
Privacy Policy

Method Cooking

Last updated: 8 June 2026
Version: 1.1
Effective: 8 June 2026 for new accounts; 22 June 2026 for accounts created before then

privacy-v1.1-2026-06-08

Users who joined before 8 June 2026 remain on Privacy Policy v1.0 until it is superseded by v1.1 on 22 June 2026. Users joining on or after 8 June 2026 are covered by v1.1.

1. Who we are and how to reach us

Method Cooking is operated by Cha Cha Labs, PBC, a Delaware Public Benefit Corporation (“Method Cooking,” “we,” “us,” or “our”). We are the data controller for the personal data described in this Privacy Policy.

How to contact us about your data.

UK Article 27 Representative. A UK Representative under UK GDPR Article 27 will be designated and named in this Section and Section 17 once engagement is complete. Until then, please contact us directly at the email address above for any data-protection inquiry.

2. The information we collect

We collect the following categories of personal information.

Information you give us directly:

  • Your email address (when you sign up to our landing page or to participate in the Tester Program).
  • Your account credentials (when you create or upgrade an account; via Google sign-in if you choose to upgrade from anonymous-first authentication).
  • Your recipe content (URLs, photographs, text, notes) that you submit for conversion into our structured Method Format.
  • Your shared cooking task data (when you use the helper page feature to share a task with someone you are cooking with).
  • Your communications with us (email, in-product messages, feedback you submit during the Tester Program).
  • Your tester program survey and feedback responses.

Information we collect automatically:

  • Product analytics about how you use Method Cooking, collected through PostHog. We use these analytics for product improvement, tester program cohort management, and operational monitoring of the Service. PostHog processing is keyed to your tester program email so we can understand cohort-level behavior over time. We do not use this data for cross-context behavioral advertising and we do not share it with third parties for their own purposes. See Section 5 for the categories of data we sync into PostHog and Section 9 for the constraints we apply.
  • Error events (technical information about crashes or failures), collected through Sentry. This may include browser, device, and IP information.
  • Anti-abuse signals from reCAPTCHA, used to distinguish humans from automated bots.
  • Server-side request logs (IP address, user agent, timestamp), collected through Vercel and Supabase for operational monitoring.

Information we collect from third parties:

  • If you sign in with Google, we receive your name and email address from Google as part of the sign-in flow.

Recipe-input retention. We keep your recipe content for as long as your account is active. If you delete a recipe, it is removed from your account immediately and from our backups within 30 days. If you delete your account, your recipe content is removed within 30 days of deletion.

3. How we use your information

We use your personal information to:

  • Deliver the Service. Convert your recipes into the Method Format, provide our AI cooking assistant (“Charlie”), and operate the helper page feature for shared cooking.
  • Authenticate and maintain your account. Verify it is you and keep your account active.
  • Communicate with you. Send you product updates, tester program communications, and respond to your inquiries.
  • Improve the Service. Use product analytics to understand how the Service is used and where to improve, including cohort-level behavioral patterns over time, conversion attempts, and operational error patterns. See “Improving the Service includes AI training” below for the AI-training-specific disclosure.
  • Prevent abuse. Use reCAPTCHA, rate limiting, and security telemetry to protect the Service and other users.
  • Administer the Tester Program. Match applicants to cohorts, communicate with cohorts, collect and review feedback.

Improving the Service includes AI training. We may use anonymized and aggregated recipe content (the underlying ingredients, instructions, structural patterns of submitted recipes, and any edits or corrections you make to Method Format output, with personal identifiers stripped) to train, fine-tune, and evaluate the AI models that power the Method Format conversion. We do not train models on photographs that include identifiable people, your name, your account information, or your conversational interactions with our AI cooking assistant. We do not sell User Content to third parties. If you delete a recipe, we stop using that recipe in any future training; copies already incorporated into a trained model state cannot always be removed retroactively from the model itself. This disclosure is consistent with the AI training language in Section 6 of our Terms of Service.

What we do not do with your information.

  • We do not sell your personal data.
  • We do not share your personal data with third parties for their own marketing purposes.
  • We do not use your personal data for cross-context behavioral advertising.
  • We do not use your conversational interactions with our AI cooking assistant for AI training (these stay within the operational context of providing the Service).

4. Legal bases for processing (UK and EU GDPR)

If you are a user in the United Kingdom or the European Economic Area, the legal bases on which we process your personal data are:

  • Performance of a contract (UK GDPR Article 6(1)(b)): for processing necessary to deliver the Service to you (account, recipe conversion, AI cooking assistant, helper page).
  • Consent (UK GDPR Article 6(1)(a)): for marketing communications, Tester Program participation, and any non-essential cookies that require it under PECR (see Section 9).
  • Legitimate interests (UK GDPR Article 6(1)(f)): for security, abuse prevention, product analytics for service improvement (including tester program cohort analysis and operational monitoring of conversion attempts and error events), and the operation of our analytics warehouse described in Section 5. Where we rely on legitimate interests, we have considered your interests and rights and concluded that our processing does not override them. Section 5 describes the operational constraints we apply to keep this processing limited to product improvement and cohort management.
  • PECR Regulation 6 (UK), as amended by the Data (Use and Access) Act 2025: for analytics cookies used solely to make improvements to the Service (see Section 9 for detail).
  • Compliance with legal obligation (UK GDPR Article 6(1)(c)): where applicable (for example, responding to lawful requests from regulators or law enforcement).

You can withdraw consent at any time where consent is the basis for processing. See Section 8 for how to exercise your rights.

5. The companies that help us run Method Cooking (sub-processors)

We use the following service providers (“sub-processors”) to operate Method Cooking. Each sub-processor processes personal data only for the purposes we instruct, under a Data Processing Agreement.

| Sub-processor | Role | Data category | Hosting jurisdiction |
|---|---|---|---|
| Supabase | Primary database and authentication store | Account credentials, account profile, recipe content, helper-page task data | United States (us-west-2 region) |
| Google Cloud (Cloud Run, Gemini family models, OAuth, Workspace) | AI inference, hosting of the Method Engine, Google sign-in, founder email | Recipe input content (sent for AI conversion), authentication identifiers, email correspondence | United States |
| Mailchimp (The Rocket Science Group LLC) | Email marketing, Tester Program signups, transactional email | Email address, GDPR consent state, audience tags | United States (Data Privacy Framework participant) |
| PostHog (PostHog Inc, US) | Product analytics for usage measurement, tester program cohort analysis, operational monitoring, and analytics-warehouse processing of operational events | Behavioral usage events keyed to tester program email; cooking events; conversion attempts with sanitized error codes; recipe count snapshots; daily cohort snapshots; see Section 9 for cookie behavior and the operational constraints we apply | United States (us.posthog.com) |
| Sentry | Error monitoring | Error events including IP, user agent, stack traces | European Union (sentry.io) |
| Vercel | Web hosting and edge delivery | Server logs (IP, user agent, request metadata) | Global edge network |
| reCAPTCHA v2 (Google) | Bot protection on signup and other public surfaces | Anti-abuse signals (covered by Google Cloud Data Processing Addendum) | United States |
| Tally | Form hosting (Tester Program signup) | Form submission data, then exported to our internal systems | European Union |
| iPostal | Physical mailbox service for our postal address | Postal mail directed to our mailing address | United States |

When we add or change a sub-processor in a way that materially affects how your personal data is handled, we will update this Privacy Policy and notify users by email if the change is material.

Constraints on analytics processing. Where we process product analytics keyed to your tester program email (as described in Section 2 and the PostHog row above), we apply the following operational constraints to limit how the data is used:

  1. Defined data categories only. We sync only the categories listed for PostHog in the table above. Adding a new category requires a Privacy Policy update and renewed notice to you.
  2. No free-text personal information. Error strings and event payloads are sanitized server-side before they leave our database. We do not transmit names, comments, recipe text, or other free-text personal information into the analytics layer.
  3. Time-limited retention. Warehouse-derived analytical records are retained for no longer than 24 months and are then automatically purged.
  4. Erasure cascade. When you exercise your right to deletion under Section 8, your analytics data is deleted from PostHog (including the warehouse) at the same time as your account data, using PostHog’s deletion API and a corresponding warehouse purge.
  5. Documented access. Only authorized members of our team can query the analytics warehouse. The access list is reviewed quarterly.
  6. Annual compliance review. We review the analytics processing against these commitments at least once per year and record the result.

