Privacy Policy

Last updated: May 27, 2026

Controller

Thought for Food is operated as a personal, private project by Vladislav Dektiarev, Alter Güterbahnhof 11B, 22303 Hamburg, Germany. You can contact the operator at vladislav.dektiarev@gmail.com.

What We Process

We process the personal data needed to provide recipe capture, storage, browsing, sharing, image management, authentication, account security, privacy controls, and the shopping list.

Account data: email address, display name, OAuth provider identifiers, session data, admin status, and allowlist status.
Recipe data: recipe text, ingredients, instructions, tags, source URLs, visibility, favourites, copied recipes, and related metadata.
Images and uploads: recipe images, generated images, thumbnails, blur metadata, and storage keys.
Shopping list data: list items, checked state, quantities, recipe-source references, and timestamps.
Preferences and privacy choices: theme, cookie consent, data export requests, and account deletion requests.
Terms and moderation data: terms acceptance version and timestamps, content reports, user blocks, report reasons, report details, review status, and admin resolution notes.
Operational data: rate-limit counters, job status, moderation/guardrail signals, errors, security logs, and abuse-prevention records.

Purposes And Legal Bases

Providing the app, user account, recipes, images, and shopping list: performance of the user relationship and requested service.
Authentication, access control, rate limits, security, fraud prevention, and service reliability: legitimate interests in protecting the service and users.
Processing pasted recipe text, source URLs, and images with AI or ingestion providers: performance of the requested recipe capture or image feature.
Terms acceptance, in-app reporting, creator blocking, AI-image flagging, and admin moderation: legitimate interests in enforcing the terms, protecting users, and meeting platform safety requirements.
Consent preferences and optional analytics processing: consent.
Legal compliance, data subject requests, and dispute handling: legal obligations and legitimate interests.

Processors And External Services

The app uses service providers only as needed to operate its features. Depending on the feature you use, data may be processed by Vercel for hosting, runtime, and consent-enabled web analytics, MongoDB Atlas for database storage, Cloudflare R2 for image object storage, Google OAuth and GitHub OAuth for sign-in, OpenAI for recipe text processing and embeddings, Google Gemini for image validation or generation, Firecrawl for recipe website extraction, and RapidAPI for supported Instagram source ingestion.

These providers may process data in countries outside Germany or the European Economic Area. Where required, transfers should rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, or provider data processing terms.

Public And Shared Content

Recipes are private by default unless you publish them to the Community area. Public recipes may show recipe content, images, source information, engagement metadata, and a creator display name. Internal ownership data such as the creator email is not intentionally exposed in public API responses.

Users can report public recipes, report or flag AI-generated images, and block public recipe creators in the app. Report records may include the reporter account, target recipe or image, reported creator identifier, reason, optional details, timestamps, review status, and admin resolution notes. Block records store the blocking account, blocked user identifier, optional display name, and creation timestamp.

Retention

Account, recipe, image, shopping-list, terms acceptance, block, moderation, and preference data are kept while your account is active or while needed to provide the service. Account deletion removes owned recipes, associated image objects, shopping-list data, profile data, user-owned block records, terms acceptance records, owner-scoped jobs, and linked privacy records, subject to limited retention where necessary for security, abuse prevention, backups, moderation integrity, or legal claims.

Guardrail and abuse-prevention records are intended to be retained for a limited period, currently 90 days where the configured database retention job is active.

Your Rights

If GDPR applies to you, you may request access, rectification, deletion, restriction, portability, or objection to processing. Where processing is based on consent, you may withdraw consent at any time. You can export your data, update cookie consent, and delete your account from Settings, or contact the operator by email.

You also have the right to lodge a complaint with a competent data protection authority.