Privacy Policy

This Privacy Policy (“Policy”) describes how Two Minds Solutions FZ LLC, a company incorporated under the laws of the United Arab Emirates (“KitchUp,” “Company,” “we,” “us,” or “our”), collects, uses, stores, processes, shares, and discloses information when you access or use the KitchUp mobile application, website, APIs, and all related services (collectively, the “Service”).

By downloading, installing, accessing, or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, storage, processing, sharing, and disclosure of your information as described in this Policy. If you do not agree to this Policy, you must immediately stop using the Service and delete your account.

This Policy is incorporated into and forms part of our Terms & Conditions. Capitalized terms not defined herein have the meanings assigned to them in the Terms & Conditions.

1. Information We Collect

We collect information from and about you in various ways when you use the Service. The types of information we collect depend on how you interact with the Service and the features you use.

1.1 Account and Identity Information

When you create an account, we collect:

• Name: First name and last name (required)
• Email address: Required for email-based accounts; may be provided by OAuth providers
• Username: If you choose to set one
• Profile picture: If you upload one or if provided by your authentication provider
• OAuth identifiers: Unique identifiers from Apple or Google (and any other authentication providers we may add in the future) when you use those services to sign in
• Authentication data: One-time passwords (OTPs), email verification tokens, and related security data (stored in encrypted or hashed form)

1.2 Recipe and Kitchen Data

We collect and store all content you create, import, or interact with, including:

• Recipes (titles, ingredients, instructions, cooking times, servings, notes, images, source URLs, author information, and translations)
• Recipe categories, tags, and organizational preferences
• Favorite recipes and saved recipes
• Recipe images you upload or that are extracted from imported sources
• Preparation checklists and manual prep tasks

1.3 Meal Planning Data

• Meal plan entries (dates, meal types, dish names, servings, notes)
• Recurring meal configurations and scheduling preferences
• Meal plan modifications and exceptions

1.4 Grocery and Shopping Data

• Grocery list items, quantities, units, aisle preferences, and completion status
• Favorite grocery items and unit/aisle preferences
• Custom grocery lists and list preferences
• Preferred grocers/stores, custom store names, website URLs, logos, and ordering preferences
• Grocer requests and suggestions

1.5 Health, Nutrition, and Body Data

If you use our nutrition tracking features, we collect sensitive health-related data including:

• Nutrition profile: Height, weight, age, gender, activity level, health goals, weekly goal targets, macro and micronutrient targets, water intake targets
• Food logs: Meals logged (food names, serving descriptions, serving sizes), caloric intake, macronutrients (protein, carbohydrates, fat), fiber, sugar, sodium, and other nutritional values, categorized by meal type and date
• Weight logs: Body weight measurements over time, with dates and notes
• Water logs: Daily water intake amounts and container types
• Workout logs: Exercise names, types, duration, calories burned, intensity levels, and notes
• Day completion records: Daily tracking completion status
• Saved foods: Custom food entries with nutritional information you define

You provide this data voluntarily. By using nutrition tracking features, you explicitly consent to the collection, processing, and storage of this health-related data as described in this Policy.

1.6 Apple Health Data

With your explicit opt-in permission, KitchUp may read from and write to Apple Health. Specifically, we may read step count, active energy burned, body weight, and workout data from Apple Health, and we may write dietary energy (calories consumed), dietary water, and body weight to Apple Health. We store a flag indicating whether Apple Health integration is enabled and may store Apple Health record identifiers to prevent duplicate synchronization.

Apple Health data is handled in accordance with Apple’s requirements: we do not share Apple Health data with third parties, do not use it for advertising, and do not sell it. Apple Health data is used solely within the Service to display your health metrics and synchronize your tracking data.

