Privacy Policy
Last updated: April 15, 2026
Disclaimer: This document is a template and should be reviewed by a qualified attorney before use.
1. Introduction
Orcaas.ai ("Company," "we," "us," or "our") operates EatEit (the "Service"), accessible at eateit.com. EatEit is a cooking identity platform that lets you create recipes, log cooks, and share your cooking life with others.
This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. It covers all features of EatEit, including AI-powered recipe tools, analytics, payment processing, and social features.
By accessing or using EatEit, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
- Email address
- Display name and username
- Google profile information (name, email, profile photo) when you authenticate via Google OAuth
- Locale, timezone (IANA format), and preferred currency (ISO 4217 format)
2.2 User-Generated Content
- Recipes you create (ingredients, instructions, notes, tags)
- Cook logs (timestamps, notes, ratings, modifications)
- Photos and media uploaded with recipes and cook logs
- Voice transcriptions from cook log voice input
- Collections and saved recipes
- Reactions, follows, and social interactions
- Ingredient cost data you optionally enter (stored as structured data alongside your recipes)
2.3 Usage Data
- Pages visited, features used, and interaction patterns
- Device type, browser type, and operating system
- IP address and approximate location
- Referring URLs and access timestamps
- Analytics events (such as recipe creation, cook logging, theme changes, and share actions) collected via PostHog, only when you opt in
2.4 AI Feature Data
When you use AI-powered features (ingredient substitution, nutritional estimation, or recipe polish), the specific recipe data required by that feature is sent to Anthropic's API. This is described in detail in Section 5 below.
2.5 Payment Data
If you subscribe to EatEit Pro, payment processing is handled entirely by Stripe. Stripe collects your card number, billing address, and email address. We never see or store your full card number. We receive from Stripe only your subscription status, plan type, and a truncated card identifier (last four digits) for display in your account settings.
2.6 API Keys You Provide
To use AI features, you provide your own Anthropic API key in Settings. We encrypt this key using AES-256-GCM with a server-side encryption key before storing it. We never store the plaintext version of your API key. See Section 5 for full details.
3. How We Collect Information
3.1 Directly From You
When you create an account, build recipes, log cooks, upload photos, use voice input, enter ingredient costs, configure your locale/timezone/currency, provide an API key, or manage your subscription.
3.2 From Third-Party Authentication
When you sign in using Google OAuth, we receive your name, email address, and profile photo from Google. We do not receive your Google password.
3.3 Automatically
We collect usage data automatically through server logs. If you opt in to analytics cookies, we also collect usage data through PostHog (see Section 7).
3.4 Through AI Features
When you invoke an AI-powered feature, your recipe data is sent to Anthropic's API using your own API key. See Section 5 for what data is sent for each feature.
3.5 Through Payment Processing
When you subscribe to a paid plan, Stripe collects your payment information directly. Stripe notifies us of subscription status changes via webhooks.
4. Voice Data
EatEit offers voice input for cook logs and recipe dictation. Voice data is processed entirely client-side using the Web Speech API built into your browser. Raw audio is never transmitted to our servers. Only the final transcribed text is stored as part of your cook log or used as input for AI features (such as recipe polish). We do not retain, process, or share any raw voice recordings.
5. AI-Powered Features and Data Processing
5.1 Bring Your Own API Key
EatEit's AI features require you to provide your own Anthropic API key. When you enter your key in Settings:
- Your key is encrypted using AES-256-GCM with a server-side encryption key before it is written to the database
- The plaintext key is never stored at rest
- When you use an AI feature, your key is decrypted server-side, used to make the API call to Anthropic, and immediately discarded from memory
- You can delete your API key from Settings at any time, which removes the encrypted key from our database
5.2 What Data Is Sent to Anthropic
Each AI feature sends only the minimum data required:
- Ingredient Substitution: The ingredient name and surrounding recipe context (other ingredients, recipe title)
- Nutritional Estimation: The full ingredient list for the recipe
- Recipe Polish: The raw dictated text you want cleaned up
All AI requests are made to Anthropic's API using the Claude Haiku 4.5 model. AI requests are rate-limited per user to prevent abuse.
5.3 Anthropic's Data Handling
Data sent to Anthropic is governed by Anthropic's Privacy Policy and their API Terms of Service. Because you use your own API key, your relationship with Anthropic regarding that data is directly between you and Anthropic. EatEit does not control how Anthropic processes data once it reaches their API.
6. How We Use Your Information
- Provide, maintain, and improve the Service
- Create and manage your account
- Display your public profile, recipes, and cook logs to other users
- Enable social features (following, reactions, remixing)
- Process AI feature requests using your provided API key and recipe data
- Process subscription payments through Stripe
- Send transactional emails (magic link authentication, account notifications)
- Analyze usage patterns to improve the Service (only with your analytics consent)
- Display your locale, timezone, and currency preferences throughout the Service
- Enforce our Terms of Service and prevent abuse
- Comply with legal obligations
7. Cookies and Analytics
7.1 Cookie Consent Model
EatEit uses a granular cookie consent model. When you first visit the Service, you will see a cookie consent banner with the following options:
- Accept All: Enables both essential and analytics cookies
- Save Preferences: Lets you choose which categories to enable
- Essential Only: Enables only the cookies required for the Service to function
You can change your cookie preferences at any time via the "Cookie Preferences" link in the footer or in your account settings.
7.2 Essential Cookies
These cookies are always active and are required for EatEit to function. They include:
- Supabase authentication session cookies (to keep you logged in)
- Cookie consent preference (to remember your cookie choices)
7.3 Analytics Cookies (Opt-In Only)
If you opt in to analytics cookies, we use PostHog to collect usage data. PostHog is configured so that capturing is opted out by default, meaning no analytics data is collected until you affirmatively consent.
Analytics events we track include:
- Page views
- Account signup
- Recipe creation
- Cook log entries
- Theme changes
- Share actions
PostHog data is hosted in the United States (us.i.posthog.com). PostHog's data handling is governed by PostHog's Privacy Policy.
7.4 We Do Not Use
- Advertising cookies or tracking pixels
- Cross-site tracking
- Third-party advertising networks
8. Social Features and Public Information
EatEit includes social features. The following information may be visible to other users:
- Your public profile (display name, username, profile photo, cooking stats)
- Recipes and cook logs you make public
- Follow relationships (who you follow and who follows you)
- Reactions you leave on other users' cook logs
- Recipe remixes and attribution chains
You may control the visibility of individual recipes and cook logs through the Service's privacy settings.
9. Photo and Media Storage
Photos and media you upload are stored in Supabase Storage, hosted in the US-West region. Photos associated with public recipes or cook logs may be visible to other users. You may delete your uploaded media at any time through the Service.
10. Third-Party Services
We use the following third-party services to operate EatEit. Each receives only the data necessary for its function:
- Supabase — Database, authentication, and file storage. Stores your account data, recipes, cook logs, encrypted API keys, and uploaded media. Data is stored in the US-West region. See Supabase Privacy Policy.
- Vercel — Web hosting and serverless functions. Processes your requests and serves the application. See Vercel Privacy Policy.
- Google — OAuth authentication only. When you sign in with Google, your authentication is governed by Google's Privacy Policy.
- PostHog — Product analytics (opt-in only). When you consent to analytics cookies, PostHog receives usage events (page views, feature usage). Data is hosted in the US (us.i.posthog.com). See PostHog Privacy Policy.
- Stripe — Payment processing for Pro subscriptions. Stripe receives your card number, billing address, and email. We never see or store your full card number. See Stripe Privacy Policy.
- Anthropic — AI model provider. When you use AI features, your recipe data is sent to Anthropic's API using your own API key. Anthropic receives the recipe data described in Section 5.2. See Anthropic Privacy Policy.
11. Third-Party Embeds
Recipe pages on EatEit may include embedded video or media content from third-party platforms. These embeds are user-initiated: they load only when a recipe author has added a video URL to their recipe.
Platforms that may be embedded include:
- YouTube (google.com/youtube)
- Vimeo (vimeo.com)
- TikTok (tiktok.com)
- Instagram (instagram.com)
When these embeds load, the third-party platform may set its own cookies, collect your IP address, and track your interaction with the embedded content according to its own privacy policy. EatEit does not control the data these platforms collect. Embeds are lazy-loaded and do not activate until they enter your viewport.
If you have concerns about third-party embed tracking, you can use your browser's built-in content blocking features or a browser extension to prevent these iframes from loading.
12. Data Sharing and Disclosure
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We may share your information only in the following circumstances:
- With your consent
- With the third-party service providers listed in Section 10, as necessary to operate the Service
- With Anthropic when you use AI features, as described in Section 5
- With Stripe when you subscribe to a paid plan, as described in Section 2.5
- To comply with legal obligations, court orders, or governmental requests
- To protect our rights, safety, or property, or that of our users
- In connection with a merger, acquisition, or sale of assets (you will be notified)
13. Data Retention
We retain your account data and user-generated content for as long as your account is active. Specific retention details:
- Your encrypted API key is retained until you delete it from Settings or delete your account
- Analytics data collected by PostHog is retained according to PostHog's retention policies
- Stripe retains payment data according to its own retention policies and legal obligations
- Server logs are retained for up to 30 days
When you request account deletion, we will delete your personal information, recipes, cook logs, uploaded media, and encrypted API key within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).
14. Data Security
We implement reasonable technical and organizational measures to protect your personal information, including:
- All data in transit is encrypted using HTTPS/TLS
- Anthropic API keys are encrypted at rest using AES-256-GCM with a server-side encryption key
- Authentication is managed by Supabase Auth with secure session handling
- Database access is controlled through Row Level Security (RLS) policies
- Payment data is handled entirely by Stripe, which is PCI DSS Level 1 certified
- AI feature requests are rate-limited per user
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately.
15. Children's Privacy
EatEit is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@eateit.com.
16. Your California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. As such, we do not offer an opt-out of sale mechanism.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Right to Data Portability: You may request a copy of your personal information in a portable, machine-readable format.
- Right to Correct: You may request correction of inaccurate personal information we hold about you.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than providing the Service.
To exercise any of these rights, please contact us at privacy@eateit.com. We will respond to verifiable requests within 45 days.
Categories of Personal Information Collected
- Identifiers (email, username, display name, IP address)
- Internet activity (usage data, pages visited, features used, analytics events)
- Commercial information (subscription status, payment history via Stripe)
- Sensory data (photos uploaded by users)
- Geolocation data (timezone, locale preferences)
- Other information you provide (recipes, cook logs, voice transcription text, ingredient costs, API keys in encrypted form)
We Do Not
- Sell personal information
- Share personal information for cross-context behavioral advertising
- Use or disclose sensitive personal information for purposes other than providing the Service
17. International Users
EatEit is operated from the United States. All data, including account data, recipes, uploaded media, and encrypted API keys, is stored and processed in the United States (Supabase US-West region, Vercel US infrastructure, PostHog US hosting).
If you access EatEit from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We do not currently offer EU-specific data processing or storage.
18. Your Rights and Choices
- Access: You may access and download your personal data through your account settings.
- Correction: You may update your account information, locale, timezone, and currency at any time in Settings.
- Deletion: You may request deletion of your account and all associated data by contacting us at privacy@eateit.com.
- Portability: You may request an export of your data in a machine-readable format.
- Analytics Opt-Out: You may disable analytics cookies at any time via the "Cookie Preferences" link in the footer or in your account settings. Disabling analytics cookies stops all PostHog data collection immediately.
- API Key Removal: You may delete your stored Anthropic API key at any time from Settings, which immediately removes the encrypted key from our database.
- Subscription Cancellation: You may cancel your Pro subscription at any time from your account settings. Stripe will stop processing future payments.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes (such as new categories of data collection or new third-party services), we will make reasonable efforts to notify you via email or an in-app notice. Your continued use of the Service after changes constitutes acceptance of the updated policy.
20. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled, please contact us at:
Orcaas.ai
Email: privacy@eateit.com
Website: eateit.com