Sesame
Privacy Policy
Your privacy is sacred.
Let's be real: nobody likes the idea of their data being sold to strangers on the internet. At MidBox, we hate it just as much as you do.
Sesame is designed to be your personal cooking assistant, not a spy. We only use your data to make the app work (like saving your recipes or keeping you from having to log in every time). We will never sell your personal information. Period.
Following is the official, detailed version of how we protect your secret ingredients (and your data).
1. PREAMBLE AND COMMITMENT TO TRUST
Protecting your privacy and securing your data are absolute priorities for MidBox Technologies Inc. ("MidBox", "we", "us", "our", "the Company"). In the course of operating the Sesame mobile application (the "Application"), we are committed to managing your personal information with the utmost transparency and in accordance with the strictest legislative standards.
This Privacy Policy comprehensively describes how we collect, use, store, and share your information. It has been drafted to specifically comply with the requirements of:
Law 25 (Act to modernize legislative provisions as regards the protection of personal information) of Quebec;
The General Data Protection Regulation (GDPR - Regulation (EU) 2016/679);
The Children’s Online Privacy Protection Act (COPPA) of the United States.
By installing and using the Sesame Application, you acknowledge that you have read and accepted the practices described in this document.
2. PRIVACY OFFICER
In accordance with Law 25, we have appointed a Privacy Officer (PO) within our organization. This person is responsible for ensuring compliance with legislation and handling your requests.
For any questions regarding this policy, to exercise your rights, or to file a complaint, you may contact:
Data Protection Officer:
Title: Data Compliance Director
Email Address: privacy@midboxtech.com
Mailing Address: 6300 avenue Auteuil, Suite 505-147, Brossard, Quebec, J4Z 3P2, Canada
3. DATA COLLECTED AND METHODS OF COLLECTION
We apply the principle of data minimization, collecting only what is strictly necessary for the proper functioning of the Application and the improvement of our services.
3.1 Data You Provide Directly to Us
This data is collected when you create an account or interact with the Application.
Account Information (Essential): Email address, password (encrypted), and username. This data is necessary for the performance of the Terms of Service and to secure your access via our authentication services (Firebase).
User Content: Recipe texts, ingredient lists, personal notes, and food photos that you upload or create in the Application.
Nutritional Goals and Recipe Import: The Application acts as a smart recipe book. Sesame does not generate recipes autonomously, but only imports and structures the recipes that you expressly identify and submit. If you choose to set personal nutritional goals (calorie or macronutrient targets), you consent to our use of this data to analyze the recipes you have imported. Sesame does not manage any dietary restrictions, specific diets, or allergies. The Application is not a medical device, provides no diagnosis or weight tracking, and the data entered therein does not in any way constitute a health record.
Data Imported via Third-Party Links (Automated Extraction): When you use the Application to import recipe instructions from an external hyperlink (e.g., social networks) via our automated extraction tools (Apify), you warrant that you have the legal right to access this content and import it for your personal use. The Application acts solely as an automated technical intermediary that extracts and formats public text at your express request. We disclaim all liability for any potential violations of copyright or third-party platform terms of service resulting from the links you choose to submit.
Support Communications: The content of your exchanges with our customer service or your bug reports.
3.2 Automatically Collected Data
This data is collected via cookies, pixels, and Software Development Kits (SDKs) integrated into the Application.
Technical Data: IP address, device model, operating system version, unique device identifier (UUID), language, time zone. (Legal basis: Legitimate interest for security and compatibility).
Analytical Data: Diagnostic and performance data (collected via Firebase and Crashlytics) are aggregated and are not persistently linked to your personal identity or name. They are used solely to resolve technical bugs and measure the Application's effectiveness, without tracking or marketing purposes.
Transactional Data: Subscription history, renewal dates, and Receipt Tokens. This data is collected via our partner, RevenueCat.
Important Note: MidBox never collects, processes, or stores your full banking information (credit card numbers). All financial transactions are processed exclusively and securely by the Apple App Store or the Google Play Store.
3.3 Data Imported via Third-Party Links
When you use the Application to import a recipe from an external hyperlink, we use an automated tool to extract and format the text at your request. This extracted information is processed and stored solely for the purpose of being added to your private recipe book.
4. ARTIFICIAL INTELLIGENCE AND TRANSPARENCY (LAW 25 / GOOGLE VERTEX AI)
The Sesame Application integrates advanced generative artificial intelligence features to help you structure your recipes, generate images, or suggest ingredients. These services are provided by Google Cloud Vertex AI (Gemini models).
4.1 Transparency, Consent, and Culinary Assistant (AI)
In accordance with Law 25 (Quebec) and transparency principles: The Application integrates an interactive Culinary Assistant powered by Google Cloud's artificial intelligence models (Vertex AI). By using this assistant to ask questions about your recipes, request ingredient substitutions, or preparation advice, you consent to the content of your query being transmitted to this third-party service.
4.2 Protection of Your Data in AI ("No Training" Guarantee)
We understand your concerns regarding the use of your data to train public AI models.
Non-Training Commitment: We use the "Enterprise" version of Google Vertex AI. Under the applicable terms of service, Google is contractually committed not to use your data (prompts, recipes, photos) to train its generative foundation models.
Isolation: Your data is processed in a secure and isolated environment. It is only used to generate the specific response to your request and is then deleted from the active processing context. It does not enrich a shared knowledge base with other users or with Google.
