Privacy Policy

Last updated: 19 June 2026 Effective date: 19 June 2026

This Privacy Policy explains how Ciboo, operated by IE Yevhen Lomakin (individual entrepreneur, Georgia) (“Ciboo”, “we”, “us”, or “our”), collects, uses, shares, and protects your personal data when you use the Ciboo mobile application (the “App”) and our website at getciboo.com (together, the “Service”).

Please read this Policy together with our Terms & Conditions.

Plain-language summary. Ciboo helps you import recipes, plan meals, and build shopping lists. To do that we store your account details and the content you create, and we use a small number of trusted service providers (for sign-in, payments, AI recipe parsing, hosting, and crash reporting). We store your data on servers in Germany (EU). We do not sell your personal data. You can access, export, or delete your data at any time, including by deleting your account from inside the App.


1. Who we are (Data Controller)

The data controller responsible for your personal data is:

IE Yevhen Lomakin (individual entrepreneur, registered in Georgia) Address: წინამძღვრიშვილის ქუჩა 52, Didube-Chughureti, Tbilisi 0102, Georgia (Tsinamdzghvrishvili Street 52, Didube-Chughureti, Tbilisi 0102, Georgia)


2. Scope and who this applies to

This Policy applies to everyone who uses Ciboo, anywhere in the world. Because our users include people in the European Economic Area (EEA), the United Kingdom, Georgia, and the United States, this Policy contains region-specific sections (see Section 11) that give you additional rights depending on where you live. Those regional rights are in addition to, and do not replace, the rest of this Policy.

The Service is intended for users aged 16 and over (see Section 12).


3. The personal data we collect

We collect the following categories of personal data.

CategoryExamplesWhere it comes from
Account & identityEmail address (or an Apple private relay email if you use Sign in with Apple), username, Firebase user ID, date of last sign-inYou, and your sign-in provider (Firebase, Google Sign-In, or Sign in with Apple)
Content you createRecipes (title, description, ingredients, instructions), recipe images you upload, meal plans (number of people, dates), meal entries and notes, shopping listsYou
AI feature inputsRecipe URLs or text you submit for import; images/media you submit for recipe extractionYou
Subscription & purchase dataYour subscription status (free/Pro), plan, entitlement expiry, RevenueCat customer ID, in-app purchase eventsYou and our payments providers (RevenueCat, Apple App Store, Google Play)
Usage & quota dataTimestamps recording your AI-import usage (to enforce free-tier limits and prevent abuse)Generated by the Service
Crash & error dataCrash logs, stack traces, error reports, device/OS information (collected in released app builds only)Generated by the App (Firebase Crashlytics)

We do not intentionally collect special-category (sensitive) data such as health or medical information. Meal and recipe content may indirectly reveal dietary choices; please do not enter sensitive health information you do not want stored. We also do not use the device advertising identifier (IDFA/AAID) and do not run advertising or cross-app tracking SDKs.

Note: Ciboo does not currently collect product-analytics/usage data. If we introduce analytics in the future, we will update this Policy and provide any notice or controls required by law before doing so.


4. AI-powered features

Ciboo uses third-party AI providers to power recipe import and search:

Important:


Where the GDPR or UK GDPR applies, we rely on the following legal bases.

PurposeLegal basis (GDPR Art. 6)
Create and manage your account; authenticate youPerformance of a contract (Art. 6(1)(b))
Provide core features (recipes, meal plans, shopping lists, storage)Performance of a contract (Art. 6(1)(b))
Provide AI import and search featuresPerformance of a contract (Art. 6(1)(b)); legitimate interests for service improvement (Art. 6(1)(f))
Process subscriptions and purchasesPerformance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting records (Art. 6(1)(c))
Enforce free-tier limits and prevent abuse/fraudLegitimate interests (Art. 6(1)(f))
Diagnose crashes and keep the App stable and secureLegitimate interests (Art. 6(1)(f))
Communicate with you about the Service and respond to requestsPerformance of a contract and legitimate interests (Art. 6(1)(b), (f))
Comply with legal obligations and defend legal claimsLegal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f))

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.


6. Cookies and similar technologies

The Ciboo mobile App does not use advertising cookies or third-party tracking SDKs. The App uses local on-device storage and caching to make the App work and to remember your settings. Our website getciboo.com uses strictly necessary cookies, including security cookies set by our infrastructure provider Cloudflare (for example, to identify trusted traffic and to mitigate malicious or automated requests); these are essential to deliver and protect the site. If we add analytics or other non-essential cookies to the website, we will provide a cookie notice and obtain consent where required.


7. Service providers and sub-processors we share data with

We share personal data only with the providers we need to run the Service. We do not sell your personal data, and we do not share it for cross-context behavioural advertising. Each provider may act as our processor or, for their own defined purposes, as an independent controller.

ProviderPurposeData sharedLocation
Google / FirebaseAuthentication, Google Sign-In, crash reportingAccount identifiers, email, sign-in data, crash/diagnostic dataGoogle global infrastructure (incl. US)
AppleSign in with Apple authenticationThe email (or Apple private relay email) you choose to shareApple global infrastructure (incl. US/EU)
RevenueCatSubscription management and entitlement validationApp user ID, subscription/purchase events, customer IDUS
Apple App Store / Google PlayProcess in-app purchases and subscriptionsPurchase and billing data (Apple/Google are the merchants of record)Global (incl. US)
AnthropicAI recipe parsingRecipe URLs/text you submitUS
OpenAISearch embeddingsRecipe textUS
MongoDB AtlasPrimary database hostingAll account and content dataGermany (EU)
MinIO / AIStor (self-hosted)Object storage for images and temporary mediaUploaded images and temporary mediaGermany (EU)
CloudflareCDN, DNS, TLS, caching, and security/DDoS protection for our website and APIIP addresses, request metadata, and security signals from website visitors and app trafficGlobal edge network (incl. EU & US)

If we add or change service providers (for example, optional AI video analysis or LLM tracing), we will update this table and the “Last updated” date above.

We may also disclose personal data to: professional advisers (lawyers, accountants); authorities where required by law; and a successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.


8. International data transfers

Your personal data is stored on servers located in Germany (EU). Some of our service providers (Section 7) process data outside the EEA/UK — principally in the United States — and we, as the operator, access data from Georgia.

Where we transfer personal data outside the EEA or UK, we rely on appropriate safeguards, such as:

Neither the United States nor Georgia is currently covered by an EU adequacy decision. Transfers to our providers in the United States, and our own administrative access to the data from Georgia, therefore rely on the Standard Contractual Clauses referenced above (and on the EU–US Data Privacy Framework where a provider is certified).

You can request a copy of the relevant safeguards by emailing [email protected].


9. Your choices and controls


10. Data retention

We keep personal data only as long as we need it:


11. Your rights

EEA / UK (GDPR and UK GDPR)

If you are in the EEA or UK, you have the right to: access your data; rectify inaccurate data; erase your data (“right to be forgotten”); restrict or object to processing (including processing based on legitimate interests); data portability; and to withdraw consent at any time where we rely on consent. You also have the right to lodge a complaint with your local supervisory authority.

To exercise these rights, email [email protected]. We will respond within the time limits required by law (generally one month under the GDPR).

Georgia (Law of Georgia on Personal Data Protection)

If you are in Georgia, you have rights under the Law of Georgia on Personal Data Protection (in force since 1 March 2024), including rights to information, access, correction, deletion, blocking, and withdrawal of consent. You may lodge a complaint with the Personal Data Protection Service of Georgia (personaldata.ge).

California (CCPA/CPRA) and other US state laws

If you are a California resident, you have the right to: know what personal information we collect and how we use it; access and delete your personal information; correct inaccurate information; and to be free from discrimination for exercising your rights.

To exercise these rights, email [email protected]. You may use an authorised agent, and we will verify your request as required by law. Residents of other US states with comparable privacy laws have similar rights, which we honour where applicable.


12. Children

Ciboo is not directed to, and is not intended for, children. You must be at least 16 years old to use the Service. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us personal data, contact [email protected] and we will delete it.


13. Security

We use technical and organisational measures to protect your data, including encryption in transit, access controls, authentication via Firebase, and EU-based hosting. No method of transmission or storage is completely secure, but we work to protect your data. Where a personal-data breach occurs, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and will inform affected users where required by law.


14. Changes to this Policy

We may update this Policy from time to time. We will change the “Last updated” date above and, for material changes, provide a more prominent notice (such as in the App). Your continued use of the Service after an update means you accept the revised Policy.


15. Contact us

For any question about this Policy or your personal data:


Disclaimer: This document is a best-practice template tailored to Ciboo’s data practices as described to us. It is not legal advice. Have it reviewed by a qualified lawyer before publishing, and keep it accurate as the Service changes.