Kōji

Privacy Policy

Last updated: 15 June 2026

Koji (koji.kitchen) is operated from Australia. Data ownership is a design principle of the product, and this policy follows from it: we collect what the service needs to work, and we don’t sell your personal data. Contact for anything privacy-related: hello@koji.kitchen.

What we collect

  • Account — email address, display name, and authentication data.
  • Your food data — recipes, ingredients, meal plans, shopping lists, kitchen locations, equipment, prices you record, and personal food rules. Food rules may include health-related information you choose to record (such as allergies); because this can be sensitive information, we collect it only with your consent — captured when you record a rule, and withdrawable at any time — and it is stored as private data, visible only to you and anyone you explicitly share it with.
  • Usage — feature events and AI token consumption, used for rate limits, plan caps, and improving the product.
  • Billing — handled by Stripe; we store your subscription state and Stripe customer reference, never your card details.
  • Waitlist — the email you give us, used to send your invitation.

How we use it

To run the service. AI features (the assistant, recipe import, meal-plan generation) send the relevant parts of your data to a third-party AI provider to generate responses. We use your email address to send you service-related communications — things like account and security notices, billing, and important updates about the product. We don’t sell your personal data.

Who processes it

We rely on a small set of trusted service providers, each acting only on our instructions, in these categories:

  • Cloud hosting, database, authentication & storage — runs the application and stores your data.
  • Payment processing — handles subscriptions and billing.
  • Transactional email — sends sign-in, billing, and account notices.
  • AI processing — powers the assistant, recipe import, and meal-plan generation.
  • Product analytics — cookieless, aggregate usage measurement.

Our full list of named sub-processors, and the safeguards for any overseas transfers, is available on request — email hello@koji.kitchen.

What others can see

Nothing, unless you share it. Share links make the linked recipe, plan, or list visible to anyone with the URL. Household groups see only the items you (or your auto-share settings) put into the group.

Your rights

You can export all of your data (Settings → Data) and delete your account at any time; deletion removes your personal data and anonymises residual usage records. You have rights of access and correction under the Australian Privacy Act 1988 (including the Australian Privacy Principles), and if you’re in the EEA or UK, the equivalent GDPR rights — including portability, which the export feature exists to honour. Complaints can go to us first, or to the Office of the Australian Information Commissioner (OAIC).

Cookies

Visiting koji.kitchen sets no cookies at all. Signing in sets the session cookies needed to keep you signed in — strictly necessary, nothing else. Our analytics are cookieless and aggregate, and there is no cross-site tracking of any kind. This is why you won’t see a cookie banner here.

How long we keep it

We keep your account and food data for as long as your account is active. When you delete your account we remove your personal data and anonymise any residual usage records, so what remains can’t be tied back to you. We also de-identify usage and AI-activity logs after 24 months — the records stay for aggregate analytics but can no longer be linked to you. Files you upload for recipe import are deleted within about 48 hours of processing. Billing records are kept as long as financial and tax rules require, and backups age out on a rolling cycle.

Changes

If this policy changes materially we’ll email account holders before the change takes effect. This policy was last updated on 15 June 2026.

Terms · Privacy · hello@koji.kitchen