Privacy Policy
Version 2.1 · Effective 14 July 2026
Shop Chop Chow is a household meal-planning app operated by Joshua Camman (ABN 71 163 089 011), a sole trader ("we", "us"), based in Victoria, Australia. This policy explains what we collect, why, where it goes, how long we keep it, and the controls you have. We've kept it honest and specific — it describes what the app actually does, not boilerplate.
Our approach to privacy law. We handle your information in line with the Australian Privacy Principles and applicable Victorian health privacy principles, and we don't rely on any small-business exemption to do less. Some of what the app holds (allergies, intolerances, nutrition and weight goals, and religious dietary observance such as halal or kosher) can be sensitive information, so we treat it that way — see §2.
The short version: we collect what you give us (account details, your household's recipes, plans, lists and kitchen data) plus a small amount of service data (push tokens, AI usage counters, optional analytics). We use it to run the app for your household — we don't sell it, and we don't use it for advertising. Your household members can see the household's shared data and some things about you. Our servers are run by Google (Firebase) and located overseas.
1. What we collect
You give us:
- Account details — email address, display name, and profile photo. If you sign in with Google
- Household content — recipes (including photos you upload or import), weekly meal plans,
- Health and dietary information (sensitive — see §2) — allergies and intolerances, dietary
- Subscription and billing records — your plan, entitlement status, transaction identifiers and
- Waitlist email — if you join the launch waitlist on our website, just your email address,
we also receive the Google account identifier and standard authentication metadata (such as sign-in provider and timestamps). We record when you accepted the Terms and which version, and separately when you gave or withdrew consent to the sensitive-data handling in §2.
shopping lists, pantry/fridge/leftover records, cook sessions and ratings, budgets, home essentials, and household settings.
requirements including religious ones (halal, kosher), and optional per-member nutrition or weight goals (for example a daily calorie or protein target).
renewal/refund state, received from RevenueCat/Stripe. We never see or store your card number.
used to tell you when we launch (§6).
Collected automatically:
- Push notification tokens for your devices, if you allow notifications.
- AI usage records — when you use an AI feature we record counters (which feature, how many
- Estimated expiry dates — the app estimates how long an item keeps, from its name and how you
- Optional analytics (§7) — product events like "recipe imported", with identifying details
- Server logs — standard Cloud Function logs kept by Google for a limited period.
characters/tokens, success or error) against your household to enforce fair-use limits. We do not store the content of AI prompts or responses in these records.
store it. Expiry dates in your kitchen are therefore either entered by you or estimated by the app; the estimates are guidance, not a food-safety guarantee.
stripped, if analytics is enabled in your build and you've allowed it.
Scanning items. When you scan a product, the barcode reading and text recognition happen on your device (Google ML Kit) — the photo itself is never uploaded, and is held only temporarily on your device. If you then tap "Identify with AI", a short extract of the recognised text (up to 600 characters) is sent to Google Gemini to work out what the product is. If you don't tap it, nothing from the scan leaves your device except the barcode lookup below.
What we deliberately don't collect: your location, contacts, microphone, advertising identifiers, or payment card numbers (payments are handled entirely by Stripe/RevenueCat — §5).
2. Health and dietary information — and your consent
Allergies, intolerances, nutrition and weight goals, and religious dietary requirements can be sensitive information under privacy law. We don't pretend otherwise, and we don't ask you to accept this as part of the Terms — it's a separate, express choice, recorded against your account with the date and version.
- Before any of this is used to personalise AI recipe suggestions, the app asks you, in a screen
- Declining changes nothing else. The app works normally; AI suggestions simply don't take your
- You can withdraw at any time — Settings → Privacy → Withdraw consent. It takes effect on
- Children in the household. If a household profile belongs to a child you look after, the adult
that says what's collected, that your whole household can see and edit it, and that it will be sent to Google Gemini overseas (§5).
household's saved dietary details into account. Dietary filters you tick on the suggestion screen itself are used for that request, because that's what you asked for.
your next AI suggestion; nothing further is sent.
giving consent is asked to confirm they're doing so as that child's parent or guardian (§11).
We do not use this information for advertising, profiling, or any purpose other than the meal planning features you're using it for.
3. Why we use it
| Use | Data | Basis |
|---|---|---|
| Run the app for your household | Account, household content, per-member settings | Providing the service you asked for |
| AI features you trigger (recipe import/analysis, categorisation, dish images, scan identification) | The recipe text/URL content, the recognised scan text, or the prompt for that action | Providing the feature; sent to Google Gemini (§5) |
| Personalising AI recipe suggestions to your household's dietary needs | Your household's saved dietary profile (allergies, halal/kosher, etc.) | Your express consent (§2) — not used unless you allow it, and stopped when you withdraw |
| Fair-use limits and billing | AI usage counters, subscription status | Running the free tier and PRO |
| Notifications you or your household trigger (prep/cook assignments, join requests) | Push tokens, assignment names | Providing the feature; you can turn notifications off in your device settings |
| Understanding and improving the product | Optional, scrubbed analytics events | With your consent, asked before anything is collected (§7) |
| Telling waitlist members we've launched | Waitlist email | Your request when you signed up |
We don't sell personal information, don't share it for advertising, and don't use your content to train AI models. AI features send the content for that action to Google's Gemini API on a paid plan, under which Google does not use it to train or improve its models (§5).
4. What your household sees
Shop Chop Chow is a shared app, and you should know exactly what's shared before you join a household:
- All household content (recipes, plans, lists, pantry, leftovers, budgets) is visible to
- Members can see your display name, profile photo and email address, your **cook/prep
- Any member (not only the owner) can approve someone's request to join the household, and can
- If your household has PRO, members can see the subscription status, including which member pays.
- Household usage counters (AI calls this month) are visible to the household.
and editable by every member.
assignments, and any per-member serving sizes, dietary requirements or nutrition goals set for you. Any member can edit these, including yours** — the app has no private-to-you dietary data. If that isn't what you want, don't record it.
remove another non-owner member. Only the owner can transfer ownership or delete the household.
You can leave a household at any time (Settings → Leave household). Leaving removes your assignments and your access; the household keeps its shared content.
Exporting. Settings → Export produces a JSON file. If you're the household owner it contains the whole household's data. If you're not the owner, it contains your own data plus the household's shared content, with other members' nutrition goals and photos left out — those aren't yours to export. Either way the file says which kind it is, and lists what it deliberately excludes. Only share it with people you'd share the household with.
5. Who we share data with (our providers)
We use a small set of service providers. They process data to provide their service to us, not for their own marketing.
| Provider | What they process | Where |
|---|---|---|
| Google Firebase (Authentication, Firestore, Storage, Cloud Functions, Hosting) | Everything we store: accounts, household content, photos, tokens, logs | Firestore household content: Singapore (asia-southeast1); Storage photos and Cloud Functions: United States (us-central1); Cloud Logging: global; Authentication and Hosting use Google's global infrastructure |
| Google Gemini API | The recipe text, page content, recognised scan text, or prompt for each AI action you trigger; generated dish images | United States |
| Google FCM | Push delivery to your devices | Global (Google) |
| RevenueCat | Subscription state keyed to your account id; checkout hosting | United States |
| Stripe | Payment details for web subscriptions (card numbers never touch our systems) | United States/global |
| PostHog | Optional analytics events (§7), keyed to your account id | United States |
| Open Food Facts and related open databases | When you scan a barcode, the app looks it up against the Open Food Facts, Open Beauty Facts, Open Pet Food Facts and Open Products Facts databases (your device connects to their servers, which see your IP address). We fetch the product name, brand, quantity and category — we do not fetch the ingredients or allergen fields. Product images are displayed directly from their servers (hotlinked), so your device requests them from Open Food Facts when shown. Product data is used under the Open Database Licence | France |
We don't disclose personal information to anyone else except: with your direction (e.g. the export/share feature), or where the law requires it.
Firebase Analytics is not enabled. The only analytics we use is PostHog, described in §7.
AI content and model training. We use the Google Gemini API on a paid plan. Under Google's paid-tier terms, the content you send for an AI action (recipe text, page content or prompt) and the result it returns are not used by Google to train or improve its models and are not human-reviewed for that purpose. We only send the content needed for the action you trigger.
Overseas storage. Our infrastructure is hosted by Google and our other providers on servers outside Australia, including Singapore, the United States and global infrastructure. Before your information is disclosed overseas we tell you here, and — for the sensitive information in §2 — we ask for your express consent (§2). We take reasonable steps to ensure our providers handle it consistently with the Australian Privacy Principles.
6. Waitlist and email
If you join the waitlist we store your email and use it to tell you when Shop Chop Chow launches. That's the scope of the consent — we won't add you to an ongoing marketing list without asking separately. Launch and any service emails will identify us and include a working unsubscribe. We'll delete waitlist emails within 90 days of launch.
7. Analytics and crash reporting — and turning it off
If our build has analytics enabled, we use PostHog to understand product usage (events like "meal planned" or "recipe imported") and to receive crash reports.
- We ask first. Nothing is collected until you answer the notice — no app-open event, no
- The events are pseudonymous, not anonymous. They're keyed to your account id. That's not the
- No content. Event properties are stripped of anything that looks personal — no recipe text,
- Firebase Analytics is not enabled — PostHog is the only analytics in the app.
usage data. Choosing "No thanks" means nothing is sent; you can change your mind later in Settings.
same as anonymous, and we won't describe it that way.
names, emails or free text. Crash reports are scrubbed too: the error message and stack are put through a redactor, so a message that happens to quote a recipe title, an email address or a web address doesn't carry it out with the report. We don't use session replay.
You can turn it off at Settings → This device → Analytics & diagnostics — the switch stops collection from that device immediately. (If analytics isn't enabled in your build, nothing is collected at all and you'll never see the notice.)
8. How long we keep things (retention)
| Data | Kept |
|---|---|
| Account (profile, preferences, push tokens) | Until you delete your account — deletion removes them and your sign-in |
| Household content | Until the household deletes it, or the household itself is deleted (deleting a household deletes its recipes, plans, lists, pantry data and photos) |
| Health/dietary information (§2) | With the household until deleted in-app, or until the household is deleted. Withdrawing consent stops it being used for AI; it doesn't delete it — delete it in-app if that's what you want |
| Consent record (§2) | Kept while your account exists, including after withdrawal, so we can show what you agreed to and when |
| AI usage event records | 90 days (automatic expiry) |
| Monthly AI usage counters | While the household exists (they're the billing/fair-use record) |
| Waitlist emails | Until 90 days after launch (§6) |
| Server logs | Google Cloud _Default bucket: 30 days |
| Caches on your device | Recipe/content caches up to 7 days; saved AI results up to 1 year; the offline sign-in snapshot up to 1 year. Signing out clears your household's cached content, recipes and AI results from that device. Device settings you chose (theme, notification and analytics preferences) are kept, and anything you saved while offline that hasn't synced yet is kept so it isn't lost. Deleting the app removes everything |
| Backups | Firestore: seven-day point-in-time recovery plus daily scheduled backups retained for 60 days. Firebase Storage objects are not covered by Firestore backups |
9. Your controls and rights
All of these exist in the product today:
- Access / portability: Settings → Export produces a JSON file — the whole household if
- Correction: edit anything in-app; or email us.
- Deletion: Settings → Delete account removes your profile, preferences, push tokens, any
- Consent to health/dietary handling: give or withdraw at Settings → Privacy (§2).
- Notifications: control per-device in system settings.
- Analytics: allow or decline when asked, and change it any time (§7).
you're the owner, or your own data plus shared content if you're not (§4). If a read fails, the export fails with an error rather than quietly giving you an incomplete file.
recipe ratings you left, and your sign-in, and detaches you from your household. Household content you contributed stays with the household — that's the shared model in §4, so delete specific content in-app first if you don't want that. If any part of the deletion fails, we stop and tell you, and your account is left intact so you can try again — we won't delete your sign-in and leave your data behind. Household owners can delete the entire household, which deletes all of its data and photos. A web deletion path is at https://shopchopchow.com/delete-account.
We'll respond to emailed requests within 30 days. We may need to verify you control the account's email address before acting.
10. Security
Household data is isolated per household and enforced server-side (security rules with deny-by- default, tested in CI); billing and usage records can't be written by clients; AI keys never leave our servers; transport is encrypted (HTTPS); stored data is encrypted at rest by Google. No system is perfectly secure — use a strong, unique password. If we become aware of a data breach likely to cause you serious harm we'll assess it promptly and notify you (and the OAIC where required).
11. Children
Shop Chop Chow accounts are for people 16 and over.
Households routinely include children — you can create a member profile for a child (their name, serving size, dietary needs and any nutrition goals) without them having an account. That profile is managed by the adults in the household, and when an adult consents to the handling in §2 they're asked to confirm they're doing so as that child's parent or guardian.
If you believe someone under 16 has created their own account, email us and we'll delete it.
12. Changes to this policy
Material changes will be announced in-app before they take effect, with the version and date updated above. Where a change means we'd handle your information in a way your existing consent doesn't cover, we'll ask you again rather than assume it. The current version always lives at https://shopchopchow.com/privacy.
13. Complaints and contact
Questions, requests or complaints: [email protected]. We'll acknowledge within a week and aim to resolve within 30 days.
If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au). If your concern relates to health information and you're in Victoria, you can also contact the Office of the Victorian Information Commissioner (ovic.vic.gov.au) or the Health Complaints Commissioner (hcc.vic.gov.au).