Hearth Application
Last updated: 28 March 2026
527Studios Limited ("527Studios", "we", "us", "our"), a company incorporated in England and Wales (company registration number 17067398), operates the Hearth mobile application (the "App"). This Privacy Policy is a transparency notice. It explains what personal data we collect about you, why we collect it, the lawful basis on which we process it, who we share it with, how long we keep it, and what rights you have in relation to it.
We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. Where users are located in the European Union, we apply the EU General Data Protection Regulation ("EU GDPR") to the extent applicable.
For any questions about this Policy, contact us at 527studioslimited@gmail.com.
The data controller responsible for your personal data is:
527Studios Limited
Company number: 17067398
Registered office: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom
Email: 527studioslimited@gmail.com
Website: https://www.527studios.co.uk/
What we collect: Your email address; a securely hashed credential (email/password sign-in); or an identity token and, subject to your Apple privacy settings, your name and email address (Sign in with Apple). We also store authentication tokens and session identifiers required to keep you signed in.
Source: Provided directly by you at registration.
Lawful basis: Performance of a contract — this data is necessary to create and maintain your account and provide access to the App.
What we collect: Your chosen username (if set) and avatar selection (if set). Your username and avatar are visible to other registered users if you publish content to the Social Feed.
Source: Provided directly by you.
Lawful basis: Performance of a contract.
What we collect: Recipes you save, including: title, ingredients, steps, cooking time, difficulty, estimated macronutrient and calorie information, personal notes, star ratings, cook counts, and display preferences (emoji).
Source: Provided directly by you, or generated via AI extraction at your request.
Lawful basis: Performance of a contract.
What we collect: The recipe collections you create and the recipe assignments within them.
Source: Provided directly by you.
Lawful basis: Performance of a contract.
What we collect: Your weekly meal plan, mapping saved recipes to specific days and meal slots across multiple weeks.
Source: Provided directly by you.
Lawful basis: Performance of a contract.
What we collect: The last 6 recipes you have extracted via the scan feature (from a URL or an image), including the extracted recipe data and a timestamp. Entries beyond this limit are deleted automatically.
Source: Generated by your use of the scan feature.
Lawful basis: Performance of a contract.
What we collect: The publication status of your recipes (whether and when you chose to post them to the Social Feed), votes you cast on other users' recipes, your friend connections, and your accumulated ranking points. Your posted recipes, username, and avatar are visible to other registered users of the App.
Source: Generated by your use of the social features.
Lawful basis: Performance of a contract, and our legitimate interests in operating community features, preventing abuse, and maintaining the integrity of the Social Feed.
What we collect: Timestamps associated with recipe saves, scans, and publications; the source type of each extraction (video URL or image).
Source: Generated automatically by your use of the App.
How used: Solely to operate and maintain the App. Not used for advertising, profiling, or any purpose beyond service operation.
Lawful basis: Our legitimate interests in operating and maintaining the App.
What we collect: Confirmation of whether your subscription is active, managed by RevenueCat on our behalf. We do not receive, store, or process your payment card details; these are handled exclusively by Apple.
Source: Received from RevenueCat following an App Store transaction.
Lawful basis: Performance of a contract.
What we collect: A randomly generated device identifier, created and stored locally on your device before you create an account. Used solely to enforce rate limits on recipe extraction during onboarding.
Source: Generated automatically on your device at first launch.
Lawful basis: Our legitimate interests in preventing service misuse and managing operating costs.
What we collect: Your IP address, processed server-side when you submit a recipe extraction request, solely as a secondary rate-limiting measure. IP addresses are not stored persistently and are not linked to your account profile.
Source: Transmitted automatically as part of network requests.
Lawful basis: Our legitimate interests in preventing service misuse and managing operating costs.
At the time of writing, we do not collect or process:
This section reflects the current state of the App. It will be updated before any new SDK or data collection capability is introduced.
The App is not directed at persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that personal data has been collected from a person under 18, we will suspend the account and delete or anonymise the associated data within a reasonable period, subject to any retention required by law. If you are a parent or guardian and believe your child has used the App, please contact us at 527studioslimited@gmail.com.
The App is a native iOS application and does not use cookies. We do not use web beacons, pixel trackers, or any cross-site or cross-app tracking technologies. No advertising identifiers are collected or used.
7.1 Camera — requested only when you choose to scan a recipe by taking a photograph. The image is transmitted securely to our servers for AI extraction and is not retained by us after the extraction response is returned.
7.2 Photo Library — requested only when you choose to select an existing image from your gallery. The image is handled in the same manner as section 7.1.
Both permissions are requested at the point of use, are never accessed in the background, and can be revoked at any time in iOS Settings → Privacy & Security → Camera or Photos. Revoking a permission only prevents that specific scan method from being used; all other App functionality is unaffected.
We use your personal data exclusively to:
We do not sell, rent, trade, or otherwise disclose your personal data to any third party for their own marketing, advertising, or commercial purposes.
We share personal data only with the following service providers. Where they act as processors, they do so on our behalf under appropriate data processing terms, processing data only as instructed by us.
Role: Data Processor
Purpose: Cloud database hosting, user authentication, and server-side function execution.
Data shared: Account data, profile data, recipes, collections, meal plans, recent scan records, social interaction data, and ranking points.
Location: Core user data is primarily stored within the EEA, in Supabase's West EU (Ireland) data centre. Where personal data is transferred outside the UK or EEA, we rely on appropriate transfer safeguards as required by applicable law.
Privacy policy: supabase.com/privacy
Role: Data Processor
Purpose: Server-side AI recipe extraction.
Data shared: When you scan a video URL — the video platform name, title, caption, and a thumbnail image fetched by our server. When you scan a photograph — a resized copy of the image you submit (up to 1.5 MB). This data is transmitted transiently and is not retained by us after the extraction response is received. Under OpenAI's standard API terms, submitted data is not used for model training and is retained by OpenAI for up to 30 days for abuse monitoring purposes before deletion.
Location: United States. When you use the scan feature, relevant image or video metadata is transferred to OpenAI in the United States for recipe extraction. Where required, we put appropriate safeguards in place for that transfer.
Privacy policy: openai.com/policies/privacy-policy
Role: Data Processor
Purpose: Subscription entitlement management and verification.
Data shared: An anonymised user identifier linking your App Store subscription to your App account. RevenueCat does not receive your recipe data, meal plans, email address, or any other personal data beyond this identifier.
Location: United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate transfer safeguards as required by applicable law.
Privacy policy: revenuecat.com/privacy
Role: Independent Data Controller (for App Store distribution, subscription billing, and Sign in with Apple)
Purpose: App Store distribution, subscription billing, and (where you choose it) Sign in with Apple authentication.
Data shared: Apple independently processes all App Store transactions. If you use Sign in with Apple, Apple provides us with a secure identity token and, subject to your privacy settings, your name and email address. We do not transmit personal data to Apple beyond what is inherent in app distribution and in-app purchasing.
Privacy policy: apple.com/legal/privacy/
10.1 Core user data is primarily stored within the EEA, in Supabase's West EU (Ireland) data centre. Where personal data is transferred outside the UK or EEA, we rely on appropriate transfer safeguards as required by applicable law.
10.2 When you use the scan feature, relevant image or video metadata is transferred to OpenAI in the United States for recipe extraction. Where required, we put appropriate safeguards in place for that transfer.
10.3 An anonymised user identifier is transferred to RevenueCat in the United States for subscription verification. Where required, we put appropriate safeguards in place for that transfer.
11.1 Your personal data is retained for as long as your account remains active.
11.2 Recent scan history is capped at 6 entries per user. Older entries are deleted automatically when new scans exceed this limit.
11.3 When you delete your account (Settings → Delete Account), your account and all associated personal data — including your recipes, collections, meal plans, scan history, social profile, vote history, friend connections, and files stored on our servers — will be deleted or anonymised within a reasonable period, subject to any retention required by law. This action cannot be undone.
11.4 Aggregated or fully anonymised data that cannot reasonably be used to identify you — for example, ranking points credited to other users as a result of their interactions with your content — may be retained indefinitely, as it does not constitute personal data.
11.5 Where we are required by law to retain certain data for a specified period, we will retain only that data, for only that period, in compliance with the relevant legal obligation.
12.1 All data is transmitted using HTTPS/TLS encryption. Passwords are never stored in plain text; authentication is managed using industry-standard cryptographic methods. Session tokens are stored securely on your device using platform-provided secure storage mechanisms.
12.2 We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, disclosure, or alteration.
12.3 No method of electronic transmission or storage is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security.
12.4 In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and will notify affected individuals without undue delay, as required by applicable law.
You have the following rights in respect of your personal data. These rights are subject to certain conditions and exemptions under applicable law.
To exercise any of these rights, contact us at 527studioslimited@gmail.com. We will respond within one calendar month of receipt. We may ask you to verify your identity before acting on your request.
14.1 If you are located in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14.2 If you are located in the European Union, you may lodge a complaint with the supervisory authority in your member state of habitual residence, place of work, or place of the alleged infringement.
14.3 We would always welcome the opportunity to address your concerns before you contact a supervisory authority and encourage you to reach out to us first.
15.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, the App's functionality, or applicable law. The "Last updated" date at the top of this Policy reflects the most recent revision.
15.2 Where a change is material, we will notify you via the App before it takes effect.
For any questions, concerns, data subject requests, or complaints regarding this Privacy Policy or your personal data:
527Studios Limited
Company number: 17067398
Registered office: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom
Email: 527studioslimited@gmail.com
Website: https://www.527studios.co.uk/