Cookie Policy

What cookies and similar technologies Spoonify uses, why we use them, and the controls you have.

Effective: May 26, 2026
Applies to: Spoonify web and mobile apps

The short version

Like most modern websites and apps, Spoonify uses cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Service is used. We do not use third-party advertising cookies and we do not sell your personal information.

This Cookie Policy is part of our Privacy Policy. Words like “personal information” and “Service” have the same meaning there.

What cookies and similar technologies are

A cookie is a small text file that a website asks your browser to store. When you come back, the browser sends the cookie to the website so it knows things like “this person is signed in” or “they prefer metric measurements.”

We also use a few related technologies:

Local storage — a larger, longer-lived version of a cookie that stays on your device until cleared.
Session storage — storage that is cleared when you close the tab.
Pixels and beacons — tiny images or scripts embedded in emails or pages so we can tell whether they were opened.
Mobile SDKs — libraries inside the Spoonify mobile app that perform similar functions to cookies (e.g., storing a session token securely on your device).

We refer to all of these collectively as “cookies” in the rest of this page for simplicity.

The categories we use

Strictly necessary

These cookies are required for the Service to work. They sign you in, keep your session active, protect forms from cross-site request forgery, and remember the cookie choices you have made. You cannot turn these off through the cookie banner, although you can block them in your browser — doing so will break parts of the app.

Functional

These cookies remember choices you make to give you a more personalized experience, such as your measurement units (metric vs. imperial), language, and saved display preferences.

Analytics

These cookies help us measure and understand how the Service is used in aggregate — which pages are popular, where people drop off, and which features are working. We use privacy-protective analytics tools with IP anonymization and we do not use them for advertising.

We do not use advertising or targeting cookies, and we do not allow third parties to drop advertising cookies through the Service.

Cookies we use

The exact list of cookies you encounter depends on whether you are signed in, which features you use, and whether you have opted in to analytics. The table below covers the cookies most users will see.

Name	Provider	Purpose	Duration	Category
sb-access-token	Spoonify (Supabase)	Authenticates your session so you stay signed in across page loads.	1 hour (rotated)	Strictly necessary
sb-refresh-token	Spoonify (Supabase)	Lets us refresh your authenticated session without asking you to sign in again.	30 days	Strictly necessary
spoonify-csrf	Spoonify	Prevents cross-site request forgery attacks against forms and account actions.	Session	Strictly necessary
spoonify-prefs	Spoonify	Remembers display preferences like measurement units, theme, and language.	1 year	Functional
spoonify-consent	Spoonify	Stores your cookie consent choices so we do not ask you again on every visit.	12 months	Strictly necessary
_ga, _ga_*	Google Analytics 4 (anonymized)	Aggregated analytics that help us understand which pages are useful. IP addresses are truncated and we do not enable advertising features.	Up to 24 months	Analytics
__stripe_mid, __stripe_sid	Stripe	Set by Stripe on checkout pages to detect fraudulent payment activity.	1 year / 30 minutes	Strictly necessary

Cookie durations are the maximum lifetime; we may rotate or clear them sooner. Names with a wildcard (*) cover related cookies set by the same provider.

SDKs in the mobile apps

The Spoonify mobile apps use SDKs from a small number of vendors to provide core functionality. These do not set browser cookies, but they may store identifiers and tokens on your device.

SDK	Provider	Purpose
Supabase SDK	Supabase	Authentication, database, and storage. Stores session tokens in secure on-device storage.
Stripe SDK	Stripe	Processes payments for subscriptions and paid recipes; runs anti-fraud checks.
Expo Notifications	Expo / APNs / FCM	Delivers push notifications you have opted into, such as comments or new posts from chefs you follow.
Sentry SDK	Sentry	Captures crashes and errors so we can fix bugs. Configured to redact personal data from event payloads.

Third-party cookies

A few of the cookies described above are set by third parties on our behalf. We choose vendors carefully and configure them to minimize the personal data they receive.

Stripe — for fraud detection on payment pages. See Stripe’s cookie settings.
Google Analytics (anonymized) — for aggregated usage analytics. You can install the Google Analytics opt-out browser add-on to opt out across all sites that use it.

When you embed Spoonify content on another site (for example, via an oEmbed link), that site’s own cookies and privacy practices apply.

Your choices

Cookie banner

The first time you visit Spoonify on the web from a region where consent is required, you will see a cookie banner. You can accept all, reject non-essential, or open the details panel to choose category by category. You can change your choices at any time from the “Cookie preferences” link in the footer.

Browser settings

Most browsers let you block or delete cookies through their settings. Blocking strictly necessary cookies will prevent you from signing in or using parts of the Service. The guides below explain how:

Mobile app

In the Spoonify mobile app you can control analytics and crash reporting from Settings → Privacy → Diagnostics & usage. To reset your device’s advertising identifier or limit ad tracking at the OS level, use your phone’s privacy settings.

Do Not Track and Global Privacy Control

Browsers send signals that express your preferences about tracking. There is no consistent industry standard for “Do Not Track,” so we do not respond to it. Where required by law, we treat the Global Privacy Control signal as a valid opt-out of sales or sharing of personal information — though, as noted above, we do not sell or share personal information.

Regional notes

EEA, UK, and Switzerland

Where required by the GDPR, UK GDPR, ePrivacy rules, or the Federal Act on Data Protection, we ask for your prior consent before setting non-essential cookies. You can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

California

Spoonify does not sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA. California residents can still exercise their other privacy rights described in our Privacy Policy.

Changes to this policy

We may update this Cookie Policy from time to time as we add features or change providers. When we make material changes we will update the “Effective” date at the top of this page and, where appropriate, notify you in the Service.

Also worth reading

The bigger picture: what we collect and how we use it across the Service.

The agreement that governs your use of Spoonify, including paid features.