Privacy Policy
Last updated: February 12, 2026
This privacy policy describes how Spark Aether Ltd ("we", "our", "FoodCraft") collects, uses, stores, and protects your personal data when you use the foodcraft.app website and its associated services (the "Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR — EU 2016/679) and the UK GDPR (Data Protection Act 2018).
1. Data Controller
The controller of your personal data is:
- Spark Aether Ltd
- Company registered in England & Wales (UK Companies House)
- Website: foodcraft.app
- Contact email: hello@foodcraft.app
2. Personal data collected
We collect the following categories of data, strictly necessary for the operation of the Service:
2.1. Account data
When you register, we collect your email address, first name, and last name. Your password is stored in a hashed format (bcrypt) and is never readable in plain text.
2.2. Nutritional profile
To personalize your recommendations, you can provide: your food allergies and intolerances, your diet (vegetarian, vegan, gluten-free, etc.), your calorie and macronutrient goals, your food preferences, and your household composition (family profiles). This data is provided voluntarily and can be modified or deleted at any time.
2.3. Payment data
Payments are handled entirely by our provider Stripe, Inc. FoodCraft does not collect, store, or process any banking data (card number, expiration date, security code). Only a Stripe customer ID and your subscription status are kept in our systems.
2.4. Usage data
We collect minimal technical data necessary for the operation of the Service: language preferences, recipes viewed and saved, and interactions with the application's features.
2.5. Data NOT collected
FoodCraft does not collect: conversation history with the AI assistant (exchanges with the AI coach are not stored server-side), geolocation data, data from social networks, or data for advertising purposes.
3. Purposes and legal bases for processing
Each data processing operation is based on a legal basis compliant with the GDPR:
| Purpose | Legal basis | Data concerned |
|---|---|---|
| Account creation and management | Performance of a contract (Art. 6.1.b GDPR) | Email, name, hashed password |
| Personalization of nutritional recommendations and recipes | Performance of a contract (Art. 6.1.b GDPR) | Nutritional profile, preferences |
| Payment processing and subscription management | Performance of a contract (Art. 6.1.b GDPR) | Stripe ID, subscription status |
| Sending transactional emails (verification, password reset) | Performance of a contract (Art. 6.1.b GDPR) | Email address |
| Service improvement and bug fixing | Legitimate interest (Art. 6.1.f GDPR) | Anonymized usage data |
| Compliance with our legal obligations | Legal obligation (Art. 6.1.c GDPR) | Billing data |
4. Data retention period
Your data is kept for the following periods:
| Data | Retention period |
|---|---|
| Account data | For the duration of your registration, then deleted within 30 days of account deletion |
| Nutritional profile | For the duration of your registration, deleted with the account |
| Payment data (Stripe ID) | For the duration of the subscription, then 36 months for accounting obligations |
| Transactional emails (logs) | 12 months |
| Functional cookies | Session duration or 13 months maximum |
5. Processors and data recipients
We use the following processors for the operation of the Service:
| Processor | Role | Location |
|---|---|---|
| OVH SAS | Infrastructure and database hosting | Roubaix, France (EU) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| OpenAI, Inc. | AI processing for recipe personalization and image analysis | United States |
| Resend, Inc. | Sending transactional emails | United States |
| Amazon Web Services (AWS) | Recipe image storage (S3, eu-west-3 region) | Paris, France (EU) |
No data is sold or shared for advertising purposes with third parties.
6. Data transfers outside the EEA/UK
Some of our processors are located in the United States (Stripe, OpenAI, Resend). These transfers are governed by:
- The EU-U.S. Data Privacy Framework (DPF) for certified processors
- Standard Contractual Clauses (SCC) approved by the European Commission
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs for transfers from the United Kingdom
We ensure that each processor offers a level of data protection compliant with GDPR and UK GDPR requirements.
7. Your rights
In accordance with the GDPR and UK GDPR, you have the following rights:
- Right of access: Obtain a copy of all your personal data that we hold.
- Right to rectification: Correct or update your inaccurate or incomplete personal data.
- Right to erasure: Request the deletion of your personal data ("right to be forgotten").
- Right to portability: Receive your data in a structured, commonly used, and machine-readable format.
- Right to object: Object to the processing of your data based on legitimate interest.
- Right to restriction of processing: Request the restriction of processing of your data in certain circumstances.
- Right to withdraw consent: When processing is based on consent, you may withdraw it at any time.
To exercise your rights, contact us at hello@foodcraft.app. We will respond within 30 days in accordance with regulations.
In the event of a dispute, you may lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom, or with the data protection authority of your country of residence (for example, the CNIL in France).
8. Cookies
FoodCraft exclusively uses functional cookies, which are strictly necessary for the proper functioning of the Service. No advertising or tracking cookies are used.
Cookies used
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Authentication session cookie | Maintaining your connection to the Service | Session duration | Strictly necessary |
| Cookie consent preference | Remembering your choice regarding cookies | Persistent (localStorage) | Strictly necessary |
| Interface preferences | Remembering your usage preferences (recipe steps, favorites) | Persistent (localStorage) | Functional |
FoodCraft does not use any third-party analytics services (no Google Analytics, no advertising trackers). No browsing data is shared with third parties for profiling or advertising purposes.
Strictly necessary cookies do not require consent. Functional cookies can be refused via the consent banner displayed during your first visit, or by modifying your browser settings.
9. Protection of minors
The Service is intended for individuals aged 16 and over. We do not knowingly collect personal data from minors under 16. If we learn that a user under 16 has registered, their account and data will be deleted as soon as possible.
If you are a parent or guardian and believe that your child under 16 has provided us with personal data, please contact us at hello@foodcraft.app.
10. Data security
We implement appropriate technical and organizational measures to protect your personal data:
- Connection encryption (HTTPS/TLS)
- Password hashing (bcrypt)
- Restrictive Content Security Policy (CSP)
- Restricted and secure database access
- No banking data stored in our systems
11. Changes to this policy
We reserve the right to modify this privacy policy at any time. In the event of a substantial change, we will inform you by email or via a visible notification on the Service.
The date of the last update is indicated at the top of this page. We encourage you to regularly review this policy.
12. Contact us
For any questions regarding this privacy policy or the protection of your personal data, you can contact us:
- By email: hello@foodcraft.app
- By mail: Spark Aether Ltd, England & Wales, United Kingdom