Privacy Policy

Effective date: March 4, 2026 · Last updated: March 24, 2026

This Privacy Policy describes how Antigrav (“we,” “us,” “our”), an individual developer based in Bulgaria, European Union, collects, uses, shares, and protects your personal information when you use the Recepto application, website (recepto.app), and all related services (collectively, the “Service”).

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

1. Information We Collect

1.1. Account and Profile Information

When you create an account, we collect:

  • Email address — required for account registration and communication.
  • Password — securely hashed and stored by our authentication provider (Supabase Auth). We never store or have access to your plaintext password.
  • Username — chosen by you, used to identify your account publicly.
  • Display name — optional, shown on your public profile.
  • Profile image — optional, uploaded by you and stored in Cloudflare R2.
  • Biography — optional text you may add to your profile.

1.2. Third-Party Authentication Data

If you sign in using Google, we receive limited information from that provider as authorized by you:

  • Email address
  • Name
  • Profile picture URL

We use this information solely to create and maintain your Recepto account. We do not receive or store your Google password. OAuth tokens are used transiently during the authentication process and are not permanently stored by us.

1.3. User-Generated Content

Content that you voluntarily create and submit to the Service, including:

  • Recipes — title, description, ingredients, preparation steps, cook time, difficulty, serving size, tags, and associated images.
  • Comments — text comments you post on recipes.
  • Social interactions — likes, saved/bookmarked recipes, and follow relationships.
  • “Made It” markers — when you mark a recipe as one you have made.

1.4. Usage and Behavioral Data

We collect data about how you interact with the Service to provide and improve the personalized experience:

  • Recipe views — which recipes you view, view duration, and timestamp.
  • Feed interactions — recipes you mark as “Not Interested,” recipes you view from the feed.
  • Like and save patterns — aggregated patterns used by the feed recommendation algorithm.

1.5. Preference Data

Information you provide during onboarding or in your profile settings:

  • Cuisine preferences — types of cuisines you are interested in (e.g., Italian, Bulgarian, Asian).
  • Dietary preferences — dietary restrictions or preferences (e.g., vegetarian, gluten-free).
  • Language preference — your preferred content language (English, Bulgarian, or both).

1.6. Device and Technical Data

  • Push notification tokens — device-specific tokens used to deliver push notifications if you have opted in. Push notifications are entirely optional. The operating system permission prompt serves as your consent. You can disable push notifications at any time via your device settings or in-app notification settings. These tokens do not reveal personal information and are used solely for notification delivery.
  • Device platform — iOS, Android, or Web, collected to provide the appropriate version of the Service.
  • IP address — recorded in server logs for security, abuse prevention, and rate limiting. IP addresses are not associated with your profile or used for tracking.
  • Timestamps — the time of account creation, login events, and content creation.

1.7. Reports and Feedback

If you submit a report about another user or content, or send us feedback, we collect:

  • Report/feedback category — the type of issue (e.g., bug, feature request, spam, inappropriate content).
  • Description — the text you provide describing the issue.
  • Associated content — the recipe or user that is the subject of a report.

1.8. Information We Do NOT Collect

We want to be transparent about what we do not collect:

  • Location data — we do not collect GPS, Wi-Fi, or any other location information.
  • Third-party analytics — we do not use Firebase Analytics, Google Analytics, Mixpanel, or any third-party analytics SDK.
  • Contact lists — we do not access your phone contacts or address book.
  • Financial data — the Service is currently free and we do not collect payment information.
  • Biometric data — we do not collect fingerprint, face recognition, or other biometric data.

2. How We Use Your Information

2.1. Providing and Operating the Service (Legal Basis: Contract Performance)

  • Creating and maintaining your account.
  • Enabling you to post recipes, comments, and interact with other users.
  • Delivering push notifications you have opted into.
  • Processing recipe translations between English and Bulgarian via DeepL.
  • Displaying your public profile and content to other users.

2.2. Personalization and Recommendations (Legal Basis: Legitimate Interest)

  • Generating your personalized “For You” feed using our recommendation algorithm, which considers your cuisine preferences, dietary preferences, language preference, view history, like/save patterns, and interaction data.
  • Displaying trending and popular content.
  • Providing relevant search results and suggestions.

You can control personalization by updating your preferences in your profile settings or by marking content as “Not Interested.”

2.3. Safety, Security, and Integrity (Legal Basis: Legitimate Interest)

  • Detecting and preventing fraud, abuse, spam, and other harmful activity.
  • Enforcing our Terms of Service and community guidelines.
  • Automated content moderation: recipe images are analyzed for inappropriate content via Sightengine, and recipe text is checked for profanity via profanity.dev (legal basis: legitimate interest in content safety; only recipe text — title, ingredients, steps — is sent, with no personal identifiers; profanity.dev does not retain any data beyond API call processing). This processing is necessary to maintain a safe community environment. You will be notified if your content is flagged. You have the right to request human review of any automated moderation decision by contacting us at [email protected].
  • Reviewing reports of content or user violations.
  • Rate limiting and abuse prevention using IP addresses.

2.4. Communication (Legal Basis: Contract Performance / Legitimate Interest)

  • Sending verification emails when you create an account or change your email address.
  • Sending push notifications about activity on your account (new followers, likes, comments) if you have opted in.
  • Responding to your feedback, support requests, or reports.

2.5. Improvement and Development (Legal Basis: Legitimate Interest)

  • Understanding usage patterns to improve Service features and performance.
  • Analyzing aggregated, non-identifiable data to develop new features.
  • Monitoring system health and performance.

2.6. Legal Obligations (Legal Basis: Legal Obligation)

  • Complying with applicable laws, regulations, and legal processes.
  • Responding to lawful requests from governmental authorities.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

3.1. Public Content

Your public profile (username, display name, profile image, biography) and your public recipes, comments, likes, and follows are visible to other users of the Service. This is fundamental to how the Service operates as a social platform.

3.2. Service Providers

We share information with third-party service providers who process data on our behalf to help us operate the Service. These providers are contractually obligated to use your data only for the purposes we specify:

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Authentication, database hosting | Email, password hash | Singapore |
| Render | Backend application hosting | All data processed by the server (encrypted in transit) | United States |
| Cloudflare | DNS, CDN, DDoS protection, image storage, Turnstile bot protection | IP address (for verification), uploaded images | United States / global CDN |
| DeepL | Recipe text translation | Recipe title, ingredients, steps — no personal identifiers | Germany |
| Resend | Transactional emails | Email address | United States |
| Google | OAuth authentication; Play Integrity for device attestation on Android | Name, email, authentication tokens | United States |
| Sightengine | Recipe image content moderation (nudity detection) | Recipe image URLs | United States |
| profanity.dev | Recipe text profanity detection | Recipe text (title, ingredients, steps) — no personal identifiers; no data retained beyond API call processing | Via API |
| Expo | Push notification delivery | Device push tokens | United States |
| Discord | Admin notifications via webhook | Usernames only (no email or other PII); used solely for internal admin review | United States |

3.3. Admin Notifications

Reports and feedback submitted by users are forwarded to a private Discord channel via webhook for admin review. Discord is a US-based service. These notifications contain the report/feedback category, description, and the username (not email or other PII) of the reporting user. Content moderation alerts (flagged images or text) include the recipe title, author username, and flagged content details. This channel is accessible only to Recepto administrators and is used solely for internal admin review.

3.4. Legal Requirements

We may disclose your information if required to do so by law, or in good faith belief that such action is necessary to:

  • Comply with a legal obligation or lawful request from governmental authorities.
  • Protect and defend the rights or property of Antigrav.
  • Prevent or investigate possible wrongdoing in connection with the Service.
  • Protect the personal safety of users of the Service or the public.
  • Protect against legal liability.

3.5. Business Transfers

If Antigrav is involved in a merger, acquisition, asset sale, or similar business transaction, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal information.

4. International Data Transfers

Antigrav is based in Bulgaria, a member state of the European Union. However, we use service providers located in various countries, including the United States and Singapore.

When your data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place in accordance with Article 46 of the GDPR. These safeguards include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
  • Adequacy decisions by the European Commission for countries deemed to provide an adequate level of data protection.
  • EU-U.S. Data Privacy Framework for transfers to certified US-based service providers, where applicable.

By using the Service, you acknowledge that your data may be processed in countries outside the EEA. We take steps to ensure that your data receives an adequate level of protection wherever it is processed.

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

All personal data is retained until you delete your account. This includes:

  • Account and profile data
  • User-generated content (recipes, comments, likes, saves)
  • Usage data (views, interactions)
  • Push notification tokens
  • Preference and personalization data
  • Reports and feedback

When you delete your account, all your personal data is permanently deleted within thirty (30) days. This includes content moderation logs and personalization data associated with your account.

Server logs containing IP addresses are retained for up to 90 days for security and debugging purposes.

Certain aggregated, anonymized data (such as recipe popularity statistics) that cannot be used to identify you may be retained indefinitely for analytical purposes.

6. Your Rights and Choices

6.1. Rights for All Users

Regardless of your location, you have the following rights:

  • Access: You can view your personal information through your profile and settings in the Service.
  • Correction: You can update your profile information at any time through the Service.
  • Deletion: You can delete your account and associated data through the Service or by contacting us at [email protected].
  • Push Notifications: You can enable or disable push notifications through your device settings or the Service settings.
  • Feed Personalization: You can update your cuisine, dietary, and language preferences at any time. You can mark content as “Not Interested” to influence your feed.

6.2. Rights Under GDPR (EEA, UK, and Switzerland Residents)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation:

  • (a) Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
  • (b) Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete personal data.
  • (c) Right to Erasure / Right to Be Forgotten (Article 17): You have the right to request deletion of your personal data, subject to certain legal exceptions (such as compliance with a legal obligation).
  • (d) Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • (e) Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON), and to transmit that data to another controller.
  • (f) Right to Object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • (g) Right to Withdraw Consent (Article 7): Where we process data based on your consent, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing carried out before the withdrawal.
  • (h) Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. In Bulgaria, this is the Commission for Personal Data Protection (CPDP) at https://www.cpdp.bg.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) days. We may request verification of your identity before processing your request.

6.3. Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • (a) Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.
  • (b) Right to Delete: You have the right to request deletion of your personal information, subject to certain legal exceptions.
  • (c) Right to Correct: You have the right to request correction of inaccurate personal information.
  • (d) Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out; however, you have this right should our practices change in the future.
  • (e) Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your CCPA/CPRA rights, contact us at [email protected]. We will verify your identity using your account email. You may also designate an authorized agent to make a request on your behalf.

7. Local Storage and Cookies

The Service uses local device storage to provide a functional experience. We do not use tracking cookies or third-party cookies.

Data stored locally on your device:

  • iOS Keychain / Android Keystore — stores authentication tokens; purpose: securely storing login credentials.
  • AsyncStorage (mobile) — stores cached user profile and app preferences; purpose: improving app performance and offline access.
  • SecureStore (mobile) — stores encrypted authentication credentials; purpose: secure credential storage.
  • localStorage (web) — stores session data and user preferences; purpose: maintaining login state and preferences.

You can clear locally stored data at any time by clearing the app data on your device or clearing your browser storage for the web version.

We do not use tracking pixels, web beacons, or similar tracking technologies.

8. Children’s Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16.

If we learn that we have collected personal information from a child under 16, we will take prompt steps to delete that information and terminate the associated account.

If you are a parent or guardian and believe that your child under 16 has provided personal information to us, please contact us at [email protected], and we will take steps to remove the information and close the account.

9. Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it, including:

  • Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS (HTTPS).
  • Password hashing — passwords are hashed using bcrypt via Supabase Auth. We never store or have access to plaintext passwords.
  • Access controls — access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Input validation and sanitization — to prevent injection attacks and other common vulnerabilities.
  • Rate limiting — API rate limiting (500 requests per 15-minute window) to prevent abuse and brute-force attacks.
  • Secure authentication — JWT-based authentication with token expiration and refresh mechanisms.

Despite our efforts, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the security of your account credentials.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, in accordance with Article 34 of the GDPR.

10. Future Changes: Advertising

We currently do not display advertisements in the Service. However, we may introduce advertising in the future (such as Google AdMob).

If and when we introduce advertising, we will update this Privacy Policy to reflect any additional data collection or sharing practices associated with the advertising service. We will provide notice of such changes as described in Section 12.

We will never sell your personal data to advertisers. Any future advertising will rely on contextual targeting or anonymized, aggregated data, not the sale of personal information.

11. Data Protection Officer

Given the current scale of our operations, we have not appointed a dedicated Data Protection Officer (DPO). However, for all data protection inquiries, requests, or concerns, you may contact us at:

Data Protection Contact
Email: [email protected]

If our data processing activities expand to the point where a DPO appointment is required under Article 37 of the GDPR, we will make such an appointment and update this section accordingly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will provide notice through the Service (such as an in-app notification or a prominent notice on our website) at least thirty (30) days before the changes take effect.

The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the revised Privacy Policy. If you do not agree with the updated Privacy Policy, you should discontinue your use of the Service and delete your account.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

For GDPR-related requests, please include “Data Protection Request” in the subject line of your email so that we can prioritize your inquiry.

For CCPA/CPRA-related requests, please include “California Privacy Request” in the subject line.

We aim to respond to all inquiries within thirty (30) days.