Privacy Policy

Last Updated: February 17, 2025

Table of Contents

  1. Introduction and Scope
  2. Information We Collect
  3. Browser Extension Permissions Explained
  4. How We Use Your Information
  5. How We Process Recipe Data
  6. Data Sharing and Third-Party Services
  7. Authentication and Security
  8. Data Storage and Retention
  9. Your Rights and Choices
  10. GDPR Compliance (EU/EEA Users)
  11. CCPA/CPRA Compliance (California Residents)
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact Information

1. Introduction and Scope

Welcome to Forktastic. This Privacy Policy explains how Forktastic ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our products and services.

This policy applies to all Forktastic products, including:

  • Forktastic Browser Extension ("Extension") — available for Firefox and Chrome, used to detect and extract recipes from web pages
  • Forktastic Web Application ("Web App") — accessible at app.forktastic.com, used to manage your recipe collection, meal plans, and account
  • Forktastic Marketing Website — accessible at forktastic.com, used for product information and waitlist registration
  • Forktastic Mobile Applications ("Mobile App") — future iOS and Android applications for accessing your recipes on the go

Throughout this policy, we use the following terms:

  • "Service" refers to all Forktastic products collectively
  • "Personal Data" means any information that identifies or could identify you as an individual
  • "Processing" means any operation performed on your Personal Data

By using any Forktastic product, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

2. Information We Collect

We collect different types of information depending on how you interact with our Service.

2.1 Account Information

When you create a Forktastic account, we collect:

  • Email address — used for account identification, login, and communications
  • Password — securely hashed using bcrypt via Supabase Auth; we never store your password in plain text
  • Authentication tokens — access tokens and refresh tokens generated upon login, used to maintain your authenticated session

2.2 Recipe Content

When you use Forktastic to extract and save recipes, we collect:

  • Full page HTML — the complete HTML content of the web page is transmitted to our server only when you explicitly click "Extract Recipe" (or when auto-extract is enabled in your settings)
  • Source URL — the web address of the page from which the recipe was extracted
  • Structured recipe data — title, ingredients, instructions, nutrition information, prep/cook times, and servings, as extracted by our AI
  • Recipe images — images associated with the recipe, converted to WebP format for storage

Important: The raw HTML is processed in memory, is NOT permanently stored, and is discarded after processing (typically within 30 seconds). Only the structured recipe data is saved to your account.

2.3 Browser Extension Data

The Forktastic browser extension operates in two distinct modes:

2.3.1 Passive Detection (Local Only)

When you browse the web with the extension installed, a content script scans each page for JSON-LD structured data (Recipe schema markup). This scanning happens entirely within your browser. During passive detection, no data is transmitted to our servers. We do not collect your browsing history, page content from non-recipe pages, or track the websites you visit. The extension icon simply updates to indicate whether a recipe was detected on the current page.

2.3.2 Active Extraction (User-Initiated)

When you explicitly click to extract a recipe (or have auto-extract enabled), the full HTML content of the current web page is transmitted to our server via an encrypted HTTPS connection. Our server uses AI to extract structured recipe data. The raw HTML is processed in memory, is NOT permanently stored, and is discarded after processing (typically within 30 seconds). Only the structured recipe data is saved.

2.3.3 Local Storage

The extension stores the following data locally on your device using chrome.storage.local:

  • Authentication tokens — access_token and refresh_token for maintaining your login session
  • User settings — your extension preferences (e.g., auto-extract toggle)
  • Recent recipe IDs — identifiers of recently extracted recipes for quick access

2.4 Subscription Information

We use RevenueCat to manage subscriptions. When you subscribe to Forktastic:

  • RevenueCat receives your anonymous user identifier and subscription purchase details
  • Subscription status (active, expired, trial) is synced with our system
  • We do not handle or store payment card information directly. All payment processing is handled by the app store (Apple App Store, Google Play) or browser payment platform (Stripe)

2.5 Usage and Analytics Data

We collect usage data to improve our Service:

  • Website (forktastic.com): We use Google Analytics 4 and Vercel Analytics to collect anonymized page views, user interactions, and web performance metrics
  • Extension: Feature usage counts and error reports to help us identify and fix issues. You can opt out of analytics data collection in extension settings

2.6 Device and Technical Information

We automatically collect certain technical information when you use our Service, including browser type and version, operating system, device type, language preferences, and referring URLs. This information helps us optimize our Service for different platforms and troubleshoot technical issues.

