Privacy Policy
1. Introduction
This Privacy Policy explains how Lumon Spark Artur Lamali ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the Simmer mobile application ("the App"). Simmer transforms recipe URLs into step-by-step cooking guides with timers and intelligent step resequencing.
We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on the Protection of Personal Data, and all other applicable data protection legislation.
By using the App, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for your personal data is:
Lumon Spark Artur Lamali
ul. Antoniego Malczewskiego 37/41/57
02-622 Warszawa, Poland
NIP: 8762511973
REGON: 529418968
Contact: artur.lamali@gmail.com
3. No User Accounts
Simmer does not require you to create an account. The App uses a device-based identity model. You are never asked to provide your name, email address, phone number, or any other personally identifying information to use the App. Identity is established solely through a random device identifier stored locally on your device.
4. Data We Collect
4.1. Device Identifier
We generate a random UUID (Universally Unique Identifier) that is stored securely in your device's iOS Keychain via the expo-secure-store library. This identifier:
- Is randomly generated and cannot be used to identify you personally.
- Persists across app reinstalls (as it is stored in the Keychain).
- Is used solely for rate limiting (enforcing the free-tier limit of recipe parses per day) and associating saved data with your device.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) -- necessary to prevent abuse of the service and to enforce fair usage limits.
4.2. Recipe URLs
When you submit a recipe URL for parsing, we send that URL to our backend servers for processing. The URL is logged in our database alongside your device identifier for rate-limiting purposes.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) -- necessary to provide the core service you requested (recipe parsing).
4.3. Recipe Page Content
When you submit a recipe URL, our server fetches the content of that web page. This content is sent to an AI service for structured extraction (parsing the recipe into ingredients, steps, and timers). The page content is transient -- it is processed in memory and is not stored on our servers.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) -- necessary to provide the core service you requested.
4.4. Video Transcripts
When you submit a video URL (from platforms such as TikTok, YouTube, or Instagram), a transcript of the video is extracted via a third-party service (Supadata API). This transcript data is transient -- it is used only for AI parsing and is not stored on our servers.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) -- necessary to provide the core service you requested.
4.5. Anonymous Behavioral Analytics
We collect anonymous analytics data to understand how the App is used and to improve the product. This includes:
- App events (e.g., "recipe parsed," "cooking mode started")
- Screen views
- App version and device type (generic, e.g., "iPhone")
- Session duration
This data is collected via PostHog, which is hosted on EU infrastructure (eu.i.posthog.com). We do not collect any personally identifiable information (PII) through analytics. We do not collect the Apple Identifier for Advertisers (IDFA) or any advertising identifiers.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) -- necessary to improve the App's functionality and user experience. You may opt out of analytics (see Section 9).
4.6. Subscription Data
If you purchase a subscription (e.g., Simmer Pro), the purchase is managed by RevenueCat using anonymous App User IDs. RevenueCat receives purchase data from Apple's App Store. We do not have access to your Apple ID, payment details, or billing information. RevenueCat links your anonymous App User ID to your subscription status.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) -- necessary to manage your subscription and provide premium features.
4.7. Onboarding Preferences
During onboarding, you may select preferences related to your cooking habits or pain points (e.g., "I struggle with timing multiple dishes"). These selections are stored locally on your device and may be included in anonymous analytics events.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) -- used to improve the product and tailor the experience.
5. Data We Do NOT Collect
We want to be explicit about what we do not collect:
- Name or email address -- no account creation required
- Location data -- we do not request or access GPS, Wi-Fi, or cell tower location
- Camera or photos -- we do not access your camera or photo library
- Contacts -- we do not access your address book
- Microphone -- we do not access your microphone
- IDFA or advertising identifiers -- we do not participate in ad tracking
- Health data -- we do not collect any health-related information
- Cookies -- the App is a native mobile application and does not use web cookies
6. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the recipe parsing service | Recipe URLs, page content, video transcripts | Contract performance (Art. 6(1)(b)) |
| Rate limiting (free tier enforcement) | Device UUID | Legitimate interest (Art. 6(1)(f)) |
| Managing subscriptions | Anonymous purchase data via RevenueCat | Contract performance (Art. 6(1)(b)) |
| Improving the App | Anonymous analytics events | Legitimate interest (Art. 6(1)(f)) |
| Delivering timer notifications | Push notification token (Apple APNs) | Contract performance (Art. 6(1)(b)) |
| Understanding user needs | Onboarding preferences | Legitimate interest (Art. 6(1)(f)) |
7. Third-Party Services and Data Sharing
We share data with the following third-party service providers, strictly for the purposes described. We do not sell your data to any third party.
7.1. Supabase
- Data shared: Device UUID, recipe URLs
- Purpose: Backend infrastructure, database, rate limiting, edge functions
- Location: United States
- Privacy Policy: supabase.com/privacy
7.2. OpenRouter
- Data shared: Recipe page content (transient, not stored)
- Purpose: AI model routing for recipe parsing
- Location: United States
- Privacy Policy: openrouter.ai/privacy
7.3. Anthropic
- Data shared: Recipe content via OpenRouter (transient, not stored)
- Purpose: AI-powered recipe parsing and extraction
- Location: United States
- Privacy Policy: anthropic.com/privacy
7.4. Supadata
- Data shared: Video URLs (transient, not stored)
- Purpose: Video transcript extraction for recipe parsing
- Location: United States
- Privacy Policy: supadata.ai/privacy
7.5. PostHog
- Data shared: Anonymous analytics events (no PII)
- Purpose: Product analytics and improvement
- Location: European Union (eu.i.posthog.com)
- Privacy Policy: posthog.com/privacy
7.6. RevenueCat
- Data shared: Anonymous purchase data, anonymous App User IDs
- Purpose: Subscription management and purchase verification
- Location: United States
- Privacy Policy: revenuecat.com/privacy
7.7. Apple Push Notification Service (APNs)
- Data shared: Push notification token (device-generated)
- Purpose: Delivering local timer notifications when the App is in the background
- Location: United States
- Privacy Policy: apple.com/privacy
8. International Data Transfers
Lumon Spark Artur Lamali is established in the European Union (Poland). Some of our third-party service providers are located in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Where applicable, we rely on service providers that have been certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on the European Commission's Standard Contractual Clauses as the legal mechanism for data transfers.
- EU-hosted services: PostHog analytics data is processed and stored within the EU (eu.i.posthog.com), avoiding international transfers for analytics data entirely.
9. Data Retention
| Data | Retention Period |
|---|---|
| Parse log (device UUID + recipe URL records) | 90 days, automatically deleted via scheduled cleanup |
| Subscription data (RevenueCat) | Duration of active subscription + 90 days |
| Analytics data (PostHog) | 12 months |
| Local data (saved recipes, cooking session state) | Stored on your device until you delete the App or use the in-app "Delete My Data" feature |
| Recipe page content and video transcripts | Not stored -- transient processing only |
10. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR. You may exercise these rights at any time by contacting us at artur.lamali@gmail.com or by using the in-app "Delete My Data" feature where applicable.
10.1. Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data and receive information about the processing.
10.2. Right to Rectification (Art. 16 GDPR)
You have the right to request the correction of inaccurate personal data concerning you.
10.3. Right to Erasure ("Right to Be Forgotten") (Art. 17 GDPR)
You have the right to request the deletion of your personal data. You can exercise this right:
- In-app: Using the "Delete My Data" button in the App's settings. This will delete all server-side data linked to your device UUID.
- By email: Contacting us at artur.lamali@gmail.com with your request. We will process your request within 30 days.
10.4. Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing of your personal data under certain conditions.
10.5. Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
10.6. Right to Object (Art. 21 GDPR)
You have the right to object to the processing of your personal data based on legitimate interest (Art. 6(1)(f) GDPR), including:
- Analytics: You may opt out of anonymous analytics collection by contacting us or, where available, through in-app settings.
- Rate limiting: Objection to rate-limiting processing may result in inability to use the free tier of the service.
10.7. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The relevant authority for Poland is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa, Poland
Website: uodo.gov.pl
11. Data Deletion
You may request deletion of all data associated with your device at any time:
- In-app: Navigate to Settings and tap "Delete My Data." This will immediately delete all server-side records linked to your device UUID (including parse logs and rate-limiting records). Local data (saved recipes) will also be cleared from your device.
- By email: Send a request to artur.lamali@gmail.com. Please include your device UUID if possible (available in Settings). We will process your request within 30 days.
- Uninstalling the App: Uninstalling the App removes all locally stored data. Server-side data (parse logs) will be automatically deleted after the retention period (90 days). To request immediate server-side deletion, use one of the methods above before uninstalling.
12. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between the App and our servers is encrypted using HTTPS/TLS.
- Secure local storage: The device UUID is stored in the iOS Keychain, which is hardware-encrypted and protected by the device passcode.
- Server-side key management: API keys and secrets are stored exclusively on our backend servers (Supabase Edge Functions). No API keys are embedded in the App.
- Access control: Supabase Row Level Security (RLS) ensures that data access is restricted to authorized operations only.
- Minimal data collection: We follow the principle of data minimization -- we collect only the data strictly necessary for the App's functionality.
13. Children's Privacy
The App is not directed at children under the age of 16, which is the applicable age threshold under the Polish implementation of the GDPR (Art. 8 GDPR in conjunction with Polish data protection law). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that data promptly.
If you are a parent or guardian and believe your child has provided data to us, please contact us at artur.lamali@gmail.com.
14. Data Protection Officer
Pursuant to Art. 37 GDPR, we are not required to appoint a Data Protection Officer (DPO) as our core activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data.
For all data protection inquiries, please contact:
Artur Lamali
Email: artur.lamali@gmail.com
15. Automated Decision-Making
The App uses artificial intelligence (Anthropic Claude via OpenRouter) to parse recipe content into structured cooking steps. This processing:
- Does not involve profiling of individuals.
- Does not produce legal effects or similarly significant effects on you.
- Is limited to recipe content transformation and does not process personal data for automated decision-making purposes within the meaning of Art. 22 GDPR.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this document.
- We will notify you through an in-app notice upon your next use of the App.
- Continued use of the App after the updated Privacy Policy has been posted constitutes your acknowledgment of the changes.
We encourage you to review this Privacy Policy periodically.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
Lumon Spark Artur Lamali
ul. Antoniego Malczewskiego 37/41/57
02-622 Warszawa, Poland
Email: artur.lamali@gmail.com
18. Governing Law
This Privacy Policy is governed by the laws of the Republic of Poland and the European Union, including the General Data Protection Regulation (EU) 2016/679.