Privacy Policy
Last updated: February 27, 2026 · Version 1.1
Pluck ("we", "us", "our") operates the Pluck mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our App.
We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
Hjers Consulting AB
Email: privacy@pluckrecipes.com
For the purposes of GDPR, Hjers Consulting AB is a small-scale data controller and is not required to appoint a Data Protection Officer (DPO). You may direct all privacy inquiries to the email address above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Authentication data - email address, display name, and avatar URL provided by your Google or Apple account when you sign in
- Age declaration - your confirmation that you are at least 16 years old
2.2 Recipe Data
- Recipes - titles, descriptions, ingredients, instructions, cook times, servings, cuisine, and tags
- Source URLs - links you provide for recipe extraction
- Recipe images - photos you upload or that are extracted from source pages
2.3 AI Conversation Data
- Chat messages - messages you send to the AI cooking assistant and the AI responses
2.4 Subscription Data
- Subscription status - your current subscription tier (Free, Plus, or Pro), subscription platform (Apple or Google), and expiry date
- Transaction identifiers - app store transaction IDs used to verify your purchase. We do not store payment card details, billing addresses, or other financial information - all payment processing is handled by Apple App Store or Google Play Store.
2.5 Consent Records
- Consent preferences - your choices regarding analytics and error tracking
- Consent audit log - timestamps and details of consent changes (retained for compliance)
2.6 Optional Data (Only With Your Consent)
- Usage analytics - anonymous app usage patterns (via PostHog), collected only if you opt in
- Error reports - crash reports and device information (via Sentry), collected only if you opt in
3. Purpose and Legal Basis for Processing
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the recipe extraction service | Account, recipes, images, source URLs | Contract performance |
| AI cooking assistant | Chat messages, recipe context | Contract performance |
| User authentication | Email, OAuth tokens | Contract performance |
| Subscription management | Subscription status, transaction IDs | Contract performance |
| Analytics | Anonymous usage data | Consent |
| Error tracking and bug fixing | Crash reports, device info | Consent |
| Compliance with legal obligations | Consent records, audit logs | Legal obligation |
4. AI Data Processing
To provide recipe extraction and the AI cooking assistant, we send data to third-party AI providers. We take the following precautions:
- Only the minimum necessary data is sent to AI providers - recipe text, image content, or chat messages needed for the specific task
- We never send your email address, user ID, authentication tokens, or other personal identifiers to AI providers
- AI providers are prohibited from using your data to train their models under their API terms of service
4.1 AI Providers
- Anthropic (Claude) - primary provider for recipe extraction and complex cooking questions. Data processing under Anthropic's API terms (no training on API data by default).
- OpenAI (Whisper, GPT-4o mini, GPT-4.1 nano) - used for audio transcription from recipe videos (Whisper) and simpler cooking questions. No user identifiers are included in API requests. We have opted out of training data usage via API settings.
- Google (Gemini) - tertiary fallback provider. Uses Gemini API with zero-training data processing terms.
All AI providers are based in the United States. Data transfers are covered by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) as required by GDPR.
5. Third-Party Processors
We use the following sub-processors to operate the App:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, backend functions | EU (Frankfurt) |
| Anthropic | AI recipe extraction and cooking assistant | United States |
| OpenAI | AI cooking assistant (simple queries) | United States |
| Google (Gemini) | AI fallback provider | United States |
| PostHog | Usage analytics (only with your consent) | EU |
| Sentry | Error tracking (only with your consent) | EU |
| RevenueCat | Subscription management and purchase verification | United States |
| Google Cloud Platform | Video processing for recipe extraction (Cloud Run) | EU |
| Expo | Mobile app build and update delivery | United States |
6. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Profile data | Until account deletion | User deletes account |
| Recipes and images | Until deletion | User deletes recipe or account |
| AI conversations | Until deletion | User deletes conversation or account |
| Subscription data | Until account deletion | User deletes account |
| Consent records | 3 years after withdrawal | Automatic (compliance requirement) |
| Analytics data | 12 months | Automatic (PostHog retention) |
| Error reports | 90 days | Automatic (Sentry retention) |
| Auth sessions | 30 days | Automatic (token expiry) |
When you delete your account, all personal data is removed within 72 hours. Consent audit logs are retained with your user ID removed (set to null) for compliance purposes.
