This Privacy Policy explains how CooKing: Meal Planner (“CooKing”, “the App”, “we”, “us”, “our”) collects, uses, stores and shares information when you use the mobile and web applications built from this codebase.CooKing is a recipe, pantry, shopping list and meal planning application built with Flutter. It integrates with Firebase, Google Cloud services and certain AI APIs to provide features such as recipe capture from images and websites, pantry-based recipe matching, notifications and syncing across devices.By using CooKing, you agree to the collection and use of information in accordance with this Privacy Policy.
We only collect information that is necessary to operate the App and provide its features. Based on the reviewed code, the App collects the following categories of data:
Email address – used for account creation, authentication and communication.
Firebase user ID – unique identifier assigned by Firebase Auth.
Sign-up date – stored as an ISO timestamp string.
Display name – optional name you provide or derived from your email.
Profile picture URL – optional URL of a profile image stored in Firebase Storage.
This data is stored in Firebase Authentication, Firebase Realtime Database (usersData/<uid>), and locally in an encrypted Hive box named session.
Password (hashed by Firebase Auth) – handled and stored by Firebase Authentication only.
Local session data – user email, user id and session timestamps stored in a local Hive box to restore sessions for up to 30 days.
The App does not store your raw password in its own data structures; it relies on Firebase Authentication.
Recipes
Name, portions, cooking time, difficulty.
Categories (e.g., cuisine, course).
Ingredients (name, amount, unit, notes, optional flag, section).
Steps (text instructions, optional sections).
Photo URL and/or local image path.
Cooking history (cooked dates).
Planning data (scheduled dates).
Pantry items
Name, quantity, unit, category.
Expiration date.
Reserved quantity.
“Always-available” flags for staple ingredients.
Shopping lists
List names.
Items (name, quantity, unit, category, bought flag).
List metadata (createdAt, optional plan window dates, optional scheduled shopping date).
This content is stored locally in Hive boxes (recipes, browse_recipes, pantry, shoppingLists) and synced, when a user is signed in, to Firebase Realtime Database under usersData/<uid>.
Notification preferences
Whether notifications are enabled globally.
Settings for pantry reminders, planner reminders and shopping reminders (time of day, days of week, frequency).
Stored locally (Hive/shared preferences) and used to schedule local notifications on your device.
App preferences & settings
Whether to show pantry expiration dialogs.
Whether to include optional ingredients in pantry match calculations.
Visibility of dashboard sections (upcoming meals, expiring items, shopping lists, recent recipes).
Last sync timestamp and active cooking session metadata.
These are stored locally in a settings Hive box and in SharedPreferences on the device.
Spoken text transcripts (not raw audio):
The App uses the speech_to_text plugin and the operating system’s speech recognition services to convert your voice into text for pantry and shopping list input.
The App receives only the text transcript, which may include ingredient names, quantities and natural speech phrases.
Transcripts and separated item phrases are held in memory, and may be used to create pantry or shopping list items.
Text from OCR and webpages
OCR’d text extracted from images of recipes.
Visible text and sometimes HTML content from recipe websites.
These texts are used to extract structured recipes.
Via Firebase Analytics, the App collects:
Screen views (e.g., login_screen, recipe_detail, pantry).
Event data (e.g., login attempts, successful/failed authentication, pantry item saved/deleted, shopping list changes, AI parsing start/completion, storage initialization, notification scheduling).
Technical data such as event timestamps and basic device info as handled by Firebase Analytics.
User identifiers (Firebase user ID) may be associated with analytics events via setUserId.
Via Firebase Crashlytics, the App collects:
Non-fatal exceptions and crashes.
Stack traces.
Custom keys related to the error context (for example: recipe or pantry item IDs, error reason codes, whether the user is signed in).
These logs are used to diagnose and fix technical issues.
Photos and camera images used to scan recipes.
Images are read from the camera or photo library and processed locally using Google ML Kit Text Recognition and image-processing libraries.
The App may store temporary processed images on the device file system for OCR, then delete or overwrite them.
A user-selected recipe photo may be stored locally (localImagePath) and, if uploaded as a profile picture, in Firebase Storage.
For certain features, the App sends data to third-party AI services:
To Google Gemini (generativelanguage.googleapis.com):
OCR-extracted recipe text, website text, or HTML fragments plus the original URL.
Spoken pantry or shopping list text transcripts.
Prompts that include lists of allowed units, categories and base ingredient names.
To Grok (x.ai) (api.x.ai), if configured as provider:
Similar recipe text or HTML content for recipe extraction.
