Privacy Policy
Last updated: 20 May 2026
1. Controller & Contact
The data controller is Casper, registered at Denmark. You can reach us at admin@recipelize.com.
Where we are required to appoint a Data Protection Officer, you can contact them at admin@recipelize.com.
2. Personal Data We Process
- Account data: email address, username, password (hashed), display name.
- Profile data: avatar, bio, optional public links.
- Content data: recipes, comments, ratings, favourites and uploaded images.
- Authentication data: session tokens, two-factor recovery codes (hashed), OAuth identifiers when you sign in with Google.
- Technical/usage data: IP address, device and browser metadata, language, approximate location derived from IP, log files, security events.
- Cookies & similar technologies: see our Cookie Policy.
- Communications: emails you send us, support tickets.
3. Purposes & Legal Bases (Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Provide the Service, host your account and User Content | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection, moderation under the Digital Services Act | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Email verification, password reset, transactional notifications | Contract (Art. 6(1)(b)) |
| Service improvement and aggregate analytics | Legitimate interest (Art. 6(1)(f)) — with consent where required by ePrivacy. We use Google Analytics (anonymised IP). |
| Advertising and personalisation | Consent (Art. 6(1)(a)) |
| Marketing emails about Recipelize | Consent (Art. 6(1)(a)), withdrawable at any time |
| Compliance with tax, accounting, and legal requests | Legal obligation (Art. 6(1)(c)) |
4. Recipients & Processors
We share personal data only with processors acting on our instructions or where required by law:
- Hosting & database: Supabase (operated using infrastructure provided by Supabase Inc. and underlying cloud providers).
- Authentication: Google LLC when you choose to sign in with Google.
- Email delivery: noreply@recipelize.com.
- Analytics: Google LLC (Google Analytics) — collects anonymous, aggregated usage data. IP addresses are anonymised before storage.
- Advertising networks: Google, only after consent.
- Authorities: where compelled by valid legal process.
5. International Transfers
Some processors may host data outside the European Economic Area. In such cases we rely on adequacy decisions of the European Commission or on the EU Standard Contractual Clauses (2021/914) together with additional safeguards where required following the Schrems II ruling.
6. Retention
- Account data: while your account exists, plus up to 30 days after deletion to complete back-up rotation.
- User Content: until you delete it; aggregated copies (e.g. counts of ratings) may persist after deletion.
- Security logs: up to 12 months.
- Records required for tax/accounting: up to 10 years where required by law.
- Moderation decisions and DSA records: as required by Regulation (EU) 2022/2065.
7. Your Rights (Arts. 15–22 GDPR)
You have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate data;
- erase your data (“right to be forgotten”) within the limits of the law;
- restrict processing in certain cases;
- object to processing based on legitimate interests, including profiling;
- data portability for data you provided to us;
- withdraw consent at any time, without affecting the lawfulness of prior processing;
- lodge a complaint with your national supervisory authority — for example, in the Netherlands, the Autoriteit Persoonsgegevens; the list is at edpb.europa.eu.
To exercise these rights, email admin@recipelize.com. We respond within one month (extendable by two further months in complex cases).
7a. Self-Serve Data Export & Account Deletion
You can download a full copy of your data, or permanently delete your account and all associated content, directly from Dashboard → Settings → Your data & account. For your safety, deletion requires re-entering your current password and (if enabled) a two-factor authentication code. A single click is not enough — you must confirm your identity and type your username before the action proceeds. Deletion is immediate and irreversible. If you signed in only via a social provider, set a password first under Account, or email us at admin@recipelize.com and we will verify your identity manually.
7b. US State Privacy Rights
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or another US state with a comprehensive consumer privacy law, you have the following rights in addition to those above, subject to verification and legal exceptions:
- Right to know / access: request the categories and specific pieces of personal information we have collected, the sources, the business or commercial purpose, and the third parties we share it with.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to portability: receive a copy in a readily usable format.
- Right to opt out of sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share your personal information as those terms are defined under California law.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising these rights.
- Right to appeal a refusal of your request (VCDPA / CPA / CTDPA).
Categories of personal information collected in the last 12 months: identifiers (email, username, IP address), internet/network activity (log data), user-generated content (recipes, comments), and approximate geolocation (derived from IP). We collect these from you directly and automatically from your device when you use the Service. We do not knowingly collect "sensitive personal information" as defined by the CCPA.
How to exercise these rights: use the self-serve tools described in section 7a, or email admin@recipelize.com. We may need to verify your identity (typically via the email address on your account). An authorised agent may submit a request on your behalf with written permission. We will respond within the time required by your state's law (typically 45 days, extendable by 45 more).
Global Privacy Control (GPC): we honour the GPC browser signal as a valid opt-out of sale/sharing where applicable.
"Shine the Light" (California Civil Code §1798.83): we do not share personal information with third parties for their own direct marketing purposes.
Notice of Financial Incentive: we do not offer financial incentives in exchange for personal information.
Children: consistent with the US Children's Online Privacy Protection Act (COPPA), the Service is not directed at children under 13 and we do not knowingly collect their personal information. If you believe a child has provided us data, email admin@recipelize.com and we will delete it.
8. Automated Decision-Making
We do not subject users to decisions based solely on automated processing that produce legal or similarly significant effects, within the meaning of Art. 22 GDPR. Automated tools may flag potentially abusive content for human review.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent in line with Art. 8 GDPR and applicable national age thresholds.
10. Security
We apply appropriate technical and organisational measures, including encryption in transit, hashed passwords, role-based access, audit logging and regular back-ups, to protect personal data against unauthorised access, alteration, disclosure or destruction.
11. Cookies & Similar Technologies
See our separate Cookie Policy.
12. Changes
We may update this Policy. Material changes will be communicated by email or in-product notice at least 30 days before they take effect.
13. Contact
Questions, requests, or complaints: admin@recipelize.com.