Legal · Updated May 11, 2026
Privacy policy
How we process your personal data, in accordance with Regulation (EU) 2016/679 (GDPR).
This policy informs you, pursuant to articles 13 and 14 of the GDPR, of the personal data processing we carry out as part of the RecetteClic Service. We want it to be readable: key information appears at the top of each section.
1Data controller
- Florian Francese, sole proprietor
- Trading under the business name mf2n.dev
- SIREN 939 378 782, Paris Commercial Register
- Address: 60 rue François Ier, 75008 Paris, France
- Dedicated privacy contact: privacy@recetteclic.app
We have not appointed a Data Protection Officer (DPO), as this is not required for our activity (article 37 GDPR). You may nonetheless send any data-related request to privacy@recetteclic.app; we reply within thirty (30) days maximum.
2Data we collect
Data you provide
- Identity: first name, last name (or pseudonym), avatar (optional).
- Account: email address, password (hashed, never stored in plaintext), or Apple / Google identifier if you use social login.
- Content: recipes you import or create, sources (URLs, videos, images), social interactions (favorites, comments, likes, follows) if you use the community.
- Communications: content of your support emails.
Data collected automatically
- Technical data: device type, OS version, app version, language, time zone, anonymized install identifier.
- Logs: IP address (anonymized after 24 hours), request date and time, response codes, necessary for security and abuse detection.
- Error diagnostics: error traces (Sentry) without sensitive content.
We collect no precise location data, no biometric data, no advertising identifier (IDFA, AAID), and we do not use any third-party tracking cookies.
3Purposes and legal bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Provide the Service (account, notebook, cooking mode, community) | Performance of contract (art. 6.1.b GDPR) | For the duration of the account + 30 days after deletion |
| AI extraction of a recipe from a source | Performance of contract (art. 6.1.b GDPR) | Data sent to OpenAI / Anthropic not retained by them beyond 30 days (DPA) |
| Subscription and payment management (via Apple / Google / RevenueCat) | Performance of contract + accounting obligations | 10 years (art. L. 123-22 of the French Commercial Code) |
| Transactional emails (confirmation, password reset) | Performance of contract (art. 6.1.b GDPR) | 13 months after last send |
| Improving the Service, anonymous statistics | Legitimate interest (art. 6.1.f GDPR) | 25 months, anonymized |
| Abuse detection, Service security | Legitimate interest (art. 6.1.f GDPR) | Logs: 12 months — IP fingerprints: 24 hours |
| Complying with a legal obligation (judicial request) | Legal obligation (art. 6.1.c GDPR) | Duration of the obligation |
4Subprocessors
We rely on the following subprocessors, who act only on our instructions and under GDPR-compliant data processing agreements (DPA):
| Subprocessor | Role | Data location |
|---|---|---|
| Hostinger International Ltd (Cyprus) | Server hosting, PostgreSQL database, Redis cache, S3-compatible storage | European Union datacenters |
| OpenAI, Inc. (USA) | AI models for recipe extraction (gpt-5-mini, gpt-4o-mini, Whisper) | United States — Standard Contractual Clauses (SCC) + OpenAI Enterprise DPA |
| Anthropic PBC (USA) | Claude AI models (alternative configuration) | United States — Standard Contractual Clauses (SCC) + Anthropic DPA |
| Resend, Inc. (USA) | Sending transactional emails (confirmation, reset) | United States — Standard Contractual Clauses (SCC) |
| Functional Software, Inc. d/b/a Sentry (USA) | Application error diagnostics | United States — Standard Contractual Clauses (SCC) + automatic PII scrubbing |
| RevenueCat, Inc. (USA) | Subscription management (Apple / Google receipt validation) | United States — Standard Contractual Clauses (SCC) + RevenueCat DPA |
| Apple Inc. (Ireland for EU) | In-App Purchase on iOS, Sign in with Apple | European Union (Apple Distribution International Ltd) |
| Google LLC (Ireland for EU) | In-App Purchase on Android, Sign in with Google | European Union (Google Ireland Ltd) |
Any update to this list will be published on this page with 30 days' notice in case of addition of a subprocessor that would access your identifying personal data.
5Transfers outside the European Union
Some of our subprocessors (OpenAI, Anthropic, Resend, Sentry, RevenueCat) are established in the United States. These transfers are framed by:
- Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914).
- Where applicable, certification under the EU-US Data Privacy Framework (Decision (EU) 2023/1795).
- Additional measures: encryption in transit (TLS 1.3), data minimization (no direct user identifier sent to AI providers), prompt deletion at subprocessor.
You may request a copy of the safeguards in place by writing to privacy@recetteclic.app.
6Your rights
Pursuant to articles 15 to 22 of the GDPR, you have the following rights:
- Right of access: obtain a copy of the data concerning you.
- Right to rectification: correct inaccurate data.
- Right to erasure ("right to be forgotten"): delete your account and data.
- Right to restriction: temporarily restrict processing.
- Right to portability: retrieve your recipes in a structured format (JSON).
- Right to object: object to processing based on legitimate interest.
- Right to withdraw your consent at any time, without retroactive effect.
- Right to give directives about your data after death (art. 85 French Data Protection Act).
- Right to lodge a complaint with the CNIL (cnil.fr) if you believe your rights are not respected.
To exercise these rights: write to privacy@recetteclic.app. We reply within thirty (30) days maximum. For simple requests (export, deletion), most actions can be done directly from the app.
7Minors
The Service is intended for persons aged fifteen (15) or over, in accordance with the digital age of consent set by article 7-1 of the French Data Protection Act. Minors under 15 must obtain prior consent from a parent or legal guardian.
If you are a parent and find that a child under 15 has created an account without your authorization, write to privacy@recetteclic.app: we delete the account within 72 hours.
8Security
We implement the following technical and organizational measures:
- Encryption of all communications (TLS 1.3).
- Password hashing (scrypt algorithm via Better Auth).
- Encryption at rest for databases.
- Multi-factor authentication available for administrator accounts.
- Access logging and security alerts.
- Regular security updates.
In case of a data breach likely to result in a high risk to your rights and freedoms, we will inform you individually as soon as possible pursuant to article 34 GDPR, and notify the CNIL within 72 hours (art. 33 GDPR).
9Changes
We may update this policy. The date at the top of the page reflects the latest change. Material changes will be notified to you by email or in-app notification at least thirty (30) days before they take effect.
A question?
Email us at hello@recetteclic.app. We reply within 5 business days.