Privacy Policy
- Effective date
- 2 May 2026
- Last updated
- 2 May 2026
- Version
- 1.1
Plain-English summary.Palate is a recipe app operated by Bayes Strategies BV, a Belgian company. We store the dietary preferences and recipe activity you give us so the app can recommend meals you’ll like. We use a small number of trusted vendors (listed below) to host the app, run AI features, and (only with your consent) measure usage. We never sell your data. You can ask us to export or delete your data at any time by emailing privacy@trypalate.app.
1. Who is responsible for your data (the “controller”)
The controller of your personal data under the GDPR is:
- Controller: Bayes Strategies BV
- Trade name: Palate
- Registered seat: Coupure Rechts 58, 9000 Ghent, Belgium
- KBO/BCE number: 1023.000.107
- VAT number: BE 1023.000.107
- Represented by: Nicolas Knudde, manager
- Privacy contact: privacy@trypalate.app
Palate has not appointed a Data Protection Officer because we do not meet the criteria of GDPR Art. 37(1). The contact email above is the single point of contact for any data-protection question or request.
2. What personal data we collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, hashed password, authentication tokens | You, when you sign up |
| Profile data | Household size, cooking-skill level, kitchen equipment, taste preferences, disliked ingredients, allergies | You, during onboarding and profile edits |
| Health-related dietary presets (special category — Art. 9) | Optional flags such as “diabetic-friendly” or “low-sodium” | You, only if you explicitly enable them |
| Recipe activity | Recipes generated, recipes rated, ratings, free-text feedback, grocery lists | You, while using the app |
| Group data | Household-group membership, shared shopping lists | You and other group members |
| Technical data | IP address (truncated), device type, browser, language, error reports, performance traces | Automatically, when you use the app |
| Analytics data (consent only) | Pages viewed, feature usage, session length | Automatically, only after you accept analytics in the cookie banner |
3. Why we use it and on what legal basis (Art. 6 & 9)
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and operate your account | Account data | Contract performance — Art. 6(1)(b) |
| Personalise recipe recommendations | Profile data, recipe activity | Contract performance — Art. 6(1)(b) |
| Process medical / health-related dietary presets | Health-related dietary presets | Explicit consent — Art. 9(2)(a). You give this consent during onboarding via a separate, dedicated checkbox. You can withdraw it at any time by removing the preset or deleting your account. |
| Detect and fix bugs, prevent abuse | Technical data, error reports | Legitimate interest — Art. 6(1)(f). Our interest in keeping the service stable and secure is balanced against your reasonable expectation that errors are diagnosed. |
| Measure usage and improve the product | Analytics data | Consent — Art. 6(1)(a). Granted via the cookie banner. You can withdraw it at any time. |
| Comply with legal obligations (tax, accounting) | Account data, billing data (if/when paid plans launch) | Legal obligation — Art. 6(1)(c) |
We do not use your personal data for advertising, profiling that has legal effects, or automated decision-making within the meaning of GDPR Art. 22.
4. Recipes generated by AI — important context
Palate uses large-language-model AI (Anthropic Claude) and image-generation AI (Replicate / Flux) to create recipe suggestions and pictures. To do so, we send a sub-set of your profile data (preferences, allergies, dietary presets) and recent recipe activity to Anthropic. We do not send your email address, password, IP, or any direct identifier — only a non-reversible internal user id and the dietary context needed to generate the recipe.
Anthropic processes these prompts on our behalf as our processor. Anthropic’s processing terms (including its standard data-processing addendum and applicable transfer safeguards) are published at anthropic.com/legal and apply to our use of the Claude API.
5. Who we share your data with — sub-processors
We rely on the following processors to deliver the service. Each processor’s own published data-processing terms apply to our use of their service (links in the right-hand column).
| Processor | Purpose | Country | Vendor terms |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) | supabase.com/legal |
| Vercel | Application hosting, edge network | EU (Frankfurt) primary; global edge for static assets | vercel.com/legal |
| Anthropic (Claude) | Recipe-text generation | United States | anthropic.com/legal |
| Replicate | Recipe-image generation | United States | replicate.com/terms |
| Sentry | Error monitoring | EU (Frankfurt) | sentry.io/legal |
| Langfuse | AI prompt/response tracing for debugging | EU (Frankfurt) | langfuse.com/legal |
| PostHog (consent only) | Product analytics | EU Cloud (Frankfurt) | posthog.com/legal |
| Axiom (legitimate interest) | Application logs | EU | axiom.co/legal |
We will update this list when sub-processors change. Material changes will be notified via the in-app banner and by updating the “Last updated” date at the top of this policy.
