Create Meal

Privacy Policy

Effective June 4, 2026 · Published by D2X Enterprises LLC

This Privacy Policy applies to the Create Meal mobile app for iOS and Android.

This Privacy Policy explains how D2X Enterprises LLC (“D2X,” “we,” “us,” or “our”) collects, uses, and shares information when you use the Create Meal mobile app (the “App”). We are located in Pennsylvania, USA.

By using the App, you agree to this Policy. If you do not agree, please do not use the App.

1. Who We Are

The App is operated by:

D2X Enterprises LLC 30 S 15th St Ste 1550 PMB 852931 Philadelphia, Pennsylvania 19102-4806 US Privacy contact: privacy@d2xenterprises.com Support: support@d2xenterprises.com

We are the controller of the personal information described in this Policy.

2. How the App Works (and What Stays on Your Device)

Create Meal suggests recipes based on ingredients you enter. To keep your information minimal, the ingredient-to-recipe matching runs entirely on your device. The recipe catalog is downloaded from our servers and cached on your device so the App works offline.

This means some things never leave your device and are not sent to or stored by us, including:

  • The raw text of your searches and the specific ingredients you type in.
  • Your on-device language, cuisine, and theme preferences.

We only collect and store on our servers the categories described in Section 3 below.

3. Information We Collect

Information you give us

  • Account data — when you create an account, your email address, an optional display name, and a password. We never store your password in plain text. It is stored only as a salted PBKDF2-SHA256 hash (see Section 9). We also store the sign-in method you used (today, email/password; Google sign-in is planned for the future) and opaque session tokens that keep you signed in.
  • Favorites — the recipe IDs you save while signed in, so your favorites sync across your devices.
  • Support requests — if you contact us through the support form, your name, email address, and message.

Information collected automatically

  • Engagement (product analytics) events — to understand which dishes and features people like, we record limited, privacy-minimizing events. Each event includes only:

    • the event type (one of: search, recipe view, favorite added, favorite removed),
    • the recipe ID for views and favorites,
    • the app interface language (locale), and
    • for searches, a count of results returned (a number — not your search terms).

    When you are signed in, these events are linked to your account ID. We deliberately do not collect raw search text or typed ingredients, precise geolocation, device advertising identifiers, or your contacts in these events.

  • Server logs — when your device contacts our servers, our hosting provider (Cloudflare) automatically records standard technical information such as your IP address and request timestamps, as is normal for serving internet requests.

We do not collect precise location, contacts, photos, advertising identifiers, or payment card numbers. (If in-app purchases are introduced in the future, the app stores’ payment processors handle them — see Section 4.)

Note on diet/allergy preferences: Any allergen or dietary filtering you use is applied on your device and is not transmitted to or stored by us. We do not maintain a server-side record of your allergies.

4. How We Use Your Information

We use your information to:

  • Create and operate your account and keep you signed in.
  • Sync your favorites across your devices.
  • Produce aggregate analytics (for example, the most-favorited dishes and overall usage trends) to understand what people find useful and to improve the App.
  • Respond to your support requests.
  • Keep the App secure, prevent and investigate abuse or fraud, and debug problems.
  • Comply with our legal obligations.

We do not sell your personal information, and we do not use it for third-party advertising. (See Section 5 on planned monetization.)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

PurposeLegal basis
Creating and operating your account; syncing favoritesPerformance of a contract (Art. 6(1)(b))
Product analytics to improve the App; security and abuse prevention; serving requests (server logs)Legitimate interests (Art. 6(1)(f)) — improving and securing the service, balanced against your rights; our analytics are minimized as described above
Responding to support requestsPerformance of a contract / legitimate interests
Meeting legal, tax, or compliance obligationsLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, you may object as described in Section 7.

Notice for U.S. state-law residents (e.g., California — CCPA/CPRA)

We collect the categories described in Section 3 for the business purposes described in this Section 4. We do not “sell” personal information and do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not collect or process sensitive personal information for the purpose of inferring characteristics. California and other eligible residents have the rights described in Section 7.

5. Planned Monetization (Not Yet Live)

The App is currently free and contains no third-party advertising or analytics SDKs.

We may, when and if introduced in the future:

  • Offer a one-time “Pro” purchase (planned at US $1.99). Any such purchase would be processed by the Apple App Store or Google Play, and their payment processors — not us — would handle your payment details and receipts.
  • Show ads on the free tier. If ads are introduced, ad providers may collect device or ad-related identifiers under their own policies, and we will update this Policy and provide any consent choices required in your region before doing so.

We will not begin advertising or third-party-SDK data collection without updating this Policy first.

6. Third Parties We Share Information With

We use a small number of trusted service providers (processors / sub-processors). We share only what each service needs:

Service ProviderWhat they doWhat they may receive
CloudflareHosting, database (Cloudflare D1), and edge servingAccount data, favorites, engagement events, and standard server logs (incl. IP address) needed to store and serve the App
BrevoDelivering support emailsYour name, email address, and message when you use the support form
App stores’ payment processors (Apple / Google)Processing the optional Pro purchase when/if introducedPurchase and receipt data they handle directly
Google (Sign-In)plannedLetting you sign in with a Google account when/if introducedBasic profile info (such as name and email) you authorize

These providers process data under their own privacy policies.

We may also disclose information if required by law, to protect our rights or users’ safety, or as part of a business transfer (such as a merger or sale).

We do not sell your personal information.

7. Your Rights and Choices

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you.
  • Correct information that is wrong (for example, your email or display name).
  • Delete your information.
  • Object to or restrict certain processing, and withdraw consent where we rely on it.
  • Opt out of the “sale” or “sharing” of personal information — though, as noted, we do not sell or share your personal information.
  • Be free from discrimination for exercising these rights.

Account deletion (in-app): You can delete your account directly in the App on the Account screen. Deleting your account removes your account and favorites from our active systems and de-identifies your engagement events (the link to your user ID is removed), subject to the retention limits in Section 8.

To exercise any other right, or to ask a question, contact us at privacy@d2xenterprises.com. We will respond within the time required by applicable law and may need to verify your identity first. EEA/UK users may also lodge a complaint with their local supervisory authority.

8. Data Retention

We keep personal information only as long as needed for the purposes in this Policy:

  • Account data and favorites — kept while your account is active; deleted when you delete your account.
  • Engagement events — when you delete your account, these are de-identified (the user link is removed) and retained only in de-identified, aggregate form for analytics.
  • Support messages — kept as needed to handle and follow up on your request.
  • Server logs — retained for a limited period for security and operations, then overwritten.

We may retain limited records longer where necessary to comply with legal, tax, or accounting obligations, resolve disputes, or enforce our agreements. Backups may persist for a limited time before being overwritten.

9. Security

We use reasonable technical and organizational measures to protect your information. In particular:

  • Passwords are never stored in plain text or logged. They are stored only as a salted PBKDF2-SHA256 hash.
  • Sessions use opaque tokens rather than exposing your credentials.
  • Access to administrative tools (which show only aggregate statistics and a basic user list — email, join/last-seen dates, and favorite counts) is access-controlled and limited to authorized personnel.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. International Users and Data Transfers

We are based in the United States, and your information is stored and processed in the United States (our hosting region is Cloudflare’s North America “ENAM” region). If you use the App from outside the United States — including the EEA or UK — you understand that your information will be transferred to and processed in the U.S., which may have different data protection laws than your own. Where required for such transfers, we rely on appropriate safeguards (for example, Standard Contractual Clauses with our processors).

11. Children’s Privacy

The App offers general-audience cooking content and is not directed to children. It is intended for users 13 years of age and older, and we do not knowingly collect personal information from children under 13 (or under the higher minimum age set by local law, such as 16 in parts of the EEA). If you believe a child below the applicable age has provided us personal information, contact us at privacy@d2xenterprises.com and we will take steps to delete it.

12. Changes to This Policy

We may update this Policy from time to time. When we do, we will update the “Effective date” above and, where appropriate, notify you in the App. Material changes — such as introducing advertising — will be made before the relevant processing begins. Your continued use of the App after changes take effect means you accept the updated Policy.

13. Contact Us

If you have questions about this Policy or your information, contact us at:

D2X Enterprises LLC 30 S 15th St Ste 1550 PMB 852931 Philadelphia, Pennsylvania 19102-4806 US Privacy: privacy@d2xenterprises.com Support: support@d2xenterprises.com