Privacy Policy
Last updated: April 28, 2026
The short version
softboiled is a personal recipe management app. We do not sell your data, show ads, or track your behavior. Your recipes are yours. You can export them anytime and delete your account whenever you want.
What we collect
- Email address — for login and account recovery
- Display name — shown in the app
- Recipe data — titles, ingredients, steps, tags, images, source info, notes, ratings. This is the core of what softboiled stores for you.
- Kitchen Lab history — AI blend requests and results, so you can revisit past experiments
What we do NOT collect
- No tracking cookies or analytics cookies
- No behavioral profiling or usage tracking
- No location data
- No contact list access
- No device fingerprinting
Cookbook indexing — what stays on your device
When you use the cookbook indexing feature to photograph pages from cookbooks you own, our long-term goal is for the photo itself never to leave your device — only the extracted ingredient list and steps reach our servers. We are migrating toward client-side text recognition for this feature; until that migration is complete, photos are processed by our private AI server (Eva) and discarded immediately after extraction.
Recipes you index from cookbooks are kept private to your account. We never make them public, never share them with third parties beyond what is required to operate the service, and never include their contents in any analytics shared outside softboiled.
Each time you upload from a cookbook, we record an ownership attestation (a timestamped log of your confirmation that you own the book) along with the cookbook's title, author, and ISBN where known. This is an audit record retained for compliance purposes.
Logs and audit data
We retain server logs containing IP addresses and request metadata for up to 90 days for security and abuse-prevention purposes. Ownership attestations and DMCA notices are kept indefinitely as legal records. Account deletion does not erase ownership attestation records — these are anonymized (the user link is removed) but the attestation event itself is preserved.
How we protect your data
- Encryption in transit: All connections use HTTPS with TLS 1.2+. HSTS is enforced.
- Encryption at rest: Supabase encrypts the database at the infrastructure level.
- Row Level Security: Database rules ensure you can only access your own recipes.
- Log sanitization: Passwords, tokens, and email addresses are automatically redacted from logs.
AI features (Simmer)
When you use Simmer to transform a recipe, your recipe data is sent to Eva (our local AI server) for processing. Eva runs on private infrastructure — not a Big Tech cloud service.
If the local AI cannot process your request (for example, a handwritten recipe photo that needs better vision), it may fall back to Anthropic's Claude API. This happens rarely and only for specific vision tasks. When it does, the recipe content is sent to Anthropic and is subject to their data usage policy.
Simmer only processes data when you explicitly click "Simmer it" or "Generate" — never in the background.
Third-party services
- Supabase — hosts our database and handles authentication
- Vercel — hosts the website
- Upstash — provides rate limiting (stores request counts, not personal data)
- Eva / LocalAI — AI processing on private infrastructure
- Anthropic — fallback AI processing for vision tasks (rare)
We do not use Google Analytics, Facebook Pixel, or any advertising network.
Your rights
You can:
- See your data — your recipes, collections, and tags are all visible in the app
- Export your data — download your entire library as JSON from Settings
- Delete your account — permanently removes your account, all recipes, collections, tags, and Kitchen Lab history. Available in Settings.
We will never
- Sell, license, or trade your data
- Show you ads
- Build behavioral profiles
- Share your recipes with anyone unless you choose to make them public
Contact
For privacy questions: privacy@jessicathornton.dev