We do not sell your personal data, and we do not share it with third parties for their own marketing.
6. International transfers
Where data is transferred outside the EU/EEA (Anthropic and Replicate, both US-based), the transfer is covered by the standard transfer safeguards published by each of these vendors as part of their service terms — typically the European Commission’s Standard Contractual Clauses (Commission Decision 2021/914). On our side, we minimise what is sent: no direct identifiers (email, IP) are transmitted, and the data is encrypted in transit.
You can review each vendor’s published transfer safeguards at the links in the table above, or contact us at privacy@trypalate.app for the specific document in force.
7. How long we keep your data
| Data | Retention period |
|---|---|
| Account data (email, auth) | Until you delete your account, or 24 months after your last login (we email you 30 days before deletion) |
| Profile and dietary preferences | Same as account data |
| Health-related dietary presets | Until you remove the preset, or your account is deleted |
| Recipe activity (ratings, history) | 36 months rolling, then aggregated/anonymised for product analytics |
| Free-text feedback | 24 months, then anonymised |
| Group membership | While the group exists; on group deletion, your membership record is deleted within 30 days |
| Application logs (Axiom, Sentry) | 90 days, then deleted |
| AI traces (Langfuse) | 30 days, then deleted |
| Analytics events (PostHog) | 12 months, then aggregated |
| Backups | Rolling 30-day encrypted backups; deletion requests are honoured at the next backup cycle |
| Tax / accounting records | 7 years (Belgian Income Tax Code Art. 315) — only billing-related data, not recipe content |
When data is no longer needed, we delete it or irreversibly anonymise it.
8. Your rights under the GDPR
You have the right to:
- Access — get a copy of the personal data we hold about you (Art. 15)
- Rectification — correct inaccurate or incomplete data (Art. 16)
- Erasure— ask us to delete your data (“right to be forgotten”) (Art. 17)
- Restriction — ask us to pause processing in specific cases (Art. 18)
- Portability — receive your data in a machine-readable format and have it transmitted to another controller (Art. 20)
- Object — object to processing based on legitimate interest (Art. 21)
- Withdraw consent — at any time, without affecting the lawfulness of past processing (Art. 7(3))
- Lodge a complaint with the Belgian Data Protection Authority (see §11)
How to exercise your rights: email privacy@trypalate.app with a clear description of your request. We respond within 30 days (extendable by 60 days for complex requests, with notice).
In-app shortcuts:
- Export your data: Profile → Settings → Export my data. Returns a JSON file containing every row Palate stores about you (Art. 20).
- Delete your account: Profile → Settings → Delete account. Deletes your authentication record, profile, taste data, ratings, saved recipes, and grocery lists. Recipes you authored that other users have saved remain in their lists but are no longer linked to you (Art. 17).
- Withdraw analytics consent: click Cookie settings in the footer at any time
9. Cookies and similar technologies
We use a minimum of strictly-necessary cookies (authentication, CSRF protection) which do not require consent under e-Privacy Directive Art. 5(3).
Analytics cookies (PostHog) and product-improvement cookies (Vercel Analytics) are off by default and only set after you accept them via our cookie banner. You can change your choice at any time by clicking Cookie settings in the footer.
10. Security
We protect your data with: TLS 1.2+ in transit; AES-256 encryption at rest in Supabase; row-level-security policies that prevent users from reading each other’s data; rate limiting; multi-factor authentication on all admin accounts; periodic dependency scanning. No system is perfectly secure — if a breach affects you, we will notify you and the Belgian DPA within 72 hours as required by GDPR Art. 33–34.
11. How to lodge a complaint
If you are not satisfied with how we handle your data, you can lodge a complaint with the Belgian Data Protection Authority:
- Autorité de protection des données / Gegevensbeschermingsautoriteit
- Drukpersstraat 35, 1000 Brussel
- Phone: +32 2 274 48 00
- Email: contact@apd-gba.be
- Web: dataprotectionauthority.be
You also have the right to bring a judicial action (GDPR Art. 79).
12. Children
Palate is intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a child has created an account, email privacy@trypalate.app and we will delete it.
13. Changes to this policy
We will update this policy when our processing changes or when the law requires. The “Last updated” date at the top reflects the most recent change. For material changes (new data categories, new sub-processors handling sensitive data, broader purposes), we will notify you via the app and, where required, ask for fresh consent.
This policy is currently provided in English only. If you are a Belgian resident and would prefer to receive it in Dutch or French, please contact privacy@trypalate.app and we will provide a translation.