privacy policy
Last updated: April 17, 2026
1. Who we are
Chowy is a household kitchen and grocery-management app operated by SC Delirium Development S.R.L.(“Delirium”, “we”, “us”), CUI RO40159995, Brașov, Romania. We are the data controller for the personal data described here. For any privacy matter, contact privacy@chowy.app.
2. Data we collect
We only collect what we need to run the app. We do not sell or share your personal data for advertising.
- Account data: email address, display name, and authentication tokens. If you sign in with Apple or Google, we receive the identifier and email those providers release to us.
- Household data: household name, members you invite, and invite emails. Visible to everyone you share a household with.
- User content: shopping lists, pantry items, recipes, ingredients, cooking steps, photos you upload, meal polls, ratings, and swipe preferences.
- AI inputs: when you use an AI feature, the text prompts, pantry items, imported recipe URLs, video links/transcripts, and receipt photos you submit are sent to our AI provider to produce the result (see “AI features” below).
- Purchase data (if you subscribe): product identifier, purchase timestamp, subscription status. Handled by Apple / Google and our billing provider (RevenueCat).
- Device & diagnostic data: crash logs, app version, device model, and operating system, collected via Firebase Crashlytics to keep the app stable.
- Usage analytics: pseudonymous product-usage events (e.g. which screens and features are used) tied to a random user ID only — no name or email — via PostHog. No session recording.
- Push tokens: if you enable notifications, a device push token (via Firebase Cloud Messaging) so we can deliver them.
3. How we use your data
- To run the app and sync your kitchen across devices.
- To power AI features you choose to use.
- To send invite emails when you invite a new household member.
- To send account-related emails (email verification, password reset).
- To process subscription purchases and restore them.
- To send push notifications and, with your consent, product updates.
- To diagnose crashes, understand feature usage, and improve the app.
4. Legal bases (GDPR)
- Performance of a contract: running the app, syncing your data, households, AI features you request, and processing subscriptions.
- Legitimate interests: keeping the service secure and stable (crash diagnostics), preventing abuse, and understanding aggregate feature usage to improve the product. You can object to analytics at any time (see “Your rights”).
- Consent: optional push notifications and marketing emails. You can withdraw consent at any time in Settings.
- Legal obligation: tax/accounting records for purchases, and responding to lawful requests.
5. AI features
Some features use third-party AI services to generate or process content at your request:
- OpenAI— recipe generation, reading text from receipt photos, transcribing imported audio/video, content moderation, and recipe cover-image generation. The inputs listed under “AI inputs” above are sent to OpenAI to produce the result.
- Apify — fetches the public web page or video you ask us to import so we can extract the recipe.
These providers process your input to return a result and for limited abuse-monitoring; under their API terms your content is not used to train their models. Recipes published to the community feed are also screened by automated moderation.
6. Service providers
We share data with the following processors, who act on our behalf under data-processing agreements.
- Supabase — database, authentication, and file storage (EU).
- OpenAI — AI features described above (US).
- Apify — fetching pages/videos for recipe import (US).
- Google Firebase — crash diagnostics (Crashlytics) and push delivery (Cloud Messaging) (US).
- PostHog — pseudonymous product analytics (EU).
- Brevo — transactional email delivery (invite, verify, reset).
- RevenueCat — subscription management; receives a pseudonymous user ID (US).
- Apple / Google — payment processing and Sign in with Apple / Google.
- UPCitemDB & Open Food Facts — product lookups when you scan a barcode (the scanned barcode is sent to look up the item).
- Vercel — web hosting for chowy.app; receives standard request logs (IP, user agent) (US).
7. International transfers
Supabase and PostHog process data in the EU. Some providers (OpenAI, Google/Firebase, Apify, RevenueCat, Vercel) process data in the United States; those transfers are covered by the European Commission's Standard Contractual Clauses.
8. Notifications
If you enable push notifications, we store a device push token (via Firebase Cloud Messaging) to deliver them. You control push, email, and marketing preferences in Settings; marketing messages are sent only with your consent, which you can withdraw at any time.
9. Public content
Recipes you explicitly mark as public are visible to other Chowy users in the Discover feed, with your display name attached. Everything else (shopping lists, pantry, private recipes) is visible only within your household.
10. Your rights
Subject to applicable law, you have the right to access, export (portability), correct, delete, and restrict processing of your data, to object to processing based on legitimate interests (including analytics), and to withdraw consent. You can access/export, correct, and delete your data directly in the app under Settings; for anything else, email privacy@chowy.app. We respond within one month.
If you are in the EU/EEA you can lodge a complaint with your local data-protection authority — in Romania, the ANSPDCP.
California residents (CCPA/CPRA): you have the right to know, delete, and correct your personal information, and to opt out of its sale or sharing. We do not sell or share personal information, and we have not done so in the preceding 12 months. To exercise these rights, contact privacy@chowy.app.
11. Data retention
Account and user content are kept while your account exists. When you delete your account, deletion is permanent and propagates to the household content you authored within 30 days, subject to short backup rotation windows at our providers. Crash diagnostics and pseudonymous analytics are retained for no longer than necessary (typically up to 24 months). Push tokens are kept until you disable notifications or delete your account. AI draft outputs that you don't save expire automatically within about 24 hours.
12. Children
Chowy is not directed to anyone under 16. We do not knowingly collect data from people under 16; if you believe a minor has provided us data, contact privacy@chowy.app and we will delete it.
13. Security
Data is encrypted in transit (TLS) and at rest. Access is restricted to household members via row-level security. Passwords are hashed server-side by Supabase.
14. Cookies & the website
chowy.app is hosted on Vercel and uses only essential request logs; we do not use advertising or cross-site tracking cookies. The Terms and Privacy pages accept a ?lang parameter to show your language and set no tracking cookies.
15. Changes to this policy
We'll post updates on this page and, for material changes, notify you by email or in-app before they take effect. Where a change requires consent, we will ask for it rather than rely on continued use.
16. Contact
Questions or requests? privacy@chowy.app.