3. Browser Extension Permissions Explained

The Forktastic browser extension requests specific permissions to function. Here is a detailed explanation of each permission and why it is needed:

| Permission | Why It's Needed |
|---|---|
| <all_urls> | Recipes are published across millions of websites. To detect recipe markup on any page, our content script requires this permission. The script scans for JSON-LD structured data locally within your browser. During detection, no data is transmitted. We do not collect browsing history, page content from non-recipe pages, or track the websites you visit. |
| activeTab | Allows access to the content of the current tab only when you interact with the extension (e.g., clicking the extension icon or the "Extract Recipe" button). This is used to read the page HTML for recipe extraction. |
| storage | Stores your authentication tokens, extension preferences, and recent recipe identifiers locally on your device. This data never leaves your browser unless you initiate an action. |
| scripting | Injects the content script that performs local JSON-LD recipe detection on web pages. The script runs passively and only communicates with the extension's background service worker. |
| tabs | Updates the extension icon badge and state based on whether a recipe was detected on the current page. Also used for navigation to the web app when needed. |
| host_permissions (api.revenuecat.com) | Allows the extension to check your subscription status with RevenueCat. Only your anonymous user identifier and subscription status are transmitted. |

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision: To provide, maintain, and improve the Forktastic Service, including recipe extraction, storage, meal planning, and recipe management
  • Authentication: To verify your identity and maintain secure access to your account across the extension and web app
  • Subscription Management: To manage your subscription status, entitlements, and billing through RevenueCat
  • Analytics and Improvement: To understand how our Service is used, identify issues, and improve the user experience
  • Communications: To send you service-related updates, security alerts, and (with your consent) marketing communications about new features
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

We process your information only for the purposes described in this policy. We do not use your recipe content to train AI models or for any purpose other than providing the Service to you.

5. How We Process Recipe Data

Here is a detailed explanation of how recipe data flows through our system:

Step 1: On-Device Detection

The extension's content script scans the current page for JSON-LD Recipe schema markup. This happens entirely in your browser with no network calls. If recipe markup is found, the extension icon updates to indicate a recipe is available.

Step 2: Server-Side Extraction

When you click "Extract Recipe," the full page HTML is sent to our API server (api.forktastic.com) over an encrypted HTTPS connection. Our server passes the HTML to AWS Bedrock (AI service) which extracts structured recipe data including title, ingredients, instructions, nutrition, and timing information. The raw HTML is processed in memory and discarded within approximately 30 seconds. It is never written to permanent storage.

Step 3: Image Processing

Recipe images are converted to WebP format and stored on Cloudflare R2 via presigned URLs generated by Supabase Edge Functions. Images are associated with your recipe and accessible only through your authenticated account.

Step 4: Recipe Storage

The structured recipe data (title, ingredients, instructions, nutrition, source URL, and image URLs) is stored in our Supabase PostgreSQL database, linked to your user account. You can view, edit, organize, and delete your saved recipes at any time through the web app or extension.

6. Data Sharing and Third-Party Services

We do NOT sell your personal data. We share information with third-party services only as necessary to provide the Forktastic Service. Below is a comprehensive list of third-party services we use:

| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Authentication, database, edge functions | Email, hashed password, recipes, user ID | supabase.com/privacy |
| AWS (Bedrock, Lambda, API Gateway) | AI recipe extraction, API hosting | Page HTML (during extraction only), email (waitlist) | aws.amazon.com/privacy |
| RevenueCat | Subscription management | Anonymous user ID, subscription status | revenuecat.com/privacy |
| Cloudflare R2 | Recipe image storage | Recipe images (WebP format) | cloudflare.com/privacypolicy |
| Google Analytics 4 | Website analytics | Anonymized page views, events, device info | policies.google.com/privacy |
| Vercel | Website hosting, analytics | Web vitals, performance metrics | vercel.com/legal/privacy-policy |

We may also share information when required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets (in which case you will be notified).

