Your data is yours.

We sell nothing, share nothing, target nothing. The whole point of COOKED is to keep money in your account — that includes not making money off your information. Plain English below.

What we collect

Only what we need to run the app for you:

• Email address — for account sign-in via Supabase Auth.
• Apple ID identifier — if you sign in with Apple. We never see your real name unless you choose to share it through Apple's prompt.
• Subscription status — managed by RevenueCat. Apple charges your Apple ID; we receive only "active" / "expired" status, never your card details.
• Your activity — cook logs, daily check-ins, the cravings you type into the craving button. Stored in our Supabase database, scoped to your row only.
• Anonymous analytics (optional) — only if you tap "Allow" on the App Tracking Transparency prompt at first launch. We use PostHog and never tie events to your name or email.
• Crash logs — collected by Apple's system. We use them to fix bugs.

What we don't collect

• Your real name, address, phone number, or government ID.
• Your contacts, your photos, your calendar.
• Your microphone or camera. We don't ask for those permissions.
• Your location. Ever.
• Your bank account, credit card, or any payment data — Apple handles that entirely.

Who we share with

Three sub-processors, each handling one specific job. None of them get your data for advertising or resale.

• Supabase (database + auth) — stores your account row.
• Apple (App Store + Sign in with Apple + iCloud) — handles auth and payment.
• RevenueCat (subscription management) — tells us whether your subscription is active.
• Anthropic (AI recipe generation) — receives only the craving text you type, server-side. They never see your name, email, or account ID.
• PostHog (analytics) — only if you opted in via the ATT prompt. Events are anonymized.

How long we keep it

For as long as you have an account. When you delete your account inside the app (Settings → Delete account), we permanently remove your profile, cook logs, check-ins, savings history, and craving events. We also call Apple's revocation endpoint to sever the Sign in with Apple link if you used it. Backups roll off within 30 days.

Your rights

• Delete your account — in the app: Settings → Delete account. Or email us; we'll do it within 7 days.
• Export your data — email us. We'll send a JSON dump within 7 days.
• Opt out of analytics — deny the ATT prompt at first launch, or revoke later in iOS Settings → Privacy & Security → Tracking.
• Ask us anything — see Contact below.

Children's privacy

COOKED is not directed to anyone under 13. We don't knowingly collect data from children. If you believe a child has signed up, email us and we'll delete the account.

Security

Auth tokens live in your iOS Keychain. All network traffic is TLS-encrypted (HTTPS). Supabase Row-Level Security ensures your data row is only readable by you. We never see your password — Supabase hashes it before storage.

Changes to this policy

If we make changes, we'll bump the "Effective" date below and notify you in-app on next launch for any material change.

Effective: 2026-05-03