Privacy Policy

Last updated: 2026-05-08

The short version

We collect what we need to run the service: your email, your recipes, and minimal product analytics. We don't sell your data. You can export or delete everything any time.

What we collect

  • Account info (via Clerk): email address, display name, sign-in metadata. We use Clerk as our auth provider; their data handling is governed by Clerk's privacy policy.
  • Content you create: recipes, ingredients, instructions, notes, photos, tags, and any chat-source URLs you provide. Stored in our database (Neon Postgres) and, for photos, in Vercel Blob storage.
  • OAuth grants: when you connect an AI client (Claude, ChatGPT, etc.), we store metadata about the grant (which client, when, last used).
  • Product analytics: event data linked to your account (pageviews, key actions like "saved a recipe", filter usage) via PostHog. Used to understand how the product is working; not sold.
  • Server logs: standard request logs (IP, URL, response status, timestamp) retained for ~30 days for debugging and abuse prevention.

How we use it

  • To provide the service (show your recipes, connect your AI).
  • To send transactional email (verification, password reset, account-related notifications). We use Clerk's email infra for this.
  • To improve the product (which features are used, where users drop off in onboarding).
  • To prevent abuse and respond to support requests.

Who we share it with

We share data only with the service providers we use to operate:

  • Vercel (hosting + Blob storage for photos)
  • Neon (Postgres database)
  • Clerk (authentication + transactional email)
  • PostHog (product analytics)

Each handles data under its own published privacy policy and security practices. We do not sell your data, and we don't share it with advertising or marketing networks.

Your content and AI clients

When you connect an AI client (e.g. Claude), that client gets an OAuth token scoped to your recipe library. Through that token it can read, save, edit, and (depending on the tool) delete recipes on your behalf. The AI provider you're using (Anthropic, OpenAI, etc.) operates under its own privacy policy. You can revoke any connection at any time at /connect.

Cookies

We use cookies for sign-in (set by Clerk), to remember your theme preference, and for product analytics (set by PostHog). We don't use third-party advertising cookies.

Your rights (CCPA / GDPR)

Regardless of where you live, you have the following rights:

  • Access / portability: request a copy of all your data via the export endpoint at /account.
  • Deletion: delete your account at /account. This permanently removes your recipes, photos, and account record within 30 days.
  • Correction: you can edit any of your content directly in the app.
  • Opt-out of analytics: email us at support@cookingrebel.com and we'll exclude your account from analytics.
  • Non-discrimination: exercising any of these rights doesn't affect the service you receive.

We don't sell personal information, so the CCPA "right to opt out of sale" doesn't apply.

Data retention

We keep your account data and content while your account is active. After you delete your account, we remove personal data within 30 days, except where retention is required by law (e.g. accounting records, abuse-investigation evidence).

Children

Cooking Rebel isn't directed at children under 13 and we don't knowingly collect their data. If you believe a child has signed up, contact us and we'll delete the account.

Security

We use industry-standard encryption in transit (HTTPS) and at rest (provider-managed). Auth tokens are signed with the private key of a keypair and verified per-request. We don't claim to be unbreakable, but we take reasonable measures and respond promptly to any incident.

Changes

Material changes to this policy will be announced by email or in-product notice at least 14 days before they take effect.

Contact

Privacy questions or rights requests: support@cookingrebel.com.