not a slop bowl (fuck your seed oils)

privacy policy

last updated: 13 march 2026

1. who we are

not a slop bowl ("we", "us", "our") is the data controller responsible for your personal data. we are based in the United Kingdom.

contact: posteritylabsportcos_enquiries@proton.me
address: Teignmouth Road, NW2 4HN

this policy applies to all users of our service, wherever you are located. for EU-based users, your data is processed in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679). for UK-based users, the UK GDPR and Data Protection Act 2018 apply.

2. what data we collect

data you provide

account information: name, email address, Google account ID, profile picture (received from Google during sign-in)
personalisation preferences: primary health goal, secondary concerns, daily calorie and protein targets
pantry input: free-text ingredient descriptions you enter in the "what can i cook?" feature (up to 500 characters per query)
recipe interests: recipes you mark as interesting (used for recommendation improvement)

data we collect automatically

usage data: which recipes you view and unlock, your saved/favourite recipes, meal plan selections
IP address: recorded at signup and login for fraud prevention; stored temporarily in rate-limit records (auto-deleted after 60 seconds)
subscription data: Stripe customer ID, subscription ID, subscription status, billing dates (we never see or store your card number)

data stored on your device only

body measurements: weight, height, age, gender, activity level — stored in your browser's local storage for calorie calculations. this data never leaves your device and is never sent to our servers

3. why we process your data and our legal basis

purpose: legal basis (UK/EU GDPR)
create and manage your account: contract performance (Art. 6(1)(b))
process payments and manage subscriptions: contract performance (Art. 6(1)(b))
deliver personalised recipe recommendations: contract performance (Art. 6(1)(b))
operate weekly unlock system and meal planning: contract performance (Art. 6(1)(b))
AI-powered pantry matching: contract performance (Art. 6(1)(b)) — you initiate this feature
fraud prevention and rate limiting (IP addresses): legitimate interest (Art. 6(1)(f)) — protecting the service from abuse
recipe interest tracking: legitimate interest (Art. 6(1)(f)) — improving recommendations
body measurements in browser storage: consent (Art. 6(1)(a)) — you voluntarily enter this data; it stays on your device
authentication cookies: contract performance (Art. 6(1)(b)) — strictly necessary for the service

4. who we share your data with

we share your data only with the service providers necessary to operate not a slop bowl:

provider: what they receive and why
Google: authentication only — we receive your profile data from Google during sign-in
Stripe: your user ID (as a reference) for payment processing. Stripe independently collects your payment card details and billing address — we never see these
Anthropic (Claude AI): only the ingredient text you type in the pantry feature. no personal identifiers (name, email, user ID) are sent
Supabase: database hosting — stores your account data, recipe history, and subscription status
Vercel: web hosting — processes your requests and may log IP addresses and request headers
Cloudinary: image delivery — serves recipe images. may log IP addresses of image viewers in standard access logs

we do not sell, rent, or share your personal information with third parties for their marketing purposes.

5. international data transfers

our service providers (Supabase, Stripe, Anthropic, Vercel, Cloudinary) are based in the United States. your personal data is transferred to and processed in the US.

these transfers are protected by:

  • the EU-US Data Privacy Framework (for providers that are DPF-certified)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable

the European Commission has confirmed the UK provides an adequate level of data protection (adequacy decision renewed December 2025, valid until December 2031).

you may request copies of the relevant transfer safeguards by contacting us.

6. how long we keep your data

data: retention period
account data: until you delete your account
subscription and payment records: until account deletion. Stripe retains its own records per its retention policy
recipe view history and unlocks: until account deletion (cascading delete)
IP addresses (signup/login): until account deletion
rate-limit records (IP): automatically deleted after 60 seconds
body measurements (localStorage): until you clear your browser data — we have no access to delete this
pantry text input: not stored by us. our AI provider (Anthropic) retains API inputs for up to 30 days per their policy

7. cookies and local storage

cookies

cookie: purpose
authentication cookies (sb-*-auth-token): strictly necessary — maintains your signed-in session. HttpOnly, Secure, SameSite=Lax
free view tracking (ffh_free_views): functional — tracks which free recipes you have viewed. expires after 30 days

local storage

key: purpose
ffh_biometrics: stores your body measurements (weight, height, age, gender, activity level) for calorie calculations. never sent to our servers
ffh_free_views: backup of free recipe view tracking

we do not use any analytics, advertising, or third-party tracking cookies or pixels.

8. your rights

depending on your location, you have the following rights regarding your personal data:

all users

  • access: request a copy of the personal data we hold about you
  • correction: request correction of inaccurate data
  • deletion: delete your account and all associated data via account settings, or request deletion by email
  • portability: request your data in a structured, machine-readable format (JSON)

UK and EU residents

  • restriction: request that we restrict processing of your data in certain circumstances
  • objection: object to processing based on legitimate interest
  • withdraw consent: where processing is based on consent (e.g., body measurements), you may withdraw consent at any time by clearing your browser's local storage. this does not affect the lawfulness of prior processing

California residents

  • right to know: request what personal information we collect, use, and disclose
  • right to delete: request deletion of your personal information
  • do not sell: we do not sell your personal information. we do not share your personal information for cross-context behavioural advertising
  • non-discrimination: you will not be penalised for exercising your privacy rights

to exercise any of these rights, contact us at posteritylabsportcos_enquiries@proton.me. we will respond within 30 days (or one calendar month for UK/EU GDPR requests).

9. do not track

we do not track users across third-party websites. we do not use any tracking technologies beyond the strictly necessary cookies and local storage described above. our service does not respond to "Do Not Track" browser signals because we do not perform any cross-site tracking.

10. automated decision-making

we use AI to parse ingredient input for recipe matching (see section 4, Anthropic). this is a recommendation feature only — it does not make decisions that materially affect your account, access, pricing, or rights. you are not subject to decisions based solely on automated processing that produce legal or similarly significant effects.

11. children's privacy

our service is not directed at children under 13. we do not knowingly collect personal information from children under 13. if we learn that we have inadvertently collected such data, we will delete it promptly. if you believe a child under 13 has provided us with personal information, please contact us at posteritylabsportcos_enquiries@proton.me.

12. data security

we implement reasonable technical and organisational measures to protect your personal data, including:

  • row-level security (RLS) on our database — users can only access their own data
  • all data transmitted over HTTPS with TLS encryption
  • authentication cookies set as HttpOnly, Secure, and SameSite=Lax
  • rate limiting on all API endpoints to prevent abuse
  • no storage of payment card details (handled entirely by Stripe)

in the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authorities in accordance with applicable law (within 72 hours where required).

13. how to complain

if you have concerns about how we handle your data, please contact us first at posteritylabsportcos_enquiries@proton.me.

you also have the right to lodge a complaint with a supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk, tel: 0303 123 1113
  • EU: your local data protection authority (e.g., CNIL in France, BfDI in Germany). a full list is available at edpb.europa.eu

14. changes to this policy

we may update this privacy policy from time to time. material changes will be communicated via the email associated with your account. the "last updated" date at the top reflects the most recent revision.

15. contact

for data protection queries, contact us at posteritylabsportcos_enquiries@proton.me.
