SmoulderLab

Privacy Policy

Effective from 19th May 2026

We are SmoulderLab, a small UK BBQ and live-fire technique app. When you use the app or visit our website at smoulderlab.com, we collect some information about you in order to provide the service. This page sets out what we collect, why we collect it, what we do with it, and what rights you have over it.

We have written this in plain English. Where we have to use a technical or legal term, we explain it the first time it appears. If anything here is unclear, contact us at hello@smoulderlab.com and we will explain.

1. Who we are

SmoulderLab is operated by Woodside Advisors Limited, a company registered in England and Wales under company number 14363008. Our registered office is at Woodside, Stockport, Cheshire, SK12 1AQ.

For data protection purposes we are the data controller — that is, we decide how and why your personal information is processed.

We are registered with the Information Commissioner's Office (ICO) under registration number ZC151121.

Contact for privacy queries: hello@smoulderlab.com.

2. The information we collect

2.1 Account information

When you create an account in the SmoulderLab app, we collect:

  • Your email address
  • A password (stored as a one-way cryptographic hash — we never store the password itself in readable form)

You can also use the app in guest mode, in which case no account information is held by us — your data stays only on your device for the duration of the session.

2.2 Information you give us in the app

As you use the app, we store the following so that the app can work as intended:

  • Your allergen profile — which of the 14 UK legal allergens you have selected, so we can filter recipes appropriately
  • Your preferences — temperature unit (Celsius/Fahrenheit), measurement system (metric/imperial)
  • Your favourite recipes and any custom recipes you create
  • Your cooking sessions — the food name, method, doneness target and timing for cooks you complete
  • Your multi-timer grill grid configurations and active cook state
  • Guest cook details, if you use Guest Mode — total headcount and per-guest allergens, retained only for the session

2.3 AI Chef interactions

When you use the Ask the Chef or What Can I Cook? features, your messages are sent via our backend to Anthropic's Claude API for processing. We log the number of requests you make per day (to enforce fair use limits on Pro subscriptions) but we do not retain the content of your conversations beyond what is required to deliver a response.

2.4 Connected Tools credentials

If you connect a third-party thermometer (currently MEATER or FireBoard), you provide your account credentials for that brand. We use those credentials only to obtain an authentication token from the brand's own cloud service. The token is stored securely on your device (iOS Keychain or Android Keystore) and never transmitted to SmoulderLab servers. Your third-party passwords are never persisted or logged.

2.5 Subscription information

If you take out a Pro subscription, payment is processed by Apple via the App Store. We do not see your payment card details. We do receive confirmation from Apple, via our subscription management partner RevenueCat, that an active entitlement applies to your account.

2.6 Information collected via smoulderlab.com

On the website itself we collect minimal information:

  • Email address if you sign up to our newsletter or for early access (only with your explicit opt-in)
  • Standard, privacy-respecting web analytics so we can understand which pages are read and how visitors find us (we use Plausible, which does not use cookies or track individuals across sites)
  • Server logs — IP address, user agent, request paths — held for a maximum of 30 days for security and operational purposes

3. How we use your information

We use the information described above to:

  • Provide and maintain the SmoulderLab app and website
  • Authenticate your account and let you sign in across devices
  • Filter recipes against your allergen profile and any guests you are cooking for
  • Deliver responses from the AI Chef features
  • Stream live readings from any thermometers you have connected
  • Manage your subscription and entitlement to Pro features
  • Communicate with you about your account or the service — including, where you have opted in, the newsletter
  • Investigate problems, fix bugs, and improve the product
  • Comply with our legal obligations

4. Our legal bases for processing your data

Under UK GDPR, we must have a lawful basis for everything we do with your personal information. Our bases are:

  • Contract — most of what we do is necessary to deliver the service you have signed up for. We could not run the app for you without storing your account, your settings and your sessions.
  • Consent — where we send marketing or newsletter communications, this is on the basis of your explicit opt-in, which you can withdraw at any time.
  • Legitimate interest — for security, fraud prevention, basic web analytics and product improvement. We balance our interest in running a sustainable service against any impact on your privacy, and only use this basis where we believe the balance lies in your favour or is neutral.
  • Legal obligation — where we are required to retain or disclose data by UK law.

5. Who we share your information with

We do not sell your data. We share it only with the service providers we need to operate the app, and only the data those providers need to perform their function. The current set is:

  • Supabase — hosts our database, authentication and backend functions. Data is stored in the U.K.. Supabase Inc. is our processor under a Data Processing Agreement.
  • Anthropic — operates the Claude AI model used by Ask the Chef and What Can I Cook?. Your messages to these features are processed by Anthropic; they do not retain the content for training under the API terms we use.
  • RevenueCat — manages subscription entitlements. Receives a user identifier from us and subscription status from Apple.
  • Apple — processes App Store payments and provides anonymous app analytics if you have opted in via your iOS settings.
  • MEATER / FireBoard / Connected Tools — if you connect their hardware, you communicate with their cloud directly via tokens stored on your device. We never see your third-party credentials.

We may also disclose information if required by UK law, court order or legitimate government request.

6. International transfers

Some of the service providers above are based outside the UK. In particular:

  • Anthropic is based in the United States
  • Apple is based in the United States (with UK and Ireland operations)
  • RevenueCat is based in the United States
  • Supabase operations may include US-based infrastructure depending on region

Where personal data is transferred outside the UK, we rely on the protections provided by either the UK's adequacy decisions (where they exist), the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses, depending on the destination and processor.

7. How long we keep your information

We keep your information only for as long as we need it:

  • Account data — for as long as you have an account with us, plus 30 days after deletion to allow for accidental deletion recovery, after which it is permanently removed.
  • Cooking session history and recipes — for as long as your account is active. You can delete individual sessions or custom recipes at any time from within the app.
  • AI usage logs — 30 days, then deleted.
  • Web server logs — 30 days.
  • Newsletter email addresses — until you unsubscribe.
  • Subscription records — we retain financial records for the period required by UK tax law (currently six years from the end of the relevant accounting period).

8. Your rights under UK GDPR

You have a number of rights over your personal data:

  • Access — you can ask for a copy of the information we hold about you.
  • Rectification — you can ask us to correct anything that is wrong.
  • Erasure — you can ask us to delete your data (the right to be forgotten). Some data we are required by law to keep for set periods (e.g. financial records); we will delete everything we are not required to retain.
  • Restriction — you can ask us to limit how we use your data while a dispute or question is resolved.
  • Portability — you can ask for a copy of your data in a structured, machine-readable format.
  • Objection — you can object to processing based on legitimate interest, including direct marketing.
  • Withdrawal of consent — where we rely on consent (for example, the newsletter), you can withdraw it at any time without affecting prior processing.
  • Rights related to automated decision-making — we do not use your data for automated decisions that have a legal or similarly significant effect on you.

To exercise any of these rights, email us at hello@smoulderlab.com. We will respond within one month.

9. Marketing and the newsletter

We will only send you marketing email — including the SmoulderLab newsletter — if you have explicitly opted in. Every marketing email includes an unsubscribe link in the footer. Unsubscribing takes effect immediately.

10. Cookies and similar technologies

The SmoulderLab app itself does not use cookies.

On smoulderlab.com:

  • We use a privacy-respecting analytics provider (Plausible) that does not set cookies and does not track individuals across sites.
  • We use functional cookies only where strictly necessary for the website to operate (for example, remembering your form input during a multi-step sign-up).
  • We do not use advertising cookies, third-party tracking cookies, or cross-site tracking pixels.

11. Children's data

The SmoulderLab app is intended for users aged 13 and over. It involves live fire and high temperatures and is not designed for use by children. We do not knowingly collect personal information from anyone under 13. If you believe we have collected information from a child under 13, please contact hello@smoulderlab.com and we will delete it.

12. Security

We protect your data with reasonable technical and organisational measures:

  • All data is transmitted over HTTPS
  • Account passwords are stored only as cryptographic hashes
  • Third-party authentication tokens are stored in iOS Keychain or Android Keystore, never on our servers
  • Row-level security policies on our database ensure each user can only access their own data
  • API keys for third-party services are held server-side and never embedded in the app

No system can be guaranteed completely secure. If we become aware of a data breach affecting your personal information, we will notify you and the ICO within the timescales required by law.

13. Changes to this policy

We may update this policy from time to time. Where the changes are material, we will give you reasonable notice — typically via email if we have your address, or via a notice in the app. The effective date at the top of this policy is updated whenever we make changes.

14. How to complain

If you are unhappy with how we have handled your personal information, please contact us at hello@smoulderlab.com in the first instance — we will always try to resolve your concern directly.

You also have the right to complain to the UK Information Commissioner's Office at any time:

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15. Governing law and jurisdiction

This policy and any dispute arising from it or from the use of SmoulderLab is governed by the laws of England and Wales. You agree that the courts of England and Wales have exclusive jurisdiction to resolve any such dispute, except that nothing in this clause prevents you from bringing proceedings in your country of residence if you live elsewhere in the United Kingdom.

Thank you for trusting us with your data. We take it seriously.