Privacy Policy

1. Who We Are

This Privacy Policy explains how ALTFLOW LIMITED ("Tasto", "we", "our", or "us") collects, uses, shares, and protects personal data when you use the Tasto mobile application, website, and related services (together, the "Services").

For privacy questions, rights requests, complaints, or takedown-related communications, you can contact us at:

• Email: team@foundersbrain.app
• Registered address: ALTFLOW LIMITED, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

If required for a particular jurisdiction, we may also publish details of a local or regional representative.

2. Scope of This Policy

This Privacy Policy applies to personal data we collect when you:

• use the Tasto app;
• visit our website;
• import recipe or food-related content into Tasto;
• use Tasto features such as saved recipes, lists, meal plans, grocery lists, subscriptions, and AI tools;
• contact us for support, feedback, complaints, or other inquiries.

This Privacy Policy does not apply to third-party websites, apps, or platforms that are not operated by us, even if Tasto links to them or lets you import content from them.

3. The Personal Data We Collect

We collect different categories of personal data depending on how you use Tasto.

3.1 Data You Provide Directly

You may provide us with:

• account information, such as your email address, display name, full name, or login details;
• profile and preference information, such as language, default units, onboarding responses, dietary preferences, allergens, cooking goals, cooking frequency, household size, favourite cuisines, preferred platforms, biggest frustration, recipe saving method, and other settings you choose to provide;
• support and communications data, such as emails, messages, feedback, reports, complaints, and other communications you send to us;
• AI interaction data, such as prompts, instructions, questions, messages, and feedback you submit when using AI-powered features (e.g., Ask);
• content you create or organise in Tasto, such as saved recipes, lists, meal plans, grocery items, notes, ratings, cook counts, and other user state.

3.2 Installation, Device, and Usage Data

When you use Tasto, we may automatically collect technical and usage data, such as:

• installation and session identifiers, including installation ID, device ID, session ID, and similar technical identifiers used to support guest or installation-based usage;
• device and app information, such as device type, operating system, app version, language, time zone, and crash or diagnostic data;
• log and request data, such as IP address, timestamps, error states, request metadata, user-agent strings, and usage events;
• entitlement and billing state, such as free, trial, active, expired, restore status, and related subscription-state information;
• push notification engagement data, including delivery status, whether a notification was opened, notification frequency, and related engagement signals used to manage notification relevance and timing;
• analytics events, including event name, action, screen, element, text, metadata, and timestamps, collected through our own analytics service and through Firebase Analytics.

3.3 Data From Imported Links and Source Content

Tasto allows users to import recipe-related content from third-party sources, including social platforms and websites. When you use those features, we may collect and process:

• the source URL you submit;
• metadata associated with the imported content;
• text, captions, transcripts, recipe text, instructions, ingredients, titles, source labels, hashtags, or similar source content;
• video transcripts extracted from imported content using third-party transcription services;
• images, thumbnails, or other media metadata;
• creator or source identifiers made available through the import process;
• structured or derived recipe outputs generated from the imported content, such as ingredients, steps, serving information, nutrition, cuisine, allergens, tags, or other enrichments.

We may also download, resize, reformat, and rehost images or media from imported content on our own infrastructure (e.g., AWS S3 and CloudFront) to ensure availability, performance, and a consistent user experience. Original source URLs may be stored separately for reference.

3.4 AI and Derived Data

When you use AI-powered features (such as Ask), we may process:

• your prompts and instructions;
• recipe data and source content used as context;
• your profile information, including dietary preferences, allergens, cooking goal, cooking frequency, household size, favourite cuisines, and biggest frustration, used to personalise responses;
• AI-generated outputs such as summaries, substitutions, healthier variations, scaling suggestions, structured recipe data, meal ideas, and similar results;
• operational data needed to improve output quality, maintain safety, debug failures, prevent abuse, and monitor performance.

Your messages, recipe data, and relevant profile information are sent to our AI provider (currently OpenAI) to generate responses. Before using AI features for the first time, you will be asked to provide explicit consent through an in-app consent screen.

3.5 Purchase and Subscription Data

If you purchase a subscription or use a trial, we may receive and process data related to your entitlement status, subscription tier, renewal state, transaction identifiers, Apple transaction tokens (including signed JWS transaction data), app account tokens, cancellation reasons, trial eligibility, and restore-purchase events.

For purchases made through Apple's App Store or another third-party platform, payment card or billing details are generally processed by that platform or its payment providers, not directly by us.

3.6 Website and Similar Technologies

If you use our website, we may use cookies, local storage, pixels, logs, or similar technologies to operate the site, remember preferences, analyse usage, and protect the service.

Where required by applicable law, we will provide notice and obtain consent for non-essential cookies or similar technologies.

4. How We Use Personal Data

We use personal data for the following purposes:

• to provide, operate, maintain, and improve Tasto;
• to enable guest-mode or account-based access;
• to process recipe imports, including scraping, transcription, AI extraction, image rehosting, and generating structured recipe data;
• to provide lists, meal plans, grocery lists, saved recipe features, and similar functionality;
• to provide and improve AI-powered features, including recipe chat, substitutions, healthier variations, and related outputs;
• to personalise the Services, such as language, unit preferences, and feature experience;
• to manage subscriptions, trials, entitlements, restore purchases, and related support;
• to communicate with you about the Services, support matters, security notices, updates, and changes;
• to send push notifications, manage notification frequency and timing, and track notification engagement;
• to monitor performance, fix bugs, diagnose errors, track crashes, and investigate incidents, including through error-monitoring tools;
• to prevent fraud, abuse, misuse, excessive automated use, and violations of our Terms;
• to enforce rate limits and protect our infrastructure;
• to enforce our agreements and protect our legal rights;
• to comply with legal and regulatory obligations;
• to carry out internal analytics, service quality monitoring, and product development;
• to create aggregated or de-identified insights where permitted by law.

If you opt in where required, we may also use your contact information to send product updates, marketing, or promotional communications. You can opt out at any time.

5. Our Lawful Bases for Processing

Where UK GDPR or EU GDPR applies, we process personal data under one or more of the following legal bases:

• Performance of a contract: where processing is necessary to provide the Services you request, such as operating the app, importing recipes, managing subscriptions, providing AI features, and maintaining your saved content;
• Legitimate interests: where processing is necessary for our legitimate interests, such as improving Tasto, analysing usage patterns through analytics, maintaining security, preventing abuse, debugging import and processing failures, managing notification delivery, monitoring errors, and understanding product performance, provided those interests are not overridden by your rights;
• Consent: where we rely on consent, such as for AI data processing (explicit in-app consent before first use of Ask features), certain optional marketing communications, or certain cookies and similar technologies;
• Legal obligation: where processing is necessary to comply with applicable law, regulation, court orders, or lawful requests.

6. How We Share Personal Data

We may share personal data with the following categories of recipients:

• hosting, infrastructure, database, storage, and cloud providers (e.g., AWS S3, CloudFront, Firebase/Google Cloud);
• analytics, observability, and monitoring providers (e.g., Firebase Analytics);
• error monitoring, crash reporting, and exception-tracking providers (e.g., Sentry);
• AI, natural language processing, and content-understanding providers (e.g., OpenAI);
• video transcription and media-processing providers (e.g., Supadata);
• web scraping, content extraction, and data-collection providers used to process imported links (e.g., Firecrawl, Bright Data);
• payment, subscription, entitlement, and billing-related providers (e.g., Apple App Store);
• email and transactional communication providers (e.g., Resend);
• push notification providers (e.g., Expo);
• professional advisers such as lawyers, accountants, auditors, or insurers;
• law enforcement, regulators, courts, or other authorities where required by law or where reasonably necessary to protect rights, safety, or the Services;
• buyers, investors, or parties involved in a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate safeguards.

We may also share data if you ask us to, if you consent, or if it is otherwise permitted by law.

We do not sell personal data to advertisers.

7. Imported Content and Third-Party Sources

Because Tasto supports imports from third-party sources, some imported material may include personal data relating to content creators, account handles, captions, comments, transcripts, or similar information made available through the relevant source.

We process that information only to the extent necessary to provide and improve Tasto, including importing, structuring, displaying, organising, debugging, enforcing abuse controls, and supporting the relevant feature.

As part of the import process, we may download and rehost images or media from imported content on our own cloud infrastructure. Rehosted media may persist on our servers even if the original source content is later changed, restricted, or removed.

Third-party platforms and creators control their own content and privacy practices. We are not responsible for third-party privacy practices.

If you believe content available through Tasto infringes your rights or should be removed, you can contact us at team@foundersbrain.app. We may review and act on such requests in accordance with our Terms and internal policies.

8. International Transfers

We may process personal data in the United Kingdom, the European Economic Area, the United States, and other countries where we or our service providers operate.

Where applicable data protection law requires safeguards for international transfers, we will use an appropriate transfer mechanism, such as adequacy regulations, standard contractual clauses, or another lawful basis for transfer.

Our key service providers are based in the following jurisdictions:

• United States: OpenAI, AWS, Sentry, Expo, Resend, Bright Data, Firecrawl, Supadata
• United States / Global: Google (Firebase), Apple

9. Data Retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain user libraries, manage subscriptions, resolve disputes, enforce our agreements, prevent abuse, and comply with legal obligations.

In general:

• account and profile data are kept while your account remains active and for a reasonable period afterward;
• saved recipes, lists, grocery items, meal plans, notes, and similar content are retained until deleted by you, deleted by us under our policies, or no longer needed for the service;
• import processing artifacts (intermediate pipeline data used for debugging and quality assurance) are retained for up to 30 days for successful imports and up to 7 days for failed imports, after which they are automatically deleted;
• AI conversation history (messages and conversation threads) is retained while your account is active;
• analytics events are retained for as long as reasonably necessary for product improvement and may be retained in anonymised form after account deletion;
• subscription and transaction records (including Apple App Store transaction data) may be retained for the period required by applicable law, including tax and accounting requirements, and may be retained in anonymised form after account deletion;
• email verification codes expire after 10 minutes;
• push notification logs are retained for operational and abuse-prevention purposes;
• error and diagnostic logs (including data sent to Sentry) are retained in accordance with the relevant provider's retention policies;
• billing, tax, and transaction-related records may be retained for the period required by law.

We may also retain de-identified or aggregated information that no longer identifies you.

10. What Happens When You Delete Your Account

When you request account deletion (available in the app or by contacting us), we will:

• delete your profile data, saved recipes, lists, meal plans, grocery items, conversations, messages, import records, and subscription records;
• anonymise (rather than delete) analytics events and App Store transaction records by removing your user identifier, so that these records can no longer be linked to you but can be retained for business, legal, and audit purposes;
• delete your Firebase authentication account.

Please be aware that:

• rehosted images (images we downloaded and stored on our infrastructure as part of the import process) may not be immediately deleted upon account deletion, as recipes may be shared across multiple users;
• data previously shared with third-party processors (such as OpenAI, Sentry, Bright Data, or other providers listed in Section 6) is subject to those providers' own retention and deletion policies and may not be deleted upon your request to us;
• de-identified or aggregated data that can no longer identify you may be retained.

11. Security

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures include encrypted data transmission (HTTPS/TLS), secure token storage (iOS Keychain), rate limiting, and access controls.

However, no system is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials and for securing access to your device and accounts.

12. Your Privacy Rights

Depending on where you are located, you may have rights to:

• access the personal data we hold about you;
• correct inaccurate or incomplete personal data;
• delete your personal data (see Section 10 for details on what is deleted vs. anonymised);
• restrict processing of your personal data;
• object to certain processing;
• data portability: receive a copy of certain personal data in a structured, commonly used, machine-readable format;
• withdraw consent where processing is based on consent (e.g., for AI features);
• complain to a supervisory authority or regulator.

To exercise your rights, contact us at team@foundersbrain.app. We may need to verify your identity before responding. We will respond to valid requests within the timeframes required by applicable law (generally within one month under UK/EU GDPR).

For data portability requests, we will provide your data in a commonly used electronic format. As we continue to develop the Services, we may introduce self-service data export features within the app.

If you are in the UK, you may also complain to the Information Commissioner's Office (ico.org.uk). If you are in the EEA, you may complain to your local supervisory authority.

13. Children

Tasto is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction), and we do not knowingly collect personal data from children below that age.

If you believe a child has provided personal data to us without appropriate consent, please contact us at team@foundersbrain.app, and we will review the matter and take appropriate action, which may include deleting the data.

14. Third-Party Services and Links

Tasto may contain links to, integrate with, or rely on third-party websites, platforms, or services. Their privacy practices are governed by their own policies, not ours.

We encourage you to review the privacy policies of any third-party service you interact with.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may notify you through the Services, by email, or by other appropriate means.

The "Last updated" date at the top indicates when this Privacy Policy was most recently revised. Your continued use of the Services after the updated Privacy Policy takes effect constitutes your acceptance of the revised Privacy Policy.

16. Contact Us

If you have questions, complaints, takedown requests, or privacy-related requests, please contact:

ALTFLOW LIMITED
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: team@foundersbrain.app
Website: https://www.tastoapp.com