Published November 13, 2025 · Last updated April 13, 2026

Privacy Policy

Kitchmate.com ("Kitchmate", "we", "us") operates from Ontario, Canada and serves a global audience. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our cooking, meal-planning, recipe tools, and any related features (collectively, the "Services").

Information We Collect

We collect information in the following categories:

  • Account details — name, display name, email address, and password (stored securely via our authentication provider).
  • Contact and security information — email and, where applicable, phone number used for one-time passcodes and account verification.
  • Payment and billing details — collected directly by our third-party payment processor on our behalf; we do not store full card numbers.
  • User-generated content — recipes, photos, notes, dietary preferences, party or event details, pantry items, meal plans, and any metadata you choose to share (publicly or privately) inside the Services.
  • Imported content — recipe data and metadata retrieved from external sources such as YouTube or public web pages when you use our import features.
  • Usage and analytics data — pages viewed, features used, actions taken, session duration, and similar behavioral signals collected automatically.
  • Device and technical data — IP address, browser type and version, operating system, device identifiers, and referral URLs.
  • Cookies and similar technologies — session tokens, preference cookies, and analytics identifiers stored in your browser or device.
  • Support communications — messages you send us through in-app forms or email.

How We Collect Information

  • Directly from you — when you register, fill out forms, upload content, or contact support.
  • Automatically — through cookies, server logs, analytics SDKs, and similar tracking technologies as you navigate the Services.
  • From third-party sources — when you connect external services (for example, importing a recipe from YouTube), we receive the data those services share with us in accordance with their own terms.
  • From our service providers — infrastructure, authentication, and analytics partners may pass us derived signals (for example, whether a session is authenticated).

How We Use Information

We process personal information to provide and continuously improve the Services, personalize your experience, and protect our community. Specific purposes include:

  • Authenticating you, maintaining your account, and syncing your preferences across devices.
  • Generating, analyzing, and refining AI-assisted recipes, nutritional estimates, meal plans, and planning tools.
  • Enabling community features such as shared recipes, parties, and collaborative meal planning.
  • Processing payments, managing subscriptions, and preventing fraud or misuse.
  • Sending transactional emails (account verification, billing notices, security alerts) and, where you have opted in, product updates or promotional messages.
  • Conducting product analytics to understand how features are used and identify improvements.
  • Improving the performance, safety, and reliability of our AI-powered features and third-party integrations.
  • Complying with legal obligations and protecting the rights, property, and safety of Kitchmate and our users.

Tools and Third-Party Integrations

To deliver and operate the Services, we work with trusted service providers. Each provider has its own privacy practices; we encourage you to review them. Current and planned categories of providers include:

  • Hosting and infrastructure — our application and serverless functions run on cloud hosting platforms (such as Vercel), and our database and file storage are managed by a cloud backend provider (such as Supabase / PostgreSQL).
  • Authentication — user identity and session management is handled by our backend provider's authentication system, which may include email/password, magic link, and OAuth (Google sign-in).
  • AI and large language model providers — we send recipe prompts and related context to AI API providers (such as OpenAI and potentially other AI providers) to power generation, suggestions, and smart features. We do not send identifiable personal data to AI providers unless strictly necessary for the feature you are using.
  • Email delivery — transactional and notification emails are delivered via an email API provider (such as Resend).
  • Payment processing — subscription billing and payments are handled by a third-party processor (such as Stripe or a similar provider). Payment card data is handled entirely by the processor and is not stored by Kitchmate.
  • External content APIs — when you import recipes, we may call third-party APIs (such as the YouTube Data API) to retrieve publicly available metadata. Your use of linked content is also subject to the originating platform's terms.
  • Analytics and monitoring — we may use product analytics tools (such as PostHog, Mixpanel, or similar) and application monitoring services (such as Sentry or similar) to understand usage patterns and diagnose errors. These tools may collect anonymized or pseudonymized usage events.
  • Storage and media — user-uploaded images and other media may be stored in cloud object storage (such as Supabase Storage or a dedicated CDN/storage provider).

As Kitchmate grows, we may onboard additional providers in the same categories above. We apply due diligence to ensure any new provider meets appropriate data protection standards before sharing user data with them.

How We Share Information

We do not sell personal data. We share information only as needed to operate the Services: with the infrastructure, AI, analytics, email, and payment providers listed above acting under our instructions and on our behalf. We may also disclose information to comply with applicable law, respond to lawful government or regulatory requests, or protect the rights and safety of Kitchmate and our users. If Kitchmate undergoes a merger, acquisition, or asset sale, user information may be transferred as part of that transaction, and we will notify you of any material change in ownership or use of your personal data.

Cookies and Tracking

We use cookies, local storage, and similar technologies to keep you signed in, remember preferences, secure your account, understand product usage, and personalize content. Essential cookies are required for the Services to function; analytics and preference cookies help us improve the experience. You can modify browser settings to limit or delete cookies; however, some features may not work as expected without them.

Payments

Payments are handled by third-party processors (such as Stripe or similar providers). These processors collect and store payment card data directly and are responsible for their own privacy and security practices, which comply with PCI-DSS standards. We only receive the limited confirmation details needed to manage your subscription status (for example, whether your plan is active and its renewal date).

International Data Transfers

Kitchmate is based in Ontario, Canada. Data may be stored or processed in Canada, the United States, or other countries where our service providers operate data centres. When we transfer personal data across borders, we rely on appropriate safeguards such as standard contractual clauses, adequacy decisions, or other mechanisms recognized under applicable law.

Data Retention

We retain personal information for as long as your account is active or as needed to deliver the Services. Account data is deleted or anonymized within a reasonable period after you request account deletion (see Your Rights below), except where we are required to retain it for legal, accounting, fraud-prevention, or safety purposes. Anonymized or aggregated data that cannot identify you may be retained indefinitely for analytics and product improvement.

Security

We apply industry-standard safeguards including TLS encryption for data in transit, encrypted storage for sensitive data at rest, role-based access controls, and secure authentication practices. Our infrastructure providers maintain their own security certifications (such as SOC 2). No system is perfectly secure; we continuously monitor our controls and will notify affected users as required by law in the event of a data breach.

Your Choices and Rights

Depending on your location (including under GDPR for EU/EEA residents, PIPEDA/Law 25 for Canadian residents, CCPA/CPRA for California residents, and other applicable laws), you may have the right to:

  • Access, correct, or update your profile information.
  • Request a portable copy of your personal data.
  • Restrict or object to certain types of processing.
  • Withdraw consent where processing is based on consent.
  • Request deletion of your account and associated personal data ("right to be forgotten").
  • Opt out of marketing communications at any time.
  • Lodge a complaint with a relevant data protection authority.

You can exercise most controls within your account settings. For deletion, data exports, or additional rights requests, please submit a request through the in-app support form. We will respond within the timeframe required by applicable privacy law (generally 30 days, or 45 days where an extension is permitted).

Marketing Preferences

We may send product updates, tips, or promotional messages to the email address associated with your account. You can unsubscribe at any time via the unsubscribe link in those emails or by adjusting notification settings inside the app. Withdrawing marketing consent does not affect transactional communications (such as security alerts, billing notices, or receipts), which we will continue to send as needed.

Children's Privacy

Kitchmate is available to a global audience. We do not knowingly collect personal information from children under the age of 13 (or the applicable age of digital consent in your jurisdiction) without verifiable parental consent. If you are under the relevant age threshold, please use the Services only with the permission and supervision of a parent or guardian. If we become aware that we have inadvertently collected personal data from a child below the applicable age, we will promptly delete it.

Policy Updates

We may update this Privacy Policy to reflect changes in our Services, legal requirements, or data practices. When we make material changes, we will post the revised version on this page and notify you via email or in-app notice at least 14 days before the changes take effect. The "Effective" date at the top of this page reflects when the current version became active. Continued use of the Services after that date constitutes acceptance of the updated policy.

Contact

Questions, concerns, or requests related to this Privacy Policy can be submitted through the in-app support form. This is our primary channel for privacy inquiries. We aim to acknowledge all requests promptly and resolve them within the timeframes required by applicable law.