CurinationBack to app

Privacy Policy

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you use this website. Personal data is any data that can be used to personally identify you.

Responsible Party

MR2Consulting Ltd.
Evagora Pallikaridi 38
8010 Paphos, Cyprus
Email: info@curination.com

2. Data Collection on Our Website

Registration and User Account

During registration, we collect the following data:

  • Email address
  • Password (stored encrypted)
  • Display name
  • First and last name (optional)

This data is processed to provide your user account and app features. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).

Profile Information

You may voluntarily provide additional information (country, region, experience level, equipment, social media profiles). This data is used to personalize your experience and is only processed with your consent (Art. 6(1)(a) GDPR).

Project Data

All project data you enter (purchases, spice mixtures, smoking sessions) is stored in our database to provide you with app functionality. Legal basis: Art. 6(1)(b) GDPR.

3. Voice Input

Curination offers an optional voice input feature. When you use it:

  • Your audio recording is sent to OpenAI (Whisper API) for transcription.
  • The transcribed text is sent to Anthropic (Claude API) for analysis.
  • Audio recordings are not permanently stored — they are only transmitted for the duration of processing.
  • The use of voice input is voluntary. All features are also available without voice input.

Legal basis: Art. 6(1)(a) GDPR (consent through active use of the feature).

4. External Service Providers

Hosting: Vercel

Our website is hosted by Vercel Inc. (San Francisco, USA). When visiting our website, information (e.g. IP address, browser type) is automatically stored in server log files. Legal basis: Art. 6(1)(f) GDPR.

Database: Neon

Your data is stored in a PostgreSQL database at Neon Inc. (USA). Data transfer is encrypted (SSL/TLS).

Image Storage: Cloudflare R2

Uploaded images (profile pictures, recipe photos) are stored at Cloudflare Inc. using R2 object storage with EU data residency and delivered via a Content Delivery Network (CDN).

Speech Recognition: OpenAI

For optional voice input, we use the Whisper API from OpenAI Inc. (USA). Audio recordings are transmitted for transcription and are not used by OpenAI for training purposes (API usage).

AI Analysis: Anthropic

For analysis of voice input and automatic translations, we use the Claude API from Anthropic (USA). Transmitted texts are not used for training purposes (API usage).

Email: Resend

For sending transactional emails (verification, password reset, notifications), we use the service Resend Inc. (USA). Only your email address and the email content are transmitted.

5. Your Data, Your Recipes

All recipes, projects, and personal data you create in Curination belong to you. We only use your data to provide the app's functionality. Specifically:

  • Your recipes and projects are never used for AI training.
  • Your data is never sold or shared with third parties for marketing purposes.
  • If you share a recipe publicly, other users can view, rate, and comment on it. You can revoke public sharing at any time.
  • You can export all your data at any time (Art. 20 GDPR).

Account Deletion

You can request account deletion at any time in your settings. During the request, you choose whether your public recipes should remain in the library or be deleted entirely. An admin reviews and confirms the deletion. After confirmation, your personal data is permanently removed within 30 days.

6. Data Transfer to Third Countries

Some of our service providers are based in the USA. Data transfer is based on the EU-US Data Privacy Framework or Standard Contractual Clauses (Art. 46 GDPR).

7. Your Rights

You have the right to:

  • Access to your stored data (Art. 15 GDPR)
  • Rectification of incorrect data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Withdrawal of given consent (Art. 7(3) GDPR)

To exercise your rights, contact: info@curination.com

8. Cookies

We only use technically necessary cookies:

  • Session-Cookiefor authentication (login)
  • Language cookiestores your preferred language (DE/EN)
  • Theme-Cookiestores your preferred appearance (light/dark)

We use Vercel Analytics for anonymous, privacy-friendly website analytics. No personal data is collected, no cookies are set by Analytics, and no data is shared with third parties. No additional tracking, analytics, or advertising cookies are used.

9. Data Security

We implement the following security measures:

  • SSL/TLS encryption for all data transfers
  • Passwords stored with bcrypt hashing (12 rounds)
  • Security tokens (password reset, email verification) are hashed in the database (SHA-256)
  • Rate limiting on authentication endpoints to prevent brute force attacks
  • Server-side file validation (magic bytes) for all uploads
  • Security headers (X-Frame-Options, Content-Type-Options, Referrer-Policy)
  • SSRF protection on external URL imports
  • Session expiration after 7 days of inactivity
  • Audit logging for all administrative actions
  • Access to production databases restricted to authorized personnel

10. Changes

We reserve the right to update this privacy policy to adapt it to changed legal situations or changes to the service. The current version published on the website always applies.

Last updated: May 2026