Privacy Policy

Effective date: June 3, 2026
Last updated: April 24, 2026

This Privacy Policy explains how KOLM Michał Kołnierzak ("Cookonut", "we", "us", "our") collects, uses, shares, and protects the personal data of users of the Cookonut mobile application and the cookonut.com website (together, the "Service").

This Policy also covers the use of cookies and similar technologies on the website. The mobile application generally does not use browser cookies, but it may use other local storage technologies, app identifiers, push tokens, and system permissions described below.

Cookonut is offered to users in multiple countries. This Policy has been prepared with regard to the data protection laws applicable to our business, in particular the laws of the European Economic Area, the United Kingdom, Brazil, and — where applicable — selected U.S. state privacy laws and other local privacy regulations.

1. Data Controller

The controller of your personal data is:

KOLM Michał Kołnierzak
ul. Milenijna 43/2
03-130 Warsaw, Poland
VAT ID: PL5361929091
Email: [email protected]

If you have any questions about privacy, you can contact us at: [email protected].

2. What Data We Collect

We may process the following categories of data:

2.1. Account Data

email address,
password — if you register with email and password; the password is stored only in a secured form by the authentication provider and is not disclosed to us in plain text,
first name, last name, or username — if you provide it or if we receive it from a login provider with your consent,
internal user identifier,
information about the login method, such as Apple, Google, or email and password.

2.2. Onboarding and Settings Data

We may process optional data used to personalize the app, such as:

language and country,
measurement system, temperature units, decimal separator, and fraction display format,
sources from which you most often get recipes,
cooking frequency,
cooking goals,
dietary or culinary preferences, such as vegetarian, vegan, gluten-free, dairy-free, high-protein, low-carb, or pescatarian.

This data is optional and is used solely to personalize Cookonut. We do not collect information about allergies, illnesses, or medical diagnoses during onboarding.

2.3. Content You Save

We may process content that you create, save, or import in Cookonut, including:

recipes,
ingredients, preparation steps, notes, tags, and comments,
photos,
recipe collections and cookbooks,
meal plans,
shopping lists,
recipe ratings and edits.

2.4. Recipe Import Data

Depending on the import method you choose, we may process:

links and URLs and the content of the referenced webpages,
manually pasted text,
images and photos submitted for OCR or recipe content recognition,
audio recordings submitted for transcription,
metadata and content from public social media materials, if you provide us with a link to a post or video.

If the materials you submit contain personal data, we process them only to the extent necessary to perform the requested feature.

2.5. Subscription and Payment Data

If you use a paid version of Cookonut, we may receive subscription-related data such as:

product or plan identifier,
subscription status,
start, renewal, expiration, or cancellation dates,
trial period information,
currency and transaction amount — where provided by the subscription provider,
technical identifiers related to the purchase.

We do not receive or store full payment card details.

2.6. Technical and Diagnostic Data

We may also process:

device identifier,
app instance identifier,
push notification token,
platform, operating system, and app version,
technical logs,
error, crash, and diagnostic reports,
security data,
IP address and browser data — in connection with the website,
information about consents, privacy settings, and choices relating to cookies and advertising technologies on the website.

Some of this data may be linked to your account where necessary for app functionality, security, support, or diagnostics.

3. Why and on What Basis We Process Data

We process data for the following purposes:

3.1. Providing the Service

To create and maintain your account, synchronize your data, import, save, organize, and edit recipes, create meal plans and shopping lists, and personalize the app.

Legal basis (GDPR): performance of a contract or steps taken at your request before entering into a contract.

3.2. Login and Account Security

To authenticate users, protect accounts, reset passwords, and prevent abuse, fraud, and unauthorized access.

Legal basis (GDPR): performance of a contract and our legitimate interest in ensuring the security of the Service.

3.3. Service and Transactional Communications

To send communications related to your use of the Service, such as registration confirmation, password reset, email change confirmation, account deletion confirmation, subscription or payment messages, and important service-related notices.

Legal basis (GDPR): performance of a contract and, where necessary, our legitimate interest in properly supporting users and maintaining service security.

3.4. Email Marketing and Promotional Communications

We may send you messages about onboarding, new features, product tips, promotional offers, or win-back campaigns after cancellation or subscription expiry.

We send such messages:

based on your consent, where required, or
where permitted by applicable law — based on soft opt-in or a similar legal basis for communications about our own similar services, provided that you can easily opt out both when your data is collected and in every subsequent message.

You can opt out at any time by using the unsubscribe link in the email or by contacting us at [email protected].

3.5. Push Notifications

We may send push notifications relating to the operation of the app, including features triggered by the user, reminders connected with app usage, subscription status, and important service updates.

Push notifications require appropriate system permissions granted on your device. You can disable them at any time in your device settings.

Where a notification is marketing or promotional in nature, we rely on the appropriate consent or another basis permitted by applicable law.

3.6. Website Analytics

On cookonut.com, we may use analytics tools such as Google Analytics 4 to understand how users interact with the website and how we can improve it.

Where such tools require consent, we use them only after obtaining it.

Legal basis (GDPR): consent.

3.7. Website Advertising and Remarketing

On the website, we may use advertising and remarketing tools such as Meta Pixel and Google Ads to measure campaign performance, create audiences, and display ads tailored to a user's prior activity on the website.

We use such tools only where permitted by law and — where required — after obtaining the appropriate user consent.

Legal basis (GDPR): consent.

3.8. Accounting, Tax, and Compliance

To comply with accounting, bookkeeping, and tax obligations.

Legal basis (GDPR): legal obligation and, where necessary, performance of a contract.

3.9. Security, Claims, and Legal Compliance

To protect the Service against abuse, ensure the integrity and security of our systems, establish, exercise, or defend legal claims, and respond to lawful requests from public authorities.

Legal basis (GDPR): legitimate interest and legal obligation, where applicable.

4. Dietary Preferences and Special Categories of Data

We treat dietary preferences provided in Cookonut as optional culinary personalization settings, not as medical information collected for diagnosis, treatment, or health profiling.

We do not ask you during onboarding to provide allergies, illnesses, diagnoses, medical information, religious beliefs, or other special category data within the meaning of data protection laws.

Please do not include health information or other sensitive personal data in content saved in Cookonut unless you consciously choose to do so and consider it necessary.

5. Children

Cookonut is not directed to children under the age of 13.

If your local law requires a higher age for independent use of the Service or for valid consent to data processing, Cookonut may only be used once that age has been reached or — where permitted by law — with the consent of a parent or legal guardian.

We do not knowingly collect children's personal data in violation of applicable law. If we learn that a child's data was collected without a valid legal basis, we will take steps to delete it.

6. Who We Share Data With

We use third-party service providers that help us operate and improve Cookonut. We share data with them only to the extent necessary to provide specific functions.

The main categories of recipients and providers include:

Supabase Inc. — backend infrastructure, database, authentication, file storage, and server functions,
RevenueCat, Inc. — subscription management and synchronization,
Apple — Apple ID login, app distribution, App Store payments, and Apple push notifications,
Google — Google login, app distribution through Google Play, Android push notifications, YouTube API, Google Analytics 4 on the website, and Google Ads and website remarketing where appropriate consent has been obtained,
Brevo SAS — email delivery and email communication management,
Cloudflare, Inc. — website hosting, CDN, security, and abuse prevention,
Meta Platforms — Instagram oEmbed / Graph API for importing public Instagram content and Meta Pixel on the website where appropriate consent has been obtained,
AI and content processing providers — only as described in Section 7.

We may also disclose data to providers of legal, accounting, audit, or advisory services, to public authorities where we are legally required to do so, and to a legal successor, buyer, or investor in connection with a sale, transformation, or restructuring of the business, subject to applicable data protection law.

7. External AI and Content Processing Providers

To enable recipe import and structuring, we may use external content-processing tools, including AI-based tools.

Depending on the feature used, these may include:

OpenAI, LLC — for example, for audio transcription, content recognition, or text structuring,
Google LLC — for example, for OCR, image processing, translation, or content structuring,
Meta Platforms — for public data obtained through Instagram oEmbed / Graph API,
YouTube API Services — for public data relating to YouTube videos where the user imports content from that source.

As a rule, we provide these providers with the user-submitted content necessary to perform the requested function, rather than broader account data, unless broader data is technically necessary.

Please note, however, that user-submitted content — including text, images, audio, or the content of an imported link — may itself contain personal data. In that case, the relevant provider may process such data only to the extent necessary to perform the requested function.

8. International Data Transfers

Some of our providers are located in, or use infrastructure located in, countries outside your country of residence, including outside the European Economic Area.

Where we transfer data outside the EEA, the United Kingdom, or another jurisdiction requiring special safeguards for international transfers, we use appropriate legal mechanisms such as adequacy decisions, standard contractual clauses, relevant transfer certification frameworks, or supplementary technical and organizational measures.

If you would like more information about the transfer mechanisms we use, contact us at [email protected].

9. How Long We Keep Data

As a rule:

we keep account data and user content until the account is deleted or a valid deletion request is fulfilled,
we keep onboarding and settings data until you change or delete it, or until your account is deleted,
we keep audio recordings used for import temporarily, generally for no longer than 24 hours,
we keep images submitted for OCR or content recognition temporarily, generally for no longer than 7 days,
we keep technical, security, and crash reporting logs for the period necessary for diagnostics, security, and abuse prevention,
we keep accounting and tax-related data for the period required by applicable accounting and tax laws,
we keep data necessary to establish, exercise, or defend claims until the relevant limitation periods expire,
backups may contain data for a limited period after deletion from active systems, generally up to 30 days.

10. Your Rights

Depending on your place of residence and the laws that apply, you may have the following rights:

the right to access your data,
the right to rectify your data,
the right to erase your data,
the right to restrict processing,
the right to data portability,
the right to object to processing based on legitimate interests,
the right to withdraw consent at any time,
the right to lodge a complaint with the relevant supervisory authority,
rights under local privacy laws, including rights to know, correct, delete, opt out, or limit certain advertising-related practices, where applicable.

10.1. Users in the EEA and the United Kingdom

If processing is subject to the GDPR or UK GDPR, you have the rights set out in those laws.

10.2. Users in Brazil

If processing is subject to the LGPD, you have the rights provided by the LGPD, including the rights to confirmation of processing, access, correction, anonymization, blocking, deletion, information about data sharing, and withdrawal of consent where consent is the legal basis.

10.3. Users in California and Other U.S. States

If relevant U.S. state privacy laws apply, you may have rights including the right to know what categories of data we collect, obtain a copy of your data, correct your data, delete your data, and opt out of the "sale" or "sharing" of personal data where those concepts apply to our advertising practices.

We do not sell personal data for monetary consideration. However, the use of certain website advertising and remarketing technologies — such as Meta Pixel or Google Ads — may, in some jurisdictions, especially California, be treated as "sharing" or "sale" under local privacy laws.

If you wish to exercise an opt-out right in this respect, you can change your consent and cookie settings on our website or contact us at [email protected].

11. How to Delete Your Account and Data

You can delete your account at any time directly in the app:

open Settings,
select Account,
tap Delete account,
type "DELETE",
tap "Delete my account".

Once deletion is confirmed, the account will be promptly removed from active production systems or marked for permanent deletion in accordance with the system architecture. Data may remain temporarily in backups for the limited period described in Section 9.

Account deletion is irreversible from the user's perspective. Once the process is complete, the account and data saved in Cookonut cannot be restored.

You may also request deletion by emailing [email protected]. Where necessary, we may ask you to verify your identity.

Please note: deleting your Cookonut account does not automatically cancel your App Store or Google Play subscription. You must cancel your subscription separately through the relevant store or account settings.

12. Data Security

We apply appropriate technical and organizational measures to protect data against loss, unauthorized access, disclosure, or destruction.

These measures may include encrypted transmission, access controls, user authentication, permission restrictions, security event logging, user data segregation, and measures for detecting abuse and incidents.

However, no system can guarantee absolute security. If an incident occurs that requires reporting or user notification, we will take the steps required by applicable law.

13. Cookies and Similar Technologies

13.1. Website

On cookonut.com, we may use cookies and similar technologies such as localStorage, tags, and pixels.

We may use the following categories of technologies:

strictly necessary — needed for website operation, security, and saving privacy settings,
functional — for example, remembering language or website preferences,
analytics — for example, Google Analytics 4, where the user consents,
marketing — for example, Meta Pixel and Google Ads / remarketing, where the user consents.

Where required by law, we do not place non-essential cookies or run non-essential tags before obtaining valid user consent.

13.2. Mobile Application

The Cookonut mobile application generally does not use browser cookies. However, it may use local app settings storage, device or app instance identifiers, push tokens, technical and diagnostic logs, and system permissions granted by the user.

On the website, you can manage your choices relating to cookies and similar technologies through the consent banner or the privacy settings mechanism made available on the site.

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

14. Information Required by Login and API Providers

14.1. Sign in with Apple

If you sign in through Apple, Apple may provide us with your email address, including a private relay email address, and — depending on your settings and permissions — your first or last name. We do not receive your Apple ID password.

14.2. Google Sign-In and Google API Services

If you sign in through Google, Google may provide us with your email address and — depending on your settings and permissions — your first or last name. We do not request access to your contacts, calendar, Google Drive, or other Google data unless we clearly describe and implement such a feature in the future.

Where we use Google API Services, that use is subject to the applicable Google terms and Google privacy policies.

14.3. YouTube API Services

If you import a recipe from YouTube content, we may use YouTube API Services to retrieve publicly available information related to that content. Use of YouTube API Services is subject to Google and YouTube terms.

14.4. Instagram oEmbed / Meta Graph API

If you import content from public Instagram materials, we may use Meta tools to retrieve publicly available data associated with the link you provide.

15. Advertising and Ad Measurement

On the website, we may use advertising and measurement tools provided by third parties, in particular Meta and Google.

Depending on configuration and the consents obtained, these tools may measure conversions, help assess campaign performance, create audiences for remarketing, and support the display of ads tailored to a user's prior activity on the website.

If local law treats such practices as "sharing," "sale," behavioral advertising, or a similar type of processing requiring opt-out or additional notice, the relevant user rights are described in Section 10.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, in particular when Cookonut features, providers, legal requirements, or our data use practices change.

The current version of the Policy will be published together with the date of the latest update. If changes are material, we may also notify users in the app, on the website, or by email.

17. Contact and Complaints

For any matters relating to privacy, data protection, or the exercise of your rights, you can contact us at: