Skip to content
Back to Suppa

Legal

Privacy Policy

Privacy Policy

Last updated: May 1, 2026

Suppa ("we," "us," or "our") operates the Suppa mobile application and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information. When you create an account, we collect your email address and password (stored as a salted hash). If you sign in via Google or Apple, we receive your name and email from that provider.
  • Profile Information. Your display name, if you choose to provide one.
  • Dietary Preferences. Allergies, dietary restrictions, disliked ingredients, excluded ingredients, favorite cuisines, skill level, spice tolerance, default servings, and maximum cook time.
  • Recipes and Meal Plans. Recipes you create, import, save, or add to your meal plan, including ingredients, steps, equipment, and images.
  • Grocery Lists. Items derived from your meal plan and any custom items you add, including check-off state.
  • Cooking Sessions. Session progress, step completion, timer usage, ingredient substitutions, and optional conversation logs from voice-assisted cooking.
  • Feedback and Ratings. Recipe ratings, tags, and free-text comments you submit.
  • Memory and Preferences. Notes and preferences you ask the AI assistant to remember on your behalf, stored as user-controlled text.
  • Assistant Conversations. Messages you exchange with the AI planning assistant, including tool-use interactions.
  • Shared Plans. When you create or join a shared household plan, we store plan membership, shared meal plan items, and shared grocery lists.

1.2 Information Collected Automatically

  • Device, Usage, and AI Trace Data. Device type (phone or tablet), operating system version, app version, product analytics events (PostHog), LLM analytics traces (PostHog), and crash/error diagnostics (Sentry). Product analytics events measure feature usage, activation, conversion, and reliability. LLM analytics traces help us debug and improve AI features and may include the prompts, assistant conversation context, tool-use interactions, model responses, token counts, latency, costs, and error details sent or returned during AI requests.
  • Network Information. We detect online/offline status locally on your device to enable offline queueing. We do not log your IP address for analytics, though our hosting provider (Vercel, Supabase) may log IP addresses in standard server access logs for security purposes.
  • Approximate Location (Weather Context). When you interact with the AI assistant, we derive your approximate location from your IP address (provided by our hosting provider) to fetch local weather and seasonal context for meal suggestions (for example, "it's a cold and rainy day — lean toward warming meals"). The latitude and longitude we store are rounded to one decimal place (roughly 11 km of resolution — neighborhood- or city-level, not address-level) and cached once per day per user. We do not access your device's GPS or precise location.
  • Authentication Tokens. We issue JWTs and refresh tokens to maintain your session. These are stored on your device and rotated automatically.

1.3 Information We Do NOT Collect

  • We do not collect precise geolocation data (we do not access your device's GPS). See Section 1.2 for the approximate, IP-derived location we use to fetch weather context.
  • We do not access your contacts or precise calendar data. We access your camera, photo library, or reminders only when you choose an import/export action that needs that permission.
  • We do not use advertising identifiers or run targeted ads.
  • We do not sell your personal information.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service. Generate meal plans, recipes, grocery lists, and cooking guidance tailored to your preferences.
  • Power AI Features. Your dietary preferences, memory notes, past feedback, and conversation history are sent to third-party AI providers (Anthropic Claude, Google Gemini, and OpenAI where applicable) to generate personalized recommendations, parse recipes, provide cooking assistance, and generate supporting recipe assets. We send only the minimum context needed for each request.
  • Provide Local Weather Context. Once per day per user, we send your approximate (IP-derived, rounded) coordinates to Open-Meteo to fetch a local weather forecast. The resulting summary (for example, "cool and rainy, mid-spring") is included as context for the AI assistant so its meal suggestions can reflect the season and weather. No identifying information is sent to Open-Meteo.
  • Enable Voice Cooking. If you use voice-assisted Cook Mode, audio is processed via Google Gemini Live. Audio is streamed in real time and is not stored by us after the session ends.
  • Enable Collaboration. Shared plan features let household members share meal plans and grocery lists.
  • Improve the Service. Aggregated usage patterns and diagnostic data help us fix bugs, understand beta activation/conversion, measure reliability, and prioritize features.
  • Communicate with You. Send password reset emails and essential service notifications. We do not send marketing emails without your opt-in consent.
  • Maintain Security. Rate limiting, account lockout, and SSRF prevention protect your account and our infrastructure.

