Privacy Policy
Last updated: 19 June 2026 Effective date: 19 June 2026
This Privacy Policy explains how Ciboo, operated by IE Yevhen Lomakin (individual entrepreneur, Georgia) (“Ciboo”, “we”, “us”, or “our”), collects, uses, shares, and protects your personal data when you use the Ciboo mobile application (the “App”) and our website at getciboo.com (together, the “Service”).
Please read this Policy together with our Terms & Conditions.
Plain-language summary. Ciboo helps you import recipes, plan meals, and build shopping lists. To do that we store your account details and the content you create, and we use a small number of trusted service providers (for sign-in, payments, AI recipe parsing, hosting, and crash reporting). We store your data on servers in Germany (EU). We do not sell your personal data. You can access, export, or delete your data at any time, including by deleting your account from inside the App.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
IE Yevhen Lomakin (individual entrepreneur, registered in Georgia) Address: წინამძღვრიშვილის ქუჩა 52, Didube-Chughureti, Tbilisi 0102, Georgia (Tsinamdzghvrishvili Street 52, Didube-Chughureti, Tbilisi 0102, Georgia)
- Privacy enquiries and data-subject requests: [email protected]
- General support: [email protected]
2. Scope and who this applies to
This Policy applies to everyone who uses Ciboo, anywhere in the world. Because our users include people in the European Economic Area (EEA), the United Kingdom, Georgia, and the United States, this Policy contains region-specific sections (see Section 11) that give you additional rights depending on where you live. Those regional rights are in addition to, and do not replace, the rest of this Policy.
The Service is intended for users aged 16 and over (see Section 12).
3. The personal data we collect
We collect the following categories of personal data.
| Category | Examples | Where it comes from |
|---|---|---|
| Account & identity | Email address (or an Apple private relay email if you use Sign in with Apple), username, Firebase user ID, date of last sign-in | You, and your sign-in provider (Firebase, Google Sign-In, or Sign in with Apple) |
| Content you create | Recipes (title, description, ingredients, instructions), recipe images you upload, meal plans (number of people, dates), meal entries and notes, shopping lists | You |
| AI feature inputs | Recipe URLs or text you submit for import; images/media you submit for recipe extraction | You |
| Subscription & purchase data | Your subscription status (free/Pro), plan, entitlement expiry, RevenueCat customer ID, in-app purchase events | You and our payments providers (RevenueCat, Apple App Store, Google Play) |
| Usage & quota data | Timestamps recording your AI-import usage (to enforce free-tier limits and prevent abuse) | Generated by the Service |
| Crash & error data | Crash logs, stack traces, error reports, device/OS information (collected in released app builds only) | Generated by the App (Firebase Crashlytics) |
We do not intentionally collect special-category (sensitive) data such as health or medical information. Meal and recipe content may indirectly reveal dietary choices; please do not enter sensitive health information you do not want stored. We also do not use the device advertising identifier (IDFA/AAID) and do not run advertising or cross-app tracking SDKs.
Note: Ciboo does not currently collect product-analytics/usage data. If we introduce analytics in the future, we will update this Policy and provide any notice or controls required by law before doing so.
4. AI-powered features
Ciboo uses third-party AI providers to power recipe import and search:
- Recipe parsing. When you import a recipe from a URL or text, the URL and/or the page content and text you provide are sent to Anthropic (Claude models) to extract a structured recipe (title, ingredients, instructions, etc.).
- Search embeddings. Recipe text (such as title and ingredients) is sent to OpenAI to generate numerical “embeddings” that power semantic recipe search.
Important:
- These providers process your input only to return a result to us; under our agreements with these providers, your inputs are not used to train their models.
- AI output can be inaccurate or incomplete. Ciboo’s AI features do not provide medical, nutritional, or dietary advice — see our Terms & Conditions.
- We may add or change AI providers (for example, for image or video recipe extraction). If we do, we will update this Policy and the sub-processor list in Section 7.
5. How we use your data and our legal bases
Where the GDPR or UK GDPR applies, we rely on the following legal bases.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and manage your account; authenticate you | Performance of a contract (Art. 6(1)(b)) |
| Provide core features (recipes, meal plans, shopping lists, storage) | Performance of a contract (Art. 6(1)(b)) |
| Provide AI import and search features | Performance of a contract (Art. 6(1)(b)); legitimate interests for service improvement (Art. 6(1)(f)) |
| Process subscriptions and purchases | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting records (Art. 6(1)(c)) |
| Enforce free-tier limits and prevent abuse/fraud | Legitimate interests (Art. 6(1)(f)) |
| Diagnose crashes and keep the App stable and secure | Legitimate interests (Art. 6(1)(f)) |
| Communicate with you about the Service and respond to requests | Performance of a contract and legitimate interests (Art. 6(1)(b), (f)) |
| Comply with legal obligations and defend legal claims | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
6. Cookies and similar technologies
The Ciboo mobile App does not use advertising cookies or third-party tracking SDKs. The App uses local on-device storage and caching to make the App work and to remember your settings. Our website getciboo.com uses strictly necessary cookies, including security cookies set by our infrastructure provider Cloudflare (for example, to identify trusted traffic and to mitigate malicious or automated requests); these are essential to deliver and protect the site. If we add analytics or other non-essential cookies to the website, we will provide a cookie notice and obtain consent where required.
