Recipe AppSign in

Privacy Policy

Last updated: April 27, 2026 Effective date: April 27, 2026

This Privacy Policy describes how GHAX Inc. ("we," "us") collects, uses, and shares information when you use Recipe App (the "Service") at recipeapp.io and book.recipeapp.io.

This policy is intended to comply with the principles of GDPR (EU/UK) and CCPA (California) where they apply. If you have questions, email privacy@recipeapp.io.

1. Information we collect

Information you give us

  • Account info — your name, email address, and password (stored only as a salted hash; we never see your plain password)
  • Recipe content — titles, ingredients, instructions, notes, tags, attribution, photos, and any text you ingest from external sources
  • Payment info — collected and stored by Stripe, not by us. We receive only a customer ID and subscription status.
  • Communications — anything you send to support, billing, feedback, or other email addresses

Information collected automatically

  • Usage data — pages visited, features used, approximate timestamps. Used to improve the product.
  • Technical data — IP address, browser type, device type, operating system, referring URL
  • Cookies — we set one HTTP-only authentication cookie when you sign in (__Secure-better-auth.session_token). It contains an opaque session token, not personal data, and expires after 30 days. We do not use third-party advertising cookies.

Information from third parties

  • Stripe sends us subscription status and customer IDs when you upgrade, change plans, or cancel
  • Anthropic returns the AI-generated structured recipe and macros when you trigger ingestion or estimation. They do not return any personal data we did not send them.

2. How we use your information

We use your information to:

  • Operate and maintain the Service (authenticate you, store your recipes, run searches, generate AI outputs)
  • Process payments and manage subscriptions
  • Send transactional emails (verification, password reset, billing receipts)
  • Send occasional product update emails (you can opt out at any time)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Improve the product (we look at aggregated, non-identifying usage patterns)

We do not sell your personal information. We do not use your recipe content to train AI models.

3. Third parties we share with

We share data only with the following service providers, each of whom is contractually required to protect it:

ProviderPurposeData shared
Anthropic (Claude API)AI parsing of recipes and macro estimationThe text/image/transcript you submit for ingestion. Per Anthropic's commercial terms, your API content is not used to train their models.
StripePayment processingEmail, name, payment method (collected directly by Stripe)
VercelHosting, serverless functions, CDNAll HTTP traffic and uploaded photos (Vercel Blob)
NeonPostgres databaseAll recipe and account data
ResendTransactional email deliveryYour email, name, and email body content
Go High Level (HighLevel)CRM / contact managementEmail, name, source, signup tag
CloudflareDNS resolution and DDoS protectionIP address (transient, for routing)

We may also share information when legally required (subpoena, court order), to protect rights or safety, or in connection with a merger or asset sale (in which case we'll notify you and you may delete your account).

4. Where your data lives

  • Account and recipe data: Neon Postgres, US-East region
  • Photos: Vercel Blob, US-East region
  • Backups: encrypted, retained for up to 30 days

If you are in the EU/UK, your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) where required.

5. Retention

  • Account and recipes: kept as long as your account is active
  • After account deletion: removed from our production database immediately; purged from backups within 30 days; some metadata (e.g. anonymized billing records) may be retained longer for accounting and legal compliance, typically 7 years
  • Logs: retained for up to 90 days, then deleted
  • Email logs (Resend): 30-day delivery history; longer retention is configurable

6. Security

We protect your data with industry-standard measures, including:

  • TLS 1.2+ encryption for all traffic
  • Encrypted storage at rest (Postgres + Blob)
  • Hashed passwords (bcrypt via Better-Auth)
  • Per-user data scoping at the database query level
  • Encrypted environment variables and API keys
  • Limited admin access, audit-logged

No system is perfectly secure. If we experience a breach affecting your data, we will notify you without undue delay and as required by applicable law.

7. Your rights

Depending on where you live, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — fix anything that's wrong
  • Deletion — ask us to permanently delete your data ("right to be forgotten" under GDPR; "right to delete" under CCPA)
  • Export — receive your data in a portable format (JSON)
  • Opt out of marketing — unsubscribe link in every product-update email; transactional emails (verification, billing) cannot be opted out of while you're a subscriber
  • Object to processing — for any processing based on our legitimate interest
  • Lodge a complaint with your local data protection authority

To exercise any right, email privacy@recipeapp.io from the email address on your account. We respond within 30 days.

8. Children

The Service is not directed at children under 13, and we do not knowingly collect data from children under 13 (under 16 for EU/UK residents). If you believe we have collected data from a child, email privacy@recipeapp.io and we'll delete it promptly.

9. Cookies and tracking

We use:

  • One session cookie (__Secure-better-auth.session_token, HTTP-only, secure, 30-day expiry) — required for sign-in
  • Cloudpulse / GHL tracking script on the marketing site (recipeapp.io) for funnel analytics. This script collects pageview events and approximate IP-based location. It does not run inside the app at book.recipeapp.io.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracker.

You can disable cookies in your browser; doing so will prevent sign-in.

10. International users

If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the U.S. By using the Service, you consent to that transfer.

11. AI processing disclosure

When you use any AI-assisted feature (paste text, photo, link, YouTube, voice, or macro estimation), the relevant content is sent to Anthropic's API for processing. Specifically:

  • Photo ingestion: the image bytes
  • URL ingestion: the fetched page text or YouTube description and transcript
  • Text ingestion: the text you pasted
  • Voice dictation: the transcribed text (transcription happens in your browser; the text is sent to Anthropic)
  • Macros: the recipe title, servings, and ingredient list

Anthropic processes this content to generate the AI response and, per their commercial terms, does not use it to train their models. They retain content for up to 30 days for trust and safety review.

12. Changes to this policy

We may update this policy. Material changes will be communicated by email at least 14 days before they take effect. The "Last updated" date at the top will always reflect the most recent revision.

13. Contact

For privacy questions, requests, or complaints, email privacy@recipeapp.io or write to:

GHAX Inc. Attn: Privacy [Mailing address — fill in before going public]

GHAX Inc., a New York corporation. Operating Recipe App at recipeapp.io.