Privacy Policy
This policy explains what information CookBooks collects, how we use it, and the rights you have over your data under GDPR, UK GDPR, and CCPA.
1. Overview
CookBooks ("CookBooks", "we", "us", or "our") provides an AI-powered recipe generation service available at cookbooks.ink and related subdomains (the "Service"). We respect your privacy and are committed to protecting the personal information you share with us.
This Privacy Policy describes the personal data we collect, why we collect it, how we use and share it, and the rights you have. It applies to all visitors, registered users, and paying subscribers of the Service. By using the Service, you acknowledge that you have read and understood this policy.
2. Who We Are
CookBooks is operated as an independent service by the developer responsible for cookbooks.ink. We act as the "controller" (for the purposes of the EU General Data Protection Regulation and UK GDPR) and "business" (for the purposes of the California Consumer Privacy Act as amended by the CPRA) of the personal information processed through the Service.
For any privacy-related questions or requests, you can contact us at privacy@mail.cookbooks.ink.
3. Information We Collect
We collect only the information we need to operate the Service, process your requests, and improve your experience. The categories of information we collect are:
a. Information you provide directly
- Account information: your email address, password (stored only as a salted hash), and the display name you choose. If you register or sign in with Google, we receive your name, email address, and profile picture from Google.
- Cooking preferences and dietary information: ingredients, cuisines, dietary restrictions, portion sizes, difficulty levels, and any other preferences you supply when generating or transforming recipes.
- Allergy and health-related dietary data: if you provide information about food allergies or medical dietary requirements, this constitutes health data and is treated as special category personal data under UK GDPR Article 9. We process this data solely to personalise recipe generation for your safety.
- Recipe content: recipes you save to your collection, edits you make to them, and any notes, tags, or feedback you add.
- Payment information: if you subscribe to a paid plan, your payment card details are collected and processed directly by our payment processor, Stripe, Inc. We do not store your full card number. We receive only a tokenised reference, the last four digits, card brand, billing country, and subscription status.
- Correspondence: messages you send to our support or privacy addresses.
b. Information collected automatically
- Device and usage data: your IP address (truncated where possible), browser type and version, operating system, device type, referring URL, pages viewed, actions taken within the Service, and approximate location derived from your IP.
- Cookies and similar technologies: see Section 8 for details on the cookies we use and your choices.
- Authentication tokens: session tokens issued when you sign in, used solely to keep you logged in securely.
c. Information from third parties
If you sign in with Google, we receive the profile information listed above from Google, subject to the permissions you grant during sign-in. We do not request access to your Gmail messages, Drive files, calendar, contacts, or any other Google Workspace data.
4. How We Use Your Information
We use the information we collect for the following purposes:
- To create, maintain, and secure your account.
- To generate personalised recipes and recommendations based on the inputs you provide.
- To save your recipe collection and sync it across your devices.
- To process subscription payments and manage your billing relationship.
- To respond to your questions, feedback, and support requests.
- To detect, prevent, and address fraud, abuse, or security incidents.
- To understand how the Service is used, diagnose bugs, and improve features. We use aggregated or de-identified usage data for these purposes wherever possible.
- To send you transactional messages (for example, password resets, subscription receipts, and important service updates).
- To comply with legal obligations and enforce our Terms of Service.
We do not use your personal information for advertising, we do not sell or rent it to data brokers, and we do not use it to train generalised artificial-intelligence models for purposes unrelated to providing the Service to you.
5. AI Processing and OpenAI
A core feature of the Service is the generation of recipes and recommendations using large language models provided by OpenAI, L.L.C. ("OpenAI"). When you generate or transform a recipe, the cooking preferences and ingredient lists you enter are transmitted to OpenAI for processing.
We designed this flow to minimise the data sent to OpenAI:
- We do not send your name, email address, account identifier, IP address, or any other direct identifier to OpenAI.
- Requests are sent in an anonymised form; OpenAI receives the recipe-generation prompt and nothing else that we use to identify you.
- If you choose to include personal information within the text of a prompt (for example, writing your name into an ingredient field), that content will be transmitted as part of the prompt. Please avoid entering personal information in free-text fields.
- Where you have provided allergy or health-related dietary information, this data may be included in anonymised recipe generation prompts sent to OpenAI. No name, email address, or other direct identifier is included.
- OpenAI processes prompts under its own API terms and, at the time this policy was written, does not use API inputs to train its foundation models. You should review the OpenAI Privacy Policy for their current practices.
Recipes are generated by a language model and may contain inaccuracies, unusual combinations, or ingredients that do not match your dietary needs or allergies. Always review the output carefully before cooking, and refer to our Terms of Service for the full AI-content disclaimer. Although we use your allergy profile to guide recipe generation, AI outputs must always be manually verified before cooking, particularly for allergen-sensitive individuals.
6. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR (and the equivalent UK GDPR):
- Performance of a contract (Art. 6(1)(b)): to create your account, deliver the Service you request, and process your subscription.
- Legitimate interests (Art. 6(1)(f)): to keep the Service secure, prevent abuse, understand aggregated usage, and improve our features. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): for optional cookies and analytics that are not strictly necessary, and for any marketing communications you opt into. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other legal requirements.
- Explicit consent (Art. 9(2)(a)): for allergy and health-related dietary data, which is special category data under UK GDPR. This consent is collected separately during onboarding at the point the data is entered. You may withdraw this consent at any time from your profile settings, which will result in deletion of your allergy and health data.
