Data Controller: Popescu Ionut Gabriel, Bucharest, Romania. Contact: privacy@culinarium.app.
We do not currently appoint a Data Protection Officer (DPO) as we do not meet the threshold under GDPR Art. 37. You may contact us at the email above for any privacy-related inquiries.
1. Who We Are
Culinarium is a food-first social platform available on iOS and Android ("the App"). It allows you to share food photos and videos, browse recipes, follow creators, watch Shortbites (short food videos), plan weekly meals, and manage grocery lists. The App is operated by Popescu Ionut Gabriel ("we", "us", "our"), an individual based in Bucharest, Romania.
2. Data We Collect
2.1 Data you provide
- Account data: email address, password (stored as a cryptographic hash, never in plain text), display name, profile photo, bio (all optional except email and password).
- Sign-in with Apple / Google: if you use a third-party sign-in, we receive only your name and email (as permitted by you). We do not receive your password from these providers.
- User-Generated Content (UGC): recipes, food photos, videos, comments, likes, follows, collections, weekly plans, shopping list items, ratings, and reviews.
- Communications: if you contact us via email (support, abuse reports, appeals), we retain the correspondence.
2.2 Data collected automatically
- Device information: device model, operating system and version, app version, language/locale, screen resolution.
- Push notification tokens: Firebase Cloud Messaging (FCM) device tokens for delivering push notifications. These tokens are device-specific identifiers, not personal data per se, but we treat them with equivalent care.
- Advertising identifier: IDFA (iOS) or Advertising ID (Android), only with your consent, for ad personalization via Google AdMob.
- Usage data: interactions within the App (e.g., pages viewed, features used, time spent), crash reports, performance metrics.
- IP address: may be transiently processed by our infrastructure providers (Fly.io, Cloudflare) for security, delivery, and anti-abuse purposes. We do not store IP addresses in our own database.
2.3 Data we do NOT collect
- Precise geolocation (GPS)
- Contacts or address book
- Health or biometric data
- Financial or payment information (the App is free)
3. Purposes and Legal Bases
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the App and its features (account, posting, feed, social) | Account data, UGC, device info | Contract performance (Art. 6(1)(b)) |
| Deliver push notifications | FCM tokens, notification preferences | Consent (Art. 6(1)(a)) — you can disable in device settings or App Settings at any time |
| Serve advertisements (AdMob) | Advertising ID, ad interaction data | Consent (Art. 6(1)(a)) for personalized ads; Legitimate interest (Art. 6(1)(f)) for non-personalized ads |
| Security, anti-abuse, fraud prevention | Device info, IP (transient), usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Improve the App (bug fixes, feature development) | Crash reports, usage data (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Content moderation (community guidelines enforcement) | UGC, reports, account data | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Respond to your requests (support, data access, deletion) | Communications, account data | Legal obligation (Art. 6(1)(c)) and contract (Art. 6(1)(b)) |
| Comply with legal obligations | As required by law | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services and Sub-Processors
We use the following third-party services that process personal data on our behalf or as independent controllers:
| Provider | Purpose | Data processed | Location / Transfer safeguard |
|---|---|---|---|
| Google Firebase Authentication | User authentication (email, Google Sign-In) | Email, auth tokens | US — Standard Contractual Clauses (SCCs) |
| Google Firebase Cloud Messaging (FCM) | Push notifications | FCM device tokens | US — SCCs |
| Google AdMob | In-app advertising | Advertising ID, ad signals (with consent) | US — SCCs, Google Ads Data Processing Terms |
| Cloudflare R2 | Media storage (photos, videos) | Uploaded media files, uploader ID | EU/US — Cloudflare DPA with SCCs |
| Fly.io | Application hosting and database | All App data (encrypted at rest and in transit) | EU (Frankfurt) — Fly.io DPA |
| Apple (Sign in with Apple) | Authentication (if used) | Name, email (user-controlled) | US — Apple Privacy Policy |
We do not sell your personal data. We share data only with the processors listed above and as described in this policy.
5. International Data Transfers
Some of our processors (Google, Cloudflare, Apple) are based in the United States. For transfers outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914);
- EU-US Data Privacy Framework (where the recipient is certified);
- Binding Corporate Rules where applicable.
You may request a copy of the safeguards in place by contacting privacy@culinarium.app.
6. Data Retention
| Data category | Retention period |
|---|---|
| Account data and UGC | Until you delete your account, or 24 months of inactivity (then deleted/anonymized) |
| FCM push tokens | Until logout, token refresh, or account deletion |
| Security/anti-abuse logs | Up to 12 months |
| Backups (database) | Up to 90 days, then purged |
| Support correspondence | Up to 3 years (for legal/dispute resolution) |
| Legal records (abuse reports, appeals, DMCA notices) | 3–5 years as required by law |
7. Your Rights (GDPR)
As an EU/EEA resident, you have the following rights under GDPR:
- Access (Art. 15) — request a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten"). See Section 8 for our account deletion process.
- Restriction (Art. 18) — request limited processing.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any right, email privacy@culinarium.app. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
Right to complain: You may lodge a complaint with the Romanian supervisory authority ANSPDCP (dataprotection.ro) or with the supervisory authority in your EU member state of residence.
8. Account Deletion
You can delete your account at any time from within the App:
- Go to Profile → Settings → Account → Delete Account.
- Confirm your identity (re-enter password or re-authenticate).
- Your account and all associated personal data will be permanently deleted.
What is deleted: your profile, all posts (recipes, photos, videos, comments), likes, follows, collections, weekly plans, shopping lists, push notification tokens, and any other data linked to your account.
What is retained: anonymized aggregate data (e.g., total post count), legal records (abuse reports you made or received, DMCA notices), and database backups (purged within 90 days).
You may also request deletion by emailing privacy@culinarium.app.
For more details, see our Account & Data Deletion page.
9. Children
Culinarium is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If we discover that a user is under 16, we will promptly close their account and delete associated data. If you believe a minor has provided us with personal data, please contact privacy@culinarium.app.
10. Automated Decision-Making
We use algorithms to personalize your feed (showing content from accounts you follow and content similar to what you engage with). This is based on your usage patterns and does not produce legal effects or similarly significant effects on you. Ad personalization through AdMob (when consented) uses automated profiling for ad targeting; you may opt out at any time in App Settings > Privacy or by resetting your advertising ID in device settings.
11. Cookies & SDKs
The App uses mobile SDKs (not browser cookies). In the EEA/UK, we use Google's User Messaging Platform (UMP) to collect consent for personalized ads before any ad-related data processing begins. If you decline, we serve non-personalized ads only. You can change your consent choice at any time in App Settings > Privacy.
Our website (culinarium.app) does not use cookies or tracking scripts. It serves static pages only.
See our Cookies & Ads Policy for details.
12. Security
- TLS encryption for all data in transit.
- Passwords stored using industry-standard cryptographic hashing (bcrypt).
- Database encrypted at rest.
- Least-privilege access controls for all internal systems.
- Anti-abuse monitoring and rate limiting.
Data breach notification: In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the Romanian supervisory authority (ANSPDCP) within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.
13. California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: what personal information we collect, use, and disclose.
- Right to Delete: request deletion of your personal information.
- Right to Correct: correct inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: we do not sell your personal information. Sharing data with AdMob for targeted advertising may constitute "sharing" under CPRA; you can opt out via App Settings > Privacy or by resetting your advertising ID.
- Non-discrimination: we will not discriminate against you for exercising these rights.
Categories of personal information collected: identifiers (email, device ID), internet/network activity (usage data), user-generated content. See Section 2 for full details.
To submit a request, email privacy@culinarium.app. We will respond within 45 days.
14. UK Residents
The UK GDPR applies to our processing of personal data of UK residents. Your rights are substantially the same as those described in Section 7. You may lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.
15. Changes to This Policy
We may update this policy as our practices evolve or as required by law. Material changes will be announced in-app with at least 14 days' notice before taking effect. The "Effective date" at the top reflects the latest version.
16. Contact
- Privacy inquiries: privacy@culinarium.app
- General support: support@culinarium.app
- Data Controller: Popescu Ionut Gabriel, Bucharest, Romania
Data Controller: Popescu Ionut Gabriel, Bucharest, Romania. Contact: privacy@culinarium.app.
We have not appointed a Data Protection Officer (DPO), as we do not meet the threshold set out in Art. 37 GDPR. You may contact us at the address above with any privacy-related question.
1. Who We Are
Culinarium is a social platform dedicated to food, available on iOS and Android ("the App"). It lets you share food photos and videos and recipes, follow creators, watch Shortbites (short food videos), plan weekly meals, and manage shopping lists. The App is operated by Popescu Ionut Gabriel ("we"), an individual residing in Bucharest, Romania.
2. Data We Collect
2.1 Data you provide
- Account data: email address, password (stored as a cryptographic hash, never in plain text), display name, profile photo, bio (all optional except email and password).
- Apple / Google sign-in: if you use a third-party sign-in service, we receive only your name and email (according to your permissions). We do not receive your password from these providers.
- User-Generated Content (UGC): recipes, photos, videos, comments, likes, follows, collections, weekly plans, shopping lists, ratings, and reviews.
- Communications: if you contact us by email (support, abuse reports, appeals), we keep the correspondence.
2.2 Data collected automatically
- Device information: model, operating system and version, app version, language/locale, screen resolution.
- Push notification tokens: Firebase Cloud Messaging (FCM) tokens for delivering push notifications.
- Advertising identifier: IDFA (iOS) or Advertising ID (Android), only with your consent, for ad personalization via Google AdMob.
- Usage data: interactions within the App (e.g., pages viewed, features used, time spent), error reports, performance indicators.
- IP address: may be transiently processed by our infrastructure providers (Fly.io, Cloudflare) for security and delivery. We do not store IP addresses in our database.
2.3 Data we do NOT collect
- Precise location (GPS)
- Contacts or phone address book
- Health or biometric data
- Financial or payment information (the App is free)
3. Purposes and Legal Bases
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the App and its features | Account data, UGC, device info | Contract performance (Art. 6(1)(b)) |
| Deliver push notifications | FCM tokens, notification preferences | Consent (Art. 6(1)(a)) |
| Serve advertisements (AdMob) | Advertising ID, ad interaction data | Consent (Art. 6(1)(a)) for personalized ads; Legitimate interest (Art. 6(1)(f)) for non-personalized ads |
| Security, anti-abuse, fraud prevention | Device info, IP (transient), usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Improve the App | Error reports, usage data (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Content moderation | UGC, reports, account data | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Respond to your requests | Correspondence, account data | Legal obligation (Art. 6(1)(c)) and contract (Art. 6(1)(b)) |
| Comply with legal obligations | As required by law | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services and Sub-Processors
| Provider | Purpose | Data processed | Location / Transfer mechanism |
|---|---|---|---|
| Google Firebase Authentication | User authentication | Email, authentication tokens | US — Standard Contractual Clauses (SCCs) |
| Google Firebase Cloud Messaging | Push notifications | FCM tokens | US — SCCs |
| Google AdMob | In-app advertising | Advertising ID, ad signals (with consent) | US — SCCs, Google Ads DPA |
| Cloudflare R2 | Media storage (photos, videos) | Media files, uploader ID | EU/US — Cloudflare DPA with SCCs |
| Fly.io | Application hosting and database | All App data (encrypted) | EU (Frankfurt) — Fly.io DPA |
| Apple (Sign in with Apple) | Authentication (if used) | Name, email (user-controlled) | US — Apple Privacy Policy |
We do not sell your personal data. We share data only with the processors listed above and in accordance with this policy.
5. International Data Transfers
Some of our processors (Google, Cloudflare, Apple) are based in the US. For transfers outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914);
- EU-US Data Privacy Framework (for certified recipients);
- Binding Corporate Rules, where applicable.
6. Data Retention
| Data category | Retention period |
|---|---|
| Account data and UGC | Until account deletion or 24 months of inactivity |
| FCM tokens | Until logout, token refresh, or account deletion |
| Security/anti-abuse logs | Up to 12 months |
| Database backups | Up to 90 days |
| Support correspondence | Up to 3 years |
| Legal records (abuse reports, appeals, DMCA notices) | 3–5 years as required by law |
7. Your Rights (GDPR)
As an EU/EEA resident, you have the following rights:
- Access (Art. 15) — request a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten"). See Section 8.
- Restriction (Art. 18) — request limited processing.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests, including direct marketing.
- Withdrawal of consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing.
To exercise any right, write to privacy@culinarium.app. We respond within 30 days.
Right to lodge a complaint: You may lodge a complaint with ANSPDCP (dataprotection.ro) or with the supervisory authority in your EU member state of residence.
8. Account Deletion
You can delete your account at any time from the App: Profile → Settings → Account → Delete account. All associated personal data will be permanently deleted. For details, see the Account and Data Deletion page.
9. Minors
Culinarium is intended for users aged 16 and over. We do not knowingly collect data from persons under 16. Accounts identified as belonging to minors will be closed and their data deleted.
10. Automated Decisions
We use algorithms to personalize your feed. Ad personalization through AdMob (when consented to) uses automated profiling; you can opt out at any time in Settings > Privacy.
11. Cookies and SDKs
The App uses mobile SDKs (not browser cookies). In the EEA/UK, we use Google's UMP to obtain consent for personalized ads. Our website (culinarium.app) does not use cookies or tracking scripts. See the Cookies & Ads Policy.
12. Security
- TLS encryption for all data in transit.
- Passwords stored as a cryptographic hash (bcrypt).
- Encrypted database.
- Least-privilege access for all systems.
- Anti-abuse monitoring and rate limiting.
Data breach notification: In the event of a personal data security breach, we will notify ANSPDCP within 72 hours and affected users without undue delay, in accordance with GDPR Art. 33–34.
13. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights: the right to know, to delete, to correct, and to opt out of sharing. We do not sell your personal information. Sharing data with AdMob for targeted advertising may constitute "sharing" under the CPRA; you can opt out in Settings > Privacy. Contact: privacy@culinarium.app.
14. UK Residents
The UK GDPR applies to the processing of UK residents' data. Your rights are similar to those in Section 7. You may lodge a complaint with the ICO: ico.org.uk.
15. Changes to the Policy
We may update this policy. Significant changes will be announced in the App at least 14 days in advance.
16. Contact
- Privacy: privacy@culinarium.app
- General support: support@culinarium.app
- Data Controller: Popescu Ionut Gabriel, Bucharest, Romania