Privacy Policy

Last updated: 22/12/2025

This Privacy Policy explains how Hyaico Ltd (“Hyaico”, “we”, “us”, “our”) collects, uses and shares information about you when you use the Just Cooked™ mobile application and related websites, services and features (together, the “App” or “Service”).

We are committed to handling your personal data fairly, transparently and in compliance with applicable data protection law, including the UK GDPR and the Data Protection Act 2018.

If you do not agree with this Policy, please do not use the App.

1. Who we are (Data Controller)

The data controller responsible for your personal data is:

Hyaico Ltd
41 Woodcross Fold
Leeds, West Yorkshire
LS27 9JW
United Kingdom

We have not appointed a Data Protection Officer, but you can contact us using the details above for any privacy-related questions.

2. Scope

This Policy applies to:

  • The Just Cooked™ mobile app (iOS and Android)
  • Any websites operated by Hyaico in connection with Just Cooked™ (including legal pages, marketing sites and landing pages)

It does not apply to third-party services you access via the App (such as Apple App Store, Google Play Store or external websites); those have their own privacy policies.

3. Data we collect

We only collect the information we need to operate, secure and improve Just Cooked™, and to comply with our legal obligations.

3.1 Categories of data

Depending on how you use the App, we may collect the following categories of data:

A. Account & Identification Data

  • Email address
  • Password hash (if you sign up with email)
  • Third-party identifiers (e.g. Apple / Google sign-in IDs)
  • User ID generated by our systems

B. Profile & Personalisation Data

  • Name and/or display name
  • Username
  • Country / region (if provided or inferred)
  • Cooking preferences (e.g. cuisines you like, skill level)

C. Health-Related & Special Category Data (Allergies etc.)

If you choose to provide it, we may collect information such as:

  • Food allergies and intolerances
  • Dietary restrictions (e.g. vegetarian, vegan, halal, kosher, etc.)
  • Other health-related notes you enter into the App in relation to recipes

Important: These data may constitute “special category data” under the UK GDPR. You are not required to provide this information, but if you do, we will only process it with your explicit consent and solely to personalise recipes and filter ingredients according to your preferences.

We do not intend to process medical records or clinical diagnostic information.

D. Physical & Nutrition-Related Data

If you choose to provide it, we may collect:

  • Date of birth or age range
  • Gender
  • Height and weight
  • High-level goals (e.g. gain muscle, lose fat, eat healthier)

We use this to personalise recipe suggestions and approximate nutritional information. This is not clinical or diagnostic health advice.

E. Content & Usage Data

  • Recipes you view, generate, save or cook
  • Pantry items and ingredients you add
  • Your cooking history and in-app actions (e.g. starting a cook session, completing a recipe)
  • Notes you attach to recipes
  • Photos you upload (e.g. pictures of food or pantry items), including any metadata provided by your device
  • Timestamps and basic interaction logs (such as screens viewed, button taps, error events)

F. Technical & Device Data

  • Device model, operating system, app version
  • IP address, approximate location (city/region-level, derived from IP, if available)
  • Device identifiers (e.g. vendor identifiers used for analytics), where permitted
  • Language and time zone settings
  • Crash logs and performance metrics

G. Subscription & Payment Data

We do not store your full payment card details. Payments and subscriptions are processed by the app stores (Apple App Store, Google Play Store).

We do receive and/or generate:

  • Information that a subscription or purchase has been made (from Apple/Google)
  • Your subscription tier, status (active/cancelled/expired) and renewal dates
  • Internal IDs used by our subscription management provider (e.g. RevenueCat)

H. Communications Data

  • Emails you send to us (support requests, feedback)
  • In-app support messages (if implemented)
  • Marketing preferences (if you opt in)

4. How we collect your data

We collect data in the following ways:

  • Directly from you – when you register, edit your profile, input pantry items, set allergies, upload photos, contact support, etc.
  • Automatically – when you use the App, we collect usage, device and technical data for security and performance.
  • From third parties – e.g. app stores (Apple/Google) for subscriptions and sign-in, and our service providers (such as Supabase, RevenueCat) for usage/telemetry data.

5. Why we use your data and legal bases

Under the UK GDPR, we must have a lawful basis for each use of your personal data. We rely on:

  • Performance of a contract – to provide you with the App and its features
  • Explicit consent – for special category data (allergies) and certain profile data
  • Legitimate interests – for security, service improvement and fraud prevention
  • Legal obligation – where we must comply with law, tax or regulatory duties

5.1 Table of purposes and legal bases

Purpose Data used Legal basis
Create and manage your accountAccount data, profile dataContract
Provide core recipe and cooking featuresAccount data, profile data, content & usage dataContract
Personalise recipes and suggestionsProfile data, nutrition-related data, content & usage dataLegitimate interests (personalisation); Consent where special category (allergies)
Filter recipes according to your allergiesAllergy / dietary data (special category)Explicit consent
Process subscriptions and verify entitlementAccount data, subscription data, device dataContract; Legal obligation (financial records)
Maintain security, prevent abuse and fraudAccount data, usage data, technical dataLegitimate interests (security)
Improve and debug the AppUsage data, technical data, crash logs, content data (in aggregate)Legitimate interests (service improvement)
Communicate with you about your account and service changesContact details, account dataContract / Legal obligation
Send optional marketing messages (if enabled)Contact details, usage data (where permitted)Consent / Legitimate interests (soft opt-in)
Comply with legal obligations (tax, accounting, regulatory)Transaction records, account dataLegal obligation

You can withdraw your consent at any time where we rely on consent (e.g. for allergy data) by updating your settings in the App or contacting us.

6. AI and automated processing

Just Cooked™ uses AI services to generate recipes and analyse food images.

6.1 Recipe generation (OpenAI or similar models)

When you request AI-generated recipes, we may send to our AI provider:

  • A list of ingredients (from your pantry and/or image analysis)
  • Your preferences (e.g. dietary choices, cuisine styles)
  • High-level constraints (e.g. time to cook)

We do not send your full name or email to the AI provider for recipe generation.

We use the AI responses to display recipes within the App. AI may make mistakes; recipe content may be incomplete, inaccurate or unsuitable for you. You must always check ingredients and use your own judgement before cooking or eating anything. (See our separate Disclaimer and Terms of Use.)

6.2 Ingredient recognition (image analysis)

If you upload photos for ingredient recognition, the images are sent to an image recognition provider (e.g. Google Cloud Vision) to detect food items and text on packaging (where possible). The provider processes the image to return labelled ingredients or other structured data. We use that result to help populate ingredients and suggest recipes.

6.3 Automated decisions

We do not make decisions that produce legal or similarly significant effects solely based on automated processing. AI is used to assist your cooking experience, not to make legal, financial or medical decisions about you.

7. Cookies and similar technologies

In the Just Cooked™ mobile app, we use cookies and similar technologies (such as local storage, device identifiers and SDKs) for:

  • Authentication and security
  • Basic functionality and preferences
  • Measuring performance and usage (product analytics)

7.1 PostHog analytics (mobile app)

We use PostHog in the mobile app for product analytics to measure feature usage, monitor performance, debug issues and improve the user experience. PostHog operates via an SDK and may collect:

  • Information about your interactions with the App (e.g. screens viewed, button taps, feature usage, timestamps)
  • Technical information (e.g. device model, operating system, app version)
  • Pseudonymous identifiers used to link events on a single device or account

We do not use PostHog for advertising, marketing attribution or cross-app tracking. We configure analytics to minimise the collection of personal data where reasonably possible and to focus on aggregated and/or pseudonymous insights. We do not intentionally send PostHog your special category data (such as allergy information) or the content of your private notes/photos.

We rely on legitimate interests to process in-app analytics for service improvement, debugging and performance monitoring.

In the App, we may also use:

  • Local storage and device identifiers
  • App store / subscription identifiers
  • SDKs for crash reporting and performance

8. How we share your data

We do not sell your personal data.

We may share your data with:

8.1 Service providers (processors)

We use carefully chosen third parties to help us operate the App. These may include:

  • Supabase – authentication, database, storage and backend hosting
  • AI service providers (e.g. OpenAI) – recipe generation, language processing
  • Image recognition providers (e.g. Google Cloud Vision) – analysing food images
  • Subscription management services (e.g. RevenueCat) – tracking subscription status and entitlements
  • Paywall/experiment providers (e.g. Superwall) – managing in-app paywalls and experiments
  • Cloud hosting and infrastructure providers – running our services
  • Customer support tools (if used) – managing support emails and tickets
  • PostHog – product analytics to understand usage and improve the Service

These providers act as our data processors and may only process your personal data on our instructions and for the purposes described in this Policy. We take steps to ensure they implement appropriate security measures.

8.2 App stores and payment providers

When you subscribe or make in-app purchases, your transaction is processed by:

  • Apple App Store (for iOS users)
  • Google Play Store (for Android users)

We receive limited information from these platforms (e.g. that a payment was successful, your subscription status and renewal date). We do not receive or store your full payment card details.

8.3 Professional advisers and legal authorities

We may share your data with:

  • Lawyers, accountants, auditors and insurers, where necessary for advice or compliance
  • Law enforcement bodies, regulators or courts, when required by law or to protect our rights, users or others

8.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganisation, sale of assets or similar transaction, your data may be transferred as part of that deal. We will ensure appropriate protections are in place and will notify you if required by law.

9. International transfers

We are based in the United Kingdom, but many of our service providers are located in other countries, including the European Economic Area (EEA) and the United States.

When your personal data is transferred outside the UK/EEA, we ensure an adequate level of protection by:

  • Relying on an adequacy decision (where applicable), or
  • Using Standard Contractual Clauses (SCCs) and, where necessary, the UK’s International Data Transfer Addendum, or
  • Implementing other appropriate safeguards as required by law.

You can contact us if you would like more details about the specific transfer mechanisms we rely on.

10. Data retention

We keep your personal data only for as long as necessary for the purposes described in this Policy, including:

  • For as long as you have an active account
  • For a limited period after you delete your account, to allow for recovery (if offered) and to comply with legal obligations
  • For as long as required by law for tax, accounting or regulatory reasons
  • For a limited period for backup and security logs

In general:

  • Account data – retained while your account is active, then deleted or anonymised within a reasonable period afterwards
  • Allergy and profile data – retained while your account is active or until you delete or change it
  • Content (recipes saved, notes, photos) – retained while your account is active or until you delete it
  • Subscription and transaction data – retained for the applicable statutory retention periods (e.g. 6 years for accounting records in the UK)
  • Logs and technical data – retained for a limited period for security and performance analysis, then deleted or aggregated

When we no longer need personal data, we will delete it or anonymise it so that it can no longer be linked to you.

11. Security

We use appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, alteration or destruction, including:

  • Encrypted connections (HTTPS/TLS)
  • Access controls and least-privilege principles for staff and systems
  • Secure storage of passwords (hashed, not plain text)
  • Regular updates and security patches for our infrastructure
  • Monitoring for abuse and suspicious activity

However, no system can be completely secure. You are responsible for keeping your account credentials confidential and for securing your own device.

12. Your rights

Under the UK GDPR, you have the following rights (subject to certain conditions):

  • Right of access – to obtain a copy of your personal data we hold about you
  • Right to rectification – to have inaccurate or incomplete data corrected
  • Right to erasure – to request deletion of your personal data in certain circumstances
  • Right to restriction – to ask us to restrict the processing of your data in certain cases
  • Right to data portability – to receive your data in a structured, commonly used format and to have it transmitted to another controller, where technically feasible and lawful basis is consent or contract
  • Right to object – to object to processing based on our legitimate interests, and to object to direct marketing
  • Right to withdraw consent – where we rely on your consent (e.g. for allergies), you can withdraw it at any time

You can exercise many of these rights directly within the App (e.g. updating your profile, changing settings, deleting your account). For other requests, contact us at support@justcooked.app.

We may need to verify your identity before processing your request and we may refuse or limit requests where we are legally entitled to do so (for example, where they are manifestly unfounded, excessive or impact the rights of others).

13. Children and age restrictions

Just Cooked™ is not intended for children under 16.

  • You must be at least 16 years old to use the App.
  • We do not knowingly collect personal data from children under 16.
  • If you are a parent or guardian and believe your child has provided us with personal data, please contact us so we can delete it.

If we become aware that we have collected personal data from someone under 16, we will delete it as soon as reasonably practicable.

14. Account deletion

You can request deletion of your account from within the App (where this feature is available), or by contacting us.

When you delete your account:

  • We will delete or anonymise personal data that we no longer need
  • We may retain certain information where required by law (e.g. invoices, basic transaction records) or for our legitimate interests (e.g. fraud prevention, security logs) for the applicable retention period

Details of the account deletion process and its effects are described in the App and/or in our Terms of Use.

15. Complaints

If you have questions or concerns about this Policy or how we handle your personal data, please contact us first at:

Email: support@justcooked.app

You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors.

When we make material changes, we will:

  • Update the “Last updated” date at the top, and
  • Provide notice in the App and/or by email where appropriate

Your continued use of the App after any changes take effect will constitute your acceptance of the updated Policy. If you do not agree with the changes, you should stop using the App and delete your account.