Privacy Policy
What we collect, what we don't, and why.
The short version
Prep Slate is a tool you use to save and cook recipes. To do that, we keep your account (email, password, preferences), the recipes you save, and the activity related to using them (planned meals, cook sessions, shopping list). We use a small number of well-known service providers to host the app, store images, send essential email, and understand which features are used. We do not sell your data. We do not give it to advertisers. You can export everything you have at any time, and delete your account at any time.
Information we collect
Account
- Your email address.
- A password, stored as a one-way bcrypt hash. We never see your plaintext password.
- Your timezone and your default eat time, so the planner schedules cook times correctly.
Content you create or save
- Recipes you write or import: title, ingredients, steps, photos, tags, and source URL.
- Planned meals and cook sessions, including the time of day they happened and how far through a recipe you got.
- Shopping list items, including which recipes they came from.
- Tags you create to organize your library.
Subscription and billing
How a subscription is purchased depends on where you sign up. On the web, payments are processed by Stripe; in the iOS app, payments are processed through the Apple App Store. In both cases we never see or store your card number — Stripe or Apple handles that. What we receive is the information we need to manage your subscription: a transaction or subscription identifier, the product identifier, the status (active, cancelled, expired), and the current period end date.
For web subscriptions, Stripe creates a customer record associated with your email address so it can charge your card, manage renewals, and provide the billing portal where you update payment details or cancel. We store the Stripe customer identifier on your account to link your subscription to you. For iOS subscriptions, Apple provides an opaque, store-issued account token that links a purchase to your account without exposing your store identity.
Technical and security data
- The IP address and user agent (browser or device) of each sign-in, stored with your session so we can show you the active sessions and help you spot anything suspicious.
- Standard web server logs (request URL, status, timing), kept for a short period for debugging and abuse prevention.
- Error reports from the app, with stack traces and the request context that triggered them, so we can fix bugs.
Product analytics
We measure how the product is actually used so we know what to improve. This is event-level data (for example, "an import was started", "a cook session completed") associated with your account, plus basic visit data (the page you landed on, the site that referred you, browser and device type). All of it is collected first-party and stored in our own database — no third-party analytics service receives it. We do not collect mouse-recording, session-replay, keystroke capture, or any other surveillance-grade telemetry. If you delete your account, this data is disassociated from you.
Information we do not collect
- We do not access your contacts, calendar, microphone, camera, or precise location.
- We do not collect biometric data.
- We do not buy data about you from data brokers.
- We do not sell, rent, or trade your personal data to anyone, for any purpose, ever.
- We do not run third-party advertising trackers in the app.
- We do not show ads. There is no ad network reading anything you do here.
How we use information
- To run the product.Storing and showing your recipes, planning meals, generating shopping lists, recording cook sessions, processing payments through Stripe (web) and the Apple App Store (iOS).
- To improve the product.Looking at aggregate usage patterns to decide what to build next, what is confusing, what is broken.
- To support you.Answering email you send us, investigating account issues, restoring data if something goes wrong.
- To send essential email.Account confirmations, password resets, billing notices, occasional security or service announcements. We do not send marketing email unless you opt in explicitly.
- To keep the service safe.Detecting abuse, brute-force sign-in attempts, scraping, and other things that hurt other users or the service.
Recipe imports
When you paste a URL into the importer, our server fetches that page on your behalf. We parse the page for recipe structured data (JSON-LD), and when a page does not provide clean structured data, we may pass the visible recipe content to a large language model so it can extract the ingredients and steps.
Photo imports work the same way: the photos you upload (a cookbook page, a screenshot, a handwritten card) are sent to a large language model to extract the recipe, and the original photos are stored with your recipe.
The LLM providers we use for this are Google Gemini (operated by Google) and Amazon Bedrock (operated by Amazon Web Services). We send the recipe content that needs parsing, along with the names of your existing tags so suggested tags stay consistent with your library. We never send your name, email, or billing details. We log these calls through Braintrust so we can audit and improve quality.
The parsed recipe, the source URL, and the cover image are then saved to your account. The original page belongs to its publisher; importing it for your personal use does not transfer ownership to Prep Slate.
Service providers we rely on
We use a deliberately small number of vendors. Each one only receives the minimum data it needs to do its job.
- Amazon Web Services (AWS).Hosts the application database and stores recipe images in Amazon S3. AWS sees everything in the app, but only as the platform that runs it.
- Sentry.Receives error reports when something breaks. May include request paths, browser details, and (rarely) parts of request payloads. Personally identifying information is scrubbed from error reports where we can.
- Google (Gemini) and Amazon Web Services (Bedrock).Used only for parsing recipe content during imports, including uploaded recipe photos, as described above.
- Resend.Sends our transactional email (password resets, account notices), so it receives your email address and the contents of those messages.
- Braintrust.Stores telemetry from our LLM calls so we can monitor quality and catch regressions in the import pipeline.
- Stripe.Processes payments and subscriptions purchased on the web. Stripe receives your email and payment details directly at checkout; we never see your card number. Its privacy policy covers anything you give it at checkout.
- Apple App Store.Processes payments and subscriptions made in the iOS app. Apple receives your payment details directly at checkout; we never see your card number. Its privacy policy covers anything you give it at checkout.
Data retention
Your recipes, plans, and other content are kept for as long as your account exists. If you delete your account, we delete your content from the live database immediately and from active backups on a rolling schedule. Aggregate, non-identifying analytics may be retained longer.
Server logs and error reports are kept for a short operational window — generally 30 to 90 days — and then rotated.
Your rights and how to exercise them
You always have these rights, no paperwork required:
- Export your data.You can download your full library as JSON, and any recipe as printable HTML, at any time, including after your subscription ends.
- Update your profile.Email, timezone, default eat time — all editable from your profile.
- Delete your account.Removes your account, your recipes, your plans, your sessions, your shopping list, and your subscription records from our systems.
- Ask us anything.If you want to know exactly what we hold for your account, or you want a copy in a specific format, email us and we will help.
If you are in the EU, UK, California, or another jurisdiction that grants statutory privacy rights (access, correction, erasure, portability, objection), those rights apply to you. The simplest way to exercise them is to use the in-app controls above, but you are welcome to email us instead.
How we keep your account safe
- All traffic is served over HTTPS.
- Passwords are stored as bcrypt hashes; we never store or transmit them in plaintext.
- Sessions are tied to your IP and user agent, and you can sign out of any active session from your profile.
- Production database access is restricted to a small number of operators on company-managed devices.
No system is perfectly secure. If you suspect your account has been compromised, change your password and email us so we can help.
Children
Prep Slate is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has created an account, please contact us and we will remove it.
International users
Prep Slate is operated by BMK Studios LLC from the United States. If you use the app from outside the US, you are sending your data to the US. We take reasonable steps to protect it the same way wherever you are.
Changes to this policy
If we change this policy in a way that meaningfully affects how we treat your data, we will update the "Last updated" date above and, for substantive changes, let you know by email before the change takes effect.
Contact
Prep Slate is a product of BMK Studios LLC. We are responsible for the information described in this policy. Questions, requests, or concerns about this policy: email us at support@prepslate.com.