7. Your Rights
Under GDPR and applicable data protection laws, you have the following rights:
7.1 Right to Access (Art. 15)
You can view all personal data we hold about you in the App under Settings > Privacy > View My Data. This includes your profile information, recipe count, conversation count, consent choices, and account creation date.
7.2 Right to Rectification (Art. 16)
You can edit your profile data (display name, avatar) and your recipes at any time within the App.
7.3 Right to Erasure (Art. 17)
You can delete your account and all associated data from Settings > Privacy > Delete My Account. Deletion is processed within 72 hours and removes all personal data from our systems, including data held by PostHog and Sentry. You can also delete individual recipes and conversations at any time.
7.4 Right to Data Portability (Art. 20)
You can export all your data in JSON format from Settings > Privacy > Export My Data. The export includes your profile, all recipes (with ingredients, instructions, and tags), all AI conversations, and consent records.
7.5 Right to Restriction of Processing (Art. 18)
You can request restriction of processing by contacting us at privacy@pluckrecipes.com. When restricted, we will retain your data but stop all processing (no AI calls, no analytics).
7.6 Right to Object (Art. 21)
You can object to analytics and error tracking processing by toggling these off in Settings > Privacy. Core service processing cannot be objected to without deleting your account, as it is necessary for contract performance.
7.7 How to Exercise Your Rights
Most rights can be exercised directly in the App under Settings > Privacy. For requests that cannot be handled in-app, contact us at privacy@pluckrecipes.com. We will respond to all requests within 30 days.
8. International Data Transfers
Your primary data is stored in the EU (Supabase, Frankfurt region). Video processing runs on Google Cloud Platform in the EU. When we transfer data to processors in the United States (Anthropic, OpenAI, Google AI, RevenueCat, Expo), these transfers are protected by:
- The EU-US Data Privacy Framework, where applicable, for providers who are certified participants
- Standard Contractual Clauses (SCCs) as included in each provider's Data Processing Agreement
- Each provider's API terms of service, which include data processing provisions and prohibit training on API data
- Data minimization - only the minimum necessary data is transferred, and no personal identifiers are sent to AI providers
9. Data Security
We implement the following security measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted in our database
- AI provider API keys are stored securely on the server and never exposed to the client app
- Rate limiting is implemented to prevent abuse
- Row-level security ensures you can only access your own data
- Access to personal data is logged for audit purposes
10. Tracking and Analytics
We do not use cookies. The App may use PostHog for usage analytics and Sentry for error tracking, but only if you explicitly opt in during the consent flow or in Settings > Privacy. These services are not initialized until you grant consent. Withdrawing consent immediately stops data collection.
11. CCPA/CPRA Notice (California Residents)
If you are a California resident, you have additional rights under the CCPA/CPRA:
Categories of Personal Information Collected
- Identifiers - email address, display name
- Internet activity - app usage data (only with consent)
- User-generated content - recipes, chat messages, images
Sources of Personal Information
- Directly from you (account creation, recipe input, chat messages)
- From third-party authentication providers (Google, Apple)
- Automatically from your device (error reports, only with consent)
Sale of Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
Non-Discrimination
We will not discriminate against you for exercising your privacy rights. You will receive the same quality of service regardless of your consent choices.
12. Age Restrictions
Pluck is not intended for users under 16 years of age. We require all users to confirm they are at least 16 years old during the sign-up process. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will delete their account and all associated data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes to how we process your data, we will notify you through the App and ask you to review and accept the updated policy. Non-material changes (such as clarifications) will be posted here with an updated date.
14. Supervisory Authority
If you are in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully. As a Swedish company, our lead supervisory authority is:
Integritetsskyddsmyndigheten (IMY)
www.imy.se
Email: imy@imy.se
15. Contact Us
For any questions about this Privacy Policy or to exercise your rights, contact us at:
privacy@pluckrecipes.com