SavePlate

SavePlate · legal

Privacy Policy

Last updated

This policy explains what data SavePlate collects, why, where it goes, and how to delete it.

The short version: your recipe library lives on your phone, not on our servers. We hold the bare minimum needed to run an account: your email, a hashed password, a payment record from Lemon Squeezy, and short-lived telemetry that helps us debug the import pipeline. We don't sell data, we don't run third-party ad SDKs, and we don't train AI models on your content.

1.Who runs SavePlate

SavePlate is operated by an individual developer based in Perth, Australia. Contact: [email protected].

For privacy enquiries from the EU/UK we treat that mailbox as the data controller's address. We do not currently have an EU representative; if you are an EU resident and want to lodge a complaint, your local data-protection authority is the right next step.

2.What we collect, and why

2.1 Account data

When you sign up:

  • Email — primary identifier; we send transactional mail (account verification, security alerts, billing receipts).
  • Password — stored only as a salted hash (better-auth / scrypt). We cannot read it.
  • Display name — optional, shown on your account page.

Legal basis: performance of a contract.

2.2 Payment data

Payments are handled by Lemon Squeezy (a Merchant of Record). Lemon Squeezy collects your name, email, billing country, and payment method. SavePlate receives only your subscription tier, renewal date, a pseudonymous customer ID, and invoice metadata (amount, currency, last 4 of the card — never the full PAN).

We never see your card number. See Lemon Squeezy's own privacy notice at lemonsqueezy.com/privacy for what they do with the rest.

2.3 Recipes

Recipes live on your phone, in a local SQLite database we never upload. When you share a reel:

  1. The mobile app sends the source URL to our API.
  2. Our backend fetches the video (or your home agent does, if you set one up).
  3. The video is transcribed and structured into a recipe by our LLM subprocessors.
  4. The structured recipe is sent back to your phone and stored locally.
  5. The temporary copy of the video is deleted from our object storage within 24 hours.

We do not keep a copy of your recipe library. If you connect external targets (Mealie, Tandoor) the recipe is pushed to those servers from your phone — not from ours.

2.4 Source URLs

We never store the URL of a reel you import in plain text. The URL is processed in memory during fetch + transcription, then discarded. For abuse-defense + debugging we store a one-way SHA-256 hash of each URL in our telemetry table for 30 days.

2.5 Instagram session

If you connect Instagram inside the app:

  • Your IG cookies are encrypted on your device (iOS Keychain / Android Keystore).
  • If — and only if — you have set up a home agent, those cookies are sent to our API, encrypted at rest with a key we hold, and relayed to your home agent when it asks. They are never sent to a third party.
  • If you don't set up a home agent, the cookies stay on your device and are never sent anywhere.

You can sign out of Instagram from Settings → Instagram at any time. That clears the local copy + tells our API to drop the relayed copy.

2.6 Operational telemetry

  • Fast-path outcomes (success / failure category + the SHA-256 URL hash) — retained 30 days.
  • Per-recipe cost records (Anthropic + Groq token counts, ffmpeg / R2 byte counts) — kept for billing reconciliation and joined to your account only via your user ID.
  • Push notification tokens — kept while your install is active; rotated on sign-out.
  • Server logs (HTTP method, route, status, request ID, IP) — retained 7 days for incident investigation.

2.7 What we don't collect

  • We don't run a third-party analytics SDK.
  • We don't run advertising SDKs.
  • We don't train ML models on your recipes or shared reels.
  • We don't track you across other websites or apps.
  • We don't share your data with data brokers.

3.Subprocessors

SavePlate uses the following processors to deliver the service:

SubprocessorPurposeRegion
Hetzner CloudCompute infrastructure (API, workers, database)Germany (EU)
Cloudflare R2Temporary object storage for video frames + thumbnails (≤24h)EU
CloudflareDNS + edge proxy + Turnstile captchaGlobal edge
AnthropicLLM that structures transcribed audio into a recipeUS
GroqWhisper-based transcription of recipe audioUS
Lemon SqueezySubscription billing + invoicing (Merchant of Record)US
Expo Push / APNs / FCMPush notification deliveryUS
ResendTransactional emailUS

Each processor sees only the data they need for their job. For example, Anthropic sees the transcript of a single reel during structuring; they never see your email, your library, or any other recipe.

We use Standard Contractual Clauses for the EU→US transfers above.

4.How we share data

We don't sell your data. We share it only:

  • With the subprocessors above, for the purposes listed.
  • When you ask us to — e.g. when you push a recipe to your own Mealie / Tandoor server, that push goes from your phone to that server.
  • When a law-enforcement agency presents a valid legal request (e.g. an Australian subpoena). We will challenge any request we consider overbroad, and we publish a transparency note when we can.

5.How long we keep it

DataRetention
Account + email + hashed passwordWhile the account exists
Recipe libraryOn your device until you delete it; not on our servers
Temporary video copies on R2≤ 24 hours, lifecycle rule
Fast-path telemetry (SHA-256 hashes, outcomes)30 days
Per-recipe cost records6 years (Australian tax requirement)
Server logs7 days
Subscription + invoice records6 years (Australian tax requirement)
Push tokensUntil next sign-out on that device
Instagram cookies (encrypted)Until you sign out of Instagram
Backups30 days, then deleted

6.Your rights

Whatever law applies to you (GDPR, CCPA, the Australian Privacy Act, etc.), you can ask us to:

  • Access the data we have about you.
  • Correct anything that's wrong.
  • Delete your account and the data we hold for it.
  • Export your data in a portable format.
  • Object to processing based on legitimate interest.

Email [email protected] with the request. We aim to respond within 30 days.

6.1 Deleting your account

You can delete your account from Settings → Account inside the app (or by emailing us). Deletion is permanent and removes your account row, your subscription record on our side, all push tokens, and all telemetry rows joined to your user ID. Your local SQLite recipe library stays on your phone; uninstall the app to remove it.

7.Security

  • All HTTP traffic between your device and our infrastructure is TLS-encrypted (Caddy issues certificates from Let's Encrypt).
  • Passwords are stored as scrypt hashes via better-auth.
  • Instagram cookies on our server are encrypted at rest with AES-256-GCM; the key is held only on the API server and rotates with no schema change required.
  • Backups are encrypted (restic with a passphrase held only by the operator) and stored off-site.
  • We follow the principle of least privilege for subprocessors: Anthropic and Groq receive a single reel's transcript or audio, never your library or account identifiers.

We will notify you within 72 hours of becoming aware of a breach that affects your personal data, per GDPR Article 33's timeline.

8.Children

SavePlate is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, email [email protected] and we'll delete the account.

9.Changes to this policy

When we change this policy we'll bump the "last updated" date at the top and post a note in the in-app changelog. Material changes (e.g. adding a new subprocessor) get a separate email to the account address.

10.Contact

Privacy Policy · SavePlate