Legal

Privacy Policy

Last updated: July 16, 2026

Twist Labs, SIREN 807437645, located at 8 Bis Rue Abel, 75012 Paris, France, is the operator of Cookping and the data controller identified in this policy (“Cookping”, “we”, “us”). This policy explains what personal data we process, why, and what rights you have over it. It covers the marketing site, the creator dashboard, public recipe pages, and the Instagram comment-to-DM delivery service.

1. Data we collect about creators

  • Account data — your name, email address, and authentication identifiers, managed through our sign-in provider, Clerk.
  • Content you create — recipe content and cover image files, recipe page settings, automation configuration (keywords, messages, button labels, links), and any custom URLs you configure.
  • Instagram data — when you connect an Instagram account: account and profile metadata, your posts and Reels metadata, comments on those posts, and message delivery events, received through the official Meta APIs and webhooks.
  • Billing data — your plan, subscription status, and payment history. Card details are handled by our payment processor (Stripe); we never store full card numbers.
  • Usage and diagnostics — product analytics events (pages viewed, features used) and error and performance diagnostics, as described in section 4.

2. Data we process about followers, for creators

When a follower interacts with a creator's automation or recipe page, we process a limited set of data so the service can work:

  • comments containing a trigger keyword, and the Instagram-scoped user ID of the commenter;
  • direct-message events and their timestamps — we keep the time of the last inbound message so we never send outside Instagram's allowed 24-hour messaging window;
  • when a creator enables follow-gating, the result of Instagram's follow-status check;
  • recipe page visits and link clicks, aggregated into creator analytics;
  • email addresses that followers voluntarily submit on a recipe page, shared with the creator who owns that page.

We process this data to provide the service to the creator whose account or page the follower interacted with. Followers can exercise the rights in section 9 with us or with that creator.

3. How we use data

  • operating the service: publishing recipe pages and delivering automated messages;
  • enforcing Instagram's messaging rules, plan quotas, and abuse limits, and sending service emails such as quota alerts (via our email provider, Resend);
  • parsing recipes you import: the text or caption you submit is sent to our AI provider (OpenAI) solely to structure it into a recipe;
  • billing and account management;
  • measuring, debugging, and improving the product;
  • security, fraud and abuse prevention, and compliance with legal obligations.

We do not sell personal data, and we do not use it for third-party advertising.

4. Cookies and analytics

  • Authentication cookies — Clerk sets cookies required to keep you signed in.
  • Product analytics — we use PostHog, hosted in the EU, to understand how the product is used.
  • Error monitoring — we use Sentry to collect errors and performance data. Session replays are masked: text, inputs, and media are blocked from capture.

5. Service providers

We share data with processors only as needed to run the service: Clerk (authentication), Meta/Instagram (messaging and webhooks), Stripe (payments), OpenAI (recipe import parsing), Resend (transactional email), Sentry (error monitoring), PostHog (analytics, EU-hosted), Render (cloud hosting in the Frankfurt region), and our database (PostgreSQL) and object storage providers for recipe images. Each provider is bound by its own data-processing terms.

We may also disclose data if required by law, to protect our rights or users, or as part of a merger, acquisition, or sale of assets.

6. Instagram platform data

Data received from Meta's APIs is used only to provide the features you asked for, in line with Meta's Platform Terms. Disconnecting an Instagram account stops the connection and clears its access credentials. A verified Meta data-deletion request also removes our copies of the matched account profile, media metadata and thumbnails, comments, messaging events, delivery records, contacts, and credentials. It does not delete accounts, posts, Reels, comments, or messages held by Meta, and a message already delivered to another person's inbox cannot be recalled.

Once an Instagram caption has been successfully imported and converted into a Cookping recipe, the recipe and its Cookping-hosted recipe image are treated as content you created in Cookping. They remain after Meta-only deletion, while the original Instagram URL, caption, account identifier, and other Meta source metadata are removed from the import record. Deleting your full Cookping account also deletes those imported recipes and images. You can request deletion at any time using the dashboard or the contact below.

7. Legal bases

Where the GDPR applies, we rely on: performance of a contract (running your account and automations), legitimate interests (security, abuse prevention, product analytics, service communications), consent where required (for example a follower submitting their email), and legal obligations (accounting and tax records).

8. Retention

We keep personal data for as long as your account is active and as long as needed for the purposes above. A valid deletion request starts immediately. We delete active-system data as soon as reasonably possible and no later than 30 days, except for narrow records we are legally required to retain. Inaccessible backups expire on a rolling schedule of no more than 30 days. A temporary, pseudonymous deletion request reference is retained for 30 days to prevent account recreation and support safe retry or backup recovery, then removed.

9. Your rights

Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data, and to object to or restrict certain processing. To exercise these rights, email cookping.app@gmail.com. If you are in the EU/EEA, you can also lodge a complaint with your supervisory authority (in France, the CNIL).

10. Security

Data is encrypted in transit, access is restricted to what operating the service requires, and provider credentials are stored as secrets. No system is perfectly secure, but we work to protect your data and will notify you of breaches as the law requires.

11. International transfers

Some of our providers process data outside the EU/EEA (for example in the United States). Where they do, transfers rely on safeguards such as the EU Standard Contractual Clauses or an adequacy decision (including the EU-US Data Privacy Framework where the provider is certified).

12. Children

Cookping accounts are for adults (18+). The service is not directed at children, and we do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us and we will delete it.

13. Changes to this policy

We may update this policy as the service evolves. If a change is material, we will give notice (for example by email or an in-app notice) before it takes effect. The date at the top shows the latest revision.

14. Contact

For any privacy question or request, email cookping.app@gmail.com or write to Twist Labs, 8 Bis Rue Abel, 75012 Paris, France.