3. Third-Party Services

We use the following third-party services that may process your data:

| Service | Purpose | Data Shared | |---------|---------|-------------| | Supabase | Database hosting (PostgreSQL) | All stored user data (encrypted at rest) | | Vercel | Application hosting | Server requests, IP addresses in access logs | | Anthropic (Claude) | AI meal planning and recipe generation | Preferences, conversation messages, memory notes | | Google (Gemini) | AI recipe import, planning features, and voice-assisted cooking | Preferences, conversation context, recipe import content, audio streams during active voice sessions | | OpenAI | Recipe image generation and semantic embeddings | Recipe prompts, generated image prompts, and text used for search/recommendation embeddings | | PostHog | Product and LLM analytics | App/device metadata, interaction events, AI request metadata, prompts, assistant conversation context, tool-use interactions, model responses, token counts, latency, costs, and error details | | Sentry | Error tracking | Anonymized crash reports, device metadata | | Brave Search | Recipe web search | Search queries (e.g., "Thai curry recipe") | | Open-Meteo | Local weather forecast for assistant context | Approximate coordinates (rounded to ~11 km) and timezone — no account identifier | | RevenueCat | Subscription management | Purchase status, product IDs, transaction identifiers | | Email Provider | Password reset emails | Email address | | Google Sign-In / Apple Sign-In | Authentication | Email, name (as authorized by you) |

Each third-party service is governed by its own privacy policy. We encourage you to review them.

4. Data Retention

  • Account Data. Retained while your account is active. When you delete your account, your data is soft-deleted immediately and permanently purged by an automated cleanup process.
  • Cooking Sessions. Stale sessions (inactive for an extended period) are cleaned up automatically via scheduled maintenance.
  • Conversations. Assistant conversation history is retained until you delete a conversation or your account.
  • Authentication Tokens. Refresh tokens expire automatically and are cleaned up on a rolling basis.
  • Rate Limiting Records. Expire automatically after their time window closes.

5. Data Export and Deletion

  • Export. You can export a copy of your personal data at any time through the app's Settings screen or via the /api/profile/export endpoint.
  • Deletion. You can delete your account through the app. Account deletion removes your profile, preferences, recipes, meal plans, grocery lists, cooking sessions, feedback, memory, and conversation history. Deletion cascades to all related data.
  • Shared Plans. If you are the owner of a shared plan, deleting your account will delete the shared plan and its associated data for all members. Members should be notified before you delete your account.

6. Data Security

We implement reasonable technical and organizational measures to protect your data:

  • Passwords are hashed using industry-standard algorithms (bcrypt).
  • Authentication uses JWT with token rotation and refresh token families for revocation detection.
  • API routes enforce authentication checks before processing requests.
  • Rate limiting and account lockout protect against brute-force attacks.
  • SSRF prevention guards against server-side request forgery on URL imports.
  • Input sanitization prevents XSS and injection attacks.
  • Database connections use encrypted channels (TLS).

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your personal data (see Section 5).
  • Export your data in a portable format (see Section 5).
  • Object to or restrict certain processing of your data.
  • Withdraw consent where processing is based on consent.

To exercise these rights, contact us at the address below.

8.1 California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information. We do not sell personal information.

8.2 European Residents (GDPR)

If you are in the EEA/UK, our legal bases for processing are: (a) performance of our contract with you (providing the Service), (b) legitimate interests (security, improvement), and (c) your consent (where applicable). You may lodge a complaint with your local data protection authority.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy in the app and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance.

10. Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: privacy@suppa.cooking