SpiceRack

Privacy Policy for SpiceRack

Last Updated: December 24, 2025

Introduction

Welcome to SpiceRack. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and associated services (collectively, the "Service"). Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

Information We Collect

Information You Provide to Us

Account Information:

  • Email address (required for email/password registration)
  • Display name (optional)
  • Password (stored as a salted hash, never in plain text)
  • Social media account identifiers (if you sign in with Google, Apple, or Facebook)

User-Generated Content:

  • Recipes (names, descriptions, ingredients, cooking steps, cooking times)
  • Recipe images and photos
  • Pantry information (pantry names, ingredient lists, stock quantities, brands, barcodes, expiration dates)
  • Custom ingredient categories and organization preferences
  • Grocery lists (items, quantities, purchase status)
  • Cooking session data (active recipes, step completion, timestamps)
  • AI chat conversations (your messages, AI responses, conversation titles, and context)
  • Custom AI instructions and preferences you provide to personalize the AI assistant

Uploaded Content:

  • Photos of food and ingredients you upload for AI identification
  • Recipe images you attach to your recipes
  • Barcode scan data from product lookups

Information Collected Automatically

Usage and Analytics Data: We use Amplitude Analytics to collect information about how you interact with the Service, including:

  • User ID (assigned by our system)
  • Screen views and navigation patterns
  • Feature usage (e.g., recipe creation, pantry updates, AI chat interactions)
  • Error occurrences and app crashes
  • Platform information (iOS or Android)
  • App version
  • Network connectivity status
  • Timestamps of actions

Note: We have explicitly disabled cookie collection, advertiser ID collection, and auto-logging in our analytics implementation.

Device and Technical Information:

  • Device type and model
  • Operating system and version
  • IP address
  • Session duration
  • Network connectivity type

Camera and Photo Data: When you grant camera permission:

  • Photos captured for ingredient identification
  • Barcode scan data
  • EXIF metadata from uploaded images (automatically processed and removed during image optimization)

Information from Third-Party Services

Social Authentication Providers: When you sign in using Google, Apple, or Facebook, we receive:

  • Your unique identifier from that provider
  • Email address associated with that account
  • Display name (if provided by the service)

We validate authentication tokens with these providers but do not store your social media passwords.

Product Database: When you scan a barcode, we query the OpenFoodFacts public API to retrieve product names and brand information. These queries include the barcode number and our app identifier.

How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Maintain the Service:

  • Create and manage your user account
  • Authenticate your identity and manage sessions
  • Sync your data across devices
  • Store and organize your recipes, pantries, and grocery lists
  • Process and store your uploaded images
  • Enable pantry sharing and collaboration features

To Provide AI-Powered Features:

  • Generate recipe suggestions based on your pantry ingredients
  • Provide cooking assistance through our AI chat assistant
  • Identify ingredients from photos you upload
  • Generate recipe content based on your requests
  • Personalize AI responses using your custom instructions

For AI features, we send your chat messages, uploaded images, pantry data, and custom instructions to OpenAI's API. OpenAI processes this data according to their own privacy policy and data processing agreements.

To Improve and Optimize the Service:

  • Analyze usage patterns to understand feature adoption
  • Identify and fix bugs and technical issues
  • Improve user experience and app performance
  • Develop new features based on usage patterns

To Enforce Usage Limits:

  • Track your usage of AI-powered features against quotas
  • Prevent abuse of the Service
  • Manage rate limiting

To Communicate with You:

  • Send you service-related notifications
  • Respond to your inquiries and support requests
  • Enforce our Terms of Service

For Legal and Security Purposes:

  • Comply with legal obligations
  • Protect against fraud and unauthorized access
  • Enforce our rights and agreements

How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We share your information only in the following circumstances:

With Third-Party Service Providers:

  • OpenAI: We send your chat messages, uploaded images, pantry ingredient lists, custom AI instructions, and conversation history to OpenAI to provide AI-powered recipe generation and chat assistance. OpenAI processes this data according to their Privacy Policy and API Data Usage Policies. As of our last update, OpenAI does not use data submitted via their API to train their models unless you explicitly opt in.

  • Amplitude Analytics: We share user IDs, usage events, screen views, and platform information with Amplitude to analyze app usage and improve the Service. Amplitude processes this data according to their Privacy Policy.

  • Cloud Storage Provider (Cloudflare R2): Recipe and ingredient images you upload are stored on Cloudflare's R2 object storage service and distributed via a content delivery network (CDN) for fast access. Images are organized in user-specific folders and are accessible via public URLs once uploaded.

  • Authentication Providers: When you sign in with Google, Apple, or Facebook, we validate your authentication tokens with these providers. We do not share your app data with these providers beyond authentication.

  • OpenFoodFacts: When you scan a barcode, we query the OpenFoodFacts public API with the barcode number to retrieve product information. This is a public, community-maintained database.

With Other Users (When You Choose to Share):

  • When you share a pantry with other users, they can view and edit the ingredients, stock, and grocery items in that shared pantry
  • Pantry members can see the names and IDs of other members with access to the same pantry
  • Users you invite to shared pantries can see your user ID and display name in the member list

For Legal Reasons: We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, legal requests)
  • Enforcement of our Terms of Service or this Privacy Policy
  • Protection of our rights, property, or safety, or that of our users or the public
  • Investigation of fraud, security issues, or technical problems

Business Transfers: If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

Data Retention

We retain your information for as long as your account is active or as needed to provide you the Service. Specific retention practices:

Account Data:

  • Retained until you delete your account
  • When you delete your account, we permanently delete your user record, recipes, pantries, ingredients, grocery lists, cooking sessions, chat conversations, and authentication sessions

Uploaded Images:

  • Stored in cloud storage until you delete the associated recipe or content
  • Note: Images may require separate cleanup and may persist briefly after account deletion

Chat History:

  • Retained until you delete individual conversations or your entire account
  • Soft-deleted conversations are marked as inactive but retained in the database

Analytics Data:

  • Retained by Amplitude according to their retention policies
  • We cannot delete historical analytics data after it has been sent to third-party services

Backup and Logs:

  • System logs and backups may retain information for a limited period for security and operational purposes

Legal Obligations:

  • We may retain certain information if required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution)

Data Security

We implement reasonable security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

Technical Safeguards:

  • HTTPS encryption for all data transmitted between your device and our servers
  • Password hashing using salted algorithms (passwords are never stored in plain text)
  • Secure session token management with automatic expiration (14 days)
  • Secure credential storage using device keychain/keystore
  • User data isolation (users can only access their own data and shared pantries)
  • OAuth token validation with social authentication providers

Organizational Safeguards:

  • Access controls limiting who can access user data
  • Regular security assessments and updates
  • Monitoring for unauthorized access

Third-Party Security:

  • We use reputable third-party services (Cloudflare, OpenAI, Amplitude) that maintain their own security practices

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

Your Data Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

Access and Portability:

  • You can access your account information, recipes, pantries, and other data through the app
  • Currently, we do not offer automated data export, but you may contact us to request a copy of your data

Correction and Update:

  • You can update your display name and custom AI instructions in the app settings
  • You can edit or delete your recipes, pantries, ingredients, and grocery lists at any time

Deletion:

  • You can delete individual recipes, conversations, or content items
  • You can delete your entire account through the app settings, which will permanently remove your data (see Data Retention section for details)
  • Soft-deleted items may be retained in the database but marked as deleted

Withdraw Consent:

  • You can revoke camera permissions through your device settings
  • You can unlink social authentication providers (you must maintain at least one authentication method)
  • You can stop using AI features at any time

Opt-Out of Analytics:

  • Currently, we do not offer an opt-out for Amplitude analytics while using the Service
  • You may contact us to request data deletion or restriction

GDPR Rights (European Economic Area Users): If you are in the EEA, you have additional rights under the General Data Protection Regulation:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

CCPA Rights (California Residents): If you are a California resident, you have rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to know whether your personal information is sold or disclosed
  • Right to opt-out of the sale of personal information (we do not sell personal information)
  • Right to deletion of personal information
  • Right to non-discrimination for exercising your rights

To Exercise Your Rights: Contact us at the information provided in the "Contact Us" section below. We will respond to your request within the timeframes required by applicable law.

Children's Privacy

The Service is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly.

International Data Transfers

SpiceRack is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

These countries may have data protection laws that differ from the laws of your country. By using the Service, you consent to the transfer of your information to the United States and other countries.

