Privacy Policy - Chefs AI

Effective Date: November 3, 2025 Last Updated: November 3, 2025 Version: 1.0

1. Introduction

Welcome to Chefs AI! We respect your privacy and are committed to protecting your personal data.

This Privacy Policy explains:

What data we collect and why
How we use your data
Your rights under GDPR, CCPA, and other privacy laws
How to exercise those rights

Who we are:

Service: Chefs AI (https://app.chefs-ai.com)
Legal Entity: CHEFS AI, LLC
Contact: info@chefs-ai.com

What Chefs AI does: Chefs AI is a Progressive Web App (PWA) that generates AI-powered recipe recommendations based on your ingredients and dietary preferences. We use Google's Gemini API for AI generation and Firebase for data storage.

2. Legal Framework

This Privacy Policy complies with:

GDPR (General Data Protection Regulation) – EU law
CCPA (California Consumer Privacy Act) – California law
PIPEDA (Canada) – Canadian privacy law
Other applicable data protection laws

Your rights are the same regardless of where you live. We apply the highest standard (GDPR) to all users globally.

3. What Data We Collect

3.1 Account Information (Google OAuth)

When you sign in with Google, we collect:

Name (from your Google profile)
Email address (your Google account email)
Profile picture (from your Google account)
User ID (unique Firebase UID)

Why we collect this: Required for authentication and account management.

Legal basis (GDPR): Necessary for contract performance (Art. 6(1)(b)).

Third-party processor: Google Firebase Authentication (https://firebase.google.com/support/privacy)

3.2 Recipes You Generate

Each recipe you create includes:

Recipe name (AI-generated or user-edited)
Ingredients list (from AI generation)
Cooking instructions (from AI generation)
Recipe metadata:
- Meal type (Breakfast, Lunch, Dinner, Snack, Dessert)
- Dietary preferences (Vegetarian, Vegan, Gluten-Free, etc.)
- Servings, prep time, cook time
- Rating (if you rate the recipe)
- Creation timestamp
Generation context:
- Input ingredients you provided
- Selected diner profile (if any)
- AI model parameters used

Why we collect this: To save and organize your recipes for future access.

Legal basis (GDPR): Necessary for contract performance (Art. 6(1)(b)).

Storage: Firebase Firestore at /users/{userId}/savedRecipes/{recipeId}

3.3 Diner Profiles

If you create diner profiles, we store:

Profile name (e.g., "John's Profile")
Dietary restrictions (e.g., Gluten-Free, Dairy-Free)
Preferences (likes/dislikes)

Why we collect this: To personalize recipes for family members or guests.

Legal basis (GDPR): Necessary for contract performance (Art. 6(1)(b)).

Storage: Firebase Firestore at /users/{userId}/profiles/{profileId}

3.4 Pantry Data

If you use the Pantry feature, we store:

Ingredient names (e.g., "Chicken Breast")
Quantities (optional)
Categories (Protein, Vegetable, Spice, etc.)
Add date

Why we collect this: To help you generate recipes from available ingredients.

Legal basis (GDPR): Necessary for contract performance (Art. 6(1)(b)).

Storage: Firebase Firestore at /users/{userId} (pantryItems array)

3.5 Subscription and Usage Data

For all users (free and paid), we track:

Subscription tier (Occasional Chef, Home Chef, Master Chef)
Monthly recipe generation count (to enforce quotas)
Billing period start date
Last usage reset date
Stripe customer ID (paid users only)
Stripe subscription ID (paid users only)
Subscription status (active, cancelled, past_due)

Why we collect this: To enforce usage limits, process payments, and prevent fraud.

Legal basis (GDPR):

Contract performance (Art. 6(1)(b)) for quota enforcement
Legal obligation (Art. 6(1)(c)) for tax/financial records (7-year retention)

Storage: Firebase Firestore at /users/{userId} (subscription and usageStats fields)

3.6 AI Generation Requests

When you generate a recipe, we send to Google Gemini API:

Ingredients list (what you entered)
Dietary preferences (if selected)
Meal type (if selected)
Diner profile data (if you selected a profile)
Number of servings
Available cooking tools (optional)

Why we collect this: Required to generate AI-powered recipes.

How long Google keeps it:

Google does NOT store your data long-term per their API terms
Data is processed for inference only
No training on your personal recipes

Legal basis (GDPR): Necessary for contract performance.

Third-party processor: Google Gemini API (https://ai.google.dev/gemini-api/terms)

3.7 Recipe Images

Generated recipe images are stored:

Image files - Stored in Firebase Storage at /images/{userId}/{recipeId}.{ext}
Image URLs - Referenced in your recipe documents

Why we collect this: To provide visual recipe inspiration and improve user experience.

Legal basis (GDPR): Necessary for contract performance.

3.8 Technical Data (Automatic)

Our Progressive Web App (PWA) automatically collects:

Service worker cache - App files cached for offline use (HTML, CSS, JavaScript, images)
LocalStorage data - User preferences, authentication tokens
Session data - To keep you logged in

Why we collect this: To enable offline functionality and maintain your session.

Legal basis (GDPR): Legitimate interest (improving service performance) and necessary for contract performance.

4. How We Use Your Information

We use your information ONLY for:

Providing the Service
- Authenticating your account
- Generating AI-powered recipes
- Saving and retrieving your recipes
- Managing your subscription tier
- Enforcing usage quotas
Service Improvement
- Fixing bugs and errors
- Optimizing performance
- Understanding which features are used
Communication
- Responding to support requests
- Sending important service updates (e.g., security issues, policy changes)
- Subscription-related emails (renewal, cancellation confirmations)

We DO NOT:

Sell your data to third parties
Use your data for advertising
Share your recipes with anyone
Train AI models on your personal recipes
Send marketing emails (unless you explicitly opt-in)

5. Data Storage and Security

5.1 Where Your Data is Stored

Primary Storage: Google Firebase (Cloud Firestore, Firebase Authentication, Firebase Storage)

Data Residency: us-central1

Encryption:

At rest: All data encrypted by Firebase (AES-256)
In transit: All connections use HTTPS/TLS encryption

5.2 Who Can Access Your Data

You: Full access to all your data

Chefs AI Admins: Limited access for:

Technical support (with your permission)
Debugging critical issues
Compliance with legal obligations

Google Firebase: Infrastructure provider (bound by data processing agreement)

Google Gemini API: Processes recipe generation requests (does not store data long-term)

Stripe (paid users only): Processes payment information (we only store customer ID, not payment details)

Nobody Else: We do not share, sell, or rent your data to third parties for marketing.

5.3 Data Isolation

Your data is protected by Firebase security rules:

You can ONLY access your own recipes, profiles, and pantry data
Other users CANNOT see your data
You CANNOT modify your own subscription tier (prevents fraud)
Server-side validation enforces all security rules

6. How Long We Keep Your Data

6.1 Active Users

While you use the service:

Account data: Retained indefinitely
Recipes: Retained until you delete them
Profiles: Retained until you delete them
Pantry data: Retained until you delete it
Subscription data: Retained for current period + 7 years (tax/legal requirements)
Usage stats: Retained for current billing period + 1 year

6.2 Inactive Users

If you stop using Chefs AI:

Your data remains in your account indefinitely
We do not automatically delete inactive accounts
You can return anytime and your data will still be there

Future Policy: We may implement automatic deletion of accounts inactive for 2+ years (with advance notice).

6.3 Deleted Accounts

When you delete your account:

All data is permanently deleted within 30 days
Backups are purged within 90 days
Stripe subscription cancelled immediately
No data is retained except:
- Anonymized usage statistics (no personal identifiers)
- Financial records (Stripe transaction IDs only, for 7 years per tax law)

7. Your Rights Under Data Protection Laws

You have the following rights under GDPR (EU), CCPA (California), and other privacy laws:

7.1 Right to Access (GDPR Article 15)

What it means: You can see all data we have about you.

How to exercise:

View your data in the app (Settings, Recipes, Profiles)
Request a complete copy: Settings > Privacy > Download My Data (coming soon)

7.2 Right to Portability (GDPR Article 20)

What it means: You can get a copy of your data in a machine-readable format.

How to exercise:

Settings > Privacy > Download My Data (JSON format)

What you'll receive:

All recipes (with ingredients, instructions, ratings)
All diner profiles
Pantry data
Account settings
Subscription information

7.3 Right to Rectification (GDPR Article 16)

What it means: You can correct inaccurate data.

How to exercise:

Edit recipes directly in the app
Edit profiles in Settings > Profiles
Edit pantry items in Pantry view
Update account info: Settings > Account

7.4 Right to Erasure / "Right to be Forgotten" (GDPR Article 17)

What it means: You can delete your data.

How to exercise:

Delete specific items:

Delete individual recipes (swipe to delete or click delete button)
Delete profiles: Settings > Profiles > Delete
Clear pantry: Pantry > Clear All

Delete everything:

Settings > Privacy > Delete Account
Requires email confirmation + password re-entry
WARNING: This is permanent and cannot be undone

What gets deleted:

Your Firebase Authentication account
All recipes and recipe history
All diner profiles
All pantry data
All images in Firebase Storage
All usage statistics

What we keep:

Anonymized usage statistics (no personal identifiers)
Financial records (Stripe transaction IDs for tax compliance, 7 years)

7.5 Right to Restriction (GDPR Article 18)

What it means: You can limit how we process your data.

How to exercise:

Contact us at info@chefs-ai.com
We can temporarily freeze your account while disputes are resolved

7.6 Right to Object (GDPR Article 21)

What it means: You can object to certain types of processing.

How to exercise:

Since we only process data necessary for the service, objecting means you cannot use Chefs AI
To stop all processing: Delete your account (Settings > Privacy > Delete Account)

7.7 Right to Withdraw Consent (GDPR Article 7)

What it means: You can change your mind about data processing.

How to exercise:

Stop using specific features (e.g., don't create profiles if you don't want that data stored)
Delete your account to withdraw all consent

7.8 California Residents (CCPA)

If you're a California resident, you have additional rights:

Right to Know:

Request what personal information we've collected (past 12 months)
Request what categories of sources we collected it from
Request why we collected it

Right to Delete:

Same as GDPR Right to Erasure (above)

Right to Opt-Out of Sale:

We do NOT sell your personal information (never have, never will)
No opt-out needed

Right to Non-Discrimination:

We will NOT discriminate against you for exercising your rights
Same service and pricing for everyone

How to exercise CCPA rights:

Email: info@chefs-ai.com
Or use in-app tools (Settings > Privacy)

8. Third-Party Services

We use the following third-party services to provide Chefs AI:

8.1 Google Firebase

What it is: Cloud infrastructure for data storage, authentication, and hosting

What we share:

Everything listed in Section 3 (all data is stored on Firebase)

Their role: Data processor (processes data on our behalf)

Their privacy policy: https://firebase.google.com/support/privacy

Data Processing Agreement: Google Cloud Data Processing Addendum applies

Location: us-central1

8.2 Google Gemini API

What it is: Artificial intelligence service for recipe generation

What we share:

Ingredients lists
Dietary preferences
Meal types
Diner profile data (when selected)

Their role: Data processor (AI inference only)

Data retention: Google does NOT store your data long-term (per API terms)

Their privacy policy: https://ai.google.dev/gemini-api/terms

Important: All API calls are made server-side via our Cloud Functions. Your data never goes directly from your browser to Google.

8.3 Stripe (Paid Tiers Only)

What it is: Payment processing service

What we share:

Email address (to create Stripe customer)
We do NOT see or store your payment card details (handled entirely by Stripe)

What we store:

Stripe customer ID
Stripe subscription ID
Current subscription status

Their role: Independent data controller (for payment processing)

Their privacy policy: https://stripe.com/privacy

PCI compliance: Stripe is PCI-DSS Level 1 certified

8.4 GitHub (Deployment Only)

What it is: Code hosting and deployment automation

What we share: Nothing. GitHub only hosts our code and triggers deployments. No user data passes through GitHub.

9. Cookies and Tracking

9.1 What We Use

Chefs AI is a Progressive Web App (PWA) that uses browser storage for functionality:

LocalStorage:

Firebase authentication tokens (keeps you logged in)
User preferences (theme, settings)
PWA installation status

Service Worker Cache:

App files (HTML, CSS, JavaScript) for offline use
Recipe images for offline viewing
API responses (temporary caching)

Session Storage:

Temporary data during your current session
Cleared when you close the tab

9.2 What We DON'T Use

❌ No third-party analytics (no Google Analytics, no Facebook Pixel) ❌ No advertising cookies ❌ No cross-site tracking ❌ No marketing cookies

9.3 How to Clear Storage

Browser settings:

Chrome: Settings > Privacy and Security > Clear browsing data
Firefox: Settings > Privacy & Security > Cookies and Site Data > Clear Data
Safari: Settings > Safari > Clear History and Website Data

In-app:

Sign out (clears authentication tokens)
Uninstall PWA (clears all cached data)

10. International Data Transfers

10.1 Where Your Data is Stored

Primary location: us-central1

Backup locations: Google Firebase may replicate data to other Google Cloud regions for redundancy

10.2 Transfers Outside the EU (if applicable)

If you're in the EU and our Firebase project is in the US:

Legal mechanism: Google Cloud's Standard Contractual Clauses (SCCs)

Safeguards:

Encryption in transit and at rest
Google's data protection commitments
Your rights under GDPR still apply

11. Children's Privacy

Chefs AI is NOT intended for children under 13 (or under 16 in the EU).

We do not knowingly collect data from children. If you believe a child has created an account:

Contact us immediately at info@chefs-ai.com
We will delete the account within 48 hours

Parents: If you discover your child has created an account, please contact us for immediate deletion.

12. Data Breach Notification

In the unlikely event of a data breach:

Our obligations:

Notify affected users within 72 hours (GDPR requirement)
Report to supervisory authorities if required by law
Provide details on what data was affected and what we're doing about it

Your actions:

Change your password immediately
Monitor your account for suspicious activity
Contact us with any concerns

How we'll notify you:

Email to your registered address
In-app notification
Notice on our website

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

Changes in data protection laws
New features we add
Improvements to our practices

How we'll notify you:

Email notification (for significant changes)
In-app notification
Updated "Last Updated" date at the top of this policy

Your consent:

Continued use of Chefs AI after changes means you accept the updated policy
If you don't agree, you can delete your account

Version history: We maintain previous versions at https://github.com/yourusername/chef_ai/docs/legal/archive

14. Legal Basis for Processing (GDPR)

| Data Type | Legal Basis | |-----------|-------------| | Account information | Contract performance (Art. 6(1)(b)) | | Recipe data | Contract performance (Art. 6(1)(b)) | | Diner profiles | Contract performance (Art. 6(1)(b)) | | Pantry data | Contract performance (Art. 6(1)(b)) | | Subscription data | Contract performance (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) for tax records | | Technical data (caching) | Legitimate interest (Art. 6(1)(f)) - improving service performance | | AI processing | Contract performance (Art. 6(1)(b)) |

15. Supervisory Authority (EU Residents)

If you're unhappy with how we handle your data, you have the right to complain to your data protection authority:

Find your authority: https://edpb.europa.eu/about-edpb/board/members_en

Before complaining: Please contact us first at info@chefs-ai.com. We want to resolve any issues directly.

16. Contact Us

Privacy-related questions: Email: info@chefs-ai.com Response time: Within 48 hours (72 hours on weekends)

Data subject access requests: Email: info@chefs-ai.com We'll respond within 30 days (GDPR requirement)

General support: Email: support@chefs-ai.com

17. Definitions

Personal Data: Any information that can identify you (name, email, user ID, etc.)

Data Controller: The entity that decides how personal data is processed (that's us: Chefs AI LLC)

Data Processor: A third party that processes data on our behalf (e.g., Google Firebase, Stripe)

GDPR: General Data Protection Regulation (EU law)

CCPA: California Consumer Privacy Act (California law)

PII: Personally Identifiable Information

This Privacy Policy was last updated: November 3, 2025 Effective date: November 3, 2025 Version: 1.0

Acknowledgment:

By using Chefs AI, you acknowledge that you have read, understood, and agree to this Privacy Policy.