Last updated June 21, 2026
Shalotte helps you cook smarter using what's already in your kitchen. To do that, we store your kitchen inventory, equipment, meal history, and preferences. We use AI (Anthropic's Claude) to generate recipes and parse voice input — your data is sent to their API but never used to train AI models. We don't sell your data. Ever. You can delete your account and all your data at any time.
Account information Email address, name, password (encrypted by Supabase Auth). Used to create your account and authenticate you. Legal basis: contract performance.
Kitchen data Inventory items (food, zones, quantities, expiry dates), kitchen equipment (names, brands), dietary preferences, cuisine preferences, household size, cooking skill level. This is the core of Shalotte — we need to know what's in your kitchen to suggest what to cook. Legal basis: contract performance.
Cooking activity Meal history (what you cooked, when, ratings, portions), planned meals, meal reservations, shopping lists and items. Used to avoid repeating meals, learn your preferences over time, and manage your shopping list. Legal basis: contract performance.
Food preferences Purchase patterns, preferred zones, quantities, units, frequently bought items. Used to personalise suggestions and speed up adding items. Legal basis: legitimate interest (improving your experience).
Voice data Voice transcripts from voice input features, plus parsed results. Used to convert your speech into inventory items. Transcripts are logged temporarily for debugging and accuracy improvement. Legal basis: consent (you choose to use voice input).
Usage data API call logs (which features you use, token counts, timestamps). No IP addresses stored in our database. Used to monitor costs, detect abuse, and improve the service. Legal basis: legitimate interest.
Feedback Any messages you send us through the app. Used to improve Shalotte. Legal basis: consent.
Shalotte uses Anthropic's Claude API to generate recipe suggestions, parse voice input, and power the Sous Chef feature. When you use these features:
- Your inventory, equipment, preferences, and recent meal history are sent to Claude's API to generate personalised results. - Anthropic retains API logs for 7 days for safety monitoring, then deletes them automatically. - Your data is never used to train AI models. Anthropic's API terms explicitly exclude training on API customer data. - Voice transcripts are sent to Claude (Haiku model) for parsing. The transcript text is processed and returned — Anthropic does not store audio. - Photos you take for photo inventory are sent to Claude to recognise the food items in them, processed transiently in memory, and never stored by Shalotte.
We also use OpenWeatherMap to fetch local weather data (based on your approximate location) to make weather-appropriate meal suggestions. No personally identifiable information is sent to OpenWeatherMap.
We use a small number of trusted service providers to run Shalotte. We don't sell, rent, or trade your personal data with anyone.
All providers are GDPR-compliant or operate under adequate safeguards for international data transfers.
| Provider | What they process | Why |
|---|---|---|
| Supabase | All account and app data | Database hosting and authentication |
| Anthropic | Kitchen context for AI features | Recipe generation, voice parsing, Sous Chef |
| Vercel | Server requests, IP addresses (in logs) | App hosting and deployment |
| Cloudflare | DNS queries, traffic data | Domain management and security |
| Resend | Email address | Sending authentication emails (sign-up, password reset) |
| Stripe | Payment details (when live) | Subscription billing |
| PostHog (EU) | Product analytics events (only with your consent) | Measuring which features help you cook — opt-in, EU-hosted |
- Your data is stored in Supabase (hosted on AWS in the EU/US). - All data is encrypted in transit (TLS) and at rest. - Row-Level Security (RLS) is enabled on every table — you can only access your own data. - Passwords are hashed by Supabase Auth (bcrypt). We never see or store plaintext passwords. - We don't store payment card details — Stripe handles all payment processing directly.
You have the right to:
- Access your data — see everything we store about you (available in Settings, or email us). - Correct your data — edit your profile, inventory, and preferences at any time in the app. - Delete your data — use the "Delete Account" button in Settings. This permanently removes all your data from our systems within 24 hours. Backup retention: Supabase backups containing deleted data expire within 7 days. - Export your data — email us and we'll provide a copy. (Self-service export is planned for a future release.) - Object to processing — email us to discuss. - Withdraw consent — for optional features like voice input, simply stop using them. For marketing (if any), unsubscribe at any time.
To exercise any right, email privacy@shalotte.com or use the in-app controls.
We respond to all requests within 30 days as required by GDPR.
Shalotte uses:
- Authentication cookies — to keep you signed in (essential, no consent needed). - sessionStorage — to cache recipes temporarily for instant loading (cleared when you close the tab).
Product analytics cookies (PostHog, EU-hosted) are set ONLY if you opt in — you're asked first, and declining carries the same weight as accepting. Decline, and no analytics cookies are set. We do not use advertising cookies or third-party ad trackers. No Google Analytics. No Facebook Pixel.
- Account data: Kept while your account is active. Deleted within 24 hours of account deletion. - Voice parse logs: Retained for 90 days for debugging, then automatically purged. - API usage logs: Retained for 12 months for cost monitoring, then purged. - Anthropic API logs: 7 days (managed by Anthropic, not us). - Vercel server logs: 30 days (managed by Vercel). - Supabase backups: Rolling 7-day window. Deleted data falls out of backups within 7 days.
Shalotte is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, please contact us and we'll delete it immediately.
Your data may be processed outside the UK/EEA by our service providers (Anthropic and Vercel are US-based). These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by UK GDPR and EU GDPR.
We'll update this policy if our data practices change. Material changes will be communicated via email or an in-app notice. The "last updated" date at the top always reflects the current version.
Data controller: Felix Wolf Email: privacy@shalotte.com
For complaints, you also have the right to contact the Information Commissioner's Office (ICO) at ico.org.uk if you're in the UK, or your local data protection authority.
This policy was written in plain English because we believe you shouldn't need a law degree to understand how your data is handled.