For users in the European Economic Area (EEA), we rely on appropriate safeguards for international data transfers, such as:

  • Standard Contractual Clauses with our service providers
  • Adequacy decisions by the European Commission
  • Your explicit consent

Third-Party Services and Links

The Service may contain links to third-party websites or integrate with third-party services not operated by us. This Privacy Policy applies only to the Service. We are not responsible for the privacy practices of third-party services.

Third-Party Services We Use:

  • OpenAI (for AI features)
  • Amplitude (for analytics)
  • Cloudflare R2 (for image storage)
  • Google, Apple, Facebook (for authentication)
  • OpenFoodFacts (for barcode lookups)

We encourage you to review the privacy policies of any third-party services you interact with:

  • OpenAI Privacy Policy: https://openai.com/privacy/
  • Amplitude Privacy Policy: https://amplitude.com/privacy
  • Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
  • OpenFoodFacts: https://world.openfoodfacts.org/privacy

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Posting a notice in the app
  • Requiring you to accept the new policy before continuing to use the Service (for significant changes)

Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

Data Controller and Contact Information

For the purposes of data protection laws, the data controller responsible for your personal information is:

SpiceRack Email: [email protected]

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

For GDPR-related inquiries or to exercise your data rights, please use the contact information above and specify "GDPR Request" or "Data Rights Request" in your subject line.

Cookies and Tracking Technologies

The Service does not use cookies for tracking or analytics purposes. We have explicitly disabled cookie collection in our analytics implementation.

The Service does use:

  • Session tokens stored in your device's secure keychain for authentication
  • Local storage (AsyncStorage, WatermelonDB) to store your data locally on your device for offline functionality
  • Analytics SDKs (Amplitude) that may collect device and usage information as described in this policy

Your California Privacy Rights

California Civil Code Section 1798.83 permits California residents to request certain information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Under the California Consumer Privacy Act (CCPA):

  • We do not sell your personal information
  • We share information with service providers as described in the "How We Share Your Information" section
  • You have the right to opt-out of sales (though we do not sell data)
  • You have the right to request disclosure of information collected and shared
  • You have the right to request deletion of your information
  • You have the right to non-discrimination for exercising your rights

To exercise these rights, contact us at [email protected].

European Economic Area (EEA) Users

If you are located in the EEA, the legal basis for collecting and using your personal information depends on the data and the context:

Legal Bases for Processing:

  • Contract Performance: Processing necessary to provide the Service you requested (e.g., account creation, data sync, recipe storage)
  • Consent: You have given clear consent for specific purposes (e.g., camera access for barcode scanning, AI features)
  • Legitimate Interests: Processing necessary for our legitimate interests (e.g., analytics to improve the Service, security and fraud prevention)
  • Legal Obligations: Processing necessary to comply with legal requirements

You have the right to withdraw consent at any time, though this will not affect the lawfulness of processing before withdrawal.

Do Not Track

Some web browsers and devices offer "Do Not Track" (DNT) settings. Because there is no common industry standard for DNT signals, the Service does not currently respond to DNT signals. However, we have minimized tracking by disabling cookies and advertiser ID collection in our analytics.

Automated Decision-Making

The Service uses AI (OpenAI's models) to generate recipe suggestions, identify ingredients from photos, and provide cooking assistance. These AI features make suggestions based on the information you provide, but you are not subject to automated decisions that significantly affect you without human review. You always have the choice to use or ignore AI-generated content.

Biometric Information

The Service does not collect or process biometric information (such as facial recognition or fingerprint data). If you use biometric authentication on your device to unlock the app, this is handled entirely by your device's operating system and is not transmitted to or stored by SpiceRack.

Notification and Communication Preferences

Currently, the Service does not send marketing communications or promotional emails. Any communications you receive from us will be service-related (e.g., Terms of Service updates, security alerts).

We do not currently offer email or push notifications for app features, but if we add these features in the future, we will provide options to manage your communication preferences.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law. Notifications will be sent via email to the address associated with your account or through in-app notifications.

Aggregated and De-Identified Data

We may create aggregated or de-identified data from your information that cannot reasonably be used to identify you. We may use and share this aggregated data for any purpose, including analytics, research, and service improvement, without restriction.

Compliance and Certifications

We are committed to complying with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR) for EEA users
  • California Consumer Privacy Act (CCPA) for California residents
  • Other applicable U.S. state and federal privacy laws

We work with third-party service providers who maintain their own compliance certifications and privacy frameworks.

By using SpiceRack, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.