ForkdBack to Forkd
Forkd Legal

Privacy Policy

What we collect, why we collect it, where it lives, and how to ask us to stop. Written to be readable first and lawyer-readable second.

Last updated

Introduction

WeaveHub Technologies LLC, doing business as Forkd (“Forkd,” “we,” “us,” or “our”) operates the Forkd mobile and web applications and the marketing site at tryforkd.com. We help you decide what to order on any menu by comparing it against your personal taste profile.

This Privacy Policy explains what data we collect when you use Forkd, how we use it, who we share it with, and the rights you have over it. It applies to all users worldwide; specific regional rights are called out below.

Plain-English summary. Your taste profile and dining history are yours. We use them to recommend dishes for you. We do not sell your data. Payments are handled by Apple, Google, and RevenueCat — we never see your card. Menu scans are deleted from our storage within 30 days unless they correspond to a recognized restaurant menu we’re caching for everyone’s benefit.

Information we collect

Account identifiers

When you create an account we receive an identifier from your sign-in provider (Apple, Google, or email + phone) via Firebase Authentication. This includes a stable user id, your email address, a display name if you provide one, and a phone number if you choose to sign in with Phone OTP. We do not receive your password from any provider.

Taste profile data

To recommend dishes you would actually love, we build a taste profile for you. It includes: favorite cuisines, ingredient affinity (the things you like and dislike), spice tolerance, texture preferences, allergen flags you have set, regret patterns (dishes you have rated poorly), and a vector embedding that represents the above in a form our recommendation engine can compare against menu items.

Dining history

We store the dining sessions you create in the app: which restaurant, when, what you ordered, what you rated, what you favorited, and what you marked as a dislike. You can delete any session at any time from the app.

Device and usage data

Our hosting provider (Cloudflare) generates access logs containing IP address, user agent, and request metadata. If you opt in, we collect crash reports via Sentry and product analytics via Google Analytics for Firebase. Both are opt-in for EU users; the in-app settings let you turn them on or off at any time.

Payment data

Subscriptions are processed entirely by the Apple App Store, Google Play Store, and RevenueCat. We receive a subscription status (active, trial, expired) and an anonymous subscriber id from RevenueCat. We never see your card number, CVV, or billing address.

Menu scans and photos

When you scan a menu, the image is uploaded to our region-segregated object storage, processed by Google Cloud Vision OCR, and then structured into menu items by an AI model (Gemini). The original image is deleted within 30 days unless the menu is recognized as a published restaurant menu we are caching to save scans for other users.

How we use your information

We use the data we collect to:

  • Generate personalized dish recommendations on every menu you scan.
  • Authenticate your account and keep your taste profile consistent across your devices.
  • Manage your subscription, free trial, and billing through RevenueCat.
  • Detect and prevent fraud, abuse, scraping, and other Terms violations.
  • Improve our recommendation models in aggregate. We do not train general-purpose AI models on your individual data.
  • Communicate with you about service updates, security notices, and (with your consent) occasional product announcements.

We do not sell your personal data, and we do not share it with advertisers.

Where your data lives

Forkd is built on Cloudflare D1 and Cloudflare R2 with strict regional isolation. We operate two independent regions:

  • US region — D1 and R2 in the United States.
  • EU region — D1 and R2 in the European Union.

Your account is pinned to one home region at signup. Application data (your taste profile, dining history, scans) never crosses regions. Your region is encoded into a verified custom claim on your sign-in token so the API can route every request correctly without trusting the client.

Third-party services

The following providers process data on our behalf. Each is bound by a data-processing agreement.

  • Firebase Authentication (Google LLC) — identity and sign-in. Receives the sign-in challenge and returns a verified token.
  • RevenueCat (RevenueCat, Inc.) — subscription and entitlement management. Receives an anonymous subscriber id and store receipts.
  • Google Cloud Vision (Google LLC) — optical character recognition for menu scans.
  • Google AI Studio / Gemini (Google LLC) — converts OCR text into structured menu items behind our AI Gateway.
  • Cloudflare (Cloudflare, Inc.) — hosting, edge compute, database, object storage, and edge analytics.
  • Sentry (Functional Software, Inc., dba Sentry) — opt-in crash reporting. Required opt-in for EU users.

We do not authorize any of these providers to use your data for their own marketing or advertising.

Marketing communications

When you create an account we ask whether you would like to receive occasional product updates from Forkd — new feature announcements, launch news, and the occasional restaurant story. The checkbox is presented during sign-up and your choice is recorded as consent at that moment.

For users who select a European Union region, the checkbox is unchecked by default; you must explicitly opt in for us to email you. For users who select a United States region, the checkbox is checked by default and you may uncheck it before completing sign-up.

Marketing emails are sent through WeaveMarketing, a service operated by our parent company. We pass along your email address, an optional first name, and a consent timestamp. We never share or sell this information with third parties for their own marketing, and we never subscribe you without your consent.

You can unsubscribe at any time using the link in the footer of any marketing email, or by emailing privacy@tryforkd.com. Unsubscribing from marketing does not affect transactional emails (security notices, receipts, account changes) which you continue to receive as long as your account is active.

Your rights

Depending on where you live, you have some or all of the following rights under the GDPR (Articles 15–21), the California Consumer Privacy Act (CCPA), and equivalent laws:

  • Access — ask us for a copy of the personal data we hold about you.
  • Portability — export your taste profile and dining history in a machine-readable format.
  • Correction — ask us to fix anything that is inaccurate.
  • Deletion — ask us to permanently delete your account and all associated data.
  • Restriction and objection — ask us to stop certain processing of your data.
  • Withdraw consent — turn off opt-in analytics and crash reporting at any time from the in-app settings.

To exercise any of these rights, email privacy@tryforkd.com. We will respond within 30 days. We may need to verify your identity before acting on a request.

Children’s privacy

Forkd is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@tryforkd.com and we will delete it.

Data retention

  • Account data — retained until you ask us to delete your account. Deletion is permanent and irreversible.
  • Menu scan photos — deleted from R2 within 30 days of upload unless cached as a recognized restaurant menu.
  • Structured menu data — cached for 1–90 days depending on menu type (specials are shorter; static menus are longer).
  • Taste profile vector — retained for as long as your account is active.
  • Access logs — retained by Cloudflare for the period set in our hosting agreement, typically 30 days.

Security

We protect your data with encryption at rest (Cloudflare D1 and R2), TLS in transit, short-lived JWT-based authentication, and the principle of least privilege for internal access. We require multi-factor authentication for all engineering staff, and we follow a documented incident-response process.

No system is perfect. If you discover a security issue, please email security@tryforkd.com and we will respond promptly.

International data transfers

Your data is stored in the region your account is pinned to. EU users stay in the EU. US users stay in the US. If you travel, your device may briefly route through edge locations outside your home region, but application data is read from and written to your home region only.

For users outside the US and EU, your data is stored in whichever region was closest at signup. [REVIEW WITH COUNSEL] Standard contractual clauses cover any onward transfer between Forkd and our processors.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email and via an in-app banner at least 14 days before the changes take effect. The “Last updated” date at the top of this page always reflects the current version.

Contact us

Questions, concerns, or rights requests? Email privacy@tryforkd.com.

Mailing address: [REVIEW WITH COUNSEL] WeaveHub Technologies LLC, [Street Address], [City, State ZIP], United States.

For users in the European Union, you also have the right to lodge a complaint with your local data protection authority.