
Privacy policy

Last updated: 2 June 2026

This policy explains what data proof. collects, why, how long it is kept, and the rights you hold over it. It covers the proof. application and the marketing site at proofcook.com.

proof. is operated by the proof. project maintainer, an individual (the "controller"). There is no company. The controller is contactable at privacy@proofcook.com. No Data Protection Officer is appointed; data-protection queries go to the same address.

What data is collected

proof. collects only the data needed to run the service:

  • Account data — the email address you sign up with and the display name you choose. Authentication is session-based; a session cookie is set in your browser when you sign in.
  • Recipe content — the recipes, variations, drafts, and annotations you write. This is the content you create and own.
  • Cook logs and outcomes — the attempts you log, the ratings you record, and the outcome annotations attached to them.
  • Media — photos or screenshots you attach to recipes or feedback. Stored as files, addressed by an opaque per-user key.
  • Feedback — when you send feedback or report a bug, the text you write and any screenshot you choose to attach.
  • Crash telemetry — if the application encounters an error, a sanitised report (error message and stack trace) is logged. Email addresses, session tokens, and bearer tokens are stripped server-side before the report is written.
  • Waitlist email — if you request access while signups are invite-only, the email address you submit to the waitlist.

proof. does not run third-party analytics, advertising, or behavioural-tracking scripts at launch. There is no cross-site tracking.

Why data is collected, and the legal basis

Each category is processed for a specific purpose under a specific GDPR legal basis:

  • Account data — to create and secure your account and keep you signed in. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Recipe content, cook logs, outcomes, media — to provide the core service: storing, versioning, and rendering your cookbook. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Bot mitigation — Cloudflare Turnstile is used on signup and the waitlist form to block automated abuse. Legal basis: legitimate interest in protecting the service (Art. 6(1)(f)).
  • Transactional email — to send verification, invite, and account-related messages. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Feedback and crash telemetry — to diagnose defects and improve the service. Legal basis: legitimate interest in maintaining a working product (Art. 6(1)(f)).
  • Waitlist email — to notify you when access opens. Legal basis: consent (Art. 6(1)(a)); you may ask for removal at any time.

Sub-processors

proof. relies on a small set of infrastructure providers. Each processes data only as needed to deliver its function:

| Sub-processor | Function | Data involved |
|---|---|---|
| Cloudflare | Hosting, database and file storage, transactional email, bot mitigation | All account, recipe, cook, media, and email data; Turnstile challenge tokens |
| GitHub | Receives in-app feedback as issues for triage | Feedback text and your synthetic account identifier (see note below); no email or display name |
| Stripe | Payment processing — only if and when a paid tier launches (not active at launch) | Billing details, when applicable |

Disclosure — feedback and GitHub. When you send feedback or report a bug, the report is filed as a GitHub issue so it can be triaged. That issue body contains your synthetic account identifier (an opaque UUID) so that multiple reports can be linked to one account. Your email address and display name are deliberately excluded from that issue and never reach GitHub. Any screenshot you attach is stored by Cloudflare and referenced only by an opaque key, never a public link.

Data retention

  • Account, recipe, cook, and media data — retained while your account is open. It is deleted when you delete your account (see below).
  • Waitlist email — if your request is rejected or expires, the record is purged automatically within 30 days by a scheduled job. Redeemed waitlist records are purged within 180 days.
  • Feedback — retained for the lifetime of your account; deleted with your account in the same cascade.
  • Crash telemetry — retained for the platform log-retention window and not tied to your identity beyond the sanitised payload.
  • Deletion audit record — after an account is deleted, a single minimal record (a one-way, irreversibly derived token of the email, plus timestamps) is kept for up to 12 months as proof that the deletion was performed, then purged. It contains no recipe content, display name, or readable email.

Account deletion

You can delete your account yourself from within the application. Deletion is irreversible. On confirmation, your sessions end and the account enters a 30-day grace period; signing back in during that window cancels the deletion. After 30 days, a scheduled job runs an irreversible cascade that removes your account data, recipe content, cook logs, media, and feedback records. Published recipe links then return a neutral "removed" response. This satisfies the right to erasure (GDPR Art. 17).

Your rights

Under the GDPR and comparable laws, you have the right to:

  • Access — ask what data is held about you.
  • Rectification — correct inaccurate account data.
  • Portability — export your library yourself, at any time, as an Obsidian vault, Notion-compatible files, or a plain markdown zip. Your data leaves in an open format you own.
  • Erasure — delete your account and its data (Art. 17), self-serve as described above.
  • Objection and restriction — object to processing based on legitimate interest.

Export and deletion are self-serve in the application. For the other rights, or any privacy question, write to privacy@proofcook.com. You may also lodge a complaint with your local data-protection authority.

Cookies and tracking

proof. sets one essential cookie: the session cookie that keeps you signed in. There are no advertising cookies, no third-party analytics, and no cross-site trackers at launch. Cloudflare Turnstile may set a short-lived token on signup and waitlist forms purely to verify you are not a bot.

International transfers

Data is hosted on Cloudflare's global network and may be processed in regions outside your own. Where data leaves the European Economic Area, transfers rely on the relevant safeguards (standard contractual clauses) offered by the sub-processors listed above.

Governing law

This policy is governed by the laws of [governing-law country — operator to confirm].

Changes to this policy

Material changes are reflected in the "Last updated" date above. Continued use of the service after a change constitutes acceptance of the revised policy.

Contact

Privacy questions: privacy@proofcook.com. Security matters: the vulnerability-disclosure policy.


© 2026 proof.

Obsidian and Notion are trademarks of their respective owners.