Chef Happens

LAST UPDATED: JUNE 29, 2026

Your Kitchen, Your Privacy.

We built Chef Happens to be useful, not nosy. This is the plain-English version of how we handle your data — what we collect, why, who else sees it, and the controls you have.

1. Our Promise & Scope

Your pantry, recipe history, and preferences belong to you. We don’t sell personal data. We don’t share your ingredient lists with advertisers. We don’t use your private inputs to train external AI models. Saved recipes live on your device first; your account holds only what we need to remember who you are across reinstalls.

Chef Happens is currently offered only in Australia, New Zealand, and India. This Privacy Policy is written to comply with the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs), the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs), and the Indian Digital Personal Data Protection Act, 2023 (DPDP Act). In DPDP terminology you are the “Data Principal” and Chef Happens is the “Data Fiduciary”.

2. What We Collect

Below is the complete list of data categories Chef Happens collects. We never collect contacts, location, or browsing activity outside the app.

Account basics

Your email, hashed password, and optional name. Used to sign you in, recover access, and personalise the app.

Date of birth & country

Collected once at signup. DOB is used strictly to enforce the alcohol-age gate (Terms §5A) and the COPPA-13 floor; country is used to apply the right tax (AU GST / NZ GST / IN CGST+SGST) and consumer-law framework. Never used for marketing, profiling, or third-party sharing.

Pantry & recipe activity

Ingredients you add, recipes you generate, favourites, ratings, notes, dietary selections, and lifestyle preferences (e.g. lower-sugar, gluten-free, low-FODMAP). Used to power features only — never sold or shared with advertisers.

Photos, voice & scans

When you use them: pantry-ingredient photos, handwritten-recipe photos, and short voice clips for hands-free dictation. Photos are processed via Gemini Vision for label/text extraction then discarded. Voice clips go to OpenAI Whisper for transcription and are deleted from our servers within 30 days.

Imported URLs & links

If you import a recipe from Instagram, TikTok, YouTube, or a recipe website, the URL is fetched and parsed — only the recipe content is kept, not your social-media identity, watch history, or relationship graph.

Meal plans & grocery lists

Weekly meal plans, generated grocery lists, and cook-log history. Stored against your account so you can revisit and edit; deleted along with your account if you choose to.

Device & app metadata

Device model, OS version, app version, anonymised device ID (regenerated on reinstall), and crash diagnostics via Sentry. Used for security, debugging, and to enforce single-device sign-in.

Billing details

Subscription status, plan tier, and customer ID from your payment processor (Stripe for web; Apple App Store or Google Play for in-app). We never see or store your card number — only a token.

3. How We Use Your Data

To provide the Service. Generate recipes that respect your pantry, scale ingredients to your servings, transcribe imported videos, send transactional email, and keep your subscription active.

To keep accounts safe. Detect abuse, rate-limit excessive use, prevent fraud, and enforce single-device sign-in.

To improve Chef Happens. Diagnose crashes, aggregate anonymous usage trends, and fix bugs. Aggregated metrics are never tied back to your identity.

To communicate with you. Send welcome email, password resets, billing receipts, important policy changes, and replies when you reach out to our Culinary Concierge. Marketing emails are opt-in only.

4. Sharing & Third Parties

We share the minimum data needed to power specific features. Each provider below is contractually obligated to protect your data and use it only on our instructions.

Google Gemini

Generates recipes and parses pantry-ingredient photos from your prompts. Your prompts are not used to train Google’s models.

OpenAI Whisper

Transcribes social-media videos (Instagram / TikTok / YouTube) and short voice clips when you dictate ingredients.

Stripe

Processes web subscriptions and stores your payment method securely. Card numbers never touch our servers.

Apple App Store & Google Play

Process in-app subscriptions on iOS / Android. Refunds, cancellations, and receipt validation flow through their billing systems.

Resend

Delivers transactional email (welcome, password reset, email-verification OTP, support replies).

Sentry

Captures anonymised crash reports and performance telemetry to help us diagnose bugs. Personal data is scrubbed before transmission.

Wikipedia, Unsplash, Cloudinary, DeepInfra, Pollinations

Source authentic regional and AI-generated recipe imagery. We send only the dish name (never your account data) to retrieve photos.

We never sell your data, share it with advertisers, or use it to train external AI models. We may disclose data if required by law (e.g., a valid court order) — and we’ll fight overbroad requests.

AI assistants disclosure. Chef Happens features two named AI personas: Pepper (main kitchen assistant) and Fizz (cocktail/drinks sub-assistant). Both are powered by Google’s Gemini family of large language models. The only data sent to the LLM is the prompt content you explicitly type (ingredients, dish names, wishes, imported recipe URLs/text) — never your email, name, DOB, country, payment details, or any other account-level information.

5. Lawful Basis for Processing

We only process your personal data where we have a clear legal basis:

Consent — when you create an account, opt into marketing email, or grant a device permission (camera, microphone, photos), you give us a specific, informed, free, and unambiguous consent. You can withdraw it any time.
Performance of a contract — processing required to provide the Service you signed up for.
Legitimate interests — securing accounts, preventing abuse, fixing bugs, improving the App — balanced against your reasonable expectations.
Legal obligation — to respond to lawful requests, keep tax / GST records, and meet breach-notification duties.

6. International Transfers

Some of the third-party services that power Chef Happens (Google Gemini, Stripe, Resend, OpenAI Whisper, DeepInfra, Pollinations, Sentry) are based in the United States or other countries. To deliver the Service we have to send certain personal data to them.

For users in Australia, this disclosure is covered by APP 8 (cross-border disclosure of personal information). Each provider is bound by contractual obligations equivalent to the APPs. For users in India, transfers happen in accordance with Section 16 of the DPDP Act, 2023 — we only transfer to countries that the Central Government has not restricted, and we apply contractual safeguards in either case. By using the App you acknowledge that some of your data will be processed outside Australia, New Zealand, and India.

7. Your Rights & Controls

Whether you live in Australia, New Zealand, or India, you have meaningful, free, and prompt access to the following rights. You can exercise most of them in-app; for anything we can’t self-serve, contact our Culinary Concierge (Section 12).

What you can do, any time

• Access — see all data we hold about you on the Account screen, or request a full JSON export.

• Correction — fix inaccurate personal data from Account.

• Erasure — wipe your entire account and associated data with one tap (Account → Delete Account).

• Withdraw consent — disable marketing email, revoke camera/microphone permissions, opt out without affecting service availability.

• Portability — receive your data in a structured, machine-readable JSON format.

• Object / restrict — ask us to pause specific processing while we look into a concern.

• Nominate (DPDP §14) — Indian users may nominate another person to exercise these rights on their behalf in case of death or incapacity.

• Complain — escalate to OAIC (AU), OPC (NZ), or the Data Protection Board of India.

We aim to respond to any rights request within 7 business days and, except for complex cases, complete it within 30 days.

8. Marketing Communications & Consent Withdrawal

We will only send you marketing email if you explicitly opt in during signup or from your Account screen. Every marketing email includes a one-tap unsubscribe link. Withdrawing marketing consent does not affect transactional email (welcome, password reset, billing receipts, security alerts) — those are necessary to provide the Service.

For users in Australia, we comply with the Spam Act 2003 (Cth): marketing email is sent only with consent, identifies the sender, and offers a working unsubscribe. For users in India, withdrawal of consent under Section 6(4) of the DPDP Act is as easy as giving it — one tap in-app or a reply to any email saying “Stop”.

9. Cookies, Analytics & Tracking

Chef Happens does not use third-party tracking pixels, advertising IDs, or social-media trackers. The mobile app uses a single anonymised device ID (regenerated on reinstall) to keep your session alive and enforce single-device sign-in. No data is collected for behavioural advertising.

10. Data Security, Retention & Breach Notification

In transit. All data is encrypted with TLS 1.2+ (HTTPS).
At rest. Passwords are hashed with bcrypt (per-user salt). Sensitive infrastructure secrets are encrypted at rest.
Access controls. Only on-call engineers can access production databases, all access is logged.
Retention. Pantry and recipe data are kept while your account is active, plus 30 days after deletion (for backup recovery), after which they are permanently purged. Billing records are kept for 7 years to comply with Australian Tax Office and Indian Income-Tax Act record-keeping rules. Server logs are kept 90 days.

11. Children & Minors

Chef Happens is intended for users 13 years and older. In India, the DPDP Act, 2023 treats anyone under 18 as a child — we require verifiable parental or guardian consent before processing a minor’s personal data, do not run targeted advertising or behavioural monitoring on minors, and apply additional safeguards to their account. If you believe a child has created an account without consent, contact us and we will remove the account immediately.

12. Grievance Officer & Contact

We may update this policy as the App evolves. Material changes will be announced via in-app banner and email at least 14 days before they take effect.

India — Grievance Officer. In compliance with Section 8(10) of the DPDP Act, 2023 and Rule 3(2) of the IT (Intermediary Guidelines) Rules, 2021, our designated point of contact for Indian Data Principals is [email protected] with the subject line Grievance — DPDP. We acknowledge receipt within 24 hours and resolve within 15 days.

Australia — Privacy Officer. Privacy queries from Australian users can be addressed to [email protected] with the subject line Privacy Enquiry — APP. If you are not satisfied with our response, you may complain to OAIC at oaic.gov.au.

Questions, concerns, or requests about your privacy? Our Culinary Concierge replies within two business days.

✉️ Contact Support