Back to Home

Privacy Policy

Last updated: April 12, 2026

1. Privacy Officer

Origano is operated by JaffSoft. Our Privacy Officer is:

  • Name: Jean-François Côté
  • Title: Founder and Privacy Officer
  • Email: jfcote@hey.com

Any request regarding your personal information should be directed to this person. We will respond within 30 calendar days of receiving your request. This period may be extended by an additional 30 days upon written notice.

2. Personal Information We Collect

In connection with providing our services, we collect only the following personal information:

  • Email address — used to create your account, authenticate you, and communicate with you.
  • Password — stored in encrypted form (BCrypt hash); we do not have access to it.
  • User-created content — recipes, recipe books, meal plans, and preferences you enter in the application. This content belongs to you.
  • Technical data — session data necessary for the proper functioning of the application (no behavioral or advertising profile is created).

We do not collect sensitive information, payment card data, or any information about minors under 14 years of age.

3. Purposes of Collection and Use

The information collected is used solely for the following purposes:

  • Creating and managing your user account.
  • Allowing you to access your personalized data (recipes, meal plans).
  • Sending you transactional communications (password reset, account confirmation).
  • Processing Pro subscription payments.
  • Ensuring the security, reliability, and continuous improvement of the application.

We do not use your information for commercial, advertising, or profiling purposes.

4. Disclosure to Third Parties — Sub-Processors

Your personal information is not sold or rented to third parties. It may however be shared with the following sub-processors solely for the purpose of delivering our services:

  • Resend (email delivery) — your email address is transmitted for sending transactional communications.
  • Stripe (online payments) — your email address is shared to create a customer record. Payment card data is handled entirely by Stripe and never passes through our servers.
  • Anthropic (Claude AI) (AI parsing) — used to extract a recipe structure from a web page during URL import. No personal data is transmitted; only the public HTML content of the external page is sent.
  • Legal obligation — if required by law or in response to an order from a competent court.

These providers may be located outside Quebec. In such case, we ensure they provide an adequate level of protection as required by Quebec's Act respecting the protection of personal information in the private sector (Law 25).

5. Retention Period

  • Active accounts — retained for the lifetime of the account.
  • Deleted accounts — permanently deleted within 30 days of the request.
  • System logs — retained for 90 days, then destroyed.
  • Reset tokens — automatically expire after 24 hours.

Some data may be retained longer if required by a legal obligation.

6. Security Measures

We implement reasonable and appropriate security measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include password encryption (BCrypt), encrypted communication (HTTPS/TLS), CSRF protection, and data access controls.

In the event of a privacy incident likely to cause serious harm, we will notify you and inform the Commission d'accès à l'information du Québec within 72 hours, in accordance with our legal obligations.

7. Cookies

Origano uses only essential session cookies necessary for the application to function (authentication, CSRF security, language and theme preferences, remember-me login). No advertising or third-party tracking cookies are set. These cookies are not used to identify you on other websites.

You may configure your browser to refuse cookies, but this may prevent you from using certain features of the application.

8. Your Rights

In accordance with Quebec's Law 25 and the Act respecting the protection of personal information in the private sector, you have the following rights:

  • Right of access — You may request to view the personal information we hold about you.
  • Right of rectification — You may correct your information directly in your account settings.
  • Right to erasure — You may delete your account and all your personal information directly in the application.
  • Right to data portability — You may download a copy of your data in JSON format directly from your account settings.
  • Right to withdraw consent — You may withdraw your consent at any time by deleting your account.

For requests that cannot be handled directly in the application, write to jfcote@hey.com. We will respond within 30 calendar days.

If you believe your rights have not been respected, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) at www.cai.gouv.qc.ca.

9. Changes to This Policy

We may modify this policy from time to time to reflect changes in our practices or applicable law. In the event of a significant change, we will inform you by email or through a prominent notice in the application. The date of the last update appears at the top of this page.