Privacy Policy
Last Updated: February 9, 2026
1. Introduction
Welcome to Souffle ("we," "our," or "us"). Souffle is an AI-powered kitchen management application for iOS that helps you track your pantry, discover and import recipes, plan meals, manage grocery lists, and cook with hands-free voice assistance.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Souffle mobile application and our associated backend services (collectively, the "Service").
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
Data Controller: Matthew Lorelle
Contact: support@souffleai.com
2.1 Account Information
When you create an account, we collect:
- Email address or phone number — used for authentication via one-time passcode (OTP)
- First name (required) and last name (optional)
- Username (optional)
- Date of birth (optional) — used to verify age eligibility
- Profile picture (optional) — uploaded and stored securely
2.2 Dietary & Allergen Information
To personalize your experience and provide safety alerts, we collect:
- Dietary restrictions — such as vegetarian, vegan, pescatarian, keto, paleo, low-carb, gluten-free, dairy-free, nut-free, egg-free, soy-free, low-sodium, diabetic-friendly, and low-fat
- Allergens — including milk, eggs, fish, shellfish, tree nuts, peanuts, wheat, soybeans, and sesame, each with a severity level (mild, moderate, or severe)
- Cooking skill level — beginner, intermediate, or advanced
Dietary and allergen data is provided voluntarily during onboarding or in your profile settings. This information is used solely to personalize recipes, flag incompatible ingredients, and suggest suitable alternatives. It is never sold or used for advertising.
2.3 Preferences & Settings
- AI preferences — substitution style (conservative, creative, exact), explanation detail (minimal, standard, detailed), proactive suggestions
- Preferred cuisines — such as Italian, Mexican, Asian, Mediterranean, American, Indian, French, Thai
- Measurement system — metric or imperial
- Notification preferences — expiration alerts, low stock reminders, shopping activity, weekly digest, recipe suggestions, and quiet hours
2.4 App Usage Data
As you use the Service, we collect data about your activity:
- Recipes saved, imported, favorited, and rated
- Cooking sessions started and completed
- Food items scanned (via barcode or camera)
- Pantry inventory — items, quantities, expiration dates
- Grocery lists and item completion status
- Consumption records — food consumed, wasted, donated, or composted, along with associated cost data
- Activity metrics — active days, total recipes cooked, shopping trips
2.5 Content You Provide
- Recipe URLs — web links you submit for recipe import
- Photos — images of food items, barcodes, expiration dates, or recipes captured via your device camera
- Videos — recipe video URLs from platforms such as YouTube, TikTok, Instagram, and Facebook, which are processed server-side for recipe extraction
- Voice commands — audio input during hands-free cooking mode, processed via on-device speech recognition and sent as text to our backend for AI responses
2.6 Technical & Log Data
When you interact with our Service, our servers automatically collect:
- IP address
- User agent string (device type, OS version)
- Request metadata (API endpoint, response status, response time)
- Authentication identifiers (user ID, household ID)
This data is used for security monitoring, debugging, and service reliability. It is not used for tracking or advertising.
2.7 Information We Do Not Collect
Souffle does not collect your location data, access your contacts, integrate with Apple HealthKit, use advertising or tracking SDKs, or engage in cross-app tracking. Our app's privacy manifest declares NSPrivacyTracking = false.
3. How We Use Your Information
We use your information for the following purposes:
- Account management — creating and maintaining your account, authenticating your identity
- Core app functionality — pantry tracking, recipe management, grocery list creation, cooking session management
- Personalization — filtering recipes by dietary restrictions, flagging allergens, adjusting instructions to your cooking skill level, and suggesting ingredient substitutions
- AI-powered features — extracting recipes from URLs, images, and videos; classifying food items from photos and barcodes; providing conversational cooking assistance; assessing dietary compatibility
- Voice-guided cooking — processing your voice commands and generating spoken recipe instructions
- Household collaboration — sharing recipes, grocery lists, and pantry data with members of your household
- Notifications — sending expiration alerts, low stock reminders, and other notifications you have opted into
- Subscription management — managing your Free or Souffle Pro subscription tier
- Service improvement — operational logging for debugging, performance monitoring, and service reliability
- Security — protecting against unauthorized access, fraud, and abuse
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom (UK), we process personal data under the following legal bases:
| Processing Activity |
Legal Basis |
| Account creation & authentication |
Performance of a contract (Article 6(1)(b)) |
| Core app features (recipes, pantry, lists) |
Performance of a contract (Article 6(1)(b)) |
| Dietary & allergen management |
Explicit consent (Article 6(1)(a)) |
| AI-powered recipe processing |
Performance of a contract (Article 6(1)(b)) |
| Household sharing |
Legitimate interest & consent (Article 6(1)(f) & (a)) |
| Push notifications |
Consent (Article 6(1)(a)) |
| Operational logging (IP, user agent) |
Legitimate interest in security & debugging (Article 6(1)(f)) |
| Subscription management |
Performance of a contract (Article 6(1)(b)) |
Where we rely on consent, you may withdraw it at any time by adjusting your settings in the app or contacting us at support@souffleai.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
5. Data Sharing & Third-Party Services
We share data with the following third-party service providers solely to operate the Service. We do not sell your personal information to anyone.
| Service |
Provider |
Data Shared |
Purpose |
| Supabase |
Supabase Inc. (US) |
Email, phone number, auth tokens |
User authentication (OTP, session management) |
| Google Gemini AI |
Google LLC (US) |
Recipe page content, food images, video files, cooking queries, dietary context |
AI recipe extraction, ingredient classification, cooking assistance |
| ElevenLabs |
ElevenLabs Inc. (US) |
Recipe instruction text |
Text-to-speech voice generation for cooking mode |
| RevenueCat |
RevenueCat Inc. (US) |
Apple subscription receipts, user ID |
In-app purchase and subscription management |
| Amazon Web Services |
Amazon.com Inc. (US) |
All user data, uploaded images |
Primary data storage (DynamoDB) and image hosting (S3) |
| YouTube Data API |
Google LLC (US) |
Video URLs |
Extracting recipe descriptions from YouTube videos |
When you submit a recipe video URL from YouTube, TikTok, Instagram, or Facebook, we download the video server-side for AI analysis. The video content is processed by Google Gemini AI and is not permanently stored after extraction is complete.
We do not: sell your personal information, share data for advertising purposes, use advertising or analytics SDKs, or engage in cross-app tracking.
6. Household Data Sharing
Souffle supports multi-user households for collaborative kitchen management. When you create or join a household:
- Shared data: Recipes, grocery lists, pantry inventory, cooking sessions, and consumption records are visible to all household members.
- Member visibility: Household members can see each other's first names and profile pictures, and real-time activity such as who is currently viewing or shopping a grocery list.
- Roles: Household owners can invite or remove members, manage settings, and delete the household. Members have standard read/write access to shared data.
- Joining: Households are joined via invite codes that expire after a set period (typically 7 days).
- Personal household: Each user also has a personal household for private data that is not shared with anyone.
You can leave a household at any time. Data you contributed to a shared household may remain accessible to other members after you leave.
7. AI & Automated Processing
Souffle uses artificial intelligence to power several features:
- Recipe extraction: When you import a recipe from a URL, image, or video, AI analyzes the content to extract structured recipe data (ingredients, steps, nutrition information, dietary compatibility).
- Ingredient classification: When you scan a food item with your camera or a barcode, AI identifies the product and suggests categories, nutritional data, and estimated shelf life.
- Cooking assistant: During cooking sessions, you can ask questions and receive AI-generated guidance, including ingredient substitutions and step-by-step help. Your dietary preferences and allergens are included in the context to provide safe, personalized advice.
- Dietary compatibility: Recipes are automatically checked against your dietary restrictions and allergen profile.
AI processing is performed by Google's Gemini models via our backend servers. Your data is sent to Google's API for processing and is subject to Google's Privacy Policy.
No automated decision-making with legal effects: AI is used for assistance and suggestions only. No decisions with legal or similarly significant effects are made solely through automated processing.
8. Data Storage & Security
We take the security of your data seriously and implement the following measures:
- Encryption in transit: All communications between the app and our servers use HTTPS/TLS encryption.
- Secure token storage: Authentication tokens are stored in the iOS Keychain, which provides hardware-level encryption on your device.
- Backend infrastructure: Your data is stored on Amazon Web Services (AWS) in the US-West-2 (Oregon) region, using DynamoDB for structured data and S3 for images.
- Access controls: API endpoints are protected with JWT (JSON Web Token) authentication. Webhook communications are verified using HMAC-SHA256 signatures.
- Image security: Images are accessed via time-limited presigned URLs rather than permanent public links.
- Upload limits: File size limits are enforced on all uploads to prevent abuse.
- Local storage: Preferences stored on your device use iOS sandboxed storage (UserDefaults), which is isolated from other applications.
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
9. Data Retention
We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:
| Data Type |
Retention Period |
| Account data (profile, preferences) |
Until you delete your account |
| Recipes, pantry, grocery lists |
Until you or a household owner deletes them |
| Consumption & activity records |
Until you delete your account |
| Scan session data |
Automatically deleted after 24 hours |
| Household invite codes |
Automatically expire after ~7 days |
| Server logs (IP, user agent) |
Retained per infrastructure log rotation policies |
| Uploaded images |
Until you delete your account |
| Processed video content |
Not permanently stored; deleted after recipe extraction |
Account Deletion
You may delete your account at any time through the app or by contacting us at support@souffleai.com. Upon account deletion:
- Your personal profile data, preferences, and authentication credentials are permanently removed.
- Content you contributed to shared households (recipes, grocery list items) may remain accessible to other household members.
- We will process deletion requests within 30 days.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data.
- Withdraw consent: Withdraw consent for optional data processing at any time.
- Data portability: Request your data in a structured, machine-readable format.
EEA & UK Residents (GDPR)
In addition to the rights above, you have the right to:
- Restriction: Request restriction of processing of your data in certain circumstances.
- Object: Object to processing based on legitimate interest.
- Automated decisions: Not be subject to decisions based solely on automated processing that produce legal effects. (Note: we do not make such decisions.)
- Complaint: Lodge a complaint with your local data protection supervisory authority.
California Residents (CCPA)
See Section 13 for your specific rights under the California Consumer Privacy Act.
To exercise any of these rights, contact us at support@souffleai.com. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your request.
11. Children's Privacy
Souffle is intended for users aged 16 and older. We do not knowingly collect personal information from children under the age of 16.
If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@souffleai.com so we can take appropriate action.
12. International Data Transfers
Our Service is operated from the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States, where our servers and service providers are located.
Specifically, data is processed by:
- Amazon Web Services (AWS) — US-West-2 (Oregon)
- Supabase — United States
- Google (Gemini AI) — United States
- ElevenLabs — United States
- RevenueCat — United States
For transfers of personal data from the EEA or UK to the United States, we rely on the data protection commitments of our service providers, including Standard Contractual Clauses (SCCs) where applicable. By using the Service, you acknowledge and consent to the transfer and processing of your data in the United States.
13. California-Specific Disclosures (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights. This section supplements the rest of our Privacy Policy.
Categories of Personal Information Collected
| CCPA Category |
Examples from Souffle |
| Identifiers |
Email address, phone number, name, username, user ID |
| Internet or network activity |
IP address, user agent, API request logs |
| Sensory data |
Photos of food items/barcodes, voice commands (processed as text) |
| Commercial information |
Subscription tier, purchase history (via Apple/RevenueCat) |
| Inferences |
Dietary compatibility assessments, AI-generated recipe suggestions |
Your CCPA Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a request, email support@souffleai.com. We will verify your identity before processing your request and respond within 45 days.
You may designate an authorized agent to submit requests on your behalf with written permission.
14. EEA & UK-Specific Disclosures
For users in the European Economic Area and United Kingdom:
- Data Controller: Matthew Lorelle (individual developer). As an individual developer not engaged in large-scale processing of special category data, we are not required to appoint a Data Protection Officer under Article 37 of the GDPR.
- Legal basis for processing: See Section 4 above.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority, such as the ICO (UK), CNIL (France), or BfDI (Germany).
- Data protection agreements: We maintain data processing agreements with our sub-processors as required.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
If we make material changes, we will notify you by:
- Posting a prominent notice within the app, or
- Sending you an email or push notification (if you have opted in)
The "Last Updated" date at the top of this policy will be revised accordingly. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
Previous versions of this policy are available upon request by contacting support@souffleai.com.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will respond to all inquiries within 30 days.