Privacy Policy
Last updated: 11 May 2026
This Privacy Policy explains how Toy Division (“CookCook”, “we”, “us”) processes personal data when you visit cookcook.app, join our waitlist, or use the CookCook mobile app. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the ePrivacy Directive as implemented in the Netherlands.
1. Data controller
The controller responsible for your personal data is:
- Toy Division
- Nieuwendijk 106, 1012 MR Amsterdam, Netherlands
- Email: privacy@cookcook.app
If you are in the EU/EEA and have questions about this policy or want to exercise your rights, contact us at the email above.
2. What we collect and why
2.1 Waitlist sign-ups
- What: your email address and the timestamp of your sign-up.
- Why: to confirm your interest, contact you when CookCook is available, and measure marketing performance.
- Legal basis: your consent (Art. 6(1)(a) GDPR), given when you submit the form. You can withdraw it at any time by emailing us or unsubscribing.
- Retention: until you unsubscribe or until 24 months of inactivity, whichever is earlier.
2.2 Account data (web and iPhone app)
- What: email address, password (hashed), display name if provided, and authentication tokens.
- Why: to create and secure your account, sign you in, and let you access your saved content across devices.
- Legal basis: performance of a contract (Art. 6(1)(b) GDPR) — we cannot provide the service without an account.
- Retention: for as long as your account exists. You can delete your account at any time; we will erase your data within 30 days, except where we are required to keep it longer for legal reasons.
2.3 Activity data
- What: cookbooks you add to your library, recipes you view, save, rate, or mark as cooked, ingredients you add to lists, and similar in-app actions.
- Why: to power core features (your library, history, grocery list) and to generate personalised recipe recommendations.
- Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for the core features; legitimate interest (Art. 6(1)(f) GDPR) for improving recommendations. You can object to the latter at any time.
- Retention: for as long as your account exists.
2.4 Technical data and logs
- What: IP address, user-agent, device type, OS version, app version, and request logs.
- Why: to operate the service, prevent abuse, and diagnose errors.
- Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in keeping the service secure and functional.
- Retention: server logs are kept for up to 30 days.
2.5 Analytics and advertising (consent-based)
We only place analytics and advertising cookies/identifiers after you give consent via the cookie banner. If you decline or have not yet chosen, these tools are not loaded.
- PostHog — product analytics (page views, feature usage, anonymised session events).
- Meta Pixel and the Meta Conversions API — measures the effectiveness of advertising on Facebook and Instagram. When you sign up to the waitlist after consenting, we send a hashed version of your email to Meta to attribute the conversion. This is a joint controllership with Meta Platforms Ireland Ltd. for the Pixel/CAPI events; see Meta’s Controller Addendum.
Legal basis: your consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy Directive). You can withdraw consent at any time via the “Cookie settings” link in the footer.
3. AI-generated recommendations
To suggest recipes and menus, we send a summary of your activity (e.g. recipes you saved or cooked) to AI providers (OpenAI, Anthropic, Google) which return suggestions. We do not send your email address, password, or contact details. These providers process the data on our behalf and do not use it to train their models, under the API terms we have agreed to.
These recommendations do not produce legal or similarly significant effects (Art. 22 GDPR). You can ignore them at any time.
4. Who we share data with
We share personal data only with the processors needed to run the service:
- Railway Corp. (USA) — website and application hosting, search infrastructure.
- Supabase Inc. (region-dependent) — database and authentication.
- Typesense Inc. (region-dependent) — search index.
- Resend — transactional and waitlist email delivery.
- OpenAI Ireland Ltd. / OpenAI, L.L.C. — AI recommendations.
- Anthropic PBC (USA) — AI text extraction and recommendations.
- Google Ireland Ltd. / Google LLC — AI processing.
- PostHog Inc. — analytics (only with consent).
- Meta Platforms Ireland Ltd. — advertising measurement (only with consent).
- Apple Inc. — App Store distribution and crash reports for the iPhone app.
We do not sell your personal data.
5. International transfers
Some of the processors above are located outside the EU/EEA, in particular in the United States. Where this is the case, we rely on:
- the EU–US Data Privacy Framework, where the recipient is certified, or
- the European Commission’s Standard Contractual Clauses (Decision 2021/914), supplemented where necessary by additional safeguards.
You can request a copy of the safeguards in place by emailing us.
6. Your rights under the GDPR
If you are in the EU/EEA, you have the right to:
- access the personal data we hold about you (Art. 15);
- rectify inaccurate data (Art. 16);
- erase your data (Art. 17);
- restrict processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise any of these rights, email privacy@cookcook.app. We respond within one month.
You also have the right to lodge a complaint with a supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You can also complain to the authority of your country of residence.
7. Cookies and similar technologies
We use a small number of cookies and local-storage items:
- Strictly necessary — authentication session, cookie-consent choice. No consent required.
- Analytics — PostHog. Loaded only after consent.
- Advertising — Meta Pixel. Loaded only after consent.
You can change your choice at any time via the “Cookie settings” link in the footer.
8. Children
CookCook is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will erase it.
9. Security
We use industry-standard measures including TLS in transit, encryption at rest where provided by our hosting providers, hashed passwords, and access controls. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the supervisory authority as required by Art. 33–34 GDPR.
10. Changes
We may update this policy. Material changes will be announced on this page and, where appropriate, by email. The date at the top of this page reflects the latest revision.