Privacy Policy

Last updated: 27 March 2026

Operator: Racim Amermoussa (“we”, “us”, “our”) operates the meal-planning application branded as Rizto / Weekly Recipe Planner (the “Service”).

Contact (privacy): racim.amermoussa@gmail.com

This Policy explains how we collect, use, store, and share personal data when you use the Service (website and related features). By using the Service, you acknowledge this Policy. If you do not agree, please do not use the Service.


1. Who this Policy applies to

  • Visitors who browse public areas (e.g. recipe catalogue) without signing in.
  • Registered users who create an account (e.g. via Google sign-in) and use planning, groceries, preferences, AI features, or calendar integration.

2. Data we collect

2.1 Account and profile

  • Authentication: When you sign in with Google, we receive identifiers and profile data that Google shares with us (e.g. user ID, email, display name, profile photo URL), as permitted by your Google account settings and Google’s policies.
  • User profile in our database: We store preferences and settings you provide or that we derive (e.g. diet, allergies, household, language, onboarding status, feature flags).

2.2 Content you create in the Service

  • Meal plans and calendars: Dates, selected recipes, reminders, and related notes you save.
  • Grocery lists: Items, quantities, categories, and check-off state.
  • Recipe interactions: Ratings, personal notes, “cooked” / “planned” dates, archive state, favourites, and similar fields tied to your account.
  • Fridge / adaptation features (if enabled): Ingredient lists or inputs you provide to suggest recipe adaptations.

2.3 Recipe catalogue data

  • Public catalogue: Some recipe information may be stored in a shared database readable without an account (e.g. titles, ingredients, steps, images).
  • Contributions: If you generate images or edit catalogue entries while signed in, those updates may be stored in the same catalogue and become visible to other users, depending on product design and permissions.

2.4 AI and automation

  • Prompts and outputs: Text you submit or that we build to generate recipes, suggestions, or images may be sent to Google AI (Gemini / Imagen) or other providers you configure.
  • Usage metadata: We may store counts or limits associated with AI usage (e.g. quotas) tied to your account.

2.5 Google Calendar (optional)

  • If you connect Google Calendar, we may store OAuth tokens or refresh tokens and calendar-related settings in your profile so we can create or update events on your behalf.
  • We request only the scopes needed for the features we expose.

2.6 Technical and security data

  • Device and connection: IP address, browser type, language, approximate region, timestamps, and similar data from standard server and client logs.
  • Cookies and local storage: We may use cookies or browser storage for session, language, and essential functionality.
  • Diagnostics: Error reports or performance data may be collected to keep the Service reliable.

We do not knowingly collect special categories of data under GDPR (e.g. health) beyond what you voluntarily enter (such as dietary preferences). Treat such fields as non-medical preferences.


3. How we use your data

We use personal data to:

  • Provide, operate, and improve the Service.
  • Authenticate you and protect accounts.
  • Sync your plans, lists, and preferences across devices.
  • Run AI features (recipe text, images) when you trigger them.
  • Integrate with Google Calendar when you opt in.
  • Enforce our terms, prevent abuse, and comply with law.
  • Communicate service-related messages (we do not sell your email for marketing).

4. Legal bases (EEA / UK / similar)

Where GDPR-style rules apply, we rely on:

  • Contract — processing necessary to provide the Service you request.
  • Legitimate interests — e.g. security, fraud prevention, product improvement, analytics that do not override your rights.
  • Consent — where required (e.g. certain cookies or optional integrations); you may withdraw consent where applicable.
  • Legal obligation — when the law requires us to retain or disclose data.

5. Sharing and processors

We do not sell your personal data. We share data only as needed with:

  • Infrastructure — Google Firebase (Authentication, Firestore, Storage, Hosting, Cloud Functions). Data may be processed on Google’s global infrastructure.
  • AI — Google (Gemini / Imagen) or other AI APIs you configure. Prompts and related content are sent according to those providers’ terms.
  • Hosting — e.g. Vercel or other deploy targets, which may process requests and logs.
  • Legal — courts, regulators, or parties when required by law or to protect rights and safety.

Each processor processes data under its own privacy policies and, where applicable, data processing terms.


6. International transfers

If you are in the EEA, UK, or Switzerland, your data may be transferred to countries that provide a different level of protection. Where required, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) offered by our processors.


7. Retention

  • Account data: Kept while your account exists and for a reasonable period after deletion to resolve disputes or meet legal duties.
  • Backups: May persist for a limited time after deletion.
  • Logs: Typically rotated on a short cycle unless longer retention is needed for security or legal reasons.

Specific retention periods may be adjusted; material changes should be reflected in updates to this Policy.


8. Your rights

Depending on your location, you may have the right to:

  • Access a copy of your data.
  • Correct inaccurate data.
  • Delete your account or certain data (the Service may offer export/delete tools in Settings).
  • Restrict or object to certain processing.
  • Data portability — receive data in a structured, machine-readable form where applicable.
  • Withdraw consent where processing is consent-based.
  • Lodge a complaint with a supervisory authority.

To exercise rights, contact racim.amermoussa@gmail.com. We may need to verify your identity.


9. Children

The Service is not directed at children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.


10. Security

We use industry-standard measures (encryption in transit, access controls, secured credentials for server-side keys) appropriate to the risk. No method of transmission or storage is 100% secure.


11. Third-party links

The Service may link to third-party sites. We are not responsible for their privacy practices. Read their policies before providing data.


12. Changes

We may update this Policy. We will post the new version with an updated “Last updated” date and, where appropriate, notify you in the app or by email. Continued use after changes means you accept the updated Policy, to the extent permitted by law.


13. California residents (summary)

If the CCPA/CPRA applies, you may have rights to know, delete, and correct personal information, and to opt out of certain “sales” or “sharing.” We do not sell personal information for money. For requests, use racim.amermoussa@gmail.com.


14. Contact

Privacy questions: racim.amermoussa@gmail.com