
Privacy Policy

Last updated: May 23, 2026

shy-tomato is a recipe app I run by myself. This policy describes what I collect from you, what I don't, what I do with it, and what your rights are. I've tried to keep it short and concrete instead of long and lawyerly.

When this says "I" or "me," that's Wescott Sharples, the operator of shy-tomato. When it says "you," that's you, the user.

1. What I collect

Only what the service needs to work for you:

  • Your email address. This is how you sign in and how I send you account-related messages (magic links, billing receipts, account notices).
  • Sign-in events. When you request a magic link and when you use it, I record that fact and the time. I do this so I can show you a session list later and detect abuse.
  • Session and CSRF cookies. A session cookie identifies you to the service after sign-in. A CSRF cookie helps prevent a class of attacks on forms. Both are HttpOnly, Secure, and SameSite. No third-party cookies.
  • Content you create. Saved recipes, meal-plan entries, notes you write, and the URLs you paste in for import (along with the status of each import).
  • Audit log of account actions. Sign-ins, account deletions, subscription changes, and similar. This lets me reconstruct what happened on an account if you ask or if there's a security question.
  • Server-side logs. Standard request logs needed to run a web service: timestamps, request paths, response codes, IP address. I do not log request bodies, and I do not log personally identifying information beyond what's necessary to operate the app.
  • Billing data, via Stripe. If you subscribe, Stripe collects your payment details on my behalf. I receive a Stripe customer ID, the subscription state, and event notifications. I never see your full card number.

2. What I don't collect

I want to be explicit about this, because the absence of these is itself a feature:

  • No third-party analytics in your browser. No Google Analytics, no Mixpanel, no Amplitude. (At public launch I may add a privacy-respecting analytics tool — Plausible, which uses no cookies and no personal identifiers — and I'll update this policy if I do.)
  • No advertising pixels. No Facebook Pixel, no Google ad tags, no retargeting.
  • No marketing-tracking cookies. Just the session and CSRF cookies above.
  • No precise location data. I don't ask for or receive GPS coordinates.
  • No contacts, address book, or social graph. shy-tomato has no "find friends" surface.
  • No microphone or camera access. shy-tomato doesn't request those.
  • No data brokers, no data sales. I don't sell your data, and I don't buy data about you to enrich your profile.

3. How I use what I collect

  • To run the service: show you your recipes, sign you in, process your imports, run your meal plan.
  • To send you transactional email: magic links, billing receipts, account notices, and replies when you write to me.
  • To detect and prevent abuse: rate-limit attacks, blocked accounts, fraudulent payments.
  • To improve the service: I look at aggregate, non-identifying patterns (how many imports succeed, where extraction fails, which pages error) to fix bugs and prioritize work.

I do not use your data for marketing emails without your explicit opt-in. If I ever add a marketing newsletter, signing up will be a separate, voluntary choice.

I do not use your data to train AI models. Vertex AI (Google's hosted AI service) is used as part of the extraction pipeline — when you paste a link, the recipe content and a prompt are sent to Vertex so it can extract structured fields. Google's terms for Vertex AI commit to not using customer prompts and responses to train its general models. I don't use your data to train models for any other purpose either.

4. Cookies

Two cookies, both first-party:

  • A session cookie that identifies you after sign-in. HttpOnly, Secure, SameSite=Lax.
  • A CSRF cookie that protects mutations against cross-site request forgery. HttpOnly, Secure, SameSite=Lax.

No third-party cookies. No marketing or tracking cookies. No fingerprinting.

If I add Plausible analytics at launch, I'll note it here — Plausible is explicitly cookieless and uses no personal identifiers, so the description above still holds.

5. Who I share data with

shy-tomato uses a small number of service providers to run. Each one is a processor I rely on, not a partner I sell data to.

For each provider, what they do and what they see:

  • Stripe. What they do: payment processing for Pro subscriptions. What they see: your name (if you give it), email, payment method, billing address, subscription history.
  • Resend. What they do: sending transactional email (magic links, receipts, account notices). What they see: your email address and the contents of the email I send you.
  • Google Cloud. What they do: hosting (Cloud Run), database (Cloud SQL), object storage (GCS), AI extraction (Vertex AI Gemini). What they see: whatever your account and recipes consist of; the content of pages and videos you paste for extraction.
  • ScraperAPI. What they do: a third-party HTTP proxy. When the publisher's page resists a direct fetch, I route the request through ScraperAPI. What they see: the URL you pasted; they do not see your shy-tomato account.
  • Instacart (when cart-fill is enabled). What they do: if you click the Shop button on a recipe, I send the recipe's ingredient list to Instacart so they can pre-fill a cart. What they see: the ingredient list; they do not see your shy-tomato account.

Each provider has their own privacy commitments and uses your data only to deliver their service to me.

I will share data with law enforcement or other parties when I'm legally required to (subpoena, court order). If I get such a request, I'll review it for legitimacy and, where the law allows, notify you before complying.

6. Data retention

  • Active accounts. I keep your data for as long as your account is open.
  • Deleted accounts. When you delete your account at shytomato.com/me/delete, your account is marked deleted, your sessions end, your Stripe customer is detached, and your personal data is removed from active query paths. Your row remains as a tombstone (so I can prove the deletion happened) but is not surfaced anywhere a logged-in user can reach. Export at shytomato.com/me/export BEFORE you delete. If you have deleted and still need a copy, email me at [email protected] — I will send your data by hand for 30 days after deletion.
  • Audit log. I log every audit row with user_id, ip_inet (IP address), user_agent, action, metadata, and occurred_at. The IP and user-agent are personal data, and they are retained as part of the tombstone for safe-harbor record-keeping. I keep this so I can answer DMCA and safe-harbor questions later if I'm asked.
  • Backups. Standard backups roll forward and age out on a normal schedule. Deleted data persists in older backups for a short window before it's overwritten.
  • Server logs. Standard operational log retention — typically 30 days.

I want to be honest about the tension here: "delete everything immediately" and "keep an audit trail for safe-harbor protection" are partly in conflict, and I've drawn the line at "mark the account deleted, take the personal data out of active query paths, and preserve a tombstone with the IP / user-agent / action history for safe-harbor."

7. Security

  • All traffic to shy-tomato is over TLS.
  • The app runs on Google Cloud Platform infrastructure — Cloud Run, Cloud SQL (Postgres), Cloud Storage. GCP handles the underlying physical and network security.
  • I don't store passwords. Sign-in is magic-link only.
  • The database is in a single region with point-in-time recovery.
  • Sensitive operational secrets are stored encrypted, not in plain text.

No system is perfectly secure. If something goes wrong and your data is involved, I'll notify you and, where required, the relevant authorities, within the timeframes the law sets.

8. Children

shy-tomato is not for children under 13. I don't knowingly collect personal information from anyone under 13. If you believe a child under 13 has signed up, email me at [email protected] and I'll delete the account.

9. Your rights

You can do the following at any time:

  • Export your data. Go to shytomato.com/me/export while you're signed in. You get a JSON file containing your profile, saved recipes, meal-plan entries, and import history. If you have already deleted your account and need a copy, email me at [email protected] within 30 days of deletion and I will send it by hand.
  • Delete your account. Go to shytomato.com/me/delete. See section 6 for what happens to your data.
  • Update your email address. Use the account settings, or write to me.
  • Ask me a question or make a request. Email [email protected].

If you live in a jurisdiction with formal privacy rights (the EU under GDPR, California under CCPA, and others), the export and delete surfaces above cover the core of those rights — access and erasure. For anything else (correction, objection, restriction of processing, complaints to a supervisory authority), write to me and I'll respond.

10. International users

shy-tomato is hosted in the United States. If you use it from outside the US, your data will be transferred to and processed in the US.

If you're in the EU or UK and want to know more about the basis on which I do that, write to me — at this scale the answer is short and personal, not a legal essay.

11. Changes to this policy

I'll update this policy from time to time. I will post material changes — affecting what I collect or who I share it with — on this page and email registered users when feasible. Smaller changes (clarifications, formatting, address updates) I'll just post.

Your continued use of shy-tomato after a posted change means you accept the updated policy. If you don't want to, delete your account.

12. Contact

Email: [email protected]

Mail: Wescott Sharples, 3727 77th Pl SE, Mercer Island, WA 98040, USA

For DMCA notices, see shytomato.com/dmca.

© 2026 Wescott Sharples