7. Authentication and Security

We take the security of your data seriously and implement the following measures:

7.1 Authentication

  • Account authentication is managed through Supabase Auth using email and password
  • Passwords are hashed using bcrypt before storage; we never store plain-text passwords
  • Upon login, access tokens and refresh tokens are generated and stored locally in the browser extension via chrome.storage.local

7.2 Auth Bridge

When you sign in through the web app (app.forktastic.com), the extension uses an auth bridge mechanism to synchronize your login state. A content script on app.forktastic.com securely forwards authentication tokens to the extension's background service worker via the browser's internal messaging API. This communication stays within your browser and does not transmit tokens to any external server.

7.3 Data Protection

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • At Rest: Data stored in our databases and storage services is encrypted using AES-256 encryption
  • Access Controls: Access to user data is restricted to authorized personnel and automated systems on a need-to-know basis

8. Data Storage and Retention

We retain your data only for as long as necessary to provide the Service and fulfill the purposes described in this policy.

| Data Type | Retention Period |
|---|---|
| Raw page HTML | Discarded immediately after processing (~30 seconds) |
| Authentication tokens | Until logout or token expiry |
| Recipes and images | Until user deletes them or account is deleted |
| Waitlist email addresses | Until unsubscribe or 2 years, whichever comes first |
| Contact form submissions | 1 year after resolution |
| Google Analytics data | 14 months (GA4 default retention) |
| Extension local storage | Until extension uninstall or logout |

Account Deletion: When you request account deletion, all associated data (recipes, images, account information) is permanently purged from our systems within 30 days of your request. Local extension data is cleared upon logout or extension uninstall.

9. Your Rights and Choices

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data and account
  • Export: Request a copy of your recipe data in JSON format
  • Opt-Out of Analytics: Disable analytics data collection in extension settings
  • Uninstall Extension: Removing the extension clears all local data (tokens, settings, cached recipe IDs)
  • Withdraw Consent: Opt out of marketing communications at any time

To exercise any of these rights, contact us at privacy@forktastic.com. We will respond to your request within 30 days.

10. GDPR Compliance (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). We process your data under the following legal bases (Article 6):

  • Contract (Art. 6(1)(b)): Account creation, recipe extraction, subscription management — processing is necessary to perform our contract with you
  • Legitimate Interest (Art. 6(1)(f)): Analytics, security monitoring, and service improvement — we have a legitimate interest in understanding usage and securing our Service
  • Consent (Art. 6(1)(a)): Marketing communications — we only send marketing emails with your explicit consent, which you can withdraw at any time
  • Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations

Your GDPR Rights

In addition to the rights listed in Section 9, EU/EEA users have the right to:

  • Restriction of Processing: Request that we limit how we use your data
  • Object to Processing: Object to processing based on legitimate interests
  • Lodge a Complaint: File a complaint with your local Data Protection Authority

International Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA, including the United States. Our third-party service providers maintain appropriate safeguards for cross-border data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission.

11. CCPA/CPRA Compliance (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

  • Identifiers: Email address, user ID, authentication tokens
  • Internet or Network Activity: Browsing interactions with our Service, feature usage, analytics data
  • Commercial Information: Subscription status and purchase history

Your California Privacy Rights

  • Right to Know: Request what personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale or sharing of your personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

To exercise your rights, contact us at privacy@forktastic.com. We will respond within 45 days of receiving your verifiable request.

12. Children's Privacy

Forktastic is not directed at children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to promptly delete that information.

If you believe a child has provided us with personal data, please contact us at privacy@forktastic.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by:

  • Sending an email to the address associated with your account
  • Posting a prominent notice on our website or within the extension
  • Updating the "Last Updated" date at the top of this policy

We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

14. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Privacy Inquiries: privacy@forktastic.com
  • Data Deletion Requests: privacy@forktastic.com
  • General Support: support@forktastic.com
  • Legal Inquiries: legal@forktastic.com
© 2026 Forktastic. All rights reserved.