Last updated: 3 March 2026 · Effective: 3 March 2026
This Privacy Policy explains how SteakChef ("we", "us", "our") collects, uses, shares, and protects your personal data when you use steakchef.app (the "Service"). It applies to all users in the United Kingdom and European Economic Area and is written to comply with the UK GDPR, the Data Protection Act 2018, and the EU GDPR (Regulation 2016/679).
Contents
The data controller responsible for your personal data is SteakChef, operated by Zulfikar Gani. You can contact us at [email protected].
We are not currently required to appoint a Data Protection Officer (DPO), but all data protection enquiries should be directed to the address above and will be handled promptly.
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, hashed password, profile photo URL | You, directly |
| Authentication data | Google OAuth ID, session tokens, email verification tokens | You / Google |
| Subscription & billing data | Stripe customer ID, subscription status, payment intent IDs | Stripe |
| Cooking preferences | Preferred cuts, doneness levels, cooking methods | You, directly |
| AI-generated recipes | Steak recipes generated using your inputs | AI processing of your inputs |
| Usage data | Pages visited, features used, timestamps, IP address | Automatically |
| Communications | Support emails, feedback submitted through the Service | You, directly |
| Marketing preferences | Email opt-in/out status, unsubscribe token | You / system |
We do not collect special-category data (health, biometric, political, religious data) and do not collect payment card numbers — all card processing is handled directly by Stripe.
We process your personal data only where we have a valid lawful basis under UK/EU GDPR:
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Create and manage your account | Name, email, password hash | Contract (Article 6(1)(b)) |
| Authenticate you and maintain sessions | Session tokens, OAuth IDs | Contract (Article 6(1)(b)) |
| Process subscription payments via Stripe | Email, Stripe IDs, subscription status | Contract (Article 6(1)(b)) |
| Generate AI-powered steak recipes | Cooking preferences, inputs you provide | Contract (Article 6(1)(b)) |
| Send transactional emails (verification, password reset) | Email address | Contract (Article 6(1)(b)) |
| Send marketing & onboarding emails (welcome, tips) | Email address, name | Consent (Article 6(1)(a)) — you may withdraw at any time |
| Improve the Service and conduct analytics | Usage data, aggregated recipe data | Legitimate interests (Article 6(1)(f)) |
| Comply with legal obligations | Any data required by law | Legal obligation (Article 6(1)(c)) |
| Prevent fraud and ensure security | IP address, session data | Legitimate interests (Article 6(1)(f)) |
Where we rely on legitimate interests, we have balanced those interests against your rights and concluded that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time (see Section 7).
SteakChef uses an AI language model to generate personalised steak recipes based on the inputs you provide (cut, doneness, cooking method, and optional preferences). Your inputs and the resulting recipes are processed on our servers. We may use aggregated, anonymised recipe data to improve our AI prompts and Service quality, but we do not use your personal data to train external AI models.
AI-generated recipes are provided for informational and culinary guidance purposes only. They do not constitute professional dietary, nutritional, or medical advice. You should exercise your own judgement when following any recipe, particularly regarding food safety temperatures and allergens.
Automated decision-making that produces legal or similarly significant effects is not used on this Service.
We retain your personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Active account data | For the duration of your account |
| Deleted account data | Purged within 30 days of deletion request |
| Billing records (Stripe IDs, transaction references) | 7 years (UK tax/accounting obligations) |
| Email communication logs | 2 years |
| Server access logs (IP, timestamps) | 90 days |
| Unverified accounts (no verification within 30 days) | Deleted after 30 days |
Under UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact us at [email protected] or use the controls in your Account Settings.
| Right | What it means |
|---|---|
| Access (Article 15) | Request a copy of all personal data we hold about you. |
| Rectification (Article 16) | Ask us to correct inaccurate or incomplete data. |
| Erasure / 'Right to be forgotten' (Article 17) | Request deletion of your account and personal data, subject to legal retention obligations. |
| Restriction (Article 18) | Ask us to pause processing while a dispute is resolved. |
| Data portability (Article 20) | Receive your data in a structured, machine-readable format (JSON). |
| Object (Article 21) | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent (Article 7(3)) | Withdraw marketing consent at any time via the unsubscribe link in any email or in Account Settings. |
| Automated decision-making (Article 22) | We do not use solely automated decision-making that produces legal effects. |
We will respond to all requests within 30 days. We may need to verify your identity before processing a request. There is no charge for exercising your rights.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption in transit, hashed password storage (bcrypt), JWT-signed session tokens with short expiry, and access controls limiting data access to authorised personnel only.
No method of transmission over the internet is 100% secure. If you become aware of any security vulnerability or breach, please contact us immediately at [email protected].
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay.
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
Users between 13 and 16 in the EEA require parental or guardian consent for data processing based on consent under Article 8 GDPR.
Your data may be processed outside the UK and EEA by our service providers (including Stripe and Manus AI infrastructure). Where such transfers occur, we ensure appropriate safeguards are in place, including:
You may request a copy of the relevant transfer safeguards by contacting us.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and by updating the "Last updated" date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
If you are based in the EEA, you may also contact your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.
We use essential cookies to keep you signed in and remember your preferences. With your consent, we also use analytics cookies to understand how the Service is used. We do not use advertising cookies.
Read our Cookie Policy and Privacy Policy.