Cocotte (“we”, “us”, or “our”) operates the Cocotte web application at chef-cocotte.com and the “Cocotte – Recipe Clipper” Chrome browser extension (collectively, the “Service”). This Privacy Policy describes how we collect, use, handle, store, and share your personal information when you use our Service. By using Cocotte, you agree to the practices described in this policy.
Google API Compliance
Google API Limited Use Disclosure
Cocotte’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
For the purposes of the EU General Data Protection Regulation (GDPR) and applicable data protection laws, the data controller responsible for your personal data is:
As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection legislation.
Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
Contractual Necessity (Art. 6(1)(b)): Processing your account data (name, email) and recipe content is necessary to provide the Cocotte service — specifically, to authenticate your account, save recipes, and display your personal recipe collection.
Consent (Art. 6(1)(a)): When you sign in via Google OAuth, you provide explicit consent for us to receive your name and email from Google. You may withdraw your consent at any time by deleting your account.
Legitimate Interest (Art. 6(1)(f)): We process limited technical data (IP addresses for rate limiting, aggregate error rates) based on our legitimate interest in maintaining the security, stability, and performance of the Service.
We do not process any special categories of personal data (Art. 9 GDPR) such as health data, biometric data, religious beliefs, or political opinions.
EU Compliance
EU Digital Services Act (DSA)
In compliance with the European Union Digital Services Act (Regulation (EU) 2022/2065), we provide the following information for users in the European Economic Area (EEA):
Point of Contact
In accordance with Article 12 of the DSA, our single point of contact for EU authorities, the European Commission, the European Board for Digital Services, and users in the EU is:
Content moderation: Cocotte is a personal recipe-saving tool. We do not host user-generated public content, operate a marketplace, or provide a social media platform.
Algorithmic recommendations: We do not use algorithmic recommendation systems, personalized content feeds, or automated profiling.
Advertising: We do not display any advertisements in our Service, nor do we use your data for any advertising purposes.
Dispute Resolution
If you are a user in the EU and disagree with any action we take regarding your account or content:
Judicial redress: You retain the right to seek judicial redress before the courts of the EU Member State where you reside.
Data We Collect
We collect the minimum amount of personal information necessary to provide our Service. Below is an exhaustive list of every category of data we collect:
1. Account & Authentication Data
Name and email address, provided when you sign in via Google OAuth or email/password through Supabase Auth.
Authentication tokens (JWT access token and refresh token) used to keep you signed in. These are stored locally in your browser and are never shared with third parties.
2. Recipe & Website Content
When you explicitly click the extension button or paste a URL to save a recipe, we collect:
The URL of the webpage you are saving from.
Recipe content extracted from that page: title, ingredients, instructions, prep/cook times, servings, and recipe images.
Source attribution: the original website name and URL are preserved for credit.
Affirmative user action only: Website content is collected only when you actively click the extension button or paste a URL. We never collect website content automatically, in the background, passively, or without your explicit action. We do not monitor or track your browsing activity.
3. User Preferences
Language preference (English or French), stored in your browser.
Recipe categories you create to organize your collection.
4. Data We Do NOT Collect
We do not collect your browsing history, bookmarks, or activity on pages you do not save.
We do not collect financial information, payment details, or credit card numbers.
We do not use cookies for tracking or advertising.
We do not collect your IP address for tracking purposes (IP addresses are used transiently for rate limiting and are not stored).
We do not access your camera, microphone, or geolocation.
Chrome Extension Permissions & Data
The Cocotte Chrome extension requests the following browser permissions. Each permission is used solely for the purposes described below:
activeTab – Allows the extension to read the URL of the tab you are currently viewing only when you click the extension icon. This URL is sent to our server to extract recipe data. The extension cannot read tab content at any other time.
storage – Used to store your authentication session (JWT tokens) and language preference locally in Chrome’s extension storage. This data never leaves your device unless you actively make API requests.
tabs – Used to query the currently active tab to obtain the page URL when you click the extension. We do not read the content of other tabs, nor do we monitor tab activity.
Host Permissions
The extension communicates only with the following domains:
*.supabase.co – Our backend database and authentication service (to save recipes and manage your account).
chef-cocotte.com / cocotte.app – Our own website (to sync your login session between the website and the extension).
The extension does not inject content scripts into third-party websites, does not modify any web page content, and does not execute remote code. All extension code is bundled locally within the extension package.
How We Use Your Data
We use your data strictly for the following purposes:
Providing the Service: Authenticating your account, extracting recipes from URLs you provide, storing your saved recipes, and displaying them in your personal collection.
Recipe Extraction: When you save a recipe, we send the page URL (and in some cases the page content) to our backend, which may use third-party AI services to extract structured recipe data (title, ingredients, instructions). The extracted recipe is then stored in your account.
Session Management: Keeping you signed in across sessions and synchronizing your login state between the web app and the Chrome extension.
Service Improvement: Analyzing aggregate, anonymized usage patterns (e.g., total number of recipes saved, error rates) to improve extraction accuracy and reliability. We do not build user profiles for advertising.
Rate Limiting: We transiently process IP addresses solely to enforce rate limits and prevent abuse. IP addresses are not stored or logged.
Prohibited Uses
We do not sell, rent, or trade your personal data to data brokers, advertisers, or any third party. We do not use your data for targeted advertising, personalized ads, user profiling, or any purpose other than providing and improving the Cocotte recipe-saving service.
How We Share Your Data
We share your data only in the following limited circumstances:
Third-Party Service Providers: We share the minimum data necessary with the service providers listed below, solely to extract recipe information from web pages. We share only webpage content and URLs — never your name, email, account details, or other personally identifiable information.
Legal Requirements: We may disclose your data if required by law, court order, or governmental regulation.
With Your Consent: If you choose to share a recipe through Cocotte’s sharing features, the recipe content you choose to share will be visible to those recipients.
We do not share, sell, or transfer your personal data to any other parties beyond those listed above. We do not share data with advertising networks, analytics companies, or data brokers.
Third-Party Service Providers
To extract and process recipe information from URLs you provide, we use the following third-party services. Each provider receives only the webpage content or URL needed for recipe extraction — no personally identifiable information is shared.
Supabase (database & authentication) – Hosts our database and handles user authentication. Privacy Policy
Firecrawl (web scraping) – Processes webpage URLs to extract structured content for recipe parsing. Privacy Policy
Anthropic (Claude AI) (recipe extraction) – Analyzes extracted webpage content to identify and structure recipe data. Privacy Policy
Google (Gemini AI) (recipe extraction) – Used as an alternative AI model to extract recipe data from text content. Privacy Policy
OpenAI (Whisper) (audio transcription) – For video-based recipes, we may transcribe spoken audio to text. Receives only the audio content. Privacy Policy
ScrapeCreators (social media data) – Retrieves publicly available post data from social media platforms. Receives only the post URL. Privacy Policy
All data transmitted to these services is sent over encrypted HTTPS connections.
Data Storage & International Transfers
Where Your Data Is Stored
Server-side: Your account information and saved recipes are stored in a Supabase-hosted PostgreSQL database on Amazon Web Services (AWS).
Client-side (Chrome extension): Authentication tokens and language preference are stored locally in Chrome’s extension storage on your device.
Client-side (web app): Authentication session data is stored in your browser’s local storage.
International Data Transfers (GDPR Art. 44–49)
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We ensure compliance through:
EU–U.S. Data Privacy Framework: Where applicable, our service providers participate in or are certified under the EU–U.S. Data Privacy Framework.
Standard Contractual Clauses (SCCs): Transfers are protected by Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR).
Encryption: All cross-border data transfers are protected by HTTPS/TLS encryption in transit and AES-256 encryption at rest.
Active accounts: We retain your data for as long as your account remains active.
Account deletion: When you delete your account, all your personal data and saved recipes are permanently deleted within 30 days.
Local data: Uninstalling the Chrome extension automatically removes all locally stored data from your browser.
Third-party providers: Data sent to third-party AI services for recipe extraction is processed in real-time and is not permanently stored by these providers.
To request data deletion, delete your account in app settings or contact us at contact@chef-cocotte.com.
Your Rights (GDPR & CCPA)
Rights for All Users
Right to Access (GDPR Art. 15): Request a copy of all personal data we hold about you.
Right to Export / Data Portability (GDPR Art. 20): Download your recipe collection in a structured, machine-readable format.
Right to Delete / Erasure (GDPR Art. 17): Permanently delete your account and all associated data.
Right to Rectification (GDPR Art. 16): Update or correct inaccurate personal information.
Right to Restrict Processing (GDPR Art. 18): Request that we limit how we use your data.
Right to Object (GDPR Art. 21): Object to processing based on legitimate interests.
Right to Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.
Additional Rights for EU/EEA Residents
Right to Withdraw Consent (GDPR Art. 7(3)): You may withdraw consent at any time by deleting your account. Withdrawal does not affect prior lawful processing.
Right to Lodge a Complaint (GDPR Art. 77): You may lodge a complaint with a supervisory authority in your EU Member State. See the European Data Protection Board website.
To exercise any of these rights, contact us at contact@chef-cocotte.com. We will respond within 30 days as required by GDPR Art. 12(3).
Data Security
Encryption in transit: All data is transmitted over HTTPS/TLS-encrypted connections.
Encryption at rest: AES-256 encryption provided by our database host.
Authentication security: Passwords are hashed and salted; sessions use JWT tokens with expiration and refresh.
Access control: Access is restricted to essential personnel only, with role-based access controls.
Rate limiting: API endpoints are rate-limited to prevent abuse.
Cocotte is not directed at children. We do not knowingly collect personal information from:
Children under 13 years of age (United States / COPPA).
Children under 16 years of age (European Union / GDPR), or the age set by their EU Member State, without verifiable parental consent.
If you believe your child has provided us with personal data, please contact us at contact@chef-cocotte.com.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify users via the Cocotte web application. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: