Privacy Policy
Last updated: February 12, 2026
This privacy policy describes how Spark Aether Ltd ("we", "our", "FoodCraft") collects, uses, stores, and protects your personal data when you use the foodcraft.app website and its associated services (the "Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR — EU 2016/679) and the UK GDPR (Data Protection Act 2018).
1. Data Controller
The data controller responsible for your personal data is:
- Spark Aether Ltd
- Company registered in England & Wales (UK Companies House)
- Website: foodcraft.app
- Contact email: hello@foodcraft.app
2. Personal Data Collected
We collect the following categories of data, which are strictly necessary for the operation of the Service:
2.1. Account Data
When you register, we collect your email address, first name, and last name. Your password is stored in a hashed form (bcrypt) and is never readable in plain text.
2.2. Nutritional Profile
To personalize your recommendations, you may provide: food allergies and intolerances, dietary preferences (vegetarian, vegan, gluten-free, etc.), calorie and macronutrient goals, food preferences, and household composition (family profiles). This data is provided voluntarily and can be modified or deleted at any time.
2.3. Payment Data
Payments are handled entirely by our provider Stripe, Inc. FoodCraft does not collect, store, or process any banking data (card number, expiry date, CVC). Only a Stripe customer ID and your subscription status are kept in our systems.
2.4. Usage Data
We collect minimal technical data necessary for the Service to function: language preferences, recipes viewed and saved, and interactions with app features.
2.5. Data NOT Collected
FoodCraft does not collect: conversation history with the AI assistant (exchanges with the AI coach are not stored server-side), geolocation data, data from social networks, or data for advertising purposes.
3. Purposes and Legal Basis for Processing
Each data processing activity is based on a legal basis compliant with GDPR:
| Purpose | Legal Basis | Data Concerned |
|---|---|---|
| Account creation and management | Performance of a contract (Art. 6.1.b GDPR) | Email, name, hashed password |
| Personalization of nutritional recommendations and recipes | Performance of a contract (Art. 6.1.b GDPR) | Nutritional profile, preferences |
| Payment processing and subscription management | Performance of a contract (Art. 6.1.b GDPR) | Stripe ID, subscription status |
| Sending transactional emails (verification, password reset) | Performance of a contract (Art. 6.1.b GDPR) | Email address |
| Service improvement and bug fixing | Legitimate interest (Art. 6.1.f GDPR) | Anonymized usage data |
| Compliance with our legal obligations | Legal obligation (Art. 6.1.c GDPR) | Billing data |
4. Data Retention Period
Your data is kept for the following periods:
| Data | Retention Period |
|---|---|
| Account data | For the duration of your registration, then deleted within 30 days of account deletion |
| Nutritional profile | For the duration of your registration, deleted with the account |
| Payment data (Stripe ID) | For the duration of the subscription, then 36 months for accounting obligations |
| Transactional emails (logs) | 12 months |
| Functional cookies | Session duration or 13 months maximum |
5. Processors and Data Recipients
We use the following processors to operate the Service:
| Processor | Role | Location |
|---|---|---|
| OVH SAS | Infrastructure and database hosting | Roubaix, France (EU) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| OpenAI, Inc. | AI processing for recipe personalization and image analysis | United States |
| Resend, Inc. | Sending transactional emails | United States |
| Amazon Web Services (AWS) | Recipe image storage (S3, eu-west-3 region) | Paris, France (EU) |
No data is sold or shared with third parties for advertising purposes.
6. Data Transfers Outside the EEA/UK
Some of our processors are located in the United States (Stripe, OpenAI, Resend). These transfers are governed by:
- The EU-U.S. Data Privacy Framework (DPF) for certified processors
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs for transfers from the United Kingdom
We ensure that each processor offers a level of data protection consistent with the requirements of the GDPR and the UK GDPR.
7. Your Rights
In accordance with the GDPR and the UK GDPR, you have the following rights:
- Right of access: Obtain a copy of all personal data we hold about you.
- Right to rectification: Correct or update inaccurate or incomplete personal data.
- Right to erasure: Request the deletion of your personal data ("right to be forgotten").
- Right to portability: Receive your data in a structured, commonly used, and machine-readable format.
- Right to object: Object to the processing of your data based on legitimate interest.
- Right to restriction: Request the restriction of processing your data in certain circumstances.
- Right to withdraw consent: When processing is based on consent, you can withdraw it at any time.
To exercise your rights, contact us at hello@foodcraft.app. We will respond within 30 days in accordance with the regulations.
In case of a dispute, you can file a complaint with the Information Commissioner's Office (ICO) in the United Kingdom, or with the data protection authority of your country of residence (e.g., the CNIL in France).
8. Cookies
FoodCraft uses only functional cookies, strictly necessary for the proper functioning of the Service. No advertising or tracking cookies are used.
Cookies Used
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| Authentication session cookie | Maintain your connection to the Service | Session duration | Strictly necessary |
| Cookie consent preference | Remember your choice regarding cookies | Persistent (localStorage) | Strictly necessary |
| Interface preferences | Remember your usage preferences (recipe steps, favorites) | Persistent (localStorage) | Functional |
FoodCraft does not use any third-party analytics services (no Google Analytics, no advertising trackers). No browsing data is shared with third parties for profiling or advertising purposes.
Strictly necessary cookies do not require consent. Functional cookies can be refused via the consent banner displayed during your first visit, or by changing your browser settings.
9. Protection of Minors
The Service is intended for persons aged 16 or older. We do not knowingly collect personal data from minors under 16. If we learn that a user under 16 has registered, their account and data will be deleted as soon as possible.
If you are a parent or guardian and believe your child under 16 has provided us with personal data, please contact us at hello@foodcraft.app.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of connections (HTTPS/TLS)
- Password hashing (bcrypt)
- Restrictive Content Security Policy (CSP)
- Restricted and secure database access
- No banking data stored in our systems
11. Changes to This Policy
We reserve the right to modify this privacy policy at any time. In the event of a substantial change, we will inform you by email or via a visible notification on the Service.
The last updated date is indicated at the top of this page. We encourage you to consult this policy regularly.
12. Contact Us
For any questions relating to this privacy policy or the protection of your personal data, you can contact us:
- By email: hello@foodcraft.app
- By mail: Spark Aether Ltd, England & Wales, United Kingdom