To a configurable OpenAI-compatible endpoint (https://api.openai.com/v1/responses by default):
Small JSON payloads describing ingredient amount, source unit, target unit and optional ingredient name, in order to compute unit conversions.
To Google Translate via the translator package:
Snippets of OCR’d text to detect whether it is a readable language for recipe OCR.
These requests are necessary for recipe extraction, pantry/shopping parsing, and some unit conversions, and may include content the user scans or speaks, but are not intended to include account identifiers.
We collect information through:
User input – when you sign up, log in, edit your profile, add or edit recipes, pantry items or shopping lists, schedule meals, and configure settings.
Device features – when you grant access to camera, photo library, microphone, speech recognition or notifications, the App uses those capabilities for scanning recipes, voicing ingredients, and delivering reminders.
Automatic collection – through Firebase Analytics and Crashlytics, which automatically collect usage and crash data.
AI processing requests – when you choose to:
scan a recipe from an image,
import a recipe from a URL,
parse spoken pantry or shopping items,
or perform certain unit conversions;
the App sends the relevant text/content to the AI providers as described above.
We use the collected information to:
Provide core features:
display, edit and sync recipes, pantry items, shopping lists and meal plans;
schedule and manage cooking sessions;
compute pantry match percentages and ingredient availability;
generate shopping lists from meal plans.
Support capture/import features:
extract recipes from images, text or websites;
parse spoken pantry or shopping inputs into structured items;
perform ingredient unit conversions.
Maintain your account and profile:
authenticate you via Firebase Auth;
store and display your profile data;
manage sessions across app launches.
Improve stability and performance:
analyze app usage via Firebase Analytics;
investigate errors and crashes via Firebase Crashlytics;
monitor the success/failure of AI and OCR operations.
Provide notifications:
schedule local reminders for pantry reviews, meal planning, daily meals and shopping;
reschedule notifications after device reboot.
We do not sell your personal information or use it for advertising.
Certain features rely on third-party AI services (Google Gemini, Grok, OpenAI-compatible endpoints) and language detection (Google Translate):
When you scan a recipe from an image, import from a URL, or paste HTML, the app sends:
recipe text extracted by OCR, parts of the webpage or structured data, and sometimes the source URL to the AI provider for parsing into ingredients, steps and metadata.
When you use voice-based pantry or shopping features:
speech is transcribed by OS speech recognition services (Apple or Google) into text;
the text is then sent to Google Gemini to extract ingredient names, units, quantities, categories and expiration dates.
When you trigger certain unit conversions that cannot be handled locally:
the App sends a minimal JSON payload with amount, source unit, target unit and optional ingredient name to an OpenAI-compatible endpoint.
When determining if OCR text is readable:
short snippets of the text are sent to Google Translate to detect language and readability.
These third-party providers process the data according to their own privacy policies. Your content may be temporarily stored or logged by those providers to operate their services.
The App uses:
Hive (local key–value storage) for:
recipes, browse recipes, pantry, shopping lists;
settings;
authentication session data.
SharedPreferences for:
simple boolean and string flags such as dashboard preferences and certain settings.
All of this data resides on your device. It can be cleared by uninstalling the app and, where supported in the UI, by clearing data or resetting certain settings.
The App uses several Firebase services:
Firebase Authentication – account creation, login, login via Google and Sign in with Apple, password reset.
Firebase Realtime Database – storage of per-user data under usersData/<uid>, including:
email and signUpDate;
recipes, pantry items, calendar data and shopping lists.
Firebase Cloud Firestore – storage of global browse recipes and ingredient tokens, used for discovery and search, not tied to your account.
Firebase Storage – storage of profile pictures you upload.
Firebase Analytics – collection of anonymized usage statistics and events.
Firebase Crashlytics – collection of crash and non-fatal error reports.
Data stored in Firebase may be hosted on servers located in different regions depending on Firebase configuration.
At the time of this codebase:
The App does not include in-app purchase or billing logic.
No payment information (card numbers, billing addresses) is collected or processed by the App.
SUBSCRIPTION_PLAN.md and SUBSCRIPTION_PLAN_UPDATED.md describe planned Free, Premium and Pro tiers and AI credit systems, but these are not yet enforced in the client.
If and when subscriptions or credit purchases are implemented in future versions:
Purchases will be processed by the relevant app stores or external payment providers.
Additional privacy disclosures may be added to reflect any new data flows (e.g., purchase receipts, subscription status).
Based on AndroidManifest and Info.plist:
Camera – to capture photos of recipes for OCR-based scanning.
Photo library / storage – to select existing images for recipe capture and to store temporary processed images.
Microphone – to capture voice for pantry and shopping list input.
