Privacy Policy
Last updated: 19 May 2026
1. Controller & Contact
The data controller is Casper, registered at Denmark. You can reach us at admin@recipelize.com.
Where we are required to appoint a Data Protection Officer, you can contact them at admin@recipelize.com.
2. Personal Data We Process
- Account data: email address, username, password (hashed), display name.
- Profile data: avatar, bio, optional public links.
- Content data: recipes, comments, ratings, favourites and uploaded images.
- Authentication data: session tokens, two-factor recovery codes (hashed), OAuth identifiers when you sign in with Google.
- Technical/usage data: IP address, device and browser metadata, language, approximate location derived from IP, log files, security events.
- Cookies & similar technologies: see our Cookie Policy.
- Communications: emails you send us, support tickets.
3. Purposes & Legal Bases (Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Provide the Service, host your account and User Content | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection, moderation under the Digital Services Act | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Email verification, password reset, transactional notifications | Contract (Art. 6(1)(b)) |
| Service improvement and aggregate analytics | Legitimate interest (Art. 6(1)(f)) — with consent where required by ePrivacy |
| Advertising and personalisation | Consent (Art. 6(1)(a)) |
| Marketing emails about Recipelize | Consent (Art. 6(1)(a)), withdrawable at any time |
| Compliance with tax, accounting, and legal requests | Legal obligation (Art. 6(1)(c)) |
4. Recipients & Processors
We share personal data only with processors acting on our instructions or where required by law:
- Hosting & database: Supabase (operated using infrastructure provided by Supabase Inc. and underlying cloud providers).
- Authentication: Google LLC when you choose to sign in with Google.
- Email delivery: noreply@recipelize.com.
- Advertising networks: Google, only after consent.
- Authorities: where compelled by valid legal process.
5. International Transfers
Some processors may host data outside the European Economic Area. In such cases we rely on adequacy decisions of the European Commission or on the EU Standard Contractual Clauses (2021/914) together with additional safeguards where required following the Schrems II ruling.
6. Retention
- Account data: while your account exists, plus up to 30 days after deletion to complete back-up rotation.
- User Content: until you delete it; aggregated copies (e.g. counts of ratings) may persist after deletion.
- Security logs: up to 12 months.
- Records required for tax/accounting: up to 10 years where required by law.
- Moderation decisions and DSA records: as required by Regulation (EU) 2022/2065.
7. Your Rights (Arts. 15–22 GDPR)
You have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate data;
- erase your data (“right to be forgotten”) within the limits of the law;
- restrict processing in certain cases;
- object to processing based on legitimate interests, including profiling;
- data portability for data you provided to us;
- withdraw consent at any time, without affecting the lawfulness of prior processing;
- lodge a complaint with your national supervisory authority — for example, in the Netherlands, the Autoriteit Persoonsgegevens; the list is at edpb.europa.eu.
To exercise these rights, email admin@recipelize.com. We respond within one month (extendable by two further months in complex cases).
8. Automated Decision-Making
We do not subject users to decisions based solely on automated processing that produce legal or similarly significant effects, within the meaning of Art. 22 GDPR. Automated tools may flag potentially abusive content for human review.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent in line with Art. 8 GDPR and applicable national age thresholds.
10. Security
We apply appropriate technical and organisational measures, including encryption in transit, hashed passwords, role-based access, audit logging and regular back-ups, to protect personal data against unauthorised access, alteration, disclosure or destruction.
11. Cookies & Similar Technologies
See our separate Cookie Policy.
12. Changes
We may update this Policy. Material changes will be communicated by email or in-product notice at least 30 days before they take effect.
13. Contact
Questions, requests, or complaints: admin@recipelize.com.