← Back

Privacy Policy

Last updated: February 2026

This Privacy Policy describes how Recipe Lab collects, uses, and protects your personal data in accordance with the Republic of Indonesia's Law No. 27 of 2022 on Personal Data Protection (UU PDP), Law No. 11 of 2008 on Electronic Information and Transactions (UU ITE) as amended, Government Regulation No. 71 of 2019, and Ministerial Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (Permenkominfo 20/2016). Where applicable, we also align with international standards including the General Data Protection Regulation (GDPR).

1. Data Controller

Recipe Lab is the data controller responsible for your personal data. For all data-related inquiries, contact us at support@recipelab.id.

2. Information We Collect

We collect the following categories of personal data:

  • Account data — name, email address, hashed password, organization name
  • Business data — recipes, ingredients, costs, pricing, and margins you enter into the service
  • Billing data — subscription plan; payment details are processed and stored by Midtrans, not by us
  • Technical data — IP address, browser type, device type, access times, and session identifiers
  • Communication data — support requests and correspondence with us

3. Legal Basis for Processing

We process your personal data on the following legal bases under UU PDP and applicable regulations:

  • Contract performance — to provide the service you have subscribed to
  • Consent — for optional features and communications, which you may withdraw at any time
  • Legitimate interest — to maintain service security, prevent fraud, and improve the service
  • Legal obligation — to comply with applicable Indonesian law and regulations

4. How We Use Your Information

We use your personal data to: (a) create and manage your account; (b) provide and maintain the service; (c) process subscription payments; (d) send transactional emails (account verification, password reset, team invitations); (e) respond to support requests; (f) maintain service security and prevent unauthorized access; (g) comply with legal obligations; (h) improve and develop the service based on aggregated, anonymized usage patterns.

We do not sell your personal data to third parties. We do not use your data for advertising or marketing purposes without your explicit consent.

5. Data Storage, Security & International Transfers

Your data is stored in secure PostgreSQL databases hosted by Neon (United States). Passwords are hashed using industry-standard bcrypt algorithms. All data in transit is protected using TLS/HTTPS encryption. Access to your data is restricted to authorized personnel on a need-to-know basis.

International data transfers: Some of our third-party service providers are located outside Indonesia (see Section 6). By using the service, you acknowledge that your data may be transferred to and processed in countries outside Indonesia that may have different data protection laws. We take reasonable steps to ensure adequate protection is in place, including contractual safeguards with our service providers.

While we implement industry-standard security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.

6. Third-Party Service Providers

We engage the following sub-processors who may process your personal data on our behalf:

  • Midtrans (Indonesia/Singapore) — payment processing; subject to Bank Indonesia regulations and PCI-DSS compliance
  • Resend (United States) — transactional email delivery; processes your email address
  • Neon (United States) — PostgreSQL database hosting; processes all application data
  • OpenAI (United States) — AI-powered recipe idea generation in Idea Lab; processes text prompts you submit to this feature only

Each provider is bound by data processing agreements and their respective privacy policies. We are not responsible for the independent data practices of these third parties.

7. Cookies & Local Storage

We use essential cookies and session tokens solely for authentication and maintaining your logged-in state. We use browser local storage for preferences such as language and currency settings. We do not use tracking, advertising, or analytics cookies. You may disable cookies in your browser settings, but this will prevent you from using authenticated features of the service.

8. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the service. When you request account deletion, we will delete your personal data within 30 days of the request. Technical logs may be retained for up to 90 days for security purposes. Aggregated, anonymized data that cannot identify you may be retained indefinitely for service improvement purposes. Data required to be retained by Indonesian law will be kept for the legally mandated period.

9. Your Rights Under UU PDP

Under the Indonesian Personal Data Protection Law (UU PDP No. 27/2022) and applicable regulations, you have the right to:

  • Access — request a copy of your personal data we hold
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data, subject to legal retention requirements
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdrawal of consent — withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at support@recipelab.id. We will respond to your request within 14 business days as required by UU PDP. We may ask you to verify your identity before processing your request.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (Kementerian Komunikasi dan Digital / Komdigi) within 14 days of becoming aware of the breach, as required by UU PDP. We will also notify affected users without undue delay if the breach is likely to result in a high risk to your rights.

11. Children's Privacy

Recipe Lab is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors under 18. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at support@recipelab.id and we will delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes at least 14 days before they take effect via email or in-app notification. Your continued use of the service after the effective date constitutes acceptance of the revised policy. We encourage you to review this page periodically.

13. Supervisory Authority & Complaints

If you believe your personal data rights have been violated, you have the right to lodge a complaint with the competent supervisory authority in Indonesia: Kementerian Komunikasi dan Digital Republik Indonesia (Komdigi). We encourage you to contact us first at support@recipelab.id so we may address your concerns directly.

14. Contact

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at support@recipelab.id.