1.7 Dietary Preferences and Restrictions

• Selected dietary tags and custom dietary preference text
• Selected diets (e.g., vegan, keto, gluten-free)
• Selected allergens (e.g., nuts, dairy, gluten)
• Whether you have completed dietary preference setup

1.8 Location Information

• User-provided location: Country, state/province, and city stored in your preferences for grocer suggestions and regional features
• Postal/zip codes: May be provided when using shopping integrations to locate nearby stores
• IP-based location: Your IP address may be used to infer approximate geographic location for rate limiting, security, and analytics purposes

1.9 Device and Technical Information

We automatically collect technical information when you access the Service, including:

• IP address: Collected via server access logs and rate limiting systems
• User agent string: Browser type, version, operating system, and device information
• Request metadata: HTTP headers, request timestamps, response times, and status codes
• App version and platform: Operating system version, device type, and application version
• Language preferences: Device and app language settings

1.10 Import and Media Data

When you use import features, we collect:

• URLs you submit for recipe import
• Photos, images, and media files you upload for recipe extraction
• Audio recordings you provide for voice-based features
• Text content you paste for recipe extraction
• Import processing status, progress, and any errors encountered
• Metadata about the AI models used to process your imports

1.11 Social and Family Data

• Follower and following relationships
• Family group membership, roles, and permissions
• Family invitations (sender, recipient, type, status)
• Recipe sharing permissions within family groups

1.12 Subscription and Transaction Data

• Subscription tier (free, pro, family), source, and status
• Apple App Store product identifiers and original transaction identifiers
• Subscription start dates, expiration dates, and renewal status
• We do not directly collect or store your payment card information; all payment processing is handled by Apple

1.13 Search Queries

When you use the recipe search feature, we process your search queries to return results. Search queries may be transmitted to third-party search providers as described in Section 4.

1.14 Usage and AI Consumption Data

We track your usage of AI-powered features, including:

• Which AI features you use and how frequently
• AI token consumption (prompt and completion tokens) per feature and model
• Estimated computational costs associated with your AI usage
• Processing duration and success/failure status of AI requests

This data is retained for up to twelve (12) months and is used for service optimization, cost management, abuse prevention, and feature development.

1.15 Communications

If you contact us via email or other channels, we collect the content of your communications, your contact information, and any attachments you provide.

2. How We Use Your Information

We use the information we collect for the following purposes. By using the Service, you consent to all uses described below:

2.1 Providing and Operating the Service

• Creating and managing your account
• Storing, syncing, and displaying your recipes, meal plans, grocery lists, and tracking data across your devices
• Processing recipe imports from URLs, images, audio, and text
• Generating nutritional analysis, ingredient substitutions, and preparation checklists
• Powering meal planning, grocery list generation, and food logging features
• Facilitating family sharing, permissions, and collaborative features
• Processing and managing subscriptions

2.2 AI Processing and Improvement

• Processing your content through AI systems (including third-party AI providers) to deliver AI-powered features such as recipe extraction, nutritional analysis, ingredient substitution, food image recognition, barcode scanning, nutrition label scanning, voice transcription, and recipe suggestions
• Training, improving, and developing our AI models, algorithms, and machine learning systems using anonymized or aggregated data derived from your use of the Service
• Analyzing AI usage patterns to optimize model selection, performance, and cost efficiency

2.3 Personalization

• Tailoring recipe suggestions based on your dietary preferences, allergens, and past activity
• Customizing grocery and shopping experiences based on your location and preferred stores
• Adapting nutritional targets and recommendations based on your nutrition profile

2.4 Communications

• Sending transactional emails including login codes, welcome messages, and account notifications
• Sending service updates, feature announcements, and promotional communications (you may opt out of marketing communications, but not transactional messages)
• Responding to your inquiries and support requests

2.5 Analytics, Research, and Development

• Analyzing usage patterns to understand how users interact with the Service, including screen views, button taps, tab selections, and feature engagement events transmitted to our third-party product analytics provider (see Section 4.11)
• Associating non-identifying user properties (such as authentication method, country code, subscription tier, language, and unit preference) with analytics events to segment usage and measure feature adoption
• Monitoring AI feature usage, costs, and performance
• Identifying trends, conducting research, and developing new features
• Creating anonymized or aggregated datasets for internal analytics, benchmarking, and business intelligence

