What we collect, and why.

Last updated: 5 May 2026

Yami is designed to collect as little of your data as possible. This page explains what we do collect, why, on what legal basis, who we share it with, and how to remove it. Yami is operated from Sweden, in the EU, and the GDPR is our primary regulatory regime — so this policy is built around your GDPR rights, not as an afterthought.

1. Who we are (data controller)

Yami is operated by Adam Bergman Karlsson, based in Sweden, who acts as the data controller under the GDPR. For any privacy question or request, write to support@yamiapp.eu. Because Yami is established in the EU, no Article 27 representative is required.

2. Scope

This policy covers personal data we process when you use the Yami iOS app, the iOS share extension, and the yamiapp.eu website. It does not cover the practices of third-party services you reach via outbound links (recipe sources, App Store, payment processors, etc.); those services have their own policies.

3. What we collect

3.1 Account and authentication

When you sign up, we store your email address and a hashed password. We never see your plain-text password. Authentication is handled by Supabase, hosted in the European Union.

3.2 Recipes, collections, and saved content

Anything you save in Yami — recipe links, ingredients, photos you upload or take, the collections you build, the recipes you mark as cooked, your ratings and notes — is stored in your account so the app can show it back to you and to anyone you've explicitly invited to a shared collection. Photos are stored in Supabase Storage in the EU.

3.3 Subscription state

If you subscribe to Yami Premium, Apple handles the payment. We receive only an entitlement signal that says "this account has an active subscription". We never see your card details, your full Apple ID, or your purchase history outside of Yami. Subscription state is processed via Superwall and Apple StoreKit 2.

3.4 Diagnostics and usage data

To find and fix bugs and to understand how features are used, Yami sends anonymized usage events and crash reports to PostHog (which uses PLCrashReporter for crashes). These events describe what screens were visited, what taps happened, and what errors occurred — not who you are or what's in your recipes. We do not link these events to your email or your saved content.

3.5 Onboarding preferences

When you set up your account, we ask a few optional questions to personalize your experience: your age range, dietary preferences (vegan, vegetarian, pescatarian, keto, high-protein, etc.), cooking frequency, and what you'd like to get out of Yami. These are voluntary, never used for advertising, and only used to surface recipes that are more relevant to you. You can skip them, change them, or clear them anytime under Settings.

3.6 Device and technical data

Like most apps, Yami receives basic technical data when you connect: device model and OS version, app version, language and region settings, and the IP address used to make the request. We use this to deliver the service, fight abuse, and debug platform-specific issues.

3.7 Communications

If you email support@yamiapp.eu, we keep that thread to follow up on your issue. We don't add support correspondents to a marketing list.

4. What we do not collect

Your contacts, calendar, or microphone
Your precise or background location
Advertising identifiers (IDFA) — Yami has no ads
Browser history or activity outside the Yami app
Anything from this marketing site beyond standard, anonymous Cloudflare traffic logs

5. Special categories of data

Some dietary preferences (e.g. religious dietary restrictions, certain allergies) could be considered sensitive data under GDPR Article 9. We treat any dietary preference you supply with that level of care, only use it to filter and personalise recipes inside the app, never share it with third parties, and ask for your explicit consent during onboarding. You can clear or change it at any time.

6. How we use your data — purposes

We process personal data for the following purposes:

Providing the Service: storing your library, syncing across devices, handling shared collections, generating AI plate images, translating recipes
Account management: authentication, password reset, account deletion, customer support
Subscriptions: granting Yami Premium entitlements when Apple confirms a purchase
Security and fraud prevention: rate limiting, abuse detection on shared collections and invites, login anomaly detection
Improving Yami: anonymized analytics on which features are used, where users get stuck, and what crashes
Legal compliance: responding to lawful requests, preserving records when required, enforcing the Terms

We do not use personal data for advertising, profiling for marketing purposes, or training third-party machine-learning models.

7. Lawful bases for processing (GDPR Article 6)

Each processing activity is grounded in a specific lawful basis:

Contract performance (Art 6(1)(b)) — providing the core service: storing your library, syncing, processing your imports, delivering shared collections, processing subscription state.
Legitimate interests (Art 6(1)(f)) — security, abuse prevention, anonymized analytics, debugging, basic platform operations. We balance these against your rights and can describe the analysis on request.
Consent (Art 6(1)(a)) — optional onboarding preferences (including any sensitive dietary data — see §5), product-update emails if you opt in, and any future processing where consent is required.
Legal obligation (Art 6(1)(c)) — responding to lawful requests, retaining tax-relevant records for subscription transactions, complying with court orders.

8. AI processing of your content

Yami uses AI in a few specific places. We want to be transparent about each one:

Recipe extraction: when you import a URL, we send the page content (and any visible image on the page) to Google Gemini to pull out a structured recipe (title, ingredients, steps, image link). We then store the structured recipe in your account.
Translation: if you read a recipe in a language different from its source, we send the recipe text to Google Gemini for translation. The translation is cached against the recipe so it doesn't need to be re-generated.
AI plate images: for some recipe-card surfaces, Yami generates a stylised "plate" image with Runware (FLUX). We send the recipe title and a short description; we do not send your name, email, or the image you took.
AI chef assistant: when you use the Ask-the-chef feature, we send your question and a representation of your saved library to Google Gemini, and receive a recommendation in return.
Popular Recipes (AI-original content): the recipes shown in the home tab's "Popular Recipes" section are generated by Yami itself using Gemini and Runware from category prompts. They are not based on your account or your data; they are pre-generated, public, and the same for every user (subject to dietary filtering you've set).

None of these providers use your content to train their general-purpose models on Yami's behalf, and we do not authorise them to do so. Outputs (translations, plate images) become part of Yami's content (operator-provided per the Terms §5.3).

9. Who we share data with — sub-processors

The third parties that help run Yami:

Supabase (Ireland / EU) — database, authentication, file storage
Google Cloud Run (Belgium / EU) — recipe import API and other backend services
Google Gemini API — recipe extraction, translation, ingredient matching, AI chef recommendations. Recipe text and source images are sent for processing.
Apify — fetching public posts from Instagram, TikTok, YouTube, and Facebook when you import them. Only the URL you shared is sent; we never share your social-media credentials.
Runware — AI-generated plate images for recipe cards and the Popular Recipes section
Cloudflare (global CDN) — yamiapp.eu marketing site only
PostHog — anonymized analytics and crash reporting
Apple — subscription billing via StoreKit, push notifications via APNS
Superwall — paywall presentation and subscription state

We do not sell, rent, or share your data with advertisers or data brokers — full stop.

10. International data transfers

Yami's database and file storage live with Supabase in the EU. Backend services run on Google Cloud Run in europe-west1 (Belgium). Some processors (Google Gemini, Runware, PostHog, Apify, Cloudflare, Apple) operate globally and may process data outside the EU/EEA. Where that happens, we rely on the European Commission's Standard Contractual Clauses, adequacy decisions, or other GDPR-approved transfer safeguards.

11. Security and storage

We use TLS in transit, encrypted storage at rest where the underlying provider supports it, hashed passwords (never plain text), and least-privilege access controls. We don't claim a system is impossible to breach — we claim we apply current good practice and respond seriously when something goes wrong. Material security incidents affecting your data will be notified to you and (where required) to the supervisory authority within 72 hours of discovery.

12. How long we keep data

Active accounts: as long as your account exists and you use Yami
Deleted accounts: removed within 30 days; certain backups, audit logs, and dispute records may persist for up to 90 days
Anonymized analytics: retained on a rolling basis as PostHog defines
Tax-relevant subscription records: retained as required by Swedish tax law (typically 7 years)
Support correspondence: kept for as long as needed to follow up on the issue, then archived

13. Your rights under the GDPR

If you live in the EU, EEA, UK, or Switzerland, you have the right to:

Access — receive a copy of the personal data we hold about you
Rectify — correct anything that's inaccurate or incomplete
Erase — delete your account and the data tied to it
Restrict — limit processing in certain circumstances (e.g. while we investigate an accuracy dispute)
Object — object to processing based on legitimate interests, or to direct marketing at any time
Port — receive a machine-readable copy of the data you've given us
Withdraw consent — for any processing based on consent (with future effect; this won't undo lawful processing that already happened)
Lodge a complaint — with your local data protection authority, including IMY (Integritetsskyddsmyndigheten) in Sweden

You can exercise most rights directly in the app (export and delete are under Settings → Account). For anything else — or if something doesn't work — email support@yamiapp.eu and we'll respond within 30 days, as the GDPR requires.

14. Account deletion

The simplest path: open the app and tap Settings → Account → Delete account. A full data wipe completes within 30 days, with backups rolling off within 90 days. There's no "undo" — once deleted, your library is gone. If you can't access the app, email us from the address on file.

15. Children

Yami is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe a child has created an account, write to support@yamiapp.eu and we will delete it.

16. California, Virginia, and other US state regimes

If you're a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state with a comprehensive privacy law, you generally have rights similar to those in §13 (access, deletion, opt-out of "sale" or targeted advertising). Yami does not "sell" personal information in the sense those laws use, and Yami does not run targeted advertising. To exercise a state-law privacy right, email support@yamiapp.eu from the address on your account; we may need to verify your identity before responding.

17. Changes to this policy

If we make a material change to how we handle your data, we'll update the date at the top of this page and notify you in-app or by email. Continued use of Yami after a change means you accept the updated policy.

18. Contact

Privacy questions, data requests, or anything that feels off — write to support@yamiapp.eu. We read every email.