Privacy Policy

1. Introduction

ChompPrompt (“we,” “our,” or “us”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the “Service”).

This policy complies with the California Consumer Privacy Act (CCPA), Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Apple App Store Guidelines, and ISO/IEC 27701 privacy information management standards.

Geographic Availability: The Service is currently available only in the United States and Canada.

Effective Date: May 4, 2026

2. Data Controller

ChompPrompt is a product of CarbonHands LLC, which operates as the data controller for personal information collected through our Service.

3. Information We Collect

3.1 Information You Provide

• Account Information: When you sign in with Apple, we receive your Apple ID, email address (if shared), and display name.
• Recipe Data: Recipes you create, save, import from URLs, or generate using AI, including titles, ingredients, instructions, and images.
• User Content: Text prompts you submit for AI recipe generation and personalization.
• Shared Content: Recipes you choose to share publicly via share links, and content shared within households.
• Grocery Data: Shopping lists and grocery-related information you provide.
• Meal Planning Data: Dietary preferences, meal intent, cooking goals, health goals, and scheduling preferences you provide.
• Household and Social Data: Household membership, invite codes, profile information, and social interactions such as follows, cookbooks, and challenge participation.

3.2 Automatically Collected Information

• Device Information: Device type, operating system version, unique device identifiers, and app version.
• Behavioral and Usage Data: Information about how you use the Service, including but not limited to features accessed, actions taken, content viewed, recipe interactions, session patterns, and usage patterns. This data may be linked to your user account.
• Taste Profiles: We automatically build personalized taste profiles from your behavior, including preferences for cuisines, proteins, cooking techniques, cook times, avoided ingredients, and other patterns. These profiles are used to personalize your experience.
• Location Data: With your permission, we collect your geographic coordinates to provide weather-based meal suggestions and to locate nearby grocery stores for delivery services.
• Calendar Data: With your permission, we access your device calendar to support meal planning and scheduling features.
• Push Notification Tokens: We collect device push notification tokens to send you notifications.
• Diagnostic Data: Error reports, crash logs, performance data, and technical information that may include account identifiers and device information for debugging and service improvement.

We may collect additional categories of information not specifically listed above as needed to operate and improve the Service. This Privacy Policy provides representative examples of data collection but is not exhaustive.

3.3 Information from Third Parties

• Apple Sign-In: Authentication data provided by Apple when you sign in.
• Recipe Sources: When you import recipes from URLs, we extract publicly available recipe data from those websites.
• Weather Data: We receive weather information based on your location from third-party weather services to inform meal suggestions.

4. How We Use Your Information

We process your information based on legitimate interests, contractual necessity, and your consent. We use your data for purposes including, but not limited to:

• Provide, maintain, and improve the Service
• Authenticate your identity and manage your account
• Store and sync your recipes across devices
• Generate AI-powered recipes, meal plans, and food images based on your prompts
• Log and retain information about your AI interactions for service improvement and quality assurance
• Build and maintain personalized taste profiles to improve recipe recommendations
• Provide proactive meal planning and auto-scheduling based on your preferences and context
• Deliver weather-informed meal suggestions based on your location
• Cache extracted recipe data to improve performance
• Facilitate grocery delivery through integrated third-party services
• Enable recipe sharing, household collaboration, and social features
• Generate aggregate and trending content based on usage patterns
• Send push notifications
• Manage subscriptions and enforce usage limits
• Analyze product usage patterns to improve features and user experience
• Monitor errors, crashes, and performance to ensure service reliability
• Internal administration and customer support
• Respond to your inquiries and support requests
• Detect, prevent, and address technical issues and abuse
• Comply with legal obligations

We may use your information for purposes not specifically listed above that are consistent with the context in which it was collected or as otherwise disclosed to you.

5. AI Processing and Third-Party Services

5.1 AI Service Providers

We use third-party AI services, including OpenAI's API services, for text generation, image generation, and content processing. The specific AI models, providers, and capabilities used may change at any time as technology evolves.

Data processed through AI services may include:

• Text prompts for recipe generation and personalization
• Recipe metadata for food image generation
• Web page content from URLs you submit for recipe extraction (our servers fetch and process content from those websites on your behalf)
• Grocery text for item categorization
• Taste profiles (including cuisine preferences, protein preferences, cooking time preferences, and ingredient avoidances) and meal context for personalized suggestions

Prompt Logging: We may log and retain information about your interactions with AI features, including prompts, requests, and generated outputs, for service improvement, abuse prevention, and quality assurance purposes.

Caching: To improve service performance and reduce costs, we may cache recipe data extracted from URLs. Your personal saved recipes are stored separately and are not affected by this caching.

The specific data processed through AI services depends on the features you use and may change as we enhance the Service. OpenAI and other AI providers process data according to their respective privacy policies and data usage terms.

5.2 Supabase (Infrastructure Provider)

We use Supabase for authentication, database, and file storage services. Supabase processes your data in accordance with their Privacy Policy and maintains SOC 2 Type II compliance.

