Shuckly

© 2026 Einherjar Systems Limited. All rights reserved.

Privacy Policy

Effective: 25 April 2026 · Last updated: 25 April 2026

We try to keep this policy short, plain, and specific to what Shuckly actually does. If anything here is unclear, email us — we'll explain it in real words.

Contents

  1. Who we are
  2. What we collect
  3. Third parties
  4. What we don't do
  5. Your rights
  6. Data retention
  7. Children
  8. Security
  9. Changes
  10. Contact

1. Who we are

Shuckly is operated by EINHERJAR SYSTEMS LIMITED, a New Zealand limited company based in Auckland. In this policy, “we”, “us”, and “Shuckly” mean Einherjar Systems Limited.

You can reach us about anything in this policy at support@shuckly.app.

2. What we collect

We try to collect as little as possible. Here's the full list of what ends up on our servers when you use Shuckly:

Account information

Your email address, your display name, and a one-way hash of your password (generated with bcrypt at 12 rounds — we cannot read your actual password, even if we wanted to). If you sign up with Google, we receive your name, email, and Google account ID, but no password.

Recipes you create

The source URLs you paste, the extracted ingredients, equipment, steps, tags, cookbooks you organise them into, and any edits you make. This is the core data the product needs to work — without it, there's nothing to show you.

Grocery lists

Items generated from your recipes (or added manually), check-off state, and optional store/aisle assignments. We may also store the price quotes that appear in your list — but those are looked up from public catalogues and cached across all users, not tied to you personally.

Usage logs

Every time you extract a recipe, we record: the timestamp, which AI provider was used, and whether the request succeeded. This lets us enforce the free tier's weekly extraction limit, debug failures, and detect abuse. We do not log the contents of your AI prompts or responses beyond what is already saved as a recipe in your account.

Technical request logs

Our hosting provider (Vercel) records standard server logs — IP address, user agent, request path, response code, timestamp — for short retention windows. These are used for security, abuse prevention, and operational troubleshooting only.

What we do NOT collect

We do not collect your contacts, location, photos, microphone, advertising identifiers, biometric data, or health data. The mobile app does not request any of these permissions. We do not run third-party analytics SDKs at this time. We do not track you across other websites or apps.

3. Third parties we send data to

We use a small number of vendors to actually run the service. Each of them is listed below with what we send and why. Their own privacy policies cover what they do with that data once it reaches them.

Supabase (PostgreSQL hosting)

All the data described in section 2 (account info, recipes, grocery lists, usage logs) lives in a PostgreSQL database hosted by Supabase. Data residency is currently in their EU/US regions; this matters for GDPR users — see section 5.

Vercel (hosting)

Vercel runs the web app and API. They see standard request metadata (IP, user agent, path) but do not persistently store your application data — that lives in Supabase.

AI processing (only when you extract a recipe)

We send the content extracted from your URL (transcript text, blog article body, video metadata) to a third-party AI service to convert it into a structured recipe. That service's privacy policy applies to the request. We don't send your account info — just the recipe content needed to produce the output.

Instagram content fetching

When you paste an Instagram URL, we use a third-party service to fetch the post on our behalf. We send only the URL you pasted. We do not send or have access to your Instagram account — Shuckly doesn't connect to your Instagram account at all.

Grocery price lookup

When we look up a price for a grocery item that isn't already in our shared catalogue, we send the ingredient name (e.g. “butter 500g”) to a third-party service to query public NZ supermarket data. We don't send your account or recipe info.

Google OAuth (if you choose Google sign-in)

We use Google's standard OAuth flow only to verify your identity and retrieve your name and email. We don't request access to Drive, Gmail, Calendar, or any other Google service.

4. What we don't do

For the avoidance of doubt:

  • We do not sell your personal information to anyone.
  • We do not share your data with data brokers.
  • We do not display advertising and do not run ad-targeting cookies, pixels, or SDKs.
  • We do not build profiles for ad-targeting purposes, our own or anyone else's.
  • We do not read your AI conversations beyond what is saved as a structured recipe.
  • We do not access your phone's contacts, photos, microphone, or location.

5. Your rights

Depending on where you live, different privacy laws apply. We try to honour all of them for everyone. Specifically:

  • New Zealand (Privacy Act 2020): you have the right to access and correct any personal information we hold about you.
  • EU / UK (GDPR): in addition, you have rights to deletion (“right to be forgotten”), to portability (data export), to restrict or object to processing, and to lodge a complaint with your local supervisory authority.
  • California (CCPA / CPRA): rights to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We don't sell or share data for cross-context behavioural advertising, so the opt-out isn't something you need to exercise — but you still have it.

To exercise any of these rights, email support@shuckly.app. We'll respond within 30 days. We may need to verify your identity before acting on a request affecting account data.

6. Data retention

We keep your account data — recipes, cookbooks, grocery lists, settings — for as long as your account is active. If you delete your account, we permanently remove all of your personal data within 30 days.

Limited exceptions: anonymised, aggregated usage counts (e.g. “X extractions in March”) may persist in operational metrics; system backups expire on their own rotation (typically within 30 days). Backups are not independently searchable and are not used for anything other than disaster recovery.

7. Children

Shuckly is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, contact us and we'll remove it.

8. Security

Specific things we do to protect your account and your data:

  • Passwords are hashed with bcrypt at 12 rounds — we cannot read your actual password, and we never store it in plain text.
  • Mobile sessions use short-lived JWT access tokens (15 min) with audience claims, plus rotating refresh tokens (30 days) stored as a SHA-256 hash on the server — even a database compromise wouldn't expose usable session tokens.
  • All traffic uses HTTPS; we don't serve any of the app over plain HTTP.
  • Sensitive endpoints are rate-limited (signup, login, refresh, extraction) to prevent brute-force and abuse.
  • Outbound URL fetching is protected by an SSRF guard that blocks private network ranges and cloud metadata endpoints.

No security model is perfect. If you discover a vulnerability, please email us responsibly at support@shuckly.app rather than disclosing it publicly.

9. Changes to this policy

If we make material changes to this policy — for example, adding a new third-party processor or changing what we collect — we'll update the “Last updated” date at the top and email registered users at least 14 days before the changes take effect. Minor edits (typos, clarifications) may be made without notification.

10. Contact

Questions, requests, complaints, or feedback about this policy? We read every email.

Einherjar Systems Limited
Auckland, New Zealand
support@shuckly.app

See also our Terms of Service.