Cookit

Privacy Policy

Last updated: December 7, 2025

1. Data Controller

This policy describes the processing of personal data carried out through the mobile application Cookit (hereinafter, the "App").

The Data Controller is:

Alessio Falcone
E-mail: support@ierakos.com

The Controller is an individual who manages the App on a personal basis and not in the context of a business activity.

2. Personal Data Processed

2.1 User Account Data

When creating and using an account, the following data may be processed:

  • unique internal identifier (sub);
  • username chosen by the user;
  • email address;
  • first and last name (if provided by the authentication system);
  • roles associated with the user (e.g. standard user / PRO user);
  • preferred language for using the App.

2.2 Data Stored in the User Profile (Database)

The App's database stores, in particular:

  • technical identifier of the user;
  • unique username within the App;
  • technical key identifying the profile picture on external storage;
  • language chosen for the App interface;
  • notification settings for friend requests;
  • notification settings for shared recipes.

The profile picture itself is stored on external file storage.

2.3 Recipe Data

For the operation of the App and recipe management, the following data is processed:

  • identifier of the user who owns the recipe;
  • owner's username;
  • recipe name;
  • number of servings;
  • category / type of recipe (e.g. starter, main course, dessert, etc.);
  • cost indication (e.g. budget, medium, expensive);
  • preparation time;
  • list of steps / procedure (free text);
  • list of ingredients (ingredient name and quantity);
  • technical key of the dish photo on external storage;
  • information about sharing with other users.

Recipes may include textual content voluntarily entered by the user (e.g. descriptions, notes, internal recipe comments).

2.4 Social Data (Friends and Sharing)

The App allows users to establish friendships and share recipes with other users. For this purpose, the following data is processed:

  • identifier and username of the user sending a friend request;
  • identifier and username of the recipient user;
  • status of the friend request;
  • creation and update date of the friend request;
  • information about which recipes have been shared with which users.

2.5 Notification Data

The App's internal and push notification system may store:

  • notification type;
  • a payload associated with the notification, which may include:
    • who sent the request or shared the recipe;
    • name of the user who accepted the friendship;
    • name of the shared recipe;
  • read status (read / unread);
  • creation date and date of reading.

2.6 Push Notification Data

To send push notifications to the device, the following data is processed:

  • a notification token associated with the device (provided by the push service);
  • platform information (e.g. android or ios);
  • data strictly necessary for the notification content, such as notification type and references to the recipe or user that triggered the event.

3. Purposes and Legal Bases

3.1 Providing the App and Core Features

Data is processed to enable the operation of the App, the creation and management of recipes, the use of the friends list, and the sharing of recipes between users.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR), constituted by the App's Terms and Conditions.

3.2 Account Management and Authentication

Account data is processed to uniquely identify the user, maintain profile settings (including language), and enable secure access to the App.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3.3 Push Notifications

The App sends push notifications when, for example, another user:

  • sends you a friend request;
  • accepts your friend request;
  • shares a recipe with you.

Users can enable or disable notifications both at the operating system level and within the App.

Legal basis: user consent (Art. 6(1)(a) GDPR), expressed through enabling notifications on the device and the App's internal settings. The user may withdraw consent at any time by changing these settings.

3.4 Security, Abuse Prevention and Service Improvement

Some processing may be carried out to:

  • ensure the technical security of the App and infrastructure;
  • prevent unlawful or abusive use;
  • fix bugs and improve stability and functionality.

Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR) in maintaining a safe and efficient service.

3.5 Marketing and Profiling

The App currently does not carry out direct marketing activities or profiling of users based on their behaviour within the App.

Should marketing or profiling features be introduced in the future, this will only occur following an update to this policy and, where required, after obtaining the user's consent.

4. Processing Methods and Retention Periods

Personal data is processed using electronic and IT tools, with appropriate technical and organisational security measures to protect it from unauthorised access, loss or unlawful use.

4.1 Retention Periods

  • Account and recipe data: retained for the duration of the user's use of the App and, thereafter, for the time strictly necessary to handle any deletion requests or legal obligations. Data is generally deleted or anonymised when the user requests account closure or when it is no longer necessary for the purposes for which it was collected.
  • Technical log data (where implemented): normally retained for up to 12 months for security purposes, technical diagnostics and abuse prevention.
  • Notifications stored in the database: retained for the duration of the account so that users can view their notification history, and deleted or anonymised when the account is closed or when they are no longer necessary.

5. Recipients and Third-Party Services

Personal data may be processed not only by the Controller, but also by parties providing technical and organisational services connected to the operation of the App.

Possible recipients include:

  • hosting and infrastructure service providers, where the App's servers and database reside. These servers are in principle located within the European Union (specific information on the country or provider may be updated in the future);
  • file storage service providers used to store recipe images and profile pictures;
  • push notification services, such as Firebase Cloud Messaging (Google), which receive device tokens and the data strictly necessary to send notifications;
  • potential analytics service providers (e.g. App usage statistics services), which will be specified in the future should they be permanently activated;
  • parties providing technical support or consultancy to the Controller, to the extent strictly necessary for the provision and maintenance of the service.

Such parties generally act as Data Processors, on the basis of contractual agreements compliant with Art. 28 GDPR.

5.1 Transfers Outside the EU

The use of services such as Firebase Cloud Messaging may involve the transfer of some data (e.g. notification tokens) to countries outside the European Union. In such cases, the transfer takes place on the basis of the mechanisms provided for by the GDPR (e.g. standard contractual clauses approved by the European Commission or adequacy decisions).

More information on the privacy policies of individual third-party services (e.g. Google/Firebase) is available in their respective policies, accessible directly from their official websites.

6. User Rights

As a data subject, you may exercise, within the limits and conditions set out in the GDPR, the following rights:

  • right of access to your personal data;
  • right to rectification of inaccurate or incomplete data;
  • right to erasure ("right to be forgotten"), where applicable;
  • right to restriction of processing;
  • right to data portability, where technically feasible;
  • right to object to processing based on legitimate interest;
  • right to withdraw consent, where processing is based on consent (e.g. for push notifications), without affecting the lawfulness of processing carried out before withdrawal.

To exercise these rights or to request any clarification regarding the protection of personal data, please contact the Controller at: support@ierakos.com.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or the supervisory authority of your country of residence.

7. Minors

The App is primarily intended for adult users. Use by minors is permitted only with the consent or under the supervision of parents or legal guardians.

The Controller does not deliberately collect personal data from minors beyond what may be inadvertently provided by the user. Should the Controller become aware of data relating to minors processed without an adequate legal basis, it will proceed with their deletion where possible.

8. Data Security

The Controller adopts appropriate technical and organisational measures to protect personal data processed through the App, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing.

Notwithstanding this, no computer system or internet data transmission can be considered completely secure; therefore, the absolute security of transmitted or stored information cannot be guaranteed.

9. Third-Party Content and Data (Open Food Facts)

The App may use data relating to ingredients or food products from external sources, in particular:

Contains data from Open Food Facts — © OFF contributors. Database: ODbL 1.0; contents: DbCL 1.0. No affiliation with or endorsement by Open Food Facts.

For more information on licences and terms of use, please refer to the official Open Food Facts documentation (section "Data/Terms", licences ODbL 1.0 and DbCL 1.0).

This data is used solely to provide lookup and support functionality to the user within the App, and is not combined with personal information for profiling purposes.

10. Updates to this Policy

This Privacy Policy may be updated over time, for example due to the evolution of the App, the introduction of new features (such as PRO services or analytics tools), or regulatory changes.

Updated versions will be made available within the App. In the event of material changes, users may be informed via dedicated notifications or in-app messages.

Continued use of the App after the publication of changes will constitute acceptance of the new data processing terms.

11. Applicable Law

The processing of personal data carried out through the App is subject to Regulation (EU) 2016/679 ("GDPR") and applicable Italian data protection law, including Legislative Decree 196/2003 as amended and supplemented.

© 2026 Ierakos. All rights reserved. hello@ierakos.com