4.3 Algorithmic Recommendations and Automated Processing
Recipe suggestions provided by the Application (for example, recommending a recipe from your own catalog that you haven't cooked recently) are based on the analysis of your usage history. In accordance with Law 25, we inform you that these automated suggestions are intended only to facilitate the management of your culinary book. They do not constitute profiling for advertising purposes and do not result in any automated decision having a legal consequence or significant impact on you. You remain the sole decision-maker regarding whether to follow or ignore these recommendations.
5. DATA SHARING AND INTERNATIONAL TRANSFERS
We never sell, rent, or trade your personal data to third parties for advertising purposes. We only share your data with technical subprocessors necessary for providing the service.
5.1 Our Certified Subprocessors
To ensure the operation of Sesame, we use the services of third-party providers located in the United States.
Google Cloud Platform
Provided Service: Hosting, Database (Firestore), AI (Vertex), Authentication
Location: United States
Compliance Mechanism (Law 25 / GDPR): Data Privacy Framework and International Security Agreements.
RevenueCat
Provided Service: Subscription and purchase receipt management
Location: United States
Compliance Mechanism (Law 25 / GDPR): Data Privacy Framework & Data Processing Agreement (DPA).
Apify Technologies
Provided Service: Indexing of recipes from public sources
Location: European Union (Czech Republic) / United States
Compliance Mechanism (Law 25 / GDPR): Built-in GDPR compliance (EU-based provider) and Standard Contractual Clauses (SCCs) for non-EU transfers.
5.2 Legal Framework for Transfers (Data Privacy Framework)
Your data is transferred to and processed on servers located in the United States.
EU and Swiss Users: These transfers are covered by the European Commission's adequacy decision (July 10, 2023) regarding the EU-U.S. Data Privacy Framework. Our providers (Google LLC and RevenueCat) are certified under this framework, ensuring a level of data protection substantially equivalent to that of the European Union.
Quebec and Canadian Users: In accordance with Law 25, we have conducted a Privacy Impact Assessment (PIA - a rigorous risk analysis) prior to authorizing these transfers.
6. YOUR RIGHTS AND DATA CONTROL
You have extensive rights regarding your data, which we are committed to respecting regardless of your place of residence.
6.1 List of Your Rights
Right of Access: You may request a copy of the data we hold about you.
Right to Rectification: You may correct inaccurate information directly within the Application or by contacting us.
Right to Erasure and Destruction: You may demand the permanent deletion of your account and associated data from our databases. (Note: The right to de-indexing provided by Law 25 does not apply to our service, as the Sesame Application is a private environment that does not broadcast any of your personal information on public search engines).
Right to Withdraw Consent: You may withdraw your consent to the processing of specific data (e.g., notifications, health data) at any time.
Right to Restriction and Objection: You may request to limit the processing of your data or object to certain uses.
6.2 Right to Data Portability (New - Law 25 & GDPR)
Since September 2024, Law 25 (like the GDPR) grants you the right to data portability. This means you may request to receive the computerized personal information you have provided to us in a structured and commonly used technological format (such as JSON or CSV).
This right is intended to allow you to reuse your data or transfer it to another service provider.
To exercise this right, please contact our Privacy Officer. We are committed to providing you with an exportable file containing your recipes and profile information within 30 days of receiving your written request.
6.3 Right to Erasure (Right to be Forgotten) and Revocation
You may delete your account and all associated data directly from the Application (Profile > Settings > Delete my account). This action triggers an irreversible deletion of your data from our active databases (Firestore) and our authentication system.
"Sign in with Apple" Users: In accordance with App Store guidelines, deleting your account from within the Application will also trigger a call to the Apple API (Sign in with Apple REST API) to immediately and permanently revoke the user token associated with your Sesame account. This severs all technical links between your Apple ID and our system.
For any other requests (portability, complex access requests, or if you no longer have access to the Application), contact us at: privacy@midboxtech.com.
7. SECURITY AND DATA RETENTION
7.1 Security
Although no computer system can guarantee absolute security, we implement reasonable technical and organizational measures, adapted to the nature of the data processed, to protect your information. This includes using recognized cloud infrastructure providers (Google Cloud) that ensure the encryption of your data in transit (TLS) and at rest. We limit access to our databases strictly to technical necessities related to the maintenance and improvement of the service.
7.2 Retention
We retain your data only for as long as necessary for the purposes for which it was collected.
Active Account: Data retained as long as the account is active.
Inactive Account: If no activity is detected on your account for a period of 24 months, we will send you a notification. In the absence of a response, your personal data will be deleted or irreversibly anonymized.
Technical Data: Server logs and raw analytical data are retained for a maximum period of 14 months.
8. CHILDREN'S PRIVACY (COPPA)
The Sesame Application is not intended for children under 13 years of age (or the applicable digital age of consent in your jurisdiction, e.g., 16 years in certain EU countries).
No Intentional Collection: We do not knowingly collect data from minors.
Corrective Action: If we learn or have reason to believe that an account has been created by a child in violation of this policy ("actual knowledge" standard), we will immediately delete this account and all associated data from our systems. If you are a parent or guardian and believe your child has provided us with data, please contact us immediately at privacy@midboxtech.com.
9. CHANGES TO THIS POLICY
We may update this policy to reflect technological, legal, or business developments. In the event of a material change (e.g., a change in the purposes of AI usage or the addition of a new major subprocessor), we will notify you via a prominent notice within the Application or by email, at least 15 days before the new terms become effective. Continued use of the Application after this period will constitute acceptance.