Privacy Policy
Effective April 12, 2026
1. Introduction
Wicked Smart HQ (“we,” “us,” or “our”) operates the websites wickedsmarthq.com and app.wickedsmarthq.com (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and display name. If you sign in using a third-party provider (such as Google or Apple), we receive the basic profile information authorized by that provider.
2.2 Household Data
As you use the Service, you create and store household data including but not limited to calendar events, tasks, bills, recipes, shopping lists, and meal plans. This data is stored on our servers to provide the Service to you and your household members.
2.3 Usage Data
We automatically collect certain usage information when you access the Service, including pages visited, features used, session duration, device type, browser type, operating system, and approximate geographic location derived from your IP address. This data is collected through our analytics provider and is used to improve the Service.
2.4 Payment Information
Payment processing is handled entirely by Stripe, Inc. We do not receive or store your full credit card number, debit card number, or bank account details. Stripe provides us with limited information such as the last four digits of your card, card brand, expiration date, and billing address for record-keeping purposes.
2.5 Error and Performance Data
We collect error reports, crash data, and performance metrics through our error monitoring service to identify and resolve issues with the Service. This data may include browser information, device information, and the sequence of actions leading to an error.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To operate, maintain, and deliver the features and functionality of Wicked Smart HQ.
- Processing payments: To process subscription payments and manage billing through Stripe.
- Transactional communications: To send you account-related emails such as subscription confirmations, billing receipts, password resets, and security alerts.
- Improving the Service: To analyze usage patterns, diagnose technical issues, and develop new features.
- Content moderation: To review community-shared content for compliance with our Terms of Service.
- AI features: To power AI-assisted features such as recipe generation, recipe suggestions, and logo generation.
- Security: To detect, prevent, and address fraud, abuse, and security incidents.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service to you under our Terms of Service (e.g., account management, payment processing, data storage).
- Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your data protection rights.
- Consent: Where required by law, we obtain your consent before processing, such as for optional marketing communications and non-essential analytics cookies.
5. Data Sharing and Third-Party Processors
We do not sell your personal information to third parties. We share your data only with trusted third-party service providers who assist us in operating the Service. Each provider processes data only as necessary for the specific service they provide:
- Supabase — Database, authentication, and file storage. Data hosted on AWS in the United States.
- Stripe — Payment processing. Operates in the United States. Subject to Stripe's own privacy policy.
- Resend — Transactional email delivery. Operates in the United States.
- Open-Meteo — Weather data. No personally identifiable information is sent; only geographic coordinates are transmitted.
- fal.ai — AI image generation for recipe photos and household logos. Only text prompts are sent; no personal data is transmitted.
- Anthropic — AI text features for recipe generation and content moderation. Only recipe-related text and content for moderation are sent; no personal data is transmitted.
- PostHog — Product analytics. Hosted in the European Union. Data is collected only with your consent.
- Sentry — Error monitoring and performance tracking. Operates in the United States.
- Vercel — Application hosting and edge functions. Utilizes a global CDN.
We may also disclose your information when required by law, to respond to legal process, to protect our rights, or in connection with a merger, acquisition, or sale of assets.
6. Data Retention
We retain your personal data and household data for as long as your account is active and as needed to provide the Service.
- Account deletion: When you delete your account, we remove your personal data and household data within thirty (30) days.
- Backups: Encrypted backups containing your data are purged within ninety (90) days of account deletion.
- AI generation logs: Logs related to AI-generated content (prompts and outputs) are retained for twelve (12) months for quality assurance and abuse prevention, then permanently deleted.
- Legal obligations: Certain data may be retained beyond these periods where required by applicable law, such as for tax or fraud prevention purposes.
7. Your Rights (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access: You have the right to request a copy of the personal data we hold about you.
- Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
- Right to erasure: You have the right to request deletion of your personal data, subject to certain legal exceptions.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to restriction: You have the right to request that we restrict processing of your personal data in certain circumstances.
- Right to object: You have the right to object to processing of your personal data based on legitimate interests.
You may exercise these rights through Settings > Account within the Service, or by contacting us at hello@wickedsmarthq.com. We will respond to your request within thirty (30) days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You have the right to know what personal information we collect, use, and disclose about you.
- Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale: We do not sell your personal information to third parties. As such, there is no need to opt out of the sale of personal information.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise your rights, please contact us at hello@wickedsmarthq.com. We will verify your identity before processing any request.
9. Children's Privacy (COPPA)
Wicked Smart HQ does not knowingly collect personal information from children under the age of thirteen (13) without verifiable parental consent. Our Service allows parents and legal guardians to create “kid profiles” for minor household members. These kid profiles are subject to the following restrictions:
- Kid profiles are created and managed exclusively by the parent or legal guardian who holds an account on the platform.
- Kid profiles collect only minimal information: a first name and an optional avatar image.
- Kid profiles have restricted permissions and cannot access community features, send or receive emails through the Service, or interact with users outside their household.
- Parents and guardians may review, modify, or delete kid profiles at any time through their account settings.
If we become aware that we have collected personal information from a child under 13 without appropriate parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child under 13, please contact us at hello@wickedsmarthq.com.
10. International Data Transfers
Your data is primarily stored on servers located in the United States (AWS us-west-2 region). If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism to ensure an adequate level of data protection. We also ensure that our third-party processors maintain appropriate safeguards for international data transfers.
11. Data Security
We take the security of your personal information seriously and implement industry-standard measures to protect it, including:
- Encryption of data at rest, and encryption of data in transit using TLS 1.2 or higher.
- Row Level Security (RLS) policies on our database to ensure users can only access data belonging to their own household.
- Regular security reviews and vulnerability assessments.
- Passwords are never stored in plaintext; we use secure hashing algorithms provided by our authentication provider.
- Access controls and the principle of least privilege for internal systems.
While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
12. Cookies
We use cookies and similar technologies to operate the Service, remember your preferences, and analyze usage. For full details on the cookies we use and how to manage them, please see our Cookie Policy.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you at least thirty (30) days in advance by sending an email to the address associated with your account. The updated policy will be posted on this page with a revised effective date. We encourage you to review this Privacy Policy periodically.
14. Data Protection Officer / Contact
If you have questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise your data protection rights, please contact us at:
Wicked Smart HQ
Attn: Data Protection
Email: hello@wickedsmarthq.com
[Address placeholder]