Privacy Policy

Last Updated: April 28, 2026

1. Introduction

This Privacy Policy explains how RecipLab collects, uses, discloses, and protects your personal data when you use our website and mobile application (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Data Protection (LOPDGDD).

2. Data Controller

The data controller responsible for your personal data is:

You can contact us at any time using the email above for questions about this Policy or to exercise your data rights (see Section 9).

3. Information We Collect

3.1 Personal Data

We may collect personally identifiable information, such as:

  • Name and email address (via Clerk authentication)
  • Profile information
  • Subscription and purchase status (we do not receive or store credit card details — payments on iOS are handled by Apple, payments on the web by our payment processor)

3.2 Usage Data

We may collect information about your interactions with the Service, including:

  • Recipes generated and saved
  • Grocery lists created
  • Device information (IP address, browser type, operating system, device identifiers)
  • Log data, crash reports, and usage patterns

3.3 Content Data

We collect the photos, videos, and text you upload for recipe generation. This content is processed by our AI providers to deliver the Service.

4. How We Use Your Information & Legal Bases (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Performance of contract (Art. 6(1)(b)): to provide, operate, and maintain the Service; process subscriptions; deliver AI-generated recipes from your inputs.
  • Legitimate interests (Art. 6(1)(f)): to improve, secure, and personalize the Service; detect and prevent fraud and abuse; produce aggregated/anonymized analytics.
  • Consent (Art. 6(1)(a)): for optional analytics, marketing communications, and (where applicable) cookies that require consent. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other legal obligations.

We do not use your private content (recipes, photos) to train third-party generic AI models. Anonymized, aggregated usage data may be used to improve the Service.

5. Third-Party Processors (Sub-processors)

We rely on the following third-party processors to operate the Service. Each is bound by a Data Processing Agreement and processes your data only on our instructions:

  • Clerk (USA) — authentication, account management.
  • RevenueCat (USA) — mobile subscription management.
  • Apple Inc. (USA / Ireland) — iOS In-App Purchase processing.
  • OpenAI (USA) — AI recipe generation from your inputs (text, images, transcripts).
  • Sentry (USA) — error monitoring and crash reporting.
  • Hetzner (Germany / EU) — cloud hosting and storage.

We may also disclose your information when required by law, to respond to valid requests by public authorities, or in connection with a merger, sale, or acquisition of all or part of our business.

6. International Data Transfers

Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. When we transfer your personal data outside the EEA, we rely on appropriate safeguards under GDPR Chapter V, including:

  • The EU-U.S. Data Privacy Framework for U.S. processors that are certified.
  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to processors not covered by a Commission adequacy decision.
  • Supplementary technical and organizational measures where required.

You may request a copy of the relevant transfer mechanism by contacting us at the address above.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this Policy:

  • Account and profile data: while your account is active and for up to 30 days after deletion to allow recovery and for security/audit purposes.
  • Recipe and content data: deleted within 30 days of account deletion.
  • Subscription / billing records: retained as required by Spanish tax and accounting law (typically 6 years).
  • Crash logs and analytics: anonymized or deleted within 90 days.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including encryption in transit (TLS), access controls, and regular security reviews. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security.

9. Your Data Rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data ("right to be forgotten"). You can delete your account directly in the app under Profile → Delete Account.
  • Restrict or object to processing.
  • Receive your data in a structured, machine-readable format (data portability).
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority.

To exercise these rights, contact us at reciplab.info@gmail.com. We will respond within one month.

10. Children's Privacy

The Service is not intended for use by children under 13. We do not knowingly collect personal data from children under 13. If you become aware that a child has provided us with personal data without parental consent, please contact us so we can delete it.

11. Third-Party Links

The Service may contain links to third-party websites that are not owned or controlled by RecipLab. We are not responsible for the privacy practices of such third parties.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

13. Contact Us

For questions about this Privacy Policy or to exercise your data rights: