Consumer Health Data Privacy Policy

Last updated: April 23, 2026

This policy applies to residents of Washington State and describes how Rico handles consumer health data as defined by the Washington My Health My Data Act (MHMDA). It supplements our Privacy Policy, which covers all users and all data categories. If you have questions, contact us at support@cookwithrico.com.

1. Consumer Health Data We Collect

Rico collects the following information that may constitute consumer health data under the Washington My Health My Data Act:

Dietary restrictions — foods you cannot or choose not to eat (e.g., gluten-free, dairy-free, nut-free)
Food allergies — specific allergens you have identified (e.g., peanut allergy, shellfish allergy, tree nut allergy)
Dietary conditions — health-related dietary requirements you have disclosed (e.g., diabetic diet, low-sodium, celiac disease)
Nutritional preferences — dietary patterns tied to health goals that you provide during onboarding or in conversation with Rico (e.g., low-carb, high-protein)

This information is collected when you complete Rico's onboarding survey, update your profile preferences in Account Settings, or mention relevant restrictions in conversation with the Rico cooking assistant.

We do not collect medical diagnoses, prescriptions, biometric data, precise location, or other health data categories beyond those listed above.

2. Why We Collect This Data

We collect consumer health data for one purpose: to personalize your cooking experience. Specifically:

Allergen screening — every recipe Rico generates or imports is checked against your stated allergens before being shown to you
Recipe personalization — your restrictions are included in the instructions Rico sends to AI providers so that generated recipes respect your dietary needs
Preference learning — your preferences are used to refine the flavor profile and ingredient suggestions Rico makes over time

We do not use this data for advertising, marketing, or any purpose unrelated to generating and personalizing your recipes.

3. Who Receives Your Consumer Health Data

Your consumer health data is transmitted to the following third-party AI service providers when you use Rico's recipe generation, cooking assistance, or import features. This transmission is necessary for the service to function — without it, Rico cannot screen recipes for your allergens or personalize suggestions.

AI Service Providers

Your dietary restrictions, food allergies, and nutritional preferences are included in requests sent to third-party AI service providers to power Rico's features: recipe generation, cooking assistance and chat, recipe import from URL or photo, ingredient suggestions, and recipe discovery. Rico currently uses the following AI service providers:

OpenAI — openai.com
Anthropic — anthropic.com

Under Rico's agreements with these providers:

They will not use your data to train their AI models
They retain request logs for up to 30 days for security and abuse monitoring, after which they are deleted
They do not receive your name, email address, or Rico account identifier — only the food-relevant information needed to process your request

No other recipients

Your consumer health data is not sold, shared with data brokers, or transmitted to any other third party. It is not used for advertising, marketing, or cross-context behavioral tracking.

4. Session Recordings

Rico uses PostHog to record screen-level sessions of app usage to help us reproduce issues and improve the app. Consumer health data is specifically excluded from session recordings:

Recording pauses when you are viewing screens that display dietary preferences, allergy selections, AI cooking responses, or the health consent screen
Brief transition frames (typically 1–3 seconds) at the moment of entering or leaving a sensitive screen may be captured before recording pauses
Session recordings are retained for 30 days
To disable session replay recording, email us at support@cookwithrico.com. We will disable recording upon processing your request within 45 days.

PostHog does not receive your consumer health data through session recordings.

5. Your Rights Under the Washington My Health My Data Act

Washington residents have the following rights with respect to their consumer health data:

Right to access — you may request a copy of the consumer health data Rico holds about you by emailing support@cookwithrico.com. We will respond within 30 days.
Right to deletion — you may request deletion of your consumer health data. Because Rico's core functionality (allergen screening, recipe personalization) depends on this data, requesting deletion of your consumer health data will result in account deletion and removal of all your Rico data within 30 days.
Right to withdraw consent — you may withdraw your consent at any time. Because Rico's recipe personalization and allergen screening depend on this data, withdrawing consent means you'll no longer be able to use these core features. Withdrawing consent will delete your account and remove all your data from our systems; you will not be charged for any unused portion of an active subscription.
Right to appeal — if we decline to act on any of your requests under this policy, you may appeal the decision by contacting us at support@cookwithrico.com within 30 days of our response. We will respond to appeals within 45 days.
Right to no retaliation — we will not discriminate against you for exercising any of these rights

6. How to Exercise Your Rights

To exercise any of the rights described above:

Delete your account (fastest) — Account Settings → Privacy & Data → Withdraw consent and delete account. This immediately initiates cascade deletion of all your data, including consumer health data, and is completed within 30 days.
Email request — contact us at support@cookwithrico.com. We will respond to verifiable requests within 30 days as required by MHMDA.

We may need to verify your identity before processing a request. For email requests, we will ask you to confirm the email address associated with your Rico account.

7. Data Retention

Your consumer health data (dietary restrictions, allergies, nutritional preferences) is stored in your Rico account profile and retained for as long as your account is active.

When you delete your account, your consumer health data is deleted from Rico's systems within 30 days. A deletion audit record (containing only the timestamp and status of your deletion request — no health data) is retained to confirm your request was completed.

Rico's internal AI quality logs do not contain your consumer health data. Before any AI request is logged, your profile information (including dietary restrictions, allergies, and preferences) is stripped from the request, and any self-disclosed health phrases in your input are replaced with a placeholder token. These pseudonymized logs are retained for up to 90 days and cannot be linked back to you.

8. Data Security

Rico transmits your consumer health data to AI service providers over encrypted connections (TLS). Your account identifier is not transmitted to AI providers — all requests are proxied through Rico's server-side infrastructure. API keys and secrets are managed server-side and never exposed to the app.

9. Changes to This Policy

If we make material changes to how we collect, use, or share your consumer health data — including adding new AI service providers — we will notify you through the app before the change takes effect and ask you to review and re-consent. You can review the current version of this policy at any time at cookwithrico.com/health-privacy.

10. Contact

For questions about this policy or to exercise your rights, contact us at support@cookwithrico.com.

Rico is operated by Agora Labs LLC.