Privacy Policy
Effective date: [OPERATOR-CONFIRM effective date — recommend setting to the App Store / Play Store submission date]
Last updated: [OPERATOR-CONFIRM same as above]
1. Introduction
This Privacy Policy describes how [OPERATOR-CONFIRM legal entity name — e.g., "RustleUp Ltd." or sole-trader name] ("RustleUp", "we", "us", "our") collects, uses, stores, and shares information about you when you use the RustleUp mobile applications (iOS and Android), the read-only web viewer at app.rustleup.xyz, and any related services (together, the "Service").
By creating an account and using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
We are based in [OPERATOR-CONFIRM country of operation — e.g., "the United Kingdom"]. The Service is operated globally, but data is processed primarily in the United States (see Section 9 on international transfers).
2. Data we collect
We collect only what we need to run the Service. The tables below summarise each category and why we collect it; Section 4 lists the processors that store or handle it and where.
Account information
| Item | Source | Why |
|---|---|---|
| Email address | You provide it at sign-up, or it is shared by Google/Apple Sign-In | To create your account, send sign-in links, and (occasionally) contact you about important Service changes |
| Authentication identifier | Supabase Auth (our identity provider) | Used internally as your account ID |
You can sign in by email magic-link, Google Sign-In, or Apple Sign-In. We do not collect or store passwords ourselves — authentication is handled by Supabase Auth on our behalf.
Profile information
| Item | Why |
|---|---|
| Display name (optional) | Shown in the app and on collections you make public |
| Dietary preferences (e.g., vegan, gluten-free, allergies) | Used by AI features when generating recipes and suggesting filters; never sold, and not disclosed to anyone outside the processors listed in Section 4 |
| Avoid-ingredients list | Used by AI features to exclude unwanted ingredients |
| Language and regional preference (e.g., en-GB, en-AU) | Localises ingredient names and measurements |
| Measurement system (metric / imperial) | Controls how quantities are displayed |
User-generated content
| Item | Why |
|---|---|
| Saved recipes (ingredients, instructions, photos, notes) | The core of the Service — your library |
| Recipe ratings (1–5 stars) | For your reference and to surface your favourites |
| Personal notes on recipes | Your private notes, stored only on your account |
| Meal plans (which recipe at which meal slot) | The meal-planning feature |
| Shopping lists (recipe-derived plus custom items) | The shopping feature |
| Pantry items | The pantry-tracking feature |
| Collections (groups of recipes you create) | Your organisation system; can be marked public if you choose to share |
| Chat conversations with the recipe AI assistant | Stored on our servers so you can resume previous conversations and so we can enforce fair-use limits |
| Feedback you submit through the app | Helps us improve the Service |
| Feature votes on the public roadmap | Helps us prioritise development |
Usage and analytics data
We use PostHog (see Section 4) to capture a defined set of product-analytics events. The complete list of events we capture, and the properties attached to each, is documented internally in our event taxonomy (ADR-038). The high-level summary:
- Authentication events (sign-in, sign-out)
- Recipe actions (saved, cooked, shared, planned)
- Shopping actions (item added, item purchased)
- Pantry actions (item added)
- Collection actions (collection created)
- Subscription events (paywall shown, purchase initiated, purchase succeeded, purchase failed, subscription restored)
- Invite events (invite link copied, shared, resolved)
- Recipe view events on the web viewer
- Diagnostic events (e.g., when local sync recovers from an offline period, or when local-database encryption needs to be re-initialised)
- Screen views (which screens you visit; we capture the screen's logical name, not URLs that contain identifiers)
- Feature-flag evaluations (which experimental features you see)
Every event we capture is also tagged with:
- The app version you are running
- The environment (development, staging, or production)
- A pseudonymous device identifier assigned by PostHog (not your account ID, and reset on sign-out)
- A session identifier (PostHog-generated, reset between sessions)
- Coarse device information (operating system, device type, screen density) auto-captured by the PostHog SDK
What we deliberately do NOT capture as analytics properties (this is enforced in code at the point of capture):
- Email address (other than as a person-profile attribute — see below)
- Recipe text, ingredient text, instruction text, or notes
- Chat messages
- Search queries
- Feedback content
- Any free-text you type
If you have a paid subscription, the type of subscription (monthly or annual) is captured at purchase time so we can analyse conversion. Your payment card details are never captured (see Section 4).
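The "enforced in code at the point of capture" claim above describes a capture-time guard: an event reaches the analytics SDK only if its name is in an allowlisted taxonomy and every property value is one of a fixed set of short literals, so free text, email addresses, recipe titles and identifier-bearing URLs cannot be attached even by accident. The following is an added example of that pattern; it is not RustleUp's own code, and the event and property names are assumptions for illustration (the real list lives in the event taxonomy, ADR-038). The sample events it is run on are constructed.

```python
"""Capture-time analytics guard (illustrative, not RustleUp's own code).

An event is handed to the analytics SDK only if its name is in an
allowlisted taxonomy, every property is an enumerated literal, and the
required app_version / environment tags are present. Everything else is
dropped before capture. Event/property names are assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# event name -> {property name -> set of permitted literal values}
TAXONOMY = {
    "auth_signed_in": {"method": frozenset({"magic_link", "google", "apple"})},
    "auth_signed_out": {},
    "recipe_saved": {"source": frozenset({"url", "photo", "text", "manual"})},
    "recipe_cooked": {},
    "shopping_item_added": {"origin": frozenset({"recipe", "custom"})},
    "purchase_succeeded": {"plan": frozenset({"monthly", "annual"})},
    "screen_viewed": {
        "screen": frozenset({"home", "recipe_detail", "meal_plan",
                             "shopping_list", "pantry", "settings"}),
    },
}
ENVIRONMENTS = frozenset({"development", "staging", "production"})
# Characters that never belong in an enumerated analytics literal: any one
# of them would let an email, URL, query string or sentence through.
FORBIDDEN_CHARS = frozenset("@/?=&# \t\n")
MAX_LITERAL_LEN = 64


def literal_is_safe(value: object) -> bool:
    """True only for short, identifier-like strings."""
    return (isinstance(value, str)
            and 0 < len(value) <= MAX_LITERAL_LEN
            and not (set(value) & FORBIDDEN_CHARS))


def validate_taxonomy(taxonomy=TAXONOMY) -> list:
    """Check the taxonomy itself cannot carry PII; run at startup and in CI."""
    problems = []
    for event, props in taxonomy.items():
        for prop, values in props.items():
            for v in values:
                if not literal_is_safe(v):
                    problems.append(f"{event}.{prop}: unsafe literal {v!r}")
    return problems


@dataclass
class GuardResult:
    event: Optional[dict]                              # payload for the SDK, or None
    dropped: list = field(default_factory=list)        # reasons, for a local debug log only


def guard_event(name, props, *, app_version, environment) -> GuardResult:
    """Return the event the SDK may send, with everything else dropped."""
    result = GuardResult(event=None)
    if name not in TAXONOMY:
        result.dropped.append(f"{name}: not in taxonomy, event dropped")
        return result
    if environment not in ENVIRONMENTS or not literal_is_safe(app_version):
        result.dropped.append(f"{name}: bad app_version/environment tag, event dropped")
        return result
    allowed = TAXONOMY[name]
    clean = {}
    for key, value in props.items():
        if key not in allowed:
            result.dropped.append(f"{name}.{key}: property not in taxonomy")
        elif not literal_is_safe(value) or value not in allowed[key]:
            # Rejects free text, emails and screen URLs such as
            # "/recipes/abc123?ref=share"; "recipe_detail" passes.
            result.dropped.append(f"{name}.{key}: value not an allowed literal")
        else:
            clean[key] = value
    clean["app_version"] = app_version
    clean["environment"] = environment
    result.event = {"event": name, "properties": clean}
    return result


if __name__ == "__main__":
    assert validate_taxonomy() == []
    # Constructed events: the second carries a recipe title the guard must strip.
    ok = guard_event("recipe_saved", {"source": "photo"},
                     app_version="1.2.0", environment="production")
    leaky = guard_event("recipe_saved", {"source": "photo", "title": "Grandma's soup"},
                        app_version="1.2.0", environment="production")
    print(ok.event, leaky.dropped)
```

The point of enumerating values rather than filtering them with a PII regex is that the guard fails closed: a new property reaches production only by being added to the taxonomy, and validate_taxonomy() refuses any literal that could itself carry an email, path or query string, so the allowlist cannot quietly grow into a free-text channel.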
Person-profile attributes
Tied to your account rather than to individual events, we set the following person-profile attributes: email, display name, current subscription tier (free or premium), and language. These allow filtered analytics (e.g., "how many premium users used the chat feature this week") without attaching personal information to individual events.
Diagnostic and crash data
We use Sentry (see Section 4) to capture application crashes and unhandled errors. Sentry receives:
- The stack trace of the crash
- Your device's operating system, OS version, and CPU architecture
- The app version
- A breadcrumb trail of the last few actions you took before the crash (e.g., "opened recipe screen", "tapped save") — these breadcrumbs do not contain free-text or PII
- Your pseudonymous Sentry user identifier (tied to your account ID so we can correlate crashes per user)
Sentry retains crash reports for approximately 90 days by default.
Subscription and payment data
If you subscribe to RustleUp Premium, payment is processed entirely by Apple (App Store) or Google (Play Store). We do not collect, store, or have access to your payment card or bank account details. RevenueCat (see Section 4) acts as our subscription-management layer: it receives a receipt from the store, validates it, and tells our backend whether your subscription is active. Your purchase receipt and entitlement state (premium / free, expiry date) are stored on our servers; payment instruments are not.
Device and install attribution
We use Branch.io (see Section 4) to attribute deep links and share links. Branch may collect a pseudonymous device identifier and limited install-attribution data (e.g., that you tapped a particular share link before installing) so that we can deliver the right recipe context when you first open the app. We do not use Branch for advertising attribution.
We also rely on PostHog's pseudonymous device identifier ($device_id) for analytics; this is the same identifier described under "Usage and analytics data" above. It is generated by the PostHog SDK on first launch and is reset when you sign out.
Photos and camera
If you use the "scan a recipe from a photo" feature, the photo you select is uploaded to our backend and processed by an AI extraction service (currently routed through OpenRouter to OpenAI / Anthropic / Google models — see Section 4). The original photo is not retained after extraction completes. Extracted recipe text is then saved as part of your recipe library (see "User-generated content" above).
If you grant camera access for QR-code scanning or photo capture, photos are processed in-memory on your device unless you explicitly choose to use them in a feature that uploads to our backend.
Cookies and web storage
The mobile apps do not use cookies (cookies are a browser concept).
The web viewer at app.rustleup.xyz uses one PostHog analytics cookie (named ph_<project key>_posthog by the PostHog JavaScript SDK) to maintain a session identifier across pages; with PostHog's default persistence setting the same data is also kept in browser localStorage. No other cookies are set by us. The web viewer is read-only and does not support sign-in, so it does not store authentication tokens.
3. How we use your information
We use the information we collect to:
- Provide the Service: authenticate you, sync your data across your devices, generate shopping lists, run AI recipe extraction and chat
- Improve the Service: understand which features are used, identify bugs, prioritise development
- Communicate with you: send sign-in links by email, send important Service notices
- Protect the Service: detect and prevent abuse, fraud, and violations of our Terms
- Comply with legal obligations
We do not sell your personal information. We do not use your data to train AI models, and when we send recipe text, photos, or chat messages to AI providers for extraction or chat we do so per request, under terms that prohibit the provider from training its models on that data. Section 4 lists the providers involved; each provider's own policy governs how it handles the request.
4. Third-party processors
We rely on the following processors to operate the Service. Each is contractually bound to handle your data only for the purposes we direct.
| Processor | Purpose | Location of processing |
|---|---|---|
| Supabase | Account authentication, primary database (your saved recipes, plans, etc.), file storage (recipe images) | AWS US-East-1 (United States) |
| PowerSync | Real-time data sync between your device and Supabase | PowerSync Cloud [OPERATOR-CONFIRM hosting region] for staging and production; the development environment is self-hosted on our infrastructure |
| PostHog | Product analytics and feature flags | United States (us.posthog.com) |
| Sentry | Crash reporting and release health monitoring | United States (sentry.io) |
| RevenueCat | Subscription receipt validation and entitlement management | United States (revenuecat.com) |
| Branch.io | Deep-link and share-link attribution | United States |
| Cloudflare | Content delivery, edge routing for the web viewer, share-link redirection | Global edge network |
| OpenAI, Anthropic, Google (via OpenRouter) | AI models that power recipe extraction from URLs/photos/text and the recipe chat assistant. All AI calls go through our backend — the AI providers receive only the recipe text, photo, or chat message needed for the request, plus a pseudonymous request identifier. No account email, payment data, or full user history is shared. | United States |
| Codemagic | Build and release pipeline (does not receive runtime user data; only the application source code) | Build-time only |
| Apple (App Store) and Google (Play Store) | Payment processing and subscription billing | Per Apple and Google's own privacy policies |
The full list of integrations is also documented in our internal architecture decision records. We will update this Policy if we add, remove, or materially change a processor.
[OPERATOR-CONFIRM: confirm this list is complete and matches the actual production deployment — additions to consider if relevant: any email-sending provider (e.g., Resend, Postmark) used for transactional email; any push-notification provider; any moderation tool.]
5. Data retention
- Account data (email, profile, recipes, plans, shopping lists, pantry, collections, ratings, notes): retained for as long as your account is active. If you delete your account, we delete this data within 30 days, except where we are required by law to retain certain records.
- Chat conversations: stored on our servers for the lifetime of your account so you can resume them. We may add automatic expiry (e.g., 7 days for unused conversations) in a future release; if we do, you will be notified.
- Analytics events (PostHog): retained according to PostHog's default retention policy, currently up to 7 years for our plan tier. We may shorten this in the future.
- Crash reports (Sentry): retained for approximately 90 days by default.
- Subscription records: retained for the lifetime of your account, plus any period required for tax, accounting, or fraud-prevention purposes.
- Backups: routine backups of our database are retained on a rolling 30-day window. Deleted account data is removed from backups within that window.
You can request immediate deletion of your account at any time — see Section 6.
6. Your rights
Depending on where you live, you have the following rights over your personal information.
EU / UK (GDPR / UK GDPR)
- Access: ask for a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate data
- Deletion ("right to be forgotten"): ask us to delete your account and associated data
- Portability: ask for your data in a machine-readable format
- Restriction: ask us to limit how we process your data
- Objection: object to processing based on our legitimate interests (analytics, fraud prevention)
- Withdraw consent: where we rely on consent, you can withdraw it
- Complaint: lodge a complaint with your local data-protection authority (in the UK, the ICO at ico.org.uk)
California (CCPA / CPRA)
- Right to know what categories of information we collect, why, and to whom we disclose it
- Right to delete personal information we hold about you
- Right to correct inaccurate personal information
- Right to opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of, but we provide this notice for completeness
- Right to non-discrimination — exercising your rights will not affect the price or quality of the Service
How to exercise your rights
Email us at [OPERATOR-CONFIRM privacy contact email — recommend "privacy@rustleup.app" once domain is owned, or operator's preferred email until then]. We will respond within 30 days (or longer if permitted by law for complex requests).
You can also delete your account directly from within the app: Account → Settings → Delete Account. [OPERATOR-CONFIRM: this in-app flow is on the launch checklist; if not yet shipped, point users to the email instead.]
7. Children's privacy
The Service is not directed at children under the age of 13 (or under the applicable age of digital consent in the European Economic Area, which is 16 unless the member state has set a lower age; in the United Kingdom it is 13). You must self-attest that you meet the applicable age when you create an account.
If we learn that we have collected personal information from a child under the applicable age without verified parental consent, we will delete it as quickly as possible. If you believe a child has provided us with personal information, please contact us at the email address in Section 6.
8. Security
We protect your data through a combination of technical and organisational measures:
- Encryption in transit: all communication between the app, our backend, and our processors uses TLS 1.2 or higher.
- Encryption at rest on your device: the local copy of your data (recipes, plans, etc.) on your phone is encrypted with a 256-bit key using the SQLite3 Multiple Ciphers (sqlite3mc) extension [OPERATOR-CONFIRM the configured cipher scheme: sqlite3mc's default is ChaCha20-Poly1305, so state "AES-256" only if AES is what the app configures]. The key is generated on your device and stored in the platform's secure storage (iOS Keychain / Android Keystore), which is hardware-backed on devices that support it.
- Encryption at rest on our servers: provided by the platforms of our processors (Supabase, PostHog, Sentry), each of which encrypts stored data under its own controls.
- Authentication: managed by Supabase Auth, with support for email magic-links, Google Sign-In, and Apple Sign-In (which include their own security guarantees such as two-factor authentication on the underlying account).
- Least privilege: only the engineers and operators who need access to production systems have it, and access is logged.
No system is perfectly secure. If you suspect your account has been compromised, contact us immediately at the address in Section 6.
9. International data transfers
We are based in [OPERATOR-CONFIRM country]. Most of our processors (Supabase, PostHog, Sentry, RevenueCat, Branch.io, OpenRouter, the AI providers) operate in the United States. By using the Service, you acknowledge that your data may be transferred to and processed in countries other than your own, including the United States.
For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK addendum where applicable) as the legal mechanism for these transfers. Our processors are bound by these clauses through their own data-processing agreements with us.
[OPERATOR-CONFIRM: if the operator is established in the EU/UK and the threshold for an Article 27 representative applies, name the representative here. Otherwise this line can be removed.]
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the Service, our practices, or applicable law. Material changes will be notified to you by in-app notice and/or email before they take effect. The effective date at the top of this Policy reflects the most recent change.
Continuing to use the Service after a change takes effect means you accept the updated Policy. If you do not accept it, you can delete your account at any time.
11. Contact us
For privacy questions, data-subject requests, or any other matters covered by this Policy:
- Email: [OPERATOR-CONFIRM privacy contact email]
- Postal address: [OPERATOR-CONFIRM postal address if any — the App Store does not require one, but EU/UK users may exercise rights more easily with a postal channel available]
Notes for review
This draft was prepared by the engineering team based on the codebase's actual data practices as of the launch date. It has not been reviewed by a qualified privacy lawyer. Before publishing, we strongly recommend:
- Legal review of the GDPR / UK GDPR / CCPA rights sections, the data-retention list in Section 5, and the international-transfer mechanism (SCCs).
- Confirmation of the legal entity, contact address, and effective date placeholders marked [OPERATOR-CONFIRM].
- Confirmation that the processor list in Section 4 matches the production deployment.
- If the Service is marketed to or used by EU/UK residents in significant numbers and the operator is not established in the EU/UK, appointing an Article 27 representative.
- Re-review when material features change (e.g., adding push notifications, web sign-in, new AI providers, new payment paths, or community features such as comments).