Privacy Policy

MonoTools (“Company,” “we”) operates the RecipeKey service (“Service”) and complies with the Personal Information Protection Act (PIPA) and the Act on Promotion of Information and Communications Network Utilization and Information Protection of the Republic of Korea, where MonoTools is registered as a business. This Privacy Policy explains how we collect, use, retain, and protect your personal information.

1. Purpose of Processing

We process personal information for the following purposes only. If the purpose changes, we will obtain separate consent or take other measures as required by Article 18 of PIPA.

1. Account registration and management: identification through external OAuth, maintaining membership status, preventing fraudulent use, and providing notices.
2. Service provision and operation: processing recipe extraction requests and delivering results, providing related features such as saving and editing recipes, verifying payments, and managing subscription status.
3. Safe operation: detecting and blocking submissions of non-recipe or harmful content, blocking automated tool abuse, sanctioning repeat offenders, and responding to security incidents.
4. Service quality improvement: evaluating extraction quality, improving false-positive/false-negative rates, developing new features, and statistical analysis. We process only the minimum elements needed for analysis, not the full identifiable text.
5. Customer support: handling inquiries and complaints.
6. Legal compliance and dispute response: fulfilling obligations under applicable laws, dispute mediation, and responding to lawful requests by investigative authorities.

2. Information We Collect and How

1) Collected via external OAuth at sign-up

• Google sign-in: email address, name, profile image, Google unique identifier
• ※ This section will be updated if additional providers (such as Apple) are added.

2) Automatically collected during use

• Device information (OS, model, app version), IP address, cookies and local storage, access timestamps, service usage records, error/crash logs

3) Processed when you submit a recipe extraction request

• The YouTube video URL submitted by the user, request timestamp, and metadata about our AI processing (success/failure flag, error code, etc.)
• ※ The video itself is not permanently stored on our servers. Analysis is performed by an external AI service provider acting as a processor (Google Gemini API), to which we transmit the video URL.

4) Collected to safeguard the Service

• Submission pattern indicators (high-volume requests in a short period, repeated requests from the same IP/device, signs of automation), violation reason classifications, and processing result records

5) Collected at payment

• Payment receipt information (transaction ID, purchase timestamp, product ID), subscription status (start date, expiration date, renewal status)
• ※ We do not collect or store direct payment instrument data such as card numbers. These are handled directly by Google Play or the Apple App Store.

Methods of collection: automatic transmission from external OAuth, automatic collection during service use, direct entry by the user (e.g., support inquiries).

3. Retention and Use Period

1. We delete personal information without delay when membership ends or when the purpose of processing has been fulfilled.
2. However, the following information is retained until the stated cause ends or for the period required by applicable law.
• If an investigation is in progress for an alleged violation: until the investigation ends.
• If a settlement obligation remains: until completion.
• Records of contracts or withdrawals: 5 years (Korean Act on Consumer Protection in Electronic Commerce).
• Payment and supply records: 5 years (same Act).
• Records of consumer complaints or dispute handling: 3 years (same Act).
• Access logs: 3 months (Communications Privacy Act).
3. The following operational data is retained under our internal policy.
• Abuse-prevention and security analysis logs (automation patterns, violation reasons): retained for 1 year, then deleted or de-identified.
• AI processing metadata (request timestamp, result metadata, error codes): after 90 days, only de-identified statistics are retained.

4. Disclosure to Third Parties

We process personal information only within the scope set out in this policy and do not provide it to third parties without prior consent, except in the following cases:

• When the user has given prior consent to such disclosure.
• When required by law or by a lawful request from an investigative authority.

5. Outsourced Processing (“Processors”)

“Outsourced processing” (or “processing on our behalf”) means entrusting a third party to process personal data for us. Unlike disclosure to third parties, processors handle data only under our control and within the scope of the entrusted task. We outsource the following processing activities to enable smooth service operation.

• Google LLC
  • OAuth login authentication (account identification).
  • Google Gemini API — recipe extraction by analyzing video data. The video URL submitted by the user and the resulting processing metadata are transmitted.
  • YouTube API Services — we query public metadata (such as embeddability) for the YouTube videos you submit, in order to block videos that are unsuitable for extraction (e.g., where rights holders have disabled embedding). We do not access your YouTube account or collect or store your YouTube activity history, watch history, subscriptions, or other personal data through this process.
• Cloudflare, Inc.: traffic delivery, DDoS protection, and network security.
• Google Cloud Platform: payment notifications (Pub/Sub) and cloud computing infrastructure.
• Supabase, Inc.: database hosting.

※ If a processor or the entrusted task is added or changed, we will update and announce this policy.

YouTube API Services Notice

RecipeKey uses YouTube API Services to operate the Service. By using the Service, you are deemed to have agreed to be bound by the following terms and policies:

• YouTube Terms of Service
• Google Privacy Policy

You can revoke RecipeKey's access at any time via the Google account permissions page. That said, RecipeKey calls the YouTube Data API using its own server-side API key to read only public metadata, and we do not store your personal YouTube data through this Service.

6. International Transfer

We transfer personal information across borders to operate the Service stably. Transferred data is deleted upon termination of the outsourcing agreement or expiration of the retention period.

• Recipients: Google LLC, Cloudflare, Inc., Supabase, Inc.
• Countries: the United States and other locations of the recipients' data centers.
• Timing and method: encrypted transmission over the internet during service use (continuous).
• Categories transferred: registration data, automatically collected data, video URL, and processing metadata as described in Section 2.
• Recipient's purpose of use: performing the outsourced tasks described in Section 5.
• Retention period: until termination of the outsourcing agreement.

7. Deletion Procedure and Method

1. We delete personal information without delay when its retention period expires or its processing purpose is fulfilled.
2. The procedure and method are as follows:
• Procedure: We identify the personal information for which a deletion cause has occurred and delete it after approval by our Data Protection Officer.
• Method: Electronic files are permanently deleted using technical means that prevent recovery; printed materials are shredded or incinerated.

8. Rights of Data Subjects and How to Exercise Them

1. Users may at any time request to access, rectify, delete, restrict the processing of, or withdraw consent for their personal information.
2. You can exercise these rights directly in the Service profile screen or by contacting us at [email protected]. We will respond and act on your request without undue delay.
3. If a legal representative or authorized agent exercises these rights on your behalf, a power-of-attorney form prescribed by Korean law must be submitted.
4. We do not knowingly collect personal information from children under 14. The Service is not intended for children under 14.

9. Security Measures

We implement the following measures to protect personal information.

• Administrative measures: establishing and operating an internal management plan, minimizing the number of personnel handling personal data, and providing regular training.
• Technical measures: minimizing and controlling access to systems that process personal information, secure storage of authentication tokens, transport encryption (HTTPS/TLS), and operating and updating security software.
• Access logs and tamper protection: separately retaining access logs and periodically inspecting them to detect tampering.
• Physical measures: physical access controls at data centers operated by our cloud processors (subject to each processor's own security policy).

10. Cookies and Automatic Collection

1. We may use cookies and local storage to provide a better service experience.
2. You can refuse cookie storage and tracking through your browser or operating system settings. Some service features may be limited if you do.

11. Notice on Automated Decision-Making

1. Some areas of the Service, such as recipe extraction processing and abuse detection, involve AI-based automated processing (including profiling).
2. You may request an explanation of, or object to, the result of automated processing. We will provide manual review where reasonable.

12. Data Protection Officer

• Data Protection Officer: Hyunsoo Kim (Representative)
• Email: [email protected]

You may direct any privacy-related inquiries, complaints, or requests for remedies to the address above. We will respond and process them without undue delay.

13. Remedies

To seek remedies for personal information infringement, you may contact the following Korean authorities:

• Personal Information Dispute Mediation Committee: +82-1833-6972 (www.kopico.go.kr)
• Personal Information Infringement Report Center: +82-118 (privacy.kisa.or.kr)
• Supreme Prosecutors' Office: +82-1301 (www.spo.go.kr)
• National Police Agency: +82-182 (ecrm.police.go.kr)

14. Changes to This Policy

This policy may be amended in response to changes in applicable laws, government policies, or our internal policies. We will post any changes on the Service at least 7 days before they take effect. For changes that are unfavorable to users or material in nature, we will provide at least 30 days' prior notice and may notify users individually by electronic means.

This policy takes effect on May 8, 2026. (Previous effective date: May 5, 2026 — added YouTube API Services disclosure.)