Back to Suppa

Legal

Privacy Policy

Privacy Policy

**Last updated: March 10, 2026**

Suppa ("we," "us," or "our") operates the Suppa mobile application and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide

  • **Account Information.** When you create an account, we collect your email address and password (stored as a salted hash). If you sign in via Google or Apple, we receive your name and email from that provider.
  • **Profile Information.** Your display name, if you choose to provide one.
  • **Dietary Preferences.** Allergies, dietary restrictions, disliked ingredients, excluded ingredients, favorite cuisines, skill level, spice tolerance, default servings, and maximum cook time.
  • **Recipes and Meal Plans.** Recipes you create, import, save, or add to your queue, including ingredients, steps, equipment, and images.
  • **Grocery Lists.** Items derived from your queue and any custom items you add, including check-off state.
  • **Cooking Sessions.** Session progress, step completion, timer usage, ingredient substitutions, and optional conversation logs from voice-assisted cooking.
  • **Feedback and Ratings.** Recipe ratings, tags, and free-text comments you submit.
  • **Memory and Preferences.** Notes and preferences you ask the AI assistant to remember on your behalf, stored as user-controlled text.
  • **Assistant Conversations.** Messages you exchange with the AI planning assistant, including tool-use interactions.
  • **Shared Plans.** When you create or join a shared household plan, we store plan membership, shared queue items, and shared grocery lists.

1.2 Information Collected Automatically

  • **Device and Usage Data.** Device type (phone or tablet), operating system version, app version, and anonymized interaction events via error-tracking tools (Sentry).
  • **Network Information.** We detect online/offline status locally on your device to enable offline queueing. We do not log your IP address for analytics, though our hosting provider (Vercel, Supabase) may log IP addresses in standard server access logs for security purposes.
  • **Authentication Tokens.** We issue JWTs and refresh tokens to maintain your session. These are stored on your device and rotated automatically.

1.3 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not access your contacts, photos, or calendar.
  • We do not use advertising identifiers or run targeted ads.
  • We do not sell your personal information.

2. How We Use Your Information

We use the information we collect to:

  • **Provide the Service.** Generate meal plans, recipes, grocery lists, and cooking guidance tailored to your preferences.
  • **Power AI Features.** Your dietary preferences, memory notes, past feedback, and conversation history are sent to third-party AI providers (Anthropic Claude, Google Gemini) to generate personalized recommendations and cooking assistance. We send only the minimum context needed for each request.
  • **Enable Voice Cooking.** If you use voice-assisted Cook Mode, audio is processed via the OpenAI Realtime API. Audio is streamed in real time and is not stored by us after the session ends.
  • **Enable Collaboration.** Shared plan features let household members share queues and grocery lists.
  • **Improve the Service.** Aggregated, de-identified usage patterns help us fix bugs and prioritize features.
  • **Communicate with You.** Send password reset emails and essential service notifications. We do not send marketing emails without your opt-in consent.
  • **Maintain Security.** Rate limiting, account lockout, and SSRF prevention protect your account and our infrastructure.

3. Third-Party Services

We use the following third-party services that may process your data:

ServicePurposeData Shared
**Supabase**Database hosting (PostgreSQL)All stored user data (encrypted at rest)
**Vercel**Application hostingServer requests, IP addresses in access logs
**Anthropic (Claude)**AI meal planning and recipe generationPreferences, conversation messages, memory notes
**Google (Gemini)**AI recipe and planning featuresPreferences, conversation context
**OpenAI (Realtime API)**Voice-assisted cookingAudio streams during active voice sessions
**Sentry**Error trackingAnonymized crash reports, device metadata
**Brave Search**Recipe web searchSearch queries (e.g., "Thai curry recipe")
**RevenueCat**Subscription managementPurchase status, product IDs, transaction identifiers
**Email Provider**Password reset emailsEmail address
**Google Sign-In / Apple Sign-In**AuthenticationEmail, name (as authorized by you)

Each third-party service is governed by its own privacy policy. We encourage you to review them.

4. Data Retention

  • **Account Data.** Retained while your account is active. When you delete your account, your data is soft-deleted immediately and permanently purged by an automated cleanup process.
  • **Cooking Sessions.** Stale sessions (inactive for an extended period) are cleaned up automatically via scheduled maintenance.
  • **Conversations.** Assistant conversation history is retained until you delete a conversation or your account.
  • **Authentication Tokens.** Refresh tokens expire automatically and are cleaned up on a rolling basis.
  • **Rate Limiting Records.** Expire automatically after their time window closes.

5. Data Export and Deletion

  • **Export.** You can export a copy of your personal data at any time through the app's Settings screen or via the `/api/profile/export` endpoint.
  • **Deletion.** You can delete your account through the app. Account deletion removes your profile, preferences, recipes, meal plans, grocery lists, cooking sessions, feedback, memory, and conversation history. Deletion cascades to all related data.
  • **Shared Plans.** If you are the owner of a shared plan, deleting your account will delete the shared plan and its associated data for all members. Members should be notified before you delete your account.

6. Data Security

We implement reasonable technical and organizational measures to protect your data:

  • Passwords are hashed using industry-standard algorithms (bcrypt).
  • Authentication uses JWT with token rotation and refresh token families for revocation detection.
  • API routes enforce authentication checks before processing requests.
  • Rate limiting and account lockout protect against brute-force attacks.
  • SSRF prevention guards against server-side request forgery on URL imports.
  • Input sanitization prevents XSS and injection attacks.
  • Database connections use encrypted channels (TLS).

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • **Access** the personal data we hold about you.
  • **Correct** inaccurate or incomplete data.
  • **Delete** your personal data (see Section 5).
  • **Export** your data in a portable format (see Section 5).
  • **Object** to or restrict certain processing of your data.
  • **Withdraw consent** where processing is based on consent.

To exercise these rights, contact us at the address below.

8.1 California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information. **We do not sell personal information.**

8.2 European Residents (GDPR)

If you are in the EEA/UK, our legal bases for processing are: (a) performance of our contract with you (providing the Service), (b) legitimate interests (security, improvement), and (c) your consent (where applicable). You may lodge a complaint with your local data protection authority.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy in the app and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance.

10. Contact Us

If you have questions about this Privacy Policy, please contact us at:

**Email:** privacy@suppa.cooking