Privacy

Privacy Policy

Last updated 2026-06-07

Short version: Mealhive only collects what we need to make your meal plans, grocery list, and pantry work. We don't sell your data. We don't train AI models on it. You can export everything or delete your account in one click, any time.

Who we are

Mealhive ("we", "us", "our") is operated by a small team based in Estonia. You can reach us at hello@mealhive.app. The web app is served from app.mealhive.app; this marketing site is served from mealhive.app.

What we collect

Account information

  • Email address and a password hash (we never see your plaintext password) when you sign up. Handled by Supabase Auth.
  • Authentication session cookies while you're signed in, so we know it's still you between requests.

Content you create

  • Recipes you save, capture, or import (the ingredients, the steps, the hero image if you uploaded one, your edits).
  • Photos you upload when capturing a recipe from a printed page. Stored in Supabase Storage.
  • Meal plans (which recipe you put on which day).
  • Grocery list and pantry items (generated automatically from your plans and your ticks).
  • Cook events (when you started and finished cooking a recipe, your rating, any tweak notes).
  • Household membership (which household you belong to and which other accounts share it with you).
  • Preferences (display language, theme, which onboarding hints you've dismissed).

Technical data

  • Standard request headers (IP address, User-Agent string, timestamps) that any web server sees. We use these only for security, debugging, and rate limiting.
  • Anonymized page-view analytics on the marketing site via Plausible. No cookies, no personal identifiers, no cross-site tracking. (If we add this; see Changes.)

What we do NOT collect

  • We don't ask for your name, phone number, address, age, or any demographic data.
  • We don't track you across other websites.
  • We don't use marketing or advertising cookies.
  • We don't sell, rent, or share your data with advertisers.
  • We don't use your content to train AI models.

Why we collect it

  • To run the app you signed up for. We can't show you your recipes without storing them.
  • To keep the app secure. Standard logs let us detect abuse, rate limit, and recover from outages.
  • To improve the app. Aggregate, anonymized usage signals (e.g., "how often do people use the pantry feature") help us prioritize. We never look at individual content for product decisions.

How AI processing works

When you capture a recipe from a URL or a photo, we send the source content (the URL we fetched, or the photo you uploaded) to Anthropic (the Claude API). Claude extracts the recipe structure (ingredients, steps, hero image) and returns it to us, and we save it to your account.

We use the Claude API in "no-training" mode (the default for API customers per Anthropic's commercial terms). Anthropic does not train models on the content we send. You can read Anthropic's privacy notes at anthropic.com/legal/privacy.

Who we share data with

We use a small number of trusted service providers ("sub-processors") to run Mealhive. Each one only sees the data they need:

  • Supabase: database, authentication, file storage, real-time sync. Hosts your account and all your content.
  • Anthropic: recipe parsing only (URLs and photos you send through the Capture flow, as described above).
  • Vercel: web hosting and edge serverless functions. Sees request metadata; doesn't see your stored content.
  • Upstash: Redis for rate limiting. Sees IP-derived counters; no PII or content.
  • Plausible (marketing site only): anonymized page views. No cookies, no identifiers.

We do not share your data with anyone else. We don't sell it. We don't trade it. We don't pass it to advertisers or data brokers.

Where your data lives

Our Supabase project is hosted in the EU. Anthropic, Vercel, and Upstash process data in the US and EU depending on the request. Our sub-processors have signed appropriate data-transfer agreements with us.

How long we keep it

  • Account and content: for as long as your account is active.
  • Server logs: typically 30 to 90 days, then automatically rotated.
  • Deleted accounts: removed from our live database within 24 hours. Backups containing the data are overwritten within 30 days.

Your rights

You have these rights over your Mealhive data:

  • See it. Your recipes, plans, grocery list, and pantry are all visible inside the app.
  • Export it. Settings → Export. One click, you get a JSON file of everything.
  • Correct it. Every recipe and plan is editable in the app.
  • Delete it. Settings → Delete Account. Removes everything, no recovery.
  • Object to specific processing. Write to us and we'll honor it where the law allows.

Cookies

We use exactly one cookie: a session cookie from Supabase Auth that signs you in. The cookie expires when your session ends.

We do not use third-party advertising cookies, tracking pixels, or analytics cookies.

Security

HTTPS everywhere. Database access uses Postgres row-level security so you can only read and write your own data (and your household's). Passwords are hashed with industry-standard algorithms by Supabase Auth. We follow the principle of least privilege internally and rotate credentials when team members leave.

No system is unbreakable. If we ever discover a breach that affects you, we'll notify you and the relevant authorities promptly.

Children

Mealhive is built for adults. We don't verify ages at signup. If you're a parent or guardian and you think a child has created an account, write to us and we'll remove it.

Changes to this policy

If we make material changes to how we collect or share data, we'll update the "Last updated" date at the top of this page and, where significant, notify you by email. Minor wording or clarification edits won't trigger a notification.

Contact

Questions, requests, or complaints: hello@mealhive.app. We try to reply within 7 days.