2.6 Safety, Security, and Legal Compliance

• Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues
• Enforcing rate limits to prevent abuse of the Service
• Maintaining server access logs for security monitoring and incident investigation
• Complying with applicable laws, regulations, legal processes, and governmental requests
• Enforcing our Terms & Conditions and protecting our rights and property

2.7 Advertising

• Displaying advertisements in the free tier of the Service through third-party advertising networks
• We do not share your recipe content, meal plans, health data, or nutrition tracking data with advertising partners
• Advertising partners may collect device identifiers and usage signals independently, subject to their own privacy policies and your device settings

2.8 Business Operations

• Operating, maintaining, and improving our business
• Financial reporting, cost analysis, and business planning
• Any other lawful purpose related to the operation of the Service

3. Legal Bases for Processing

We process your information based on the following legal grounds:

• Consent: By using the Service, you consent to the processing of your information as described in this Policy. For health-related data and Apple Health integration, we rely on your explicit consent.
• Contract performance: Processing necessary to provide the Service to you under our Terms & Conditions.
• Legitimate interests: Processing necessary for our legitimate business interests, including service improvement, analytics, AI model development, security, fraud prevention, and marketing, where such interests are not overridden by your rights.
• Legal obligations: Processing necessary to comply with applicable laws and regulations.

4. How We Share Your Information

We may share your information with the following categories of recipients. By using the Service, you consent to such sharing as described below:

4.1 AI and Machine Learning Providers

To deliver AI-powered features, we transmit certain content to third-party AI service providers for processing:

• Google (Gemini): Recipe text, images, ingredient lists, instructions, nutritional data, voice audio recordings (for voice-based features), and food/product images (for recognition features). Google processes this data in accordance with their API terms of service.
• OpenAI: Recipe text and related content for AI-powered extraction, analysis, and generation features. OpenAI processes this data in accordance with their API data usage policies.
• We may engage additional AI providers from time to time to supplement or replace existing providers. Such providers will be subject to appropriate contractual obligations regarding data handling.

We do not transmit your name, email address, or account identifiers to AI providers. However, the content you submit (such as recipe text, images, or voice recordings) is transmitted for processing and may be subject to the AI provider’s data handling practices.

4.2 Shopping and Grocery Service Providers

The Service integrates with third-party shopping platforms and grocery service providers to enable shopping list, product linking, store location, and product resolution features. When you use these features, we may share the following with our shopping partners:

• Instacart: Shopping list titles, item names, quantities, units, and recipe information (titles, ingredients, instructions, images, source URLs) to enable shopping and product linking features.
• Northfork: Postal/zip codes, store preferences, ingredient names, quantities, and units to enable store location, smart-cart creation, and product matching features. Data is processed in accordance with Northfork's terms.
• We may engage additional grocery or product resolution providers from time to time. Such providers will be subject to appropriate contractual obligations regarding data handling.

The specific shopping partners we integrate with may change over time. Any purchases made through shopping partner integrations are transactions between you and the third-party provider, governed by their own terms and privacy policies.

4.3 Search Providers

When you use the recipe search feature, your search query and language/region preferences are transmitted to SerpApi, which proxies the request to the underlying search engine (currently DuckDuckGo) and returns results. We do not share your identity, email, or account identifiers with the search provider, although your IP address may be visible to the provider as part of the network request.

4.4 Content Import Service Providers

When you import recipes from external sources, we may use third-party content extraction services to retrieve and process content on your behalf:

• Apify: URLs you submit from Instagram and Facebook are transmitted to Apify's Instagram Scraper and Facebook Posts Scraper actors to retrieve publicly available post, reel, and video content for recipe extraction.
• YouTube Data API (Google): YouTube video URLs you submit are processed using the YouTube Data API to retrieve public video metadata (title, description, thumbnail) for recipe extraction.
• TikTok and Pinterest: URLs you submit from TikTok and Pinterest are fetched directly from the respective platforms to retrieve publicly available post and pin metadata, captions, and media for recipe extraction.
• Other websites and recipe URLs you submit are fetched directly by our servers to retrieve the publicly available page content.

4.5 Cloud Infrastructure and Storage

• Amazon Web Services (AWS): All data is stored on AWS infrastructure. User uploads (profile pictures, recipe images) are stored in AWS S3 and may be served via AWS CloudFront CDN. Our database is hosted on cloud database infrastructure.

4.6 Email Service Providers

We use Amazon Simple Email Service (SES) to deliver transactional emails. Your email address, name, and email content (such as login codes and welcome messages) are transmitted to AWS SES for delivery.

4.7 Authentication Providers

When you authenticate using Apple or Google (or any other authentication provider we may add in the future), authentication tokens and profile information are exchanged with that provider during the sign-in process. Each provider’s privacy policy governs their handling of this data. We only receive the profile information you authorize these providers to share (typically a unique provider identifier, your name, your email address, and, where available, a profile picture URL).

4.8 Advertising Networks

The free tier of the Service displays advertisements through Google AdMob. AdMob may independently collect device identifiers, advertising identifiers, and usage signals for serving and personalizing advertisements. AdMob’s data collection is governed by Google’s privacy policy. We do not share your recipe, meal plan, or health/nutrition data with advertising networks.

4.9 Apple App Store

Subscription verification and management data is exchanged with Apple’s App Store servers, including transaction identifiers and subscription status. Apple’s privacy policy governs their processing of this data.

4.10 Other Disclosures

We may also disclose your information:

• Legal requirements: When required by law, regulation, legal process, subpoena, court order, or governmental request
• Protection of rights: To enforce our Terms, protect our rights, property, or safety, or the rights, property, or safety of others
• Business transfers: In connection with any merger, acquisition, corporate reorganization, sale of assets, financing, or transfer of all or a portion of our business, your information may be transferred to the acquiring entity. You acknowledge and agree that such transfers may occur and that the acquirer may continue to use your information as set forth in this Policy
• Service providers: We may share information with third-party vendors, consultants, and other service providers who perform services on our behalf and require access to your information to carry out that work. The specific service providers we engage may change over time without notice to you.
• With your consent: For any other purpose with your express consent
• Aggregated or de-identified data: We may share anonymized, aggregated, or de-identified data that cannot reasonably be used to identify you with any third party for any purpose, including research, analytics, marketing, and commercial purposes, without restriction

4.11 Product Analytics Provider

We use Google Firebase Analytics (provided by Google LLC and Google Ireland Limited) to collect product analytics from the mobile application. The following information is transmitted to Firebase:

• A pseudonymous Firebase app-instance identifier generated by the Firebase SDK on your device
• Standard event metadata, including app version, operating system, device model, language, country (inferred from IP address by Google), and timestamp
• Application events we explicitly emit, such as app launch, screen views, button taps, tab selections, and feature-specific interactions
• Non-identifying user properties, including authentication method (e.g., “apple,” “google”), preferred unit system, subscription tier, account language, and country code

We do not transmit your name, email address, account identifier, recipes, meal plans, grocery lists, food/water/weight logs, or other content to Firebase Analytics. Firebase processes this data in accordance with Google’s privacy policy and the Firebase data processing terms. You may reset your Firebase app-instance identifier at any time by reinstalling the application.

4.12 Nutrition Data Providers

When you use the barcode scanning feature (available to subscribers), the scanned product barcode is transmitted to Open Food Facts, a public, non-profit food product database, to retrieve product and nutrition information. We do not transmit your name, email, or account identifier to Open Food Facts. The barcode and the resulting network request are subject to Open Food Facts’ own data handling practices.

5. Cookies and Tracking Technologies

5.1 Website Cookies

Our website (kitchup.app) uses cookies and similar technologies. We use the following types of cookies:

• Essential cookies: Required for website functionality, including authentication cookies for website administration. These cannot be disabled.
• Analytics cookies: Used to understand how visitors interact with our website, including page views, traffic sources, and browsing patterns.
• Advertising cookies: May be set by third-party advertising partners to build a profile of your interests and show relevant ads on other sites.

5.2 Mobile Application

The mobile application uses authentication tokens (JSON Web Tokens) stored on your device to maintain your session. The app uses the following device-level identifiers and tracking technologies:

• Firebase app-instance identifier: A pseudonymous identifier generated by the Firebase SDK and used for product analytics (see Section 4.11). This identifier is reset if you uninstall and reinstall the app.
• Apple advertising identifier (IDFA): Used by Google AdMob to serve and measure advertisements when you have granted App Tracking Transparency permission. The ATT permission prompt is only shown after you have demonstrated meaningful engagement with the Service (such as importing several recipes or building a meal plan). You may decline or revoke ATT permission at any time in your device’s privacy settings, and you may remove advertisements entirely by upgrading to a paid subscription.
• Local on-device storage: The app stores preferences, cached content, import progress counters, and ATT engagement counters in iOS user defaults and an app group container. This data does not leave your device.

5.3 Server-Side Tracking

Our servers automatically log information about requests made to the Service, including IP addresses, user agent strings, request URLs, timestamps, HTTP methods, response status codes, and response times. These logs are maintained for security, debugging, and analytics purposes.

6. Data Storage, Security, and Transfers

6.1 Storage

Your data is stored on cloud infrastructure operated by Amazon Web Services (AWS) and other cloud database providers. Uploaded files (including profile pictures and recipe images) are stored in AWS S3 and may be distributed via AWS CloudFront. Server infrastructure may be located in various regions worldwide.

6.2 Security

We implement commercially reasonable technical and organizational security measures to protect your information, including HTTPS encryption for data in transit, security headers, rate limiting, access controls, and secure authentication mechanisms.

However, no method of electronic transmission or storage is 100% secure. We cannot and do not guarantee the absolute security of your information. You acknowledge that you provide your information at your own risk. We are not responsible for any unauthorized access, data breach, or data loss resulting from circumstances beyond our reasonable control, including but not limited to hacking, cyberattacks, or failures of third-party service providers.

6.3 International Data Transfers

Your information may be transferred to, stored in, and processed in countries other than your country of residence, including the United Arab Emirates, the United States, and other countries where our service providers operate. These countries may have data protection laws that differ from (and may be less protective than) the laws of your jurisdiction.

By using the Service, you explicitly consent to the transfer of your information to these countries. We take commercially reasonable steps to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it.

7. Data Retention

7.1 Active Accounts

We retain your personal information for as long as your account is active, plus any additional period necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

7.2 AI Usage Data

AI token usage events are retained for up to twelve (12) months from creation. Aggregated usage counters may be retained for longer periods.

7.3 Server Logs

Server access logs containing IP addresses, user agents, and request metadata are retained for up to ninety (90) days for security and operational purposes, unless longer retention is required for legal compliance or active investigation.

7.4 Import Logs

Detailed import processing logs (which may contain URLs, extracted content, and AI processing outputs) are retained on our servers for debugging and quality improvement purposes.

7.5 Account Deletion

If you delete your account through the app settings, we will delete your primary account record. Please be aware of the following:

• In ordinary circumstances, your account record and the associated content and data (including recipes, meal plans, grocery lists, nutrition profiles, food logs, weight logs, workout logs, water logs, day-completion records, saved foods, manual prep tasks, recurring meals, import records, AI usage records, feedback submissions, uploaded images, and other user-generated content) are deleted from our primary database immediately upon request. In all cases, deletion or anonymization will be completed within ninety (90) days following account deletion.
• We may retain anonymized, aggregated, or de-identified data derived from your use of the Service indefinitely. This data cannot reasonably be used to identify you and may be used for analytics, research, AI model training and improvement, product development, and any other lawful business purpose.
• We may retain data as required by applicable law, regulation, legal process, or governmental request, or as necessary to protect our legal rights and enforce our Terms.
• Backup systems may contain copies of your data for up to ninety (90) days following deletion.
• Content you shared with other users through family features may continue to exist in those users’ accounts.
• Files stored on third-party infrastructure (such as cloud storage) may take additional time to be fully purged.
• Data that has already been transmitted to third-party service providers (such as AI providers, shopping partners, or search providers) is subject to those providers’ respective retention policies and cannot be recalled or deleted by us.
• Cached or derived data (such as cached recipe extractions) that does not contain personally identifiable information may be retained indefinitely.

8. Your Rights and Choices

8.1 Account Controls

• Profile: You may update your name, username, profile picture, and preferences through the app settings.
• Dietary preferences: You may update your dietary preferences, diets, and allergens at any time.
• Notifications: You may control email and push notification preferences through the app settings.
• Apple Health: You may enable or disable Apple Health integration through your device’s Health app settings at any time.
• Account deletion: You may delete your account at any time through the app settings, subject to the retention terms described in Section 7.5.

8.2 Advertising Choices

You may opt out of personalized advertising by declining the App Tracking Transparency prompt when it appears, or at any time by disabling tracking for KitchUp under Settings → Privacy & Security → Tracking on your device. You may also upgrade to a paid subscription to remove advertisements entirely.

8.3 Jurisdiction-Specific Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. These rights vary by location and may include the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete personal information
• Request deletion of your personal information (subject to certain exceptions)
• Request portability of your personal information
• Object to or restrict certain processing of your personal information
• Withdraw consent for optional data processing
• Lodge a complaint with a supervisory authority

To exercise any of these rights, please contact us at support@kitchup.app. We will respond to your request within the timeframe required by applicable law. We may require you to verify your identity before processing your request. We reserve the right to charge a reasonable administrative fee for manifestly unfounded, excessive, or repetitive requests.

Please note: Certain rights may be limited where we have a legitimate basis for processing, a legal obligation to retain data, or where the request would adversely affect the rights and freedoms of others. Exercising your right to deletion will result in termination of your account, and we cannot restore deleted accounts or data.

9. AI Features and Data Processing

9.1 How AI Processes Your Data

When you use AI-powered features, the content you provide (which may include recipe text, ingredient lists, images, photos of food, photos of nutrition labels, barcode images, and voice audio recordings) is transmitted to third-party AI providers for processing. This transmission is necessary to deliver the AI features you have requested.

9.2 AI Provider Data Practices

Third-party AI providers process your content in accordance with their own terms of service and privacy policies. We use API-level integrations where available, which typically provide that input data is not used for model training by the provider. However, we cannot control or guarantee the data practices of third-party AI providers, and their policies may change over time. By using AI features, you acknowledge and accept this risk.

9.3 Our Use of AI Data

We may use anonymized or aggregated data derived from your interactions with AI features to improve our AI models, algorithms, prompts, and overall Service quality. This may include analyzing patterns in recipe extraction accuracy, nutritional analysis quality, and feature usage to optimize our AI systems.

10. Children’s Privacy

The Service is not directed to individuals under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take prompt steps to delete such information and terminate the associated account without notice. If you believe that a child under 16 has provided us with personal information, please contact us immediately at support@kitchup.app.

11. Third-Party Links and Services

The Service may contain links to third-party websites, services, or applications that are not owned or controlled by us. This Policy does not apply to third-party services. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service.

12. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. There is currently no industry standard for recognizing or honoring DNT signals. Accordingly, we do not currently respond to DNT signals or similar mechanisms.

13. Changes to This Policy

We reserve the right to update, modify, or replace this Privacy Policy at any time, at our sole discretion. Changes will be effective immediately upon posting to this page and updating the “Last updated” date above. We may, but are not obligated to, provide additional notice of material changes through the app, push notifications, or email.

Your continued use of the Service after any modification to this Policy constitutes your binding acceptance of the modified Policy. If you do not agree to the modified Policy, your sole remedy is to stop using the Service and delete your account.

14. Contact Us

For questions or concerns about our data practices, or to exercise your privacy rights, please contact us:

• Company: Two Minds Solutions FZ LLC
• Email: support@kitchup.app
• Website: https://kitchup.app

We will make every reasonable effort to respond to your inquiry within thirty (30) days, or within the timeframe required by applicable law.