Speech recognition – to convert your voice into text on the device using OS services.
Internet – to communicate with Firebase, AI APIs, Google ML Kit, Google Translate and other network services.
Wake lock – to keep the screen on during cooking mode.
Notifications / exact alarms / vibration / boot completed – to show scheduled reminders and reschedule them after device restart.
Background fetch / remote notification (iOS) – to handle certain notification and sync scenarios.
You may revoke these permissions at any time in your device settings. Some features will not work without the corresponding permission.
The App integrates with the following third-party services:
Google Firebase (Auth, Realtime Database, Storage, Analytics, Crashlytics, Cloud Firestore).
Google ML Kit Text Recognition (OCR on device / via Google frameworks).
Google Sign-In and Sign in with Apple (social login).
Google Gemini API (generativelanguage.googleapis.com) – recipe extraction, ingredient parsing and shopping list parsing from text.
Grok (x.ai) (api.x.ai) – optional alternative for recipe extraction (if configured).
OpenAI-compatible API (api.openai.com or configured endpoint) – optional unit conversion assistant.
Google Translate API (via translator package) – language detection for OCR text.
speech_to_text plugin – uses OS-level speech recognition services.
flutter_local_notifications & system notification services – scheduling and displaying notifications.
Each of these providers processes data under its own terms and policies. We recommend reviewing their privacy policies.
Where the GDPR applies, we rely on the following legal bases:
Contract performance – to provide the App and its core features, including account management, syncing, recipe/pantry/list storage and notifications you request.
Legitimate interests – to improve stability and security via analytics and crash reporting, and to enhance features such as OCR, recipe parsing and unit conversion.
Consent – for:
notifications (where consent is required by platform),
access to camera, microphone, photo library and speech recognition,
storing and processing content you voluntarily submit for AI-based features.
You may withdraw consent at any time by changing settings or revoking permissions, but this will not affect processing already performed.
Subject to applicable law, you have the right to:
Access the personal data we hold about you.
Request correction of inaccurate or incomplete data.
Request deletion of your data (“right to be forgotten”), subject to legal retention requirements.
Request restriction of processing in certain circumstances.
Object to processing based on legitimate interests.
Request data portability in a structured, commonly used format for data you provided.
Lodge a complaint with a supervisory authority.
To exercise these rights, please contact us at [contact@email.com]. We may need to verify your identity before fulfilling your request.Because the app relies on Firebase and local storage, deleting your account includes removing your user document and associated data from Firebase and deleting or anonymizing Crashlytics identifiers. You can remove local data by uninstalling the app.
Where the CCPA/CPRA applies:
We do not sell or share your personal information for cross-context behavioral advertising.
We act as a “business” that uses “service providers” such as Firebase and AI providers to process data on our behalf.
You have the right to:
Request to know the categories and specific pieces of personal information we have collected about you.
Request deletion of your personal information, subject to exceptions.
Request correction of inaccurate personal information.
Not be discriminated against for exercising your privacy rights.
You or your authorized agent can submit requests by contacting us at [contact@email.com]. We will respond as required by California law.
CooKing is not directed to children under the age of 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children under this age.If you are a parent or guardian and believe that your child has provided personal data through the App, please contact us so we can delete that information.
We retain your data for as long as:
your account is active, or
as necessary to provide the App, comply with legal obligations, resolve disputes and enforce agreements.
When you request deletion of your account:
We will delete or anonymize your Firebase user data (recipes, pantry, lists, profile) within a reasonable time.
Crashlytics and Analytics data may be retained in aggregate or anonymized form for technical and statistical purposes.
Local data on your device will be removed when you uninstall the App; certain settings can also be reset from within the App.
We take reasonable technical and organizational measures to protect your information, including:
Using Firebase services with industry-standard security.
Encrypting network connections using HTTPS/TLS for Firebase, AI APIs and other HTTP requests.
Limiting Crashlytics context to technical details rather than sensitive content.
Avoiding storage of plaintext passwords.
However, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
Your information may be transferred to and processed on servers located outside your country of residence, including where Firebase and AI providers operate. These countries may have data-protection laws different from those in your jurisdiction.By using the App, you consent to such transfers, subject to applicable law. Where required, we will rely on appropriate safeguards (such as standard contractual clauses) provided by our processors.
We may update this Privacy Policy from time to time. The “last updated” date will be revised accordingly. If changes are material, we will provide additional notice via the App or other appropriate means.Your continued use of CooKing after the effective date of any changes constitutes acceptance of the revised policy.
If you have questions about this Privacy Policy, or wish to exercise your rights, please contact us at:
Email: contact@qsi-labs.com