Information We Collect
When you create an account, we collect your name, email address, and an encrypted password. When you import recipes, we process the URLs or text you provide. When you upload a photo (recipe or avatar), we store the image on our servers. On mobile, we process device-level identifiers for push notifications and ad personalization (see below).
How We Use Your Data
Your data is used to provide the Forkato service - storing recipes, meal plans, shopping lists, and pantry contents. Anonymous, aggregated recipe import counts power the public Trending / Discover page (no usernames or personal identifiers are shown). We do not sell or rent your personal information to third parties for their own marketing.
Third-Party Services
- Anthropic (Claude API) - We send recipe content (URLs, scraped HTML, or pasted text) to Claude for structured extraction. Content is processed per Anthropic's privacy policy and is not used for model training.
- USDA FoodData Central - Ingredient names are sent to the USDA API for nutrition lookups. No personal data is shared.
- Open Food Facts - Barcodes you scan are sent to the Open Food Facts public product API to look up product name and category. No personal data is shared.
- UPC Item DB - If Open Food Facts does not recognize a scanned barcode, we send the same barcode (only) to UPC Item DB's free product lookup API as a fallback. No personal data is shared. Every successful lookup is cached on our servers so the same barcode is never re-sent.
- Stripe - If you upgrade to Premium, Stripe processes your payment. Your card details are never sent to or stored by Forkato. Stripe may set its own cookies; see their privacy policy.
- Resend - Email addresses are shared with Resend for outbound transactional email (welcome, password resets, receipts, onboarding sequences).
- ImprovMX - Inbound email to any @forkato.com address (e.g. replies to hello@forkato.com) is forwarded via ImprovMX to a moderated Gmail inbox.
- Google Sign-In (Google OAuth) - If you sign in with Google, Google shares your email, name, and Google account ID with Forkato per your consent.
- Google AdMob (mobile only) - On the Android app, AdMob serves rewarded video ads and may collect device-level identifiers (Advertising ID) to personalize ads and measure performance. You can reset or opt out of ad personalization in Android settings. AdMob is not used on the web app.
- Google AdSense (web) - On the free tier, AdSense may serve display ads on the Discover page and use cookies for personalization and frequency capping. Premium users see no ads.
- Google Analytics 4 (web) - Forkato uses Google Analytics 4 to measure pageviews and a small set of product events (recipe_import, recipe_view, signup, premium_upgrade, share_recipe) so we can see what's working and what isn't. When you are signed in, we pass only your numeric user ID to GA (no email, no name, no recipe content). Google Analytics sets its own cookies for session tracking - you can block them via your browser or opt out with the Google Analytics Opt-out Browser Add-on. GA4 is not loaded on the mobile app.
- Google Search Console (web) - A single meta-tag site-verification token is served on every public page so Google Search Console can confirm Forkato owns the domain. No behavioural data is collected by this tag; it exists only so Forkato can see which search queries land users on the site.
- Amazon Associates - Some recipe pages include affiliate links to Amazon. Clicking a link sends your browser to Amazon with an affiliate tag so Forkato earns a commission on qualifying purchases; Forkato does not receive your Amazon purchase details.
- Walmart and Instacart affiliate links - The shopping list "Order groceries" button links you to Walmart or Instacart search with an affiliate tag. Forkato earns a commission on qualifying purchases; we do not receive your cart details.
- Grocery chain affiliate and delivery links - When you add a grocery chain to your preferred stores, the shopping list may surface a "Shop on [Chain]" button that routes to the chain's ordering page - sometimes with an affiliate tag (currently: Kroger, Target, Safeway, Albertsons via Impact; Whole Foods, Amazon Fresh, Weis via Amazon Associates). Forkato may earn a commission on qualifying purchases; we do not receive your cart details.
- OpenStreetMap Overpass API - The "Find stores near me" feature sends your approximate latitude and longitude (rounded to two decimal places, roughly within a kilometer) to the Overpass API so we can list nearby supermarkets. Results are cached for 24 hours per rounded coordinate.
- Kroger Developer API - If you have a Kroger-family store (Kroger, Fred Meyer, Ralphs, Harris Teeter, King Soopers, Smith's, Fry's, QFC, Pick 'n Save, etc.) selected, the shopping list may look up product prices and aisle locations via Kroger's public Products API. Only your typed item search terms and the store's public locationId are sent.
- Amazon (Alexa skill) - If you enable the Forkato Alexa skill, linking an Alexa account shares a pairing token between Amazon and Forkato so the skill can read your household's meal plan and recipes aloud.
Location Data
Forkato does not track your location continuously. Location data is used in two narrow places, and only when you explicitly opt in:
- "Find stores near me" - your browser or phone provides your current GPS latitude and longitude only when you tap the button. The coordinates are rounded to two decimals before being sent to the Overpass API to respect your approximate location; the rounded result is cached to reduce repeat calls.
- Preferred store addresses - if you add a specific store location to your preferences, its street-level address is saved on your account so the app can sort your shopping list by aisle and link to the correct delivery page. You can remove it at any time from Profile → My grocery stores.
We never broadcast your live location to other users and we do not store a location history.
Cookies
Forkato uses a single session cookie (PHPSESSID) to keep you signed in. Third-party services listed above may set their own cookies; refer to their policies.
Data Retention
Your data is retained for as long as your account is active. You can delete your account at any time from the Profile page, which permanently removes all recipes, meal plans, shopping lists, pantry items, and uploaded photos. Aggregate, de-identified import counts (used for Trending / Discover) are retained indefinitely because they no longer identify you once your account is deleted.
Marketing Email Preferences
Transactional emails (password reset, receipts, household invites) are always sent. Marketing / onboarding emails (the day-3 and day-7 follow-ups) can be opted out of from any of their footers - one click unsubscribes you from all marketing email.
Security
Passwords are hashed using bcrypt. All traffic is encrypted via TLS/SSL. We implement rate limiting, security headers, and regular security reviews.
Changes to this policy
We'll update the "Last updated" date at the top whenever this policy changes. Material changes will be communicated via email to the address on your account.
Contact
For privacy questions, contact us at hello@forkato.com or via the contact form.