Privacy Policy
Last updated: March 26, 2026
Sumac ("we," "us," "our") operates the website getsumac.com and the Sumac mobile application. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
What We Collect
- Account information: email address, display name, and authentication credentials (via Apple Sign-In or Google Sign-In).
- Taste profile: dietary restrictions, allergies, cuisine preferences, skill level, household size, and nutrition targets you provide during onboarding.
- Recipe data: recipes you generate, adapt, save, and rate — including ingredients, instructions, and your personal notes.
- Usage data: generation counts, feature interactions, and anonymous analytics to improve the product (via Vercel Analytics).
- Payment information: if you subscribe to Sumac Pro, billing is processed by Stripe. We never store your full card number — Stripe handles all payment data under PCI-DSS compliance.
How We Use Your Data
- Personalization: your taste profile and recipe history power AI-generated recipes tailored to your preferences.
- AI processing: recipe generation and adaptation use third-party AI models. We send your preferences and recipe context to the model — never your email, name, or payment details.
- Product improvement: anonymous, aggregated usage data helps us understand which features matter and where to invest.
- Communication: transactional emails (password resets, billing receipts) and, only with your opt-in, product updates.
Data Storage & Security
Your data is stored in Supabase (PostgreSQL) with row-level security policies. Data is encrypted in transit (TLS) and at rest. Our application is hosted on Vercel with automatic HTTPS.
Third-Party Services
- Supabase — database hosting and authentication.
- Stripe — payment processing for Sumac Pro subscriptions.
- Vercel — hosting, analytics, and performance monitoring.
- AI providers — recipe generation (no personal identifiers are sent).
Google User Data
When you sign in with Google, we access the following data from your Google account:
- Email address: used to create and identify your Sumac account.
- Display name: used to personalize your experience within the app.
- Profile photo: displayed as your avatar within Sumac. Stored as a URL reference only.
Sumac's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell it to third parties, and do not use it for purposes unrelated to providing Sumac's core recipe functionality.
We Never Sell Your Data
We do not sell, rent, or trade your personal information to third parties. Period.
Your Rights
Depending on your location, you may have rights under the GDPR (EU/EEA) or CCPA (California). These include:
- Access: request a copy of the data we hold about you.
- Correction: update or correct inaccurate information.
- Deletion: request that we delete your account and associated data.
- Portability: receive your data in a structured, machine-readable format.
- Opt-out: you can opt out of non-essential data collection at any time.
To exercise any of these rights, email us at privacy@getsumac.com. We will respond within 30 days.
Cookies
We use essential cookies for authentication and session management. Vercel Analytics is privacy-friendly and does not use cookies or track users across sites. We do not use advertising cookies.
Children's Privacy
Sumac is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with data, contact us and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. Continued use of Sumac after changes constitutes acceptance.
Contact Us
Questions about this policy? Reach us at privacy@getsumac.com.