6. International transfers of personal data

Some of our sub-processors are located in the United States. When we transfer your personal data outside the United Kingdom or the European Economic Area, we rely on one or more of the following lawful transfer mechanisms under UK GDPR and EU GDPR Chapter V:

  • For transfers of UK personal data: the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK International Data Transfer Addendum annexed, issued by the Information Commissioner’s Office. We carry out a transfer risk assessment for these transfers, including for our primary database provider Supabase Inc (United States) and our product-analytics provider PostHog Inc (United States).
  • For transfers of EU and EEA personal data: the European Commission’s Standard Contractual Clauses (2021).
  • EU-US Data Privacy Framework (DPF) and UK-US Data Bridge. Where a US sub-processor is certified under the EU-US DPF (for example Mailchimp and Google), or under the UK-US Data Bridge that operates as the UK Extension to the DPF, we may rely on that certification for transfers within the scope of its certification, and treat the clauses above as a backup mechanism. Where PostHog Inc maintains DPF certification with the UK Extension, we may rely on that certification for transfers to PostHog Inc.

You can request more information about the safeguards we use by emailing privacy@methodcooking.com.

7. How long we keep your personal data

We keep your personal data only as long as we need it for the purposes set out in this Policy.

  • Account data (email, profile, authentication): while your account is active, then 30 days after account deletion before full removal from production systems and backups.
  • Recipe content: as described in Section 2; deleted on your action or within 30 days of account deletion.
  • Mailchimp marketing audience: until you unsubscribe; following unsubscribe, your address is retained on Mailchimp’s suppression list to honor your unsubscribe request and to comply with email marketing record-keeping obligations (typically several years under CAN-SPAM).
  • Analytics events (PostHog): standard behavioral events are retained according to PostHog’s configured retention for our project. Operational records synced into our PostHog Data Warehouse from Supabase (cooking events, conversion attempts, recipe count snapshots, daily cohort snapshots) are retained for no more than 24 months and are then automatically purged.
  • Tester Program feedback: retained for the duration of the Tester Program and for two years after the Tester Program ends, for product-improvement evidentiary purposes.
  • Server logs: typically 30 to 90 days, depending on the source (Vercel and Supabase defaults).
  • Recipes deleted by you: removed from active systems immediately and from backups within 30 days.

If you delete your account, all categories above are processed on the timelines stated, with backup removal completing within 30 days unless a longer retention is required by law.

8. Your rights

If you are in the United Kingdom or the European Economic Area, you have the following rights under UK GDPR and EU GDPR:

  • Access: the right to receive a copy of the personal data we hold about you.
  • Rectification: the right to ask us to correct inaccurate or incomplete personal data.
  • Erasure (“right to be forgotten”): the right to ask us to delete your personal data in certain circumstances.
  • Restriction: the right to ask us to limit the processing of your personal data in certain circumstances.
  • Portability: the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Objection: the right to object to processing based on our legitimate interests or for direct marketing.
  • Withdrawal of consent: where we rely on consent, the right to withdraw it at any time.
  • Automated decision-making: the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you. Method Cooking does not currently make such decisions.
  • Complaint: the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local EU Supervisory Authority.

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you the rights to know what personal information we collect, delete personal information, correct inaccurate personal information, opt out of the sale or sharing of personal information (Method Cooking does not sell or share for cross-context behavioral advertising), and limit the use of sensitive personal information (Method Cooking does not collect sensitive personal information for purposes that would require this opt-out). You may also designate an authorized agent. We will not discriminate against you for exercising your rights.

How to exercise your rights. Email privacy@methodcooking.com with a description of your request. We will respond within one calendar month of receipt; for complex or numerous requests we may extend this by up to two further months and will tell you if we do.

For Method Cooking v1, account-deletion requests are handled manually by email. We will introduce a self-service deletion flow in a future version of the Service.

9. Cookies and similar technologies

Method Cooking uses cookies and similar technologies as described below. We do not use cookies for advertising, cross-site tracking, or building behavioral profiles of individual users.

Strictly necessary technologies. We use cookies and similar technologies for authentication, session security, the Access Gate during our soft-launch period, and reCAPTCHA bot protection. These do not require consent under PECR Regulation 6.

Product analytics for service improvement and tester program management. We use PostHog to measure how the Service is used, to manage tester program cohorts, and to monitor operational events such as conversion attempts and sanitized error patterns. We use this data to improve Method Cooking and to manage the Tester Program. We do not use it for cross-context behavioral advertising and we do not share it with third parties for their own purposes. The processing is keyed to your tester program email so we can understand cohort-level behavior over time; the operational constraints we apply to this processing are set out at the end of Section 5. Under PECR Regulation 6 as amended by the Data (Use and Access) Act 2025 (in force 5 February 2026), this use is conducted under the low-risk analytics consent exemption insofar as the data is used solely for service improvement. You can opt out at any time by emailing privacy@methodcooking.com or by toggling the analytics control in your Settings, where available.

reCAPTCHA cookies. Google reCAPTCHA v2 sets cookies on the google.com domain to distinguish humans from bots. This is covered by Google’s privacy policy and our Google Cloud Data Processing Addendum.

No marketing or advertising cookies. Method Cooking does not use cookies for advertising, retargeting, audience measurement for advertising purposes, or cross-site tracking of any kind.

10. Marketing communications

If you have signed up to receive emails from us (whether through the landing page, the Tester Program signup, or otherwise), we will send you product updates, tester program communications, and similar email content.

How we collect your consent. When you sign up, we use a single-opt-in flow with reCAPTCHA bot protection. You consent by submitting the form on the page where the consent text is displayed. This is a deliberate design choice (single opt-in plus bot protection), and our use of single opt-in is CAN-SPAM compliant.

How to unsubscribe. Every email we send includes an unsubscribe link. Click the link to stop receiving marketing emails. Your unsubscribe is processed promptly. You may continue to receive non-marketing transactional emails (for example, security alerts about your account) where these are necessary to provide the Service.

Physical address. Our mailing address is included in every marketing email footer (CAN-SPAM Section 5): Cha Cha Labs, PBC, 1604 Philadelphia Pike, PMB 303, Wilmington, DE 19809, United States.

11. Tester Program data

If you participate in our invite-only Tester Program, the following additional data-handling practices apply:

  • We collect your feedback (bug reports, suggestions, survey responses, in-product feedback).
  • We collect telemetry about how you use the Tester features, in addition to the standard analytics described in Section 2.
  • We may contact you by email about Tester-specific matters, including the Tester Credits Promotion described in Section 6 of the Tester Program Agreement (the controlling text on the offer’s definition, vesting, sunset, and forfeiture).

Tester data is handled by Method Cooking internally for product improvement and Tester Program administration. We do not share Tester-identifiable feedback externally.

12. AI processing

The Service uses artificial intelligence to convert your recipe content into the Method Format and to power our AI cooking assistant (“Charlie”). The AI processing involves the following:

  • Method Format conversion. When you submit a recipe, its content (URL, text, or photo content extracted on your device) is sent to our AI processing pipeline (the Method Engine), which uses third-party AI models in the Gemini family operated by Google Cloud. The AI returns a structured Method Format representation of your recipe.
  • AI cooking assistant interactions. When you interact with Charlie, your messages are processed by AI models in the same family.
  • Retention of inputs by AI providers. Method Cooking does not retain your recipe content or your AI cooking assistant interactions beyond what is needed to fulfill your request. Our agreement with Google Cloud governs how the underlying AI provider handles your inputs.
  • AI training on your content. See Section 3 (“Improving the Service includes AI training”) for the disclosure of when and how anonymized recipe content (and not your photos of identifiable people, your name, your account information, or your AI cooking assistant interactions) may be used for training.
  • AI may produce errors. AI output can be incorrect or incomplete, including in safety-relevant categories such as allergens, quantities, and cooking times.
  • In-product disclaimer. When you first use the AI features of the Service, you will see an in-product AI disclaimer covering these matters in user-facing language. You must acknowledge that disclaimer before continuing. Section 7 of our Terms of Service is the contractual disclosure that mirrors this in-product language.

