Privacy

What this site stores about you, where, for how long, and how to opt out. Written in plain English. Last updated 2026-06-27.

What gets stored

1. In your browser (localStorage)

The site keeps a few preferences in your browser's localStorage so they survive page reloads. This data never leaves your machine.

  • Unit preference (metric / imperial)
  • Liked recipes (per-slug flags, e.g. like_carbonara)
  • Ratings you've given (per-slug values, e.g. rated_carbonara)
  • Your consent choice (cookie_consent_v2)

2. Standard server logs

Every HTTP request is logged for traffic analysis and security. Logs include:

  • IP address (used to derive country / network / hosting flags via ip-api.com)
  • User-Agent string and standard browser headers
  • Requested path and HTTP method
  • Response status and timing
  • TLS fingerprint (JA3/JA4) used for bot detection
  • A session cookie (bot-session, opaque UUID, HttpOnly, 7-day max-age)

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) for security and operational analytics. Retention: 7 days for raw request logs, rolling. Aggregated counts may be kept longer.

3. Interaction signals (consent-gated in the EU/UK/EEA)

If you accept cookies, a small first-party script sends anonymous interaction signals so I can see what's being read:

  • Page views and referrer
  • Time on page (dwell)
  • Click / scroll / keyboard event counts (not the content)
  • Viewport / screen dimensions
  • Browser features the page detects (timezone, language, canvas / WebGL fingerprint hash)

If you reject, none of this is collected. The server still keeps the request logs above (those are security data under legitimate interest, not analytics).

4. Chat widget submissions

The "Chef Marco" chat widget at the bottom-right is opt-in: messages are only submitted if you type them. The widget itself is gated behind the same consent as interaction tracking and won't load if you reject. Messages are stored to debug the bot patterns; they aren't shared, sold, or used for any other purpose.

What this site does not do

  • No third-party trackers (no Google Analytics, no Facebook Pixel, no ad networks)
  • No advertising, ever
  • No selling or sharing of personal data
  • No cross-site tracking
  • No email or contact information beyond what you choose to send via the contact form

Third parties

Two external services are touched server-side, never by your browser directly:

  • ip-api.com: each unique visitor IP is sent once for country / network / hosting / proxy lookup. No personal data beyond the IP itself. ip-api's terms: ip-api.com/docs/legal.
  • Google Fonts: the site fonts (Inter, Inter Tight) are loaded from fonts.googleapis.com, which sees your IP and User-Agent. Google's font privacy policy: developers.google.com/fonts/faq/privacy.

Your rights (EU / UK / EEA visitors)

Under GDPR / UK GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. To exercise any of these, email the address on the contact page.

You can also withdraw consent at any time by clicking Cookie preferences in the footer of any page. This wipes the consent flag in your browser and re-opens the banner on the next page load.

If you believe processing here violates GDPR, you can lodge a complaint with your local data protection authority. For the EU, see edpb.europa.eu. For the UK, see the ICO (ico.org.uk).

California (CCPA / CPRA)

This site does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of under the CCPA "Do Not Sell or Share" right.

Changes

If this notice changes materially, I'll update the "Last updated" date at the top and, where relevant, re-prompt for consent.