Privacy Policy
Last updated: June 7, 2026
This policy explains what information Chefra LLC (“we”, “us”) collects, how we use it, and the rights you have over it.
1. Who we are
Chefra is a social recipe platform where you save, share, and organize recipes. Chefra is operated by Chefra LLC. You can reach us at privacy@getchefra.com for any privacy question, or support@getchefra.com for general support.
2. Information we collect
- Account data: email address, password (stored hashed), display name, optional avatar.
- Profile information: bio, username, links, and any other details you choose to add.
- Recipes and user content: recipes, posts, comments, cookbooks, meal plans, grocery lists, and any images you upload.
- Imported content: URLs you import from and the factual data we extract (ingredients, times, tags). We do not retain the original author's prose.
- Usage data: pages viewed, actions taken, approximate device and browser type, IP address, and timestamps.
- Payment information: if you subscribe to premium, billing details (card number, expiration, billing address) are collected and processed by Stripe. Chefra does not store your full card number — we only store a token, the last 4 digits, and subscription status.
3. How we use your information
- To operate, maintain, and improve Chefra.
- To personalize your feed, search, and recommendations.
- To process payments and manage your subscription.
- To secure accounts and prevent abuse, fraud, and spam.
- To send service-related messages (you can opt out of non-essential email).
- To respond to your requests and provide customer support.
- To comply with legal obligations.
4. Cookies and Analytics
Chefra uses essential cookies (authentication, security) and analytics cookies (aggregate usage patterns). We do not use advertising cookies and do not serve behavioral advertising.
Because we use only essential and analytics cookies, we do not currently require an opt-in consent banner. If we add advertising cookies in the future, we will implement a compliant consent mechanism with equally prominent accept and reject options.
5. Third-party services we use
We rely on the following service providers to run Chefra. Each is bound by contract to protect your data and to use it only to provide their service to us:
- Supabase — database, authentication, and file storage for your account, recipes, and images.
- Stripe — payment processing and subscription billing.
- Cloudflare — hosting, content delivery (CDN), and security/DDoS protection.
- Anthropic — AI features such as recipe parsing and assistance. Prompts and content sent to AI features are processed by Anthropic to generate responses; we do not allow this content to be used for training third-party models.
- Resend — transactional email delivery (sign-in confirmations, password resets, billing receipts).
- Apple Push Notification service (APNs) — delivery of push notifications on iOS devices when you opt in.
- Firebase Cloud Messaging (FCM) — delivery of push notifications on Android devices when you opt in.
- Google & Apple OAuth — when you choose "Continue with Google" or "Continue with Apple", the provider returns a verified email and a unique account identifier. We do not receive your provider password.
We may also disclose information when required by law or in response to valid legal process, and in the event of a merger, acquisition, or sale of assets. We do not sell your personal information.
6. Sub-Processors and Third-Party Services
To operate Chefra, we share data with these sub-processors:
- Supabase — Database, authentication, file storage (USA)
- Stripe — Payment processing, subscription management (USA)
- Lovable (AI Gateway) — Routes AI requests for recipe parsing, nutrition estimation, content moderation, and grocery categorization (USA)
- Google LLC — AI processing of recipe text and images via Gemini models (accessed through the Lovable AI Gateway); Android push notifications via Firebase Cloud Messaging (USA)
- OpenAI — AI-generated cookbook cover images (accessed through the Lovable AI Gateway) (USA)
- Firecrawl — Fetching and extracting recipe content from URLs you import (USA)
- Cloudflare — Content delivery, DDoS protection, bot/abuse prevention (Turnstile) (USA)
- Resend — Transactional email delivery (USA)
If you use AI-assisted features (recipe import, parsing, nutrition estimation, moderation, grocery categorization, or cover image generation), your input — such as recipe text, URLs, images, or grocery items — is transmitted through the Lovable AI Gateway to the relevant AI model provider (Google or OpenAI) for processing. These providers process this data solely to return the requested result and do not use it to train their models under our agreements.
7. How Long We Keep Your Data
- Account and profile data: Life of account, plus up to 90 days after deletion, then deleted or anonymized.
- Recipe and content data: Life of account. Deleted content is removed promptly but may persist in backups up to 30 days.
- Consent records: At least three years, or one year after account termination.
- Billing records: Seven years for tax and legal compliance. Full card numbers are never stored — Stripe handles payment data.
- Usage/analytics data: Up to 24 months for individual-level data.
- DMCA and legal records: Duration of related legal matter plus applicable statutes of limitations.
8. Your Privacy Rights
Depending on where you live, you may have the right to access, delete, correct, or port your personal data, and to opt out of sale or sharing of your data and automated profiling.
Chefra does not sell your personal data or share it for cross-context behavioral advertising. If this changes, we will update this policy and provide opt-out mechanisms first.
California residents (CCPA/CPRA) and residents of other states with comprehensive privacy laws (Colorado, Connecticut, Virginia, Texas, and others) have these rights under applicable state law.
To submit a request: email privacy@getchefra.com with "Privacy Request" in the subject line. We will verify your identity and respond within 45 days.
Exercising your privacy rights will never result in denial of service or different pricing.
9. Global Privacy Control (GPC)
Chefra honors the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we treat it as a request to opt out of sale and sharing of your personal data. Because Chefra does not currently sell or share data for advertising, this has no additional practical effect at this time, but it is acknowledged.
10. Children's Privacy
Chefra is for users 13 and older (16 or older for EEA users). We do not knowingly collect personal information from children under 13. If we learn we have done so, we will delete it promptly. To report an underage account: privacy@getchefra.com.
11. International Data Transfers
Chefra is based in the United States. If you use Chefra from outside the US, your data will be transferred to and processed in the United States. For EEA and UK users, we rely on the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses for international data transfers.
12. EEA and UK Users
If you are in the EEA or UK, we process your data on these legal bases: contract (to provide the service), consent (marketing, optional features), legitimate interests (security, fraud prevention, analytics), and legal obligation.
EEA users must be at least 16 years old to create an account.
You have the right to lodge a complaint with your local data protection authority.
Data controller: Chefra LLC, PO Box 76, Haven, Kansas 67543, USA. Email: privacy@getchefra.com.
EU/EEA and UK Data Protection Representative. Chefra LLC has appointed Data Protection Representative Limited (trading as DataRep) as its Data Protection Representative under Article 27 of the EU GDPR and the UK GDPR. EEA and UK data subjects may contact DataRep regarding the processing of their personal data:
- Email: datarequest@datarep.com (quote "Chefra LLC" in the subject line)
- Online form: www.datarep.com/data-request
- EU/EEA post: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
- UK post: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
When writing by post, please address your letter to "DataRep" (not "Chefra LLC") so it reaches us. For questions about the Chefra product or your account, contact us directly at privacy@getchefra.com.
13. Data Security
We implement reasonable security measures including encrypted storage, encrypted transmission (TLS), access controls, and database row-level security. In the event of a breach affecting your personal data, we will notify you as required by applicable law, including K.S.A. 50-7a01 (Kansas).
13a. Mobile app permissions
The Chefra iOS and Android apps may ask for the following device permissions. Each permission is requested only when the related feature is used, and you can revoke it at any time in your device settings:
- Camera — to take a photo of a dish or scan a printed recipe. Photos are uploaded only when you tap "save" or "post".
- Photo library — to attach an existing image to a recipe, post, or profile.
- Notifications — to deliver the alerts you opt into (replies, mentions, DMs, follows). You can change notification topics in Settings → Notifications.
Chefra does not request location, microphone, contacts, calendar, health, motion, or Bluetooth access, and the app does not track you across other companies' apps or websites (no IDFA / Advertising ID collection, no AppTrackingTransparency prompt).
13b. Manage, export, or delete your data
You can take these actions yourself, without contacting us:
- Export a copy of your data — Settings → Privacy & Security → "Download my data" produces a JSON file with your recipes, posts, comments, grocery items, and profile.
- Delete your account — Settings → Privacy & Security → "Delete account" permanently removes your account and personal data (subject to the retention schedule in §7).
- Block or report a user — use the menu on any profile, post, comment, or message.
- Manage notifications — Settings → Notifications.
If you need help, email privacy@getchefra.com.
14. DMCA designated agent
Chefra has designated the following agent to receive notices of claimed copyright infringement under the Digital Millennium Copyright Act:
- Designated Agent: Eli Kramer
- Organization: Chefra LLC
- Email: dmca@getchefra.com
- U.S. Copyright Office Registration: DMCA-1073800
15. Changes to this policy
We may update this policy. When we make material changes, we will notify you in the app or by email and update the "Last updated" date at the top of this page.
16. Contact
Privacy questions or requests? Email privacy@getchefra.com.