Privacy Policy
Last updated: April 22, 2026
Quick links
1. Data Controller
The data controller responsible for your personal data is:
Alenzo Collective B.V.
Amsterdam, The Netherlands
Email: Bowie@alenzocollective.com
If you have questions about how your data is processed or wish to exercise your rights, contact us at the email above.
2. What Data We Collect
We collect the following categories of personal data:
Account Data
When you create an account, we collect your email address and, optionally, your name. If you sign in via Google, we receive your name, email address, and profile picture from Google.
Profile & Preferences
During onboarding or in your profile settings, you may provide your cooking skill level, dietary preferences, allergies, and household size. This data is used to personalize recipes and meal suggestions.
Usage Data
We collect anonymized analytics data such as pages visited, features used, and device type. This is collected via Google Tag Manager and processed by Google Analytics.
AI Interaction Data
When you use the AI cooking assistant, your inputs (ingredients, questions, preferences) are sent to our AI provider to generate responses. We may store conversation history to improve your experience.
Technical Data
Our hosting and infrastructure providers automatically collect IP addresses, browser type, and device information for security and performance purposes.
Error and Diagnostic Data
When something breaks in Bowie, we automatically collect error messages, stack traces, the page path where the error happened, and non-identifying browser metadata (browser version, OS, screen size). This is sent to our error-monitoring processor (Sentry — see Section 4) so we can fix bugs before they affect more users. We deliberately disable IP collection and PII forwarding on this pipeline. Legal basis: legitimate interest in service security and reliability (GDPR Art. 6(1)(f)).
3. Why We Process Your Data
We process your data for the following purposes, each with a specific legal basis under GDPR Article 6:
| Purpose | Legal Basis | Retention |
|---|---|---|
| Account creation & authentication | Art. 6(1)(b) — contract performance | Duration of account + 30 days |
| Personalized recipes & meal plans | Art. 6(1)(b) — contract performance | Duration of account |
| AI cooking assistant | Art. 6(1)(b) — contract performance | 90 days (conversation history) |
| Analytics & service improvement | Art. 6(1)(a) — consent | 26 months |
| Security & fraud prevention | Art. 6(1)(f) — legitimate interest | 12 months |
| Email communications | Art. 6(1)(a) — consent | Until unsubscribed |
4. Third-Party Processors
We share data with the following third-party processors. Each acts under a Data Processing Agreement (DPA) with us:
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Supabase | Supabase Inc. | Database, authentication, storage | EU (Frankfurt) |
| Vercel | Vercel Inc. | Hosting, edge functions, deployment | US/EU (SCCs) |
| Stripe | Stripe Payments Europe Ltd. / Stripe, Inc. | Subscription billing, payments, invoices | EU/US (SCCs) |
| Resend | Resend, Inc. | Transactional email (auth, receipts) via SMTP | US (SCCs) |
| OpenAI | OpenAI, L.L.C. | AI recipe generation for Bowie+ subscribers (no training on inputs) | US (SCCs) |
| Nebius AI | Nebius B.V. | AI recipe generation for the free tier and anonymous visitors | EU |
| Google Gemini | Google Ireland Ltd. | Vision (photo-to-recipe) — image processed in-memory, never stored | EU/US (SCCs) |
| fal.ai | fal.ai, Inc. | AI hero-image generation for saved recipes | US (SCCs) |
| Google Analytics | Google Ireland Ltd. | Website analytics (via GTM, consent-gated) | EU/US (SCCs) |
| Google Ads | Google Ireland Ltd. | Advertising and conversion measurement (via GTM, consent-gated) | EU/US (SCCs) |
| Microsoft Advertising | Microsoft Ireland Operations Ltd. | Advertising and conversion measurement via UET (consent-gated) | EU/US (SCCs) |
| Google OAuth | Google Ireland Ltd. | Social sign-in | EU/US (SCCs) |
| Sentry | Functional Software, Inc. (d/b/a Sentry) | Error monitoring and crash diagnostics. Stack traces, browser metadata, and route paths only — no user- identifying request bodies, IP addresses, or auth headers (we set sendDefaultPii: false). Legitimate-interest basis: necessary for service security, debugging, and reliability. | US (SCCs) |
SCCs = Standard Contractual Clauses, the EU-approved mechanism for transferring data to countries without an adequacy decision.
6. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of your data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to restriction (Art. 18) — limit how we process your data
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7) — withdraw consent at any time without affecting prior processing
You can delete your account and all associated data at any time from your profile page. This permanently removes your profile, saved recipes, usage history, and cancels any active subscription. For all other requests, email Bowie@alenzocollective.com. We will respond within 30 days.
7. Your U.S. Privacy Rights (CCPA / CPRA and state laws)
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another U.S. state with a comprehensive privacy law, you have additional rights regarding the personal information we collect about you. We extend the rights described in this section to all U.S. residents, regardless of the state they live in.
Categories of personal information we collect (CCPA)
In the past 12 months we have collected the following CCPA categories of personal information from U.S. consumers:
| CCPA category | Examples | Source |
|---|---|---|
| Identifiers | Email address, name, IP address, account ID | You (signup), Google OAuth (if used), Vercel |
| Commercial information | Subscription status, billing history, payment method last-4 | Stripe |
| Internet or other network activity | Pages visited, recipes generated, ad-click attribution | Google Analytics, Google Ads, Microsoft Advertising |
| Geolocation (approximate) | Country and city inferred from IP address | Vercel edge geo headers |
| Inferences | Cooking skill, dietary preferences (only what you tell us) | You (onboarding / profile) |
We do not collect: precise geolocation, biometric information, sensitive personal information (race, religion, health, sexual orientation, immigration status, union membership, communications content), or personal information from minors under 16.
Purposes
We use this information to provide and improve the Service, to process your subscription, to personalize recipes, to measure the performance of our marketing campaigns, to prevent fraud, and to comply with legal obligations.
“Selling” and “sharing”
We do not sell personal information for money. However, when you consent to advertising cookies, we share certain identifiers and internet-activity information with Google Ads and Microsoft Advertising for cross-context behavioural advertising (commonly called “sharing” under the California CPRA). You can opt out at any time — see Do Not Sell or Share My Personal Information below. We do not knowingly sell or share personal information of consumers under 16 years of age.
Your rights
If you live in a U.S. state with a comprehensive privacy law, you have the right to:
- Know — what personal information we have collected about you and how we use it
- Access / Portability — receive a copy of your personal information in a portable format
- Correct — fix inaccurate personal information
- Delete — request deletion of your personal information (subject to certain exceptions, e.g. tax records we are legally required to keep)
- Opt out of sale or sharing for cross-context behavioural advertising — see below
- Limit use of sensitive personal information — not applicable to us, since we do not collect such information
- Non-discrimination — we will never charge you a different price, deny service, or provide a lower quality of service because you exercise any privacy right
- Appeal a denied request (Virginia, Colorado, Connecticut residents)
How to exercise these rights: Email Bowie@alenzocollective.com with the subject line “U.S. privacy request” and tell us which right you want to exercise. We will verify your identity by asking you to confirm the request from the email associated with your Bowie account, and respond within 45 days (extendable to 90 days for complex requests). You can also delete your account and all associated data instantly from your profile page with no email required.
Authorized agents: California, Virginia, and Colorado residents may use an authorized agent to submit requests on their behalf. The agent must provide written permission signed by you, and we may still ask you to verify your own identity.
California Shine the Light
California Civil Code §1798.83 permits California residents to request information about disclosures of personal information to third parties for direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes.
8. Do Not Sell or Share My Personal Information
You have the right to opt out of any “sale” or “sharing” of your personal information for cross-context behavioural advertising. To opt out:
- Cookie banner.Open the cookie preferences from the link in our footer and turn off “Advertising”. Your choice is stored in a cookie on your browser and signalled to our ad partners through Google Consent Mode v2.
- Global Privacy Control (GPC). If your browser or browser extension sends a Global Privacy Control signal, we treat it as a valid opt-out request for that browser automatically — no further action needed.
- Email. Send a request to Bowie@alenzocollective.com with the subject “Do Not Sell or Share” and the email address associated with your Bowie account.
We honour opt-out requests for the device or account they apply to. If you opt out and later log in on a new device, you will need to opt out again on that device (or send an email request we can apply account-wide).
9. Data Security
We protect your data with industry-standard measures including encryption in transit (TLS), encryption at rest, Row Level Security (RLS) on our database, and secure authentication via Supabase Auth. Access to production data is restricted to authorized personnel only.
10. Children's Privacy (COPPA)
Bowie is not directed to children under 13 in the United States and we do not knowingly collect personal information from them. The Service is intended for users aged 16 and older (or the age of digital consent in your country, whichever is higher). We rely on the age statement you make at signup and do not knowingly market to children.
If you are a parent or legal guardian and believe your child under 13 has created an account or provided us with personal information, please contact us at Bowie@alenzocollective.com and we will delete the account and all associated personal information promptly, in accordance with the U.S. Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§6501 et seq.
11. Supervisory Authority
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
12. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be communicated via email or an in-app notice. The “last updated” date at the top reflects the most recent revision.
Questions? Reach out at Bowie@alenzocollective.comand we'll get back to you within 30 days.