Last updated: April 30, 2026
This Privacy Policy describes how Rico collects, uses, and protects your personal information.
| Data Type | Examples | Purpose |
|---|---|---|
| Account information | Email, name, authentication provider | Account creation, login |
| Dietary preferences | Vegetarian, keto, low-carb | Recipe personalization |
| Allergy and restriction data | Peanuts, gluten, dairy | Allergen avoidance in recipes; included in prompts sent to AI providers (see §3) |
| Cooking activity | Recipes generated, cooked, rated; wishlisted recipes; paused cooking sessions | Personalization, recommendations |
| Meal plan | Scheduled meals by date | Weekly meal planning feature |
| Grocery lists | Personal grocery items; shared grocery list membership and items | Shopping list feature |
| Store preferences | Preferred grocery store assignments per item | Grocery list organization |
| Photos | Recipe photos uploaded for import or taken while cooking | AI recipe extraction (import photos sent to AI service providers); cooking photos stored in your account |
| Usage analytics | Feature usage, screen views, session data, session recordings | Product improvement (processed by PostHog — see §3) |
| Push notification data | Device push token, device timezone | Sending cooking timer alerts and review reminders |
| Subscription events | Purchase, renewal, and cancellation events | Subscription management |
| Engagement milestones | Counts of recipes cooked, generated, rated | Feature unlocks and personalization |
| In-app feedback | Bug reports and feedback messages submitted in-app | Product improvement |
| AI quality logs | Pseudonymized records of AI requests and responses (no account identifier or health data) | AI quality monitoring and improvement |
If you use Rico without creating an account, you are a guest user. Guest data (dietary preferences, onboarding answers, and app activity) is stored on your device only and is not synced to our servers. When you create an account, your guest data is migrated to your new account and synced to our servers at that time.
Rico collects dietary restriction, allergy, and nutritional preference data that may be classified as health-related information under certain state laws (including the Washington My Health My Data Act and California Consumer Privacy Act). This data is collected solely to personalize your cooking experience and is never sold or shared with third parties for their own purposes.
When you generate recipes or use AI cooking features, your dietary restrictions and allergy information are included in the prompts sent to the AI service providers we use. This is necessary so that Rico can screen recipes for allergens and personalize suggestions to your dietary needs. Your account identifier is not transmitted to AI providers — requests are made through our server-side proxy.
You have the right to: access your health-adjacent data; request deletion of this data; withdraw consent for its collection. To exercise these rights, contact us at support@cookwithrico.com or delete your account through the app.
When a Rico user shares a recipe, we host a public web page at cookwithrico.com/r/{token} that anyone with the link can view without an account. If you visit one of these pages:
__session) that stores a list of recipe tokens you've viewed. This is used to limit non-users to 2 free recipe views before prompting them to install the app. The cookie expires after 90 days.
We do not run third-party analytics, advertising trackers, or social pixels on these shared recipe pages.
Rico uses the following third-party services that may process your data. Our current list of data processors is available at cookwithrico.com/subprocessors.
Your recipe requests and cooking questions are sent to AI service providers we use for processing. These providers have their own privacy policies governing data handling. We do not share your account identifier (such as your user ID or email address) with AI providers — requests are made through our server-side proxy. However, your dietary restrictions, allergy information, flavor preferences, and other profile data you have provided are included in the prompts sent to AI providers when you use recipe generation or cooking features.
When our automated AI quality checks detect a potential issue with an AI response, a short excerpt of that response (up to 200 characters) may be sent to an internal monitoring channel to alert our team. This is operational monitoring data; it does not include your account identifier.
Rico uses PostHog to record sessions — screen-level recordings of your app usage — to help us reproduce issues and improve the app. The following applies to session recordings:
Rico includes a voice input feature that transcribes speech to text. Rico uses your device's native speech recognition APIs (provided by Apple on iOS or Google on Android). Rico does not record or store audio — only the resulting text is used by the app. Your device's speech recognition APIs may transmit audio to the API provider's servers for processing; this is outside Rico's control and is governed by your device operating system's privacy policy.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
To exercise these rights — including to opt out of session recording — contact us at support@cookwithrico.com or delete your account through the app. We will respond to verifiable requests within 45 days. We may extend this period by an additional 45 days when reasonably necessary and will notify you of any extension.
We retain your data for as long as your account is active.
When you delete your account, the following data is deleted from our systems within 30 days: your account, your profile (including account information, dietary preferences, and allergy data), recipes, cooking sessions, wishlist, meal plan, grocery lists, store preferences, push notification tokens, subscription events, engagement milestones, and in-app feedback.
A deletion audit record is retained to confirm your request was completed. This record contains only the timestamp and status of your deletion request — no personal data.
AI quality logs are stored in pseudonymized form keyed to a rotating identifier — not your account ID. These logs cannot be linked back to you after account deletion and are retained for up to 90 days before automatic deletion.
We use industry-standard security measures including encrypted data transmission (TLS), Firebase security rules, and server-side API key management. No method of electronic transmission or storage is 100% secure.
Rico is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by email.
For privacy questions or to exercise your data rights, contact us at support@cookwithrico.com.