Privacy Policy

Last updated: June 2026

1. What data we collect

When you register, we collect your name, email address, and password (stored as a secure bcrypt hash — we never store your plain-text password). You may optionally provide a profile photo URL, location, bio, and links.

If you register or sign in with Google, we receive your name, email, and profile picture from Google.

If you use a BYOK (Bring Your Own Key) subscription and save an AI API key, it is stored encrypted with AES-256-GCM — it is never stored or transmitted in plain text.

Recipes you create or save, comments, and likes are stored to provide the service.

We set a session cookie (cookbook_session) to keep you logged in for up to 7 days.

2. How we use your data

Your data is used solely to provide the Cookbook Social recipe-sharing service: to authenticate you, display your profile, store your recipes, and enable social features (likes, comments, follows).

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Third-party services

Google OAuth (optional): if you choose to sign in with Google, your authentication is handled by Google. Google's privacy policy applies to that interaction.

AI providers: we use Google Gemini and OpenAI to power AI features. With your own key (BYOK), your key is sent to the provider only when you request an AI recipe import or translation. On server-paid plans, recipe imports and translations use our server-side keys.

Smart (semantic) search: recipe text — titles, descriptions, ingredients, and steps, including private recipes you create — is sent to Google Gemini (or OpenAI as a fallback) to generate search embeddings. When you use smart search, your search query is also sent to Google Gemini to compute an embedding used only to rank results; queries are processed transiently and never used for advertising. These providers process data under their own privacy policies.

YouTube imports: when you submit a YouTube URL, we may send the video ID or URL to YouTube API Services to retrieve public metadata such as title, description, channel, thumbnail, and duration. The Google Privacy Policy (https://policies.google.com/privacy) and the YouTube Terms of Service (https://www.youtube.com/t/terms) apply to YouTube API Services.

Payment providers: subscription payments are processed by our web payment provider and Google Play, which receive the information needed to process your payment. We do not store full card details.

4. Data security

Passwords are hashed with bcrypt (12 rounds) and never stored in plain text.

AI API keys are encrypted at rest with AES-256-GCM using a server-side secret.

Data is stored in a PostgreSQL database on Railway infrastructure.

5. Your rights

You can edit or delete your profile and all your recipes at any time from your Profile → Settings page.

Deleting your account schedules removal after a 14-day restoration window. During that period the account is inactive and can be restored by signing in again.

After the window expires, your profile, recipes, likes, comments, follows, credentials, jobs, and other account-linked data are removed. Recipe copies already saved by other users remain in their accounts, but the link back to your deleted account is removed.

6. Contextual advertising

CookbookSocial may show internal sponsored placements based only on the current app context, such as the page, recipe category, interface language, and ad placement.

We do not use cross-site tracking, behavioral advertising profiles, third-party ad networks, or ad-specific cookies/local storage identifiers for this. Ad events are recorded as operational metrics, such as creative ID, surface, event type, and revenue fields, to measure impressions, clicks, hides, and reports. These ad metrics do not include recipe text, search queries, payment data, or the content of your private recipes.

7. Contact

For any privacy-related questions, contact us at: support@cookbooksocial.app