is backed up on a daily basis.
- Customer data provided via support requests is only retained temporarily for the duration of the intervention and only used to investigate and solve the service request (and, if applicable, solve the underlying root problem).
SYSTEM ACCESS AND PROTECTION
- We use software to detect and mitigate threats (virus, malware, phishing, etc.).
- Our networks are protected against access by unauthorized third parties.
- Roles and permissions are given to users on a need-to-know basis, with individual access (no shared users).
- Access is given with the minimal level of privileges needed.
- Only a few members of the team have access to the production environment for the purposes of maintaining our services and assisting our customers.
- Passwords must have a minimal complexity and are rotated. Where useful, 2-factor authentication is used.
- Connections with our systems are secured with HTTPS using TLS.
- Physical access to our premises is restricted to authenticated personnel and visitors.
- Sensitive printed information is destroyed instead of being thrown away.
EXTERNAL SOFTWARE
- Only approved software is installed on our systems.
- Software used on our systems is kept up to date.
Data usage
PURPOSE OF DATA PROCESSING
Recipe data is used exclusively to generate shelf-life predictions based on ingredients, production parameters and formulations provided by the customer.
NO SECONDARY USE
We do not use recipe data for any purpose other than generating predictions for the respective customer. Data is never shared, sold, or repurposed for commercial or internal use.
AGGREGATED INSIGHTS ONLY
We may perform anonymous, aggregated analysis to understand general trends in prediction demand — for example, identifying that many customers use a certain ingredient for predictions. This helps us assess whether to develop new models for such ingredients. These insights are never based on individual recipe data.
DATA PROTECTION
All customer data is treated as confidential and is secured in accordance with applicable regulations (e.g. GDPR, see also Privacy policy).
OWNERSHIP
All intellectual property related to recipe data remains fully owned by the customer at all times.
OPTIONAL EXPERIMENTAL TESTING & DATA COLLECTION
Customers may choose to participate in an experimental testing program, where we use our proprietary testkits to generate empirical shelf-life data for specific ingredients or formulations.
- This data is used to develop and improve predictive models; this test data will be aggregated and anonymized for internal research and development purposes.
- No identifying information about the customer or their specific formulations will be included in any shared or analyzed dataset.
- Participation in this program is voluntary.
- By agreeing to participate in the experimental testing, the customer explicitly agrees to the terms outlined in this section.
Staff training and awareness
- Management of Shelfion stresses the importance of security and sets a good example internally.
- We use awareness videos and training materials on security, phishing, etc.
Suppliers
We are committed to working with reliable partners and suppliers who take appropriate security measures.
We make clear and written agreements with suppliers who provide services or products that access our IT systems or data.
Data processing and privacy
Shelfion understands the importance of, and is committed to ensuring, the privacy of personally identifiable information. For more information, please see our Privacy Policy.
Changes
We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.