5.3 Amplitude (Product Analytics)

We use Amplitude to analyze how users interact with the Service. Amplitude receives user-identified behavioral events (such as recipe views, feature usage, and session data) linked to your user ID. IP address tracking is disabled. Amplitude processes data in accordance with their privacy policy.

5.4 Sentry (Error Monitoring)

We use Sentry for crash reporting and error monitoring. Sentry may receive your user ID, email address, device information, and error stack traces to help us diagnose and fix issues.

5.5 Spoonacular API

For recipe search and discovery features, we use the Spoonacular API. Recipe data from Spoonacular is cached to improve performance. Your personal data is not shared with Spoonacular.

5.6 Instacart (Grocery Delivery)

When you use grocery delivery features, we share shopping list items, store preferences, and your approximate location with Instacart to facilitate product search and delivery. Your use of Instacart services is subject to Instacart's own terms and privacy policy.

5.7 Open-Meteo (Weather)

We send your approximate geographic coordinates to the Open-Meteo weather API to provide weather-informed meal suggestions. Open-Meteo is a free, open-source weather API that does not require authentication or track users.

5.8 Expo Push Notification Service

We use Expo's push notification service to deliver notifications to your device. Your device push token and notification content are transmitted through Expo's servers.

6. Data Storage and Security

6.1 Storage Location

Your data is stored on secure servers provided by our infrastructure providers, located in the United States. Data transfers comply with applicable data protection laws.

6.2 Security Measures

We implement industry-standard security measures aligned with ISO 27001 principles:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Secure authentication via Apple Sign-In with OAuth 2.0
• Row-Level Security (RLS) ensuring users can only access their own data
• Regular security audits and vulnerability assessments
• API keys and secrets stored securely, never exposed to clients
• Secure session management with token refresh mechanisms

6.3 Data Retention

Data retention periods vary based on data type, legal requirements, and operational needs. The following provides general guidance, but actual retention may differ. We reserve the right to retain data longer when required by law, for legitimate business purposes, or to protect our rights. We may also retain anonymized or aggregated data indefinitely.

• Account Data: Retained while your account is active; deleted within a reasonable period after account deletion.
• Recipe Data: Retained until you delete individual recipes or your account.
• Shared Recipes: Public share links remain accessible unless you delete the shared recipe.
• AI Generation and Prompt Data: Processing logs, prompts, and metadata retained as needed for service operation, quality assurance, and improvement; subject to periodic cleanup and deleted upon account deletion.
• Behavioral Data and Taste Profiles: Retained while your account is active to personalize your experience; subject to our standard data retention practices.
• Cached Data: Recipe extractions and other cached content retained for a period of time to improve performance; refreshed periodically.
• Household and Social Data: Your membership and social data are deleted upon account deletion. Shared household content may persist for other household members.
• Diagnostic and Error Logs: Technical error data retained for debugging and service improvement purposes; subject to periodic cleanup.
• Third-Party Analytics: Usage data shared with analytics providers is subject to their retention policies. While we make reasonable efforts to honor deletion requests, we cannot guarantee complete removal of data from third-party systems.

7. Your Privacy Rights

Depending on your location within the United States or Canada, you have the following rights under CCPA, PIPEDA, and other applicable laws:

7.1 Rights Under CCPA (California Residents)

• Right to Know: Request disclosure of data collected, used, and shared.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: Opt out of sale of personal information (we do not sell your data).
• Right to Non-Discrimination: Equal service regardless of privacy choices.

7.2 Rights Under PIPEDA (Canadian Residents)

• Right of Access: Request access to your personal information.
• Right to Correction: Request correction of inaccurate information.
• Right to Withdraw Consent: Withdraw consent subject to legal restrictions.
• Right to Complain: File a complaint with the Privacy Commissioner of Canada.

7.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@chompprompt.com. We will respond within the timeframe required by applicable law. You may also delete your account directly within the app, which will initiate deletion of associated data in accordance with our retention practices.

8. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

• Service Providers: With trusted third parties who assist in operating our Service (including Supabase, OpenAI, Amplitude, Sentry, Instacart, and Expo), bound by confidentiality agreements and data processing terms.
• Public Sharing: When you choose to share a recipe publicly, the recipe content becomes accessible via the share link.
• Household Members: When you join a household, certain recipe and meal planning data may be visible to other household members.
• Legal Requirements: When required by law, subpoena, or to protect our rights and safety.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

9. Children's Privacy

Our Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately at privacy@chompprompt.com, and we will delete it promptly.

10. Cookies and Tracking Technologies

Our mobile app does not use cookies. Our website may use essential cookies for authentication and session management. We do not use third-party advertising or cross-site tracking cookies.

App Tracking Transparency:We comply with Apple's App Tracking Transparency framework. We do not track you across other companies' apps or websites.

11. Data Storage and Transfers

Your data is stored and processed in the United States. For Canadian users, by using our Service, you consent to the transfer of your data to and processing in the United States in accordance with this Privacy Policy and applicable law.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes through the app, email, or by posting a prominent notice on our website. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us at:

• Email: privacy@chompprompt.com
• Website: https://chompprompt.com/privacy

Canadian residents may also lodge a complaint with the Office of the Privacy Commissioner of Canada.