7. Service providers and sub-processors we share data with
We share personal data only with the providers we need to run the Service. We do not sell your personal data, and we do not share it for cross-context behavioural advertising. Each provider may act as our processor or, for their own defined purposes, as an independent controller.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Google / Firebase | Authentication, Google Sign-In, crash reporting | Account identifiers, email, sign-in data, crash/diagnostic data | Google global infrastructure (incl. US) |
| Apple | Sign in with Apple authentication | The email (or Apple private relay email) you choose to share | Apple global infrastructure (incl. US/EU) |
| RevenueCat | Subscription management and entitlement validation | App user ID, subscription/purchase events, customer ID | US |
| Apple App Store / Google Play | Process in-app purchases and subscriptions | Purchase and billing data (Apple/Google are the merchants of record) | Global (incl. US) |
| Anthropic | AI recipe parsing | Recipe URLs/text you submit | US |
| OpenAI | Search embeddings | Recipe text | US |
| MongoDB Atlas | Primary database hosting | All account and content data | Germany (EU) |
| MinIO / AIStor (self-hosted) | Object storage for images and temporary media | Uploaded images and temporary media | Germany (EU) |
| Cloudflare | CDN, DNS, TLS, caching, and security/DDoS protection for our website and API | IP addresses, request metadata, and security signals from website visitors and app traffic | Global edge network (incl. EU & US) |
If we add or change service providers (for example, optional AI video analysis or LLM tracing), we will update this table and the “Last updated” date above.
We may also disclose personal data to: professional advisers (lawyers, accountants); authorities where required by law; and a successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.
8. International data transfers
Your personal data is stored on servers located in Germany (EU). Some of our service providers (Section 7) process data outside the EEA/UK — principally in the United States — and we, as the operator, access data from Georgia.
Where we transfer personal data outside the EEA or UK, we rely on appropriate safeguards, such as:
- the European Commission’s Standard Contractual Clauses (SCCs) and the UK Addendum/International Data Transfer Agreement;
- transfers to providers certified under the EU–US Data Privacy Framework (and its UK extension), where applicable; and
- transfers to countries recognised as providing an adequate level of protection, where applicable.
Neither the United States nor Georgia is currently covered by an EU adequacy decision. Transfers to our providers in the United States, and our own administrative access to the data from Georgia, therefore rely on the Standard Contractual Clauses referenced above (and on the EU–US Data Privacy Framework where a provider is certified).
You can request a copy of the relevant safeguards by emailing [email protected].
9. Your choices and controls
- Account data. You can view and update your profile in the App.
- Delete your account. You can delete your account and associated data directly in the App. Deletion removes your account and the content linked to it from our active systems (see Section 10, Data retention).
- Crash reporting. We collect crash and error diagnostics in released builds on the basis of our legitimate interest in keeping the App stable and secure.
- Marketing. We do not currently send marketing emails. If we start, you will be able to unsubscribe at any time.
10. Data retention
We keep personal data only as long as we need it:
- Account and content data: until you delete it or close your account, after which it is removed from active systems, and any copies in encrypted backups are deleted within 30 days as those backups rotate.
- Temporary uploaded media: automatically deleted approximately 24 hours after upload if not attached to a saved recipe.
- Usage/quota timestamps: kept only for the rolling window needed to enforce limits.
- Payment and tax records: retained as long as required by applicable accounting and tax law.
11. Your rights
EEA / UK (GDPR and UK GDPR)
If you are in the EEA or UK, you have the right to: access your data; rectify inaccurate data; erase your data (“right to be forgotten”); restrict or object to processing (including processing based on legitimate interests); data portability; and to withdraw consent at any time where we rely on consent. You also have the right to lodge a complaint with your local supervisory authority.
To exercise these rights, email [email protected]. We will respond within the time limits required by law (generally one month under the GDPR).
Georgia (Law of Georgia on Personal Data Protection)
If you are in Georgia, you have rights under the Law of Georgia on Personal Data Protection (in force since 1 March 2024), including rights to information, access, correction, deletion, blocking, and withdrawal of consent. You may lodge a complaint with the Personal Data Protection Service of Georgia (personaldata.ge).
California (CCPA/CPRA) and other US state laws
If you are a California resident, you have the right to: know what personal information we collect and how we use it; access and delete your personal information; correct inaccurate information; and to be free from discrimination for exercising your rights.
- In the past 12 months we have collected these categories of personal information: identifiers (e.g., email, user IDs), commercial information (subscription/purchase records), internet/app activity (crash and diagnostic data), and user content (recipes, meal plans, images).
- We do not sell your personal information and we do not share it for cross-context behavioural advertising, so there is no “Do Not Sell or Share My Personal Information” mechanism to operate. We do not process sensitive personal information for purposes that would require an opt-out.
To exercise these rights, email [email protected]. You may use an authorised agent, and we will verify your request as required by law. Residents of other US states with comparable privacy laws have similar rights, which we honour where applicable.
12. Children
Ciboo is not directed to, and is not intended for, children. You must be at least 16 years old to use the Service. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us personal data, contact [email protected] and we will delete it.
13. Security
We use technical and organisational measures to protect your data, including encryption in transit, access controls, authentication via Firebase, and EU-based hosting. No method of transmission or storage is completely secure, but we work to protect your data. Where a personal-data breach occurs, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and will inform affected users where required by law.
14. Changes to this Policy
We may update this Policy from time to time. We will change the “Last updated” date above and, for material changes, provide a more prominent notice (such as in the App). Your continued use of the Service after an update means you accept the revised Policy.
15. Contact us
For any question about this Policy or your personal data:
- Privacy: [email protected]
- Support: [email protected]
- Post: IE Yevhen Lomakin, წინამძღვრიშვილის ქუჩა 52, Didube-Chughureti, Tbilisi 0102, Georgia
Disclaimer: This document is a best-practice template tailored to Ciboo’s data practices as described to us. It is not legal advice. Have it reviewed by a qualified lawyer before publishing, and keep it accurate as the Service changes.