Your data, our commitment

Privacy Policy

Last updated: 1er mai 2026 · Compliant with Regulation (EU) 2016/679 (GDPR)

The essentials in 30 seconds

  • • We only collect what's necessary for the service (email, recipes, payment).
  • • Your bank details never pass through our servers (Stripe is PCI-DSS certified).
  • • We don't sell your data. Ever. To anyone.
  • • You remain in control: access, rectification, deletion, portability — an email is all it takes.
  • • Data hosted in the European Union whenever possible.

1. Data Controller

The data controller is Un Interlude, a simplified joint-stock company with a sole shareholder (SASU) registered under SIREN 880 245 931, publisher of the Thermoremix.ai service. For any questions regarding your personal data, contact us at hello@thermoremix.com.

2. Data We Collect

We apply the principle of data minimization: we only collect data strictly necessary for the service to function.

Identity and Account

Email, username, password (argon2id hashed — never stored in plain text), Thermomix® model owned, preferred language. If connecting via Google or Apple: unique identifier provided by the provider and associated email.

Content You Provide Us

Recipes you submit (text, URL, photos, descriptions), adapted recipes stored in your notebook, notes and comments. Photos are kept for the duration of the adaptation process and then deleted after 30 days, unless you save them with a recipe.

Payment Data

Stripe customer ID, subscription ID, chosen plan, payment status. Bank details (card number, CVV, IBAN) never pass through our servers — Stripe collects and stores them directly, in compliance with PCI-DSS Level 1 standard.

Technical and Usage Data

IP address (anonymized after 30 days), approximate country/city deduced from IP, device type, browser, service usage events (pages viewed, adaptations launched) for product improvement purposes.

3. Purposes and Legal Basis

In accordance with Article 6 of the GDPR, each processing operation is based on a specific legal basis:

  • Contractual performance — creation and management of your account, recipe adaptation, subscription and payment management (Art. 6.1.b GDPR).
  • Legal obligations — retention of invoices for 10 years (Article L.123-22 of the Commercial Code), tax traceability.
  • Legitimate interest — service security, fraud prevention, product improvement based on aggregated usage statistics (Art. 6.1.f).
  • Consent — post-registration email sequence (cancellable in 1 click via the 'unsubscribe' link), non-essential cookies (Art. 6.1.a).

4. Sub-processors and Transfers

We use a limited number of sub-processors selected for their security level and GDPR compliance. They only have access to your data within the scope of their mission.

Sub-processorPurposeLocation
Stripe Payments Europe Ltd.Payment processingIrlande (UE)
MongoDB AtlasDatabase hostingUE (Francfort)
Heroku (Salesforce, Inc.)Application hostingUE (Dublin)
Google Gemini APIAutomatic recipe adaptationUSA
OVH SASTransactional email sendingFrance (UE)
Google / Apple OAuthSocial login (optional)USA

Transfers to the United States (Google, Apple) are governed by the standard contractual clauses adopted by the European Commission and, where applicable, by the Data Privacy Framework (EC 2023/1795) certifying the US subcontractors involved.

5. How long do we keep your data?

  • Active account: as long as you use the service.
  • Inactive account: 24 months without logging in → warning email, then automatic deletion 30 days later.
  • Unsaved uploaded photos: 30 days after adaptation.
  • Invoices and billing data: 10 years (legal accounting obligation).
  • Technical logs and IP: 30 days, then anonymization.
  • Account deleted upon request: immediate deletion of identifying data; invoices are kept in anonymized form.

6. Your Rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access — obtain a copy of the data we hold about you.
  • Right to rectification — correct inaccurate information (can be modified directly from your account).
  • Right to erasure — delete your account and data ("right to be forgotten").
  • Right to data portability — retrieve your recipes and data in a readable format (JSON or CSV export).
  • Right to object — object to certain processing based on legitimate interest (analytics).
  • Right to restriction of processing — temporarily freeze the processing of your data.
  • Right to withdraw your consent — at any time for marketing emails.
  • Post-mortem directives — you can tell us what happens to your data after your death.

To exercise these rights, write to hello@thermoremix.com specifying the subject of your request. We will respond within a maximum of one month. Proof of identity may be requested to verify your identity.

7. Cookies and Local Storage

The service uses a minimal number of browser-side storage mechanisms:

  • Session JWT (essential) — stored locally to keep you logged in. Not shared with third parties.
  • Anonymous session ID (essential) — UUID generated to track your registration funnel before account creation.
  • Language preference (essential) — to display the interface in the correct language for you.

We do not use any advertising cookies, third-party tracking pixels (Facebook, TikTok, etc.), or external analytics tools (Google Analytics). Our usage tracking is entirely first-party and anonymized.

8. Security

All communications are encrypted in transit (HTTPS/TLS 1.2+). Passwords are hashed with argon2id (OWASP standard, with adaptive memory cost). Authentication tokens are signed with a secret stored as an environment variable, never in the source code. Database access is restricted by IP and requires authentication. In the event of a data breach affecting your rights and freedoms, we will notify you within 72 hours in accordance with Article 34 of the GDPR.

9. Minors

In accordance with Article 8 of the GDPR and French law, the service is open to individuals aged 16 and over. Users under 16 must obtain prior consent from a parent or guardian. If we discover that an account has been created by a minor without parental consent, we will delete it.

10. Changes to this policy

This policy may be updated to reflect legal or technical changes. In the event of substantial changes, you will be informed by email with 30 days' notice. The most recent version is always accessible at this URL.

11. Complaint to the CNIL

If you believe your rights are not being respected despite a request addressed to Thermoremix.ai, you can file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr/fr/plaintes — 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07.