13. Children’s privacy and age eligibility

Method Cooking is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16.

If you believe a person under 16 has provided personal data to Method Cooking, please contact us at privacy@methodcooking.com and we will delete it.

14. Security

We take reasonable and proportionate steps to protect your personal data, including:

  • Database security. Supabase row-level security (RLS) policies on all personal-data tables. Encryption at rest at the Postgres-service level.
  • Encryption in transit. All connections to the Service use TLS.
  • Anti-abuse. Rate limiting on signup and other public endpoints. reCAPTCHA bot protection on signup.
  • Access controls. During the soft-launch period, access to the Service is gated by a password (the Access Gate).

No system is perfectly secure. We do not claim absolute security. We will notify you in accordance with applicable law if we become aware of a personal-data breach that creates a risk to you.

15. Contact and complaints

For any privacy-related question or to exercise your rights:

  • Email: privacy@methodcooking.com
  • Postal: Cha Cha Labs, PBC, 1604 Philadelphia Pike, PMB 303, Wilmington, DE 19809, United States

Complaints.

  • United Kingdom. Information Commissioner’s Office, ico.org.uk.
  • European Economic Area. The Supervisory Authority in your country of residence.
  • California. California Attorney General’s Office, oag.ca.gov.
  • United States (other states). Your state’s attorney general or consumer-protection authority, as applicable.

We would appreciate the chance to address your concern before you escalate to a regulator. Email us first if you can.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

  • Material changes. Where a change materially affects your rights or our handling of your personal data, we will give you reasonable advance notice by email and through an in-product notice.
  • Non-material changes. Typo fixes, formatting updates, and clarifications take effect when posted, with the “Last updated” date at the top updated to reflect the change.

A changelog is maintained at the bottom of this Policy.

17. Jurisdiction-specific notes

United Kingdom. Method Cooking is committed to UK GDPR and PECR compliance. Our UK Article 27 Representative will be designated and added to Sections 1 and 15 once engagement is complete. We have deferred ICO registration in favor of Article 27 representation; this approach is documented in our internal compliance materials and is open to revisit at public launch.

European Union. Personal data of EU residents is handled in accordance with EU GDPR. Where we transfer EU personal data to the United States, we rely on the lawful transfer mechanisms described in Section 6 (SCCs and the EU-US Data Privacy Framework where applicable).

California. This Policy includes notice at collection of the categories of personal information we collect and the purposes for which we collect them. California residents have the rights described in Section 8.

Changelog

| Date | Version | Change |
|---|---|---|
| 2 June 2026 | v1.0 | Initial publication of Privacy Policy v1 for the Simmer cohort launch. |
| 8 June 2026 | v1.1 | Corrected the Section 5 PostHog hosting jurisdiction to the United States (us.posthog.com); updated Sections 2, 3, 4, and 9 to reflect that PostHog analytics processing is keyed to the tester program email for product improvement, cohort management, and operational monitoring, on a legitimate-interests basis; expanded the Section 5 PostHog data categories (cooking events, conversion attempts with sanitized error codes, recipe count snapshots, daily cohort snapshots) and added the “Constraints on analytics processing” sub-section documenting six operational limits; rewrote Section 6 to specify the correct transfer mechanism per originating jurisdiction (UK IDTA or EU SCCs with the UK Addendum for UK transfers; EU SCCs 2021 for EU transfers; EU-US DPF and UK-US Data Bridge as an overlay where certified); and updated Section 7 retention to reflect the 24-month auto-purge on warehouse-derived records. Material change. Published 8 June 2026: new accounts are covered by v1.1 on acceptance; existing v1.0 accounts received 14-day advance email notice and re-consent to v1.1 on the 22 June 2026 effective date. |