This Privacy Policy explains what information Mise Studio LLC ("Mise", "we", "us") collects when you use the Mise website and application (misebook.io), why we collect it, how long we keep it, who we share it with, and the choices you have. Mise is the data controller for the personal information you provide to us.
If anything below is unclear, write to us at privacy@mise.app — a real person replies. For California-specific rights see Section 9. For children's privacy see Section 10.
What we collect
Everything we actually collect.
1. Account information
When you create an account or place an order we store your name, email address, country, and optionally a profile photo. We also store your membership tier (BASIC or PRO) and whether you have completed onboarding.
2. Billing and Stripe data
When you subscribe or place an order, Stripe processes your payment. We never see or store your full card number. We do receive and store from Stripe: your Stripe customer ID, subscription ID, card brand (e.g. Visa), card last four digits, and next billing date. These are stored solely to manage your subscription and display billing status in your account settings.
3. Recipe and book content
The recipes (title, ingredients, instructions, cooking times, servings, source URL), photos, and notes you add are stored so we can show them in the 3D preview and bind them into a printed book. We also store the raw HTML or OCR text you submit through the AI parser, for debugging and re-processing. Book content includes your cover images (front and back), dedication text and photo, cover author name, and any back-cover text you write. Nothing you write or upload is used to train AI models — see Section 5.
4. Order and shipping information
When you place a print order we collect your full shipping address, phone number, and print specifications (cover type, paper quality, page count, quantity, add-ons). See Section 8 for how long order data is retained.
5. Technical and device data
When you visit or use the Service, we automatically collect: your IP address (used to determine your country at signup via a third-party geolocation service and to flag internal traffic), your device type (mobile, tablet, or desktop), and your browser user-agent string. We retain the full user-agent string for bot detection and future browser-compatibility analysis.
6. Marketing attribution and UTM data
To understand how users find Mise, we capture and store the UTM parameters (source, medium, campaign, content, term) present in the URL when you first land on our site, together with the referring domain, landing page URL, and raw referrer URL. This first-touch attribution is stored to your profile at signup. We also record last-touch UTM values at the moment you create a checkout session.
7. Advertising click identifiers
If you arrive from a paid-advertising link, your URL may contain ad-platform click identifiers. We capture and store the following when present: gclid / gbraid / wbraid (Google Ads), fbclid (Meta / Facebook), ttclid (TikTok Ads), msclkid (Microsoft Advertising), li_fat_id (LinkedIn), twclid (Twitter / X), rdt_cid (Reddit), and epik (Pinterest). These identifiers are used for advertising attribution and marketing ROI analysis. They are not sold to third parties.
8. Behavioural and usage analytics
We use PostHog to record how you interact with the Service (with your consent — see Section 6). Events we track include: page views, recipe creation, AI-feature use, editor session duration, template changes, checkout steps, and interaction with the 3D preview. After you log in, PostHog events are linked to your account (they are pseudonymous before login and identified afterwards). We also maintain internal lifecycle timestamps — first login, first recipe created, first book ordered, last active time — to understand product engagement and support our business planning. The Service sends a periodic heartbeat to refresh your "last active" timestamp while the app is open in your browser.
9. Email engagement data
Our email provider (Resend) tracks whether you open transactional emails we send and whether you click links within them (including which link you clicked). This data is stored in our database to measure email deliverability and to improve our communications. Transactional emails include welcome, order confirmation, shipping notification, and subscription emails.
10. AI usage logs
Each time you use an AI feature (recipe parsing, OCR, or image generation) we log: the feature type, the AI model used, input and output token counts, an estimated cost, and a timestamp. These logs are used to enforce usage limits per tier and to manage our AI API costs. They are not shared externally.
11. Support communications
If you submit a support ticket we store the subject and description you write, any screenshots you attach, and the conversation thread with our team. Support tickets are hard-deleted when your account is deleted.
12. Pre-account session tracking
When you visit misebook.io for the first time, a random distinct_id is stored in your browser's localStorage (not a cookie) with a 30-day TTL. This identifier lets us attribute pre-signup page views and marketing data to an eventual account. At signup, the anonymous session is linked to your profile. The distinct_id persists across page loads within the same browser and is cleared after 30 days or when you clear your localStorage.
How we use it
Why we process your data.
Providing the Service. Account information, recipe and book content, billing data, and order information are processed to deliver the features you use and fulfil your print orders. Legal basis: performance of a contract.
Payment processing. Billing data is shared with Stripe to process subscription and one-off payments. Legal basis: contract performance.
Print fulfilment. Your name, address, phone number, and book PDF are shared with our print partner to manufacture and ship your book. Legal basis: contract performance.
Communications. We use your email address to send transactional emails (order confirmations, shipping updates, account notices) via Resend. Legal basis: contract performance and legitimate interests.
Product analytics. Behavioural data (PostHog events, lifecycle timestamps) is used to understand how people use the Service, identify bugs, and prioritise features. Legal basis: legitimate interests, subject to your consent for analytics cookies.
Marketing attribution. UTM data, click IDs, and referrer data are used to measure the effectiveness of our marketing campaigns and advertising spend. Legal basis: legitimate interests.
Advertising audience creation. We may use your email address and behavioural segments to build custom audiences on Meta (Facebook/Instagram) and Google for targeted advertising. You may opt out of this use — see Section 9. Legal basis: legitimate interests, subject to opt-out.
Fraud prevention and security. Technical data (IP address, user-agent) and usage patterns are used to detect abuse, spam, and fraud. Legal basis: legitimate interests.
Legal compliance. Order data is retained to comply with tax and accounting obligations. Legal basis: compliance with legal obligations.
AI usage enforcement. Usage logs are processed to enforce per-tier AI usage limits. Legal basis: contract performance.
AI processing
The parser, explained.
We use the Google Gemini API to parse recipe text, process images (OCR), and generate recipe photos. When you use these features, the text or image you submit is sent to Google's servers for processing. Two things to know:
Training data. Under Google's current API terms, inputs submitted through the Gemini API are not used to train Google's AI models. This is a commitment in Google's API usage policy, not a commitment we can independently guarantee in perpetuity. If Google's policy changes in a way that affects how your data is handled, we will notify you and update this section. You can review Google's current API data-use policy at ai.google.dev/gemini-api/terms.
Review before printing. AI output can contain inaccuracies. Your book is printed from what you approve — read it before you order. Mise is not responsible for errors in AI-parsed content that you save without reviewing.
Our processors
Who else touches your data.
We share the minimum required with each partner. Nothing is sold for profit.
Advertising platforms. We may share hashed email addresses and profile segments with Meta (Facebook / Instagram) and Google to build Custom Audiences and Customer Match lists for targeted advertising. This constitutes "sharing" personal information for cross-context behavioural advertising under California law. You have the right to opt out — see Section 9 (California Rights) or write to privacy@mise.app with the subject "Do Not Share My Data".
Data retention
How long we keep it.
Account deletion (Settings → Data → Delete Account) hard-deletes your recipes, books, photos, PDFs, and support tickets. PII on your profile is cleared. However, order records are retained for 7 years because they are required for tax and accounting compliance and as evidence in the event of a Stripe chargeback. This is a legal obligation we cannot waive on request. The table below details retention for each data category.
Your rights
Yours to exercise.
Regardless of where you live, you have the following rights regarding your personal information. We will respond to verifiable requests within 30 days (or let you know if we need more time).
Delete. You may delete your account at any time via Settings → Data → Delete Account. This deletes all recipes, books, photos, and support data. Order records are retained for 7 years as described in Section 8. You may also request deletion of specific data by writing to privacy@mise.app.
Access. You may request a copy of the personal information we hold about you. We will provide it in a structured, commonly used, machine-readable format within 30 days.
Correct. If any personal information we hold about you is inaccurate or incomplete, you may update most of it directly in your account settings, or request a correction by writing to us.
Portability. You may download your recipes as a structured file at any time, at no cost, from within the app.
Withdraw consent (analytics). You may withdraw consent for analytics cookies and PostHog tracking at any time in the cookie preferences section below. Withdrawal does not affect the lawfulness of processing before withdrawal.
Opt out of advertising use. You may opt out of your data being used to build advertising audiences on Meta or Google by writing to privacy@mise.app with the subject "Do Not Share My Data for Advertising".
Object to processing. You may object to processing based on legitimate interests (such as certain analytics or profiling) by writing to privacy@mise.app.
Ask us anything. Write to privacy@mise.app and we will answer in plain language within 30 days.
Security
How we protect your data.
We implement reasonable technical and organisational security measures appropriate to the risk:
Encryption in transit. All data exchanged between your browser and our servers is encrypted via TLS (HTTPS).
Encryption at rest. Data stored in Supabase and Cloudflare R2 is encrypted at rest by those platforms.
Access controls. Database access is restricted by row-level security policies ensuring users can only access their own data. Administrative access requires separate authentication.
Minimal data sharing. We share only the minimum data required with each third-party processor.
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
Data breaches
What happens if something goes wrong.
In the event of a data security breach that is likely to affect your personal information, we will notify affected users by email to their registered address within 72 hours of becoming aware of the breach, or as soon as reasonably practicable. The notification will describe the nature of the breach, the categories of data affected, and the steps we are taking to address it.
We will also notify the appropriate regulatory authorities as required by applicable law.
California residents
Your CCPA / CPRA rights.
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you additional rights over your personal information.
Categories of personal information collected
In the past 12 months we have collected: identifiers (name, email, IP address, device IDs, cookie identifiers); commercial information (order history, subscription status); internet or other electronic network activity (browsing behaviour on our site, analytics events, email engagement); geolocation data (country derived from IP); and inferences drawn from the above to create a profile about you.
Sale and sharing
We do not "sell" personal information in the traditional sense. However, we do "share" email addresses and behavioural segment data with Meta and Google for cross-context behavioural advertising, which qualifies as "sharing" under the CPRA. Do Not Sell or Share My Personal Information ↓
Your CCPA rights
Right to Know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and any third parties with whom we have shared it.
Right to Delete. You may request deletion of your personal information, subject to certain legal exceptions (including the 7-year order retention described in Section 8).
Right to Correct. You may request correction of inaccurate personal information we hold about you.
Right to Opt Out of Sale / Sharing. You may opt out of the sharing of your personal information for cross-context behavioural advertising at any time — see the "Do Not Sell or Share" section below.
Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes beyond those necessary to provide the Service.
Non-discrimination. We will not discriminate against you for exercising any CCPA rights.
To submit a verifiable consumer request under the CCPA, write to privacy@mise.app or to: Mise Studio LLC, Attn: Privacy Request, [LEGAL ENTITY ADDRESS]. We will verify your identity using the email address on your account. You may designate an authorised agent to make a request on your behalf.
Children's privacy
No data from children under 13.
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. This is consistent with the requirements of the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501 et seq.).
If you are between 13 and the age of majority in your jurisdiction, your parent or legal guardian must have agreed to these Terms and this Privacy Policy on your behalf before you use the Service.
If we learn that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe we have done so, please notify us at privacy@mise.app.
Cookies & local storage
What stays in your browser.
We use a small number of cookies and localStorage values. Essential cookies are required for the Service to function. Analytics cookies (PostHog) require your consent. We do not use advertising cookies.
Ad-blocker proxy note: PostHog analytics requests are routed through a first-party path on misebook.io (specifically /ingest) so that they reach our analytics server even when ad-blocking browser extensions are active. This means PostHog analytics data is collected at approximately the same rate regardless of whether you use an ad blocker — but only after you have given consent. The proxy does not bypass the consent requirement.
To manage your cookie preferences (accept or withdraw consent for analytics), please visit misebook.io/privacy once the full site launches.
Browser extension
The Mise Recipe Saver Chrome extension.
Mise publishes a free Chrome extension that detects schema.org/Recipe structured data on food blogs and lets you save the recipe to your Mise Recipe Box in one click. This section describes the data flows specific to the extension. Everything in the rest of this Privacy Policy still applies — the extension is a thin client over the same Mise account you use on misebook.io.
What the extension reads from third-party sites
When you visit a webpage, a small content script reads only the page's structured Recipe data — the same machine-readable JSON sites publish for Google's rich-results indexing. The extension never inspects, transmits, or stores any other part of the page. If no Recipe data is present, the extension does nothing.
When data leaves your browser
The extension transmits data to Mise's servers in exactly two cases, both initiated by you:
When you click "Save to Recipe Box": the recipe (title, description, ingredients, instructions, prep/cook times, servings, category, hero image URL, source page URL) and your Mise account access token are sent to
https://misebook.io/api/recipes/saveover HTTPS, where the recipe is stored in your Mise account.When your sign-in session expires: the extension sends a refresh token to
https://misebook.io/api/extension/refresh-sessionto obtain a new access token. No recipe content is transmitted on this call.
What the extension stores locally
Your Mise account session token (received from misebook.io's session bridge) is stored in chrome.storage.local, encrypted at rest by Chrome and isolated from other extensions. A short-lived per-tab cache of detected recipes is held in chrome.storage.session (cleared when you close the browser). Both stores are local to your device.
What the extension never does
No tracking of your browsing history. The extension does not record which pages you visit.
No analytics or telemetry from inside the extension. No PostHog, Google Analytics, or any third-party scripts run in the extension.
No data is transmitted on page load. The toolbar badge updates locally; nothing is sent to our servers until you explicitly click Save.
No advertising, no data brokers, no sale or sharing with third parties.
No access to cookies, passwords, financial information, health information, or location.
Permissions explained
Host permission for all URLs — required to detect <script type="application/ld+json"> tags on third-party food blogs. The content script reads only this structured data; page content is never transmitted to Mise unless you click Save.
storage — persists your Mise session token and per-tab recipe cache locally on your device.
activeTab — lets the popup read the currently detected recipe from the tab you have open when you click the icon.
AI processing on save
Recipes saved via the extension are passed through Mise's AI ingredient parser (Google Gemini) to convert free-text ingredient lines into structured {name, amount, unit, note} fields before storage. This is the same processor used by the main app's import feature, and uses count against the same monthly AI import limit (see Section 5 above for our AI training-data policy).
Uninstalling and deletion
Recipes you have already saved are part of your Mise account — uninstalling the extension does not delete them. To remove them, delete the recipes in your Mise Recipe Box, or delete your account (see Section 7 — Your rights). Removing the extension from Chrome clears all locally-stored tokens and the per-tab cache.
Policy updates
When this policy changes.
We may update this Privacy Policy from time to time. For material changes — changes that affect your rights or the way we use your personal information — we will provide at least 14 days' advance notice by email to your registered address before the new policy takes effect. For non-material corrections, we may update the policy immediately. The "Last updated" date at the top of this page always reflects the current version. Continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy.