Privacy Policy
Last updated: April 2026 · Publisher: Boldoath Co., Ltd.
The short version
Kitchenote is a recipe app with accounts, cloud sync, shared groups, and AI features. Your data is stored on our servers so you can access it across devices. When you use AI features, relevant content is sent to Anthropic's API to generate responses — Anthropic does not train on your data. We never sell your data. You can delete your account and all your data at any time from Settings.
1. Who We Are
Kitchenote is operated by Boldoath Co., Ltd. (株式会社Boldoath), a company registered in Japan.
Privacy enquiries: privacy@kitchenote.app
General support: support@boldoath.com
New Zealand residents: our designated Privacy Officer can be contacted at support@boldoath.com.
2. Information We Collect
Account information
When you create an account, we collect:
- Email address — used for sign-in and account recovery
- Display name — provided by Apple or Google Sign-In, or entered directly; visible to friends and group members
- User ID — a unique identifier assigned by our authentication system
- Profile photo (optional) — if you upload one, stored in cloud storage and visible to other users
- Friend code — a short unique code that lets other users find and add you as a friend
- Device push token — an identifier used to deliver push notifications to your device; removed when you sign out
Recipes and content
Everything you create — recipes, ingredients, cooking steps, kitchen notes, and comments — is stored on our servers so it's available across your devices. Content you share to a group is visible to other members of that group.
Dietary and health-related information
If you choose to set dietary preferences (such as vegan, gluten-free, or nut-free), these are stored on our servers. When you use AI features, they are included in the request sent to Anthropic's API so the AI can personalise its responses. Depending on your jurisdiction, this information may be treated as health data requiring explicit consent. We collect it only after you've acknowledged how it is used. You can withdraw consent and remove your preferences at any time from Settings → My Diet.
AI feature data
When you use an AI-powered feature (ingredient explanations, technique details, or recipe Q&A), the following is sent to Anthropic:
- Relevant recipe content (title, ingredients, steps)
- Your query or the ingredient or technique you're looking up
- Your cooking preferences (dietary restrictions, skill level, language, household size) — only if you've consented to dietary data sharing
Anthropic processes this data to generate your response only. See Section 5 for details.
Social and group features
If you use shared groups, your recipes, notes, and comments in those groups are visible to all group members. Your display name and profile photo (if set) are visible to friends and group members. Your friend code is searchable by other users.
Subscription information
Subscription purchases are handled entirely by Apple via StoreKit. We do not receive or store your payment card details. We receive a subscription status signal from Apple to determine whether your account has Pro access.
Usage data
We log feature usage counts (such as how many AI requests you've made today or how many recipes you've imported) to enforce free-tier limits. We also log AI call metadata — feature type, model used, response time, success or failure — for cost monitoring and reliability. Raw AI prompts and responses are never stored in our logs.
3. How We Use Your Information
| Purpose | Data used | Lawful basis (UK GDPR) |
|---|---|---|
| Providing the app and syncing your data across devices | Account info, recipes, notes | Contract — Art. 6(1)(b) |
| Shared groups and social features | Display name, recipes, comments | Contract — Art. 6(1)(b) |
| AI-powered features | Recipe content, preferences | Contract / Explicit consent for dietary data |
| Dietary and health preferences | Dietary restrictions | Explicit consent — Art. 9(2)(a) |
| Push notifications | Device push token | Consent — Art. 6(1)(a) |
| Subscription management | Subscription status from Apple | Contract — Art. 6(1)(b) |
| Service improvement and reliability | Usage counts, AI call metadata | Legitimate interests — Art. 6(1)(f) |
| Security and fraud prevention | Account info, usage logs | Legal obligation / Legitimate interests |
4. Dietary and Health Data
Under UK GDPR (Article 9), Japan's APPI, Australian privacy law, and other applicable regulations, information related to a person's health — including food allergies and medically-driven dietary restrictions — may be classified as sensitive personal data requiring a higher level of protection and explicit consent.
We collect dietary preferences only when you choose to add them in Settings → My Diet. Before your preferences are saved for the first time, you are shown a clear disclosure explaining how the data is used. You must acknowledge this disclosure before any dietary data is stored.
You can withdraw your consent and remove all dietary preferences at any time from Settings → My Diet. Removing your preferences immediately stops them from being included in future AI requests.
5. AI Features — Anthropic
Kitchenote's AI features are powered by Claude, developed by Anthropic, Inc. (San Francisco, USA). When you use an AI feature, the relevant request is routed through our own server (a Supabase Edge Function) before being forwarded to Anthropic's API. Anthropic acts as our data processor.
- What is sent to Anthropic: Recipe content relevant to your query, your question or lookup term, and (with your consent) dietary and cooking preferences
- What is not sent: Kitchen notes you haven't linked to the recipe, your account credentials, payment information, or friend list
- Training: Anthropic is contractually prohibited from using API inputs to train AI models
- Retention: Anthropic does not retain your data beyond the API session
- Security: All requests are encrypted in transit (TLS 1.2+) and at rest (AES-256)
- International transfer (UK/EU users): Data transferred to Anthropic in the USA is covered by Standard Contractual Clauses
Anthropic's privacy documentation: anthropic.com/legal/privacy
6. Third-Party Services
| Service | Provider | Purpose | Data shared |
|---|---|---|---|
| Database, authentication, and file storage | Supabase Inc. (USA) | Cloud storage, user accounts, real-time sync | All account and content data |
| AI processing | Anthropic, Inc. (USA) | AI-powered ingredient, technique, and recipe features | Recipe content, preferences (with consent) |
| Push notifications | Apple Inc. (USA) | Delivering push alerts to your device | Device push token |
| Sign in with Apple | Apple Inc. (USA) | Authentication | Email and name at sign-in only |
| Sign in with Google | Google LLC (USA) | Authentication | Email and name at sign-in only |
We do not use advertising networks, third-party analytics SDKs, or crash reporting services that transmit your data to additional parties.
7. International Data Transfers
Boldoath Co., Ltd. is based in Japan. Your data is processed in Japan and transferred to service providers in the United States (Supabase and Anthropic).
- UK residents: Japan holds a UK adequacy decision, covering transfers from Boldoath to your data held in Japan. Transfers from Japan to US-based providers (Supabase, Anthropic) are covered by Standard Contractual Clauses (SCCs).
- Australian residents: We have entered into data processing agreements with Supabase and Anthropic that require them to handle your data in a manner consistent with the Australian Privacy Principles.
- New Zealand residents: Transfers to US service providers are covered by contractual data protection obligations in our data processing agreements with each provider.
- Japanese residents: Transfers of personal information to Supabase and Anthropic (both USA) are made under Article 28 of Japan's APPI. Both providers maintain data processing agreements consistent with APPI requirements, and both have established privacy protection systems.
8. Data Retention
| Data type | How long we keep it |
|---|---|
| Account and profile data | Until account deletion, then permanently deleted within 30 days |
| Recipes, notes, and content | Until account deletion, then immediately removed |
| Dietary preferences | Until you remove them in Settings or delete your account |
| Device push token | Until you sign out or delete your account |
| AI call metadata (feature type, latency, success/failure) | 12 months |
| Usage counters (import counts, AI request counts) | 12 months |
| AI prompts and responses | Not stored by us; Anthropic session only (not retained) |
9. Your Rights
To exercise any of the rights below, contact us at privacy@kitchenote.app. We will respond within 30 days.
All users
- Access: Request a copy of the personal data we hold about you
- Correction: Ask us to update inaccurate or incomplete data
- Deletion: Delete your account and all associated data from within the app (Settings → Account → Delete Account) or by contacting us. Deletion is permanent and completed within 30 days.
- Withdraw consent: Remove dietary preferences or revoke AI data consent at any time from Settings → My Diet
UK residents (UK GDPR)
- Right to restrict processing in certain circumstances
- Right to data portability — receive your content in a machine-readable format (JSON). Contact us to request an export.
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with the ICO: ico.org.uk · 0303 123 1113
California residents (CCPA / CPRA)
- We do not sell or share your personal information for advertising or commercial purposes
- Right to know what categories of personal information we collect and how it is used
- Right to delete personal information (subject to certain exceptions)
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (including dietary data) to what is necessary to provide the service
- We will not discriminate against you for exercising any of these rights
- To submit a request: privacy@kitchenote.app
Australian residents
- Right to access and correct personal information we hold about you (Australian Privacy Principles 12 and 13)
- To lodge a complaint: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
New Zealand residents
- Right to access and correct personal information under the New Zealand Privacy Act 2020 (Information Privacy Principles 6 and 7)
- Privacy Officer: support@boldoath.com
- To lodge a complaint: Office of the Privacy Commissioner — privacy.org.nz
10. Push Notifications
If you allow push notifications when prompted by iOS, we store your device's push token with Supabase and use it to send alerts — for example when a new recipe is added to a shared group or someone comments on your content. You can turn off notifications at any time in your device's Settings app, or within Kitchenote at Settings → Notifications. Your push token is deleted from our servers when you sign out or delete your account.
11. Subscriptions
Kitchenote Pro is an auto-renewing subscription managed by Apple. All billing is handled through the App Store — we never receive or store your payment card details. We receive a subscription status from Apple to determine your access level. To manage or cancel your subscription, go to Settings → Apple ID → Subscriptions on your device. Cancellation and refund policies are governed by Apple's terms.
12. Data Security
Your data is encrypted in transit using TLS 1.2+ and at rest using AES-256 (managed by Supabase). Row-Level Security policies ensure that only you can access your personal data — other users cannot read your recipes or notes unless you share them. Our team does not have routine access to user content. In the event of a security breach that poses a risk to your rights, we will notify you and the relevant supervisory authority as required by applicable law.
13. Children's Privacy
Kitchenote is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, please contact us at privacy@kitchenote.app and we will delete it promptly.
14. Changes to This Policy
If we make material changes to this policy, we will notify you through the app before the changes take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the app after a material change takes effect constitutes acceptance of the revised policy.
15. Contact and Supervisory Authorities
Privacy enquiries: privacy@kitchenote.app
General support: support@boldoath.com
Relevant supervisory authorities by region:
- Japan: Personal Information Protection Commission (個人情報保護委員会) — ppc.go.jp
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz