Privacy Policy

Last updated: June 9, 2026

RouxDex (“we,” “us”) is operated by Purplemoon, the maker of the RouxDex iOS app. This policy explains what we collect, how we use it, and the choices you have. We tried to keep it plain. If anything is unclear, email hello@purplemoon.dev.

What we collect

Account information

When you create an account, we store your email address and (if you provide one) display name through Amazon Cognito. We use this to authenticate you, send transactional emails (password reset, account verification), and associate your saved recipes with your account.

Recipes and shared URLs

When you share a social-media post or web URL to RouxDex, we send the URL to our servers so the post can be fetched and the recipe extracted. The resulting recipe (ingredients, steps, title, source) is stored in our database and shown back to you in the app. We do not share your saved recipes with other RouxDex users.

App diagnostics and feature flags

We use PostHog to load remote feature flags so we can roll out changes without forcing app updates. Flag loading sends a request that includes a randomly-generated anonymous identifier and basic device info (iOS version, app version). We do not capture analytics events or session recordings unless you grant consent in the app’s onboarding or settings; if you withdraw consent later, event capture stops.

Subscription status

If you subscribe to RouxDex Pro, RevenueCat (our subscription management provider) and Apple’s App Store handle the purchase and store the subscription state. We receive a webhook with your subscription tier so we can unlock Pro features. We never see your payment details.

What we do not collect

• We do not collect your contacts, calendars, photos, location, microphone, or camera data.
• We do not sell your data to third parties.
• We do not use advertising trackers or share data for cross-app advertising.

Who processes your data

To deliver the service we share limited data with the following processors. Each one is contractually limited to using the data only to provide its service to us.

• Amazon Web Services (AWS) — account auth (Cognito), recipe storage (DynamoDB), AI recipe extraction (Bedrock running Anthropic Claude models), and file storage (S3). All data is processed in the AWS US East (N. Virginia) region.
• Apify — used as a fallback for resolving Instagram posts the official Instagram tools cannot reach. The shared URL is sent to Apify so the page can be fetched; results are returned to us and not retained.
• Edamam — used for nutrition estimates on RouxDex Pro recipes. We send the ingredient list and receive estimated calories and macros.
• PostHog — feature flag delivery and (with consent) product analytics. Hosted in PostHog Cloud US.
• RevenueCat — manages subscription state for RouxDex Pro and verifies App Store receipts.
• Apple — provides the App Store, in-app purchases, and TestFlight beta distribution.

How long we keep your data

Account and recipe data persists until you delete your account. URL resolution cache entries expire automatically after 24 hours. Backups are retained for up to 35 days for disaster recovery, then deleted.

Your choices and rights

• Access — everything tied to your account is visible in the app. Email us if you would like an export.
• Delete your account — you can delete your account from within RouxDex (Profile → Account → Delete Account). This permanently removes your recipes, account, and any cached images from our servers.
• Withdraw analytics consent — in Settings, toggle off product analytics. Feature flag loading still occurs (the app cannot work correctly without it), but no events are captured.
• California (CCPA) — we do not “sell” or “share” personal information as those terms are defined under California law. You have the right to know, delete, and opt out where applicable. Contact us to exercise these rights.
• EU/UK (GDPR) — you have the right to access, correct, port, restrict, or erase your personal data, and to lodge a complaint with your supervisory authority. Our lawful bases are contract performance (delivering the service you requested) and consent (analytics).

Children

RouxDex is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.

Security

All network traffic between the RouxDex app and our servers uses TLS. Account credentials are managed by Amazon Cognito and we do not see or store your password. We follow AWS security best practices including least-privilege access controls and encrypted storage at rest.

Changes to this policy

If we make material changes we will update this page and the “Last updated” date above. For significant changes we will also notify you in-app or by email.

Contact

Questions, requests, or complaints: hello@purplemoon.dev