7. How We Share Information
We do not sell your personal information. We share personal information only with the service providers ("sub-processors") that help us operate the Service, and only to the extent necessary for them to perform their function. Each sub-processor is bound by contractual confidentiality and data-protection obligations.
- Supabase, Inc.: Authentication and database hosting. Stores account records, saved recipes, and preferences. Hosted in the region selected for our project. See the Supabase Privacy Policy.
- OpenAI, L.L.C.: Recipe generation and personalised recommendation engine. Receives only anonymised prompt content, as described in Section 5. See the OpenAI Privacy Policy.
- Google LLC: Sign-in with Google authentication. We receive your name, email, and profile picture only if you choose to sign in with Google. See the Google Privacy Policy.
- Stripe, Inc.: Payment processing for paid subscriptions. Stripe collects your payment-card details directly; we do not see or store your full card number. See the Stripe Privacy Policy.
We may also disclose personal information:
- to comply with applicable law, a valid legal process, or a binding governmental request;
- to enforce our Terms of Service or investigate potential violations;
- to protect the rights, property, or safety of CookBooks, our users, or the public;
- in connection with a merger, acquisition, reorganisation, or sale of assets, in which case we will notify affected users and any successor will be bound by this policy.
8. Cookies and Tracking Technologies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies keep you signed in and maintain your session. These cannot be disabled without breaking the Service.
- Preference cookies remember settings such as your dark-mode choice.
- Analytics cookies help us understand, in aggregate, how users interact with the Service so we can improve it. Where required by law, these cookies are set only after you give consent.
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning correctly.
9. Data Retention
We keep your personal information only for as long as we need it for the purposes described in this policy:
- Account data is retained for as long as your account is active.
- Saved recipes, preferences, and cooking history are retained for as long as your account is active, and are deleted shortly after you delete your account.
- Billing records are retained for the period required by applicable tax and accounting laws (typically six to ten years).
- Server and security logs are retained for up to 90 days for operational and security purposes.
- Backups containing your data are rotated on a regular schedule and overwritten within 30 days.
- Allergy and health data is deleted immediately upon withdrawal of consent or account deletion, whichever is sooner.
When you request deletion of your account, we will delete or anonymise your personal information within 30 days, except where we are required to keep it by law or to defend legal claims.
10. Data Security
We use appropriate technical and organisational measures to protect your personal information, including:
- TLS encryption in transit for all traffic to and from the Service.
- Encryption at rest for account credentials and stored data.
- Passwords stored as salted cryptographic hashes, never in plain text.
- Role-based access controls and least-privilege principles for internal systems.
- Regular review of sub-processor security practices.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities as required by applicable law.
11. Your Rights and Choices
a. All users
You can access and update most of your information directly from your account settings. You can delete your account at any time, which will remove your personal information from our active systems (subject to the retention periods described in Section 9).
b. EEA, UK, and Swiss residents
Under the GDPR and UK GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion ("right to be forgotten");
- request restriction of processing;
- object to processing based on our legitimate interests;
- receive a copy of your data in a portable format;
- withdraw consent at any time for health data processing, after which your allergy and health data will be deleted and the Service will continue without allergy-based filtering;
- lodge a complaint with your local data-protection authority (in the UK, the Information Commissioner's Office).
c. California residents (CCPA / CPRA)
If you are a California resident you have the right to:
- know the categories and specific pieces of personal information we have collected about you;
- know the categories of sources, the business or commercial purposes, and the categories of third parties with whom we share personal information;
- request deletion of your personal information;
- correct inaccurate personal information;
- limit the use of sensitive personal information (we do not process sensitive personal information for purposes beyond those allowed by the CPRA);
- opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined by the CPRA);
- not be discriminated against for exercising any of these rights.
d. How to exercise your rights
Send a request to privacy@mail.cookbooks.ink from the email address associated with your account. We will respond within the timeframes required by applicable law (typically 30 days, with one 60-day extension if the request is complex). We may need to verify your identity before acting on your request.
12. International Data Transfers
Our sub-processors may operate in countries outside your country of residence, including the United States. Where we transfer personal data outside the EEA, the UK, or Switzerland, we rely on legally recognised transfer mechanisms such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, and we take additional measures where required to ensure an adequate level of protection. Where allergy or health-related data is included in anonymised prompts sent to OpenAI for recipe generation, such transfers are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
13. Children's Privacy
The Service is intended for users 13 years of age or older. Entering into a paid subscription requires you to be at least the age of majority in your jurisdiction (18 in most places), or for a parent or legal guardian to enter into the subscription on behalf of a minor.
We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at privacy@mail.cookbooks.ink and we will take steps to delete that information.
14. No Sale of Personal Information
We do not sell personal information for monetary consideration, and we do not "share" personal information for cross-context behavioural advertising as those terms are defined by the California Consumer Privacy Act (as amended by the California Privacy Rights Act). We do not use Google user data for advertising, and we do not transfer Google user data to third parties for use in targeted advertising, credit-worthiness decisions, lending, or the training of foundation AI models.
15. Third-Party Links
The Service may contain links to third-party websites or services that we do not operate. This Privacy Policy does not apply to those sites, and we are not responsible for their content or privacy practices. We encourage you to read the privacy policy of every site you visit.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to the Service, to our data practices, or to the law. When we make a material change, we will update the "Last updated" date at the top of this page and, where required, notify you by email or through an in-product notice before the change takes effect. Continued use of the Service after an update means you accept the revised policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
Privacy inquiries: privacy@mail.cookbooks.ink
Legal and other matters: legal@mail.cookbooks.ink
© 2026 CookBooks. All rights reserved.