Privacy Policy

Effective date: April 5, 2026 · Last updated: April 5, 2026

Mélange Studios LLC (“Mélange,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Mélange mobile application (the “App”), the website at getmelange.app (the “Website”), and any related services (collectively, the “Service”).

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

Contents

Information We Collect
How We Use Your Information
Legal Bases for Processing (GDPR)
How We Share Your Information
Third-Party Services
AI-Powered Features
Data Storage and Security
Data Retention
Your Rights and Choices
California Privacy Rights (CCPA/CPRA)
European Privacy Rights (GDPR)
International Data Transfers
Children’s Privacy
Cookies and Tracking Technologies
Changes to This Policy
Contact Us

1. Information We Collect

1.1 Information You Provide Directly

Account information: When you create an account, we collect your name, email address, and authentication credentials (e.g., passkey, Apple ID token, or hashed password). We never store plaintext passwords.
Profile information: Taste preferences, flavor profiles, skill level, preferred ingredients, dietary restrictions, and avatar image that you provide during onboarding or later customization.
User-generated content: Cocktail recipes you create, collections you organize, reviews, ratings, and photos you upload.
Bar inventory data: Items you add to your virtual bar, including bottle names, quantities, and barcode scan data.
Communications: Information you provide when contacting support, submitting feedback, or responding to surveys.
Newsletter sign-up: Your email address when you subscribe to launch notifications or marketing communications on the Website.
Purchase information: Records of in-app purchases and subscription status, processed and managed by Apple through the App Store. We do not collect or store your credit card number or payment instrument details.

1.2 Information Collected Automatically

Device information: Device model, operating system version, unique device identifiers (Identifier for Vendor), and device settings (e.g., language, time zone).
Usage data: Features accessed, screens viewed, actions taken within the App, session duration, and interaction patterns. We use this to improve the Service and personalize your experience.
AI generation metadata: Prompts submitted to the AI cocktail generator, tokens consumed, model used, and generation timestamps. We retain this to enforce rate limits and improve AI quality. Prompts are not shared with other users.
Crash and performance data: Error logs, crash reports, and performance metrics. We use anonymized user identifiers (not email addresses) in crash reports.
Approximate location: With your permission, we may collect your approximate location (city/region level, using reduced-accuracy location services) to show trending cocktails and regional preferences. We do not collect precise GPS coordinates, and location data is not stored on our servers — it is used transiently to determine your region.

1.3 Information from Third Parties

Apple Sign-In: If you authenticate via Sign in with Apple, we receive a unique user identifier and, optionally, your name and email address (which Apple may relay or hide at your choice).
Barcode databases: When you scan a bottle, we query third-party product databases to retrieve product name, brand, category, and description. These queries do not include your personal information.

2. How We Use Your Information

We use the information we collect for the following purposes:

Provide the Service: Create and manage your account, deliver personalized cocktail recommendations, power the AI cocktail generator, and manage your bar inventory.
Personalize your experience: Build and refine your flavor profile, recommend recipes based on your taste and inventory, and curate content for your interests.
Process transactions: Manage your subscription status, validate in-app purchases through Apple, and enforce feature access levels.
Improve the Service: Analyze usage patterns, diagnose technical issues, optimize AI model performance, and develop new features.
Communications: Send transactional emails (account verification, password reset, magic link sign-in), and, with your opt-in consent, marketing emails about new features and launches.
Safety and security: Detect and prevent fraud, abuse, and unauthorized access. Enforce rate limits and terms compliance.
Legal compliance: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data under the following legal bases:

Legal Basis	Examples
Contract performance	Creating your account, delivering the Service, managing subscriptions
Legitimate interest	Improving the Service, analytics, fraud prevention, security
Consent	Marketing emails, optional location data, optional analytics
Legal obligation	Tax records, responding to legal requests

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:

Service providers: We share data with trusted third-party vendors who assist us in operating the Service (cloud hosting, AI processing, analytics, email delivery). These providers are contractually obligated to protect your data and use it only for the purposes we specify.
Community features: If you share a cocktail recipe or collection publicly, your display name and shared content will be visible to other users. You control what you share.
Legal requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Business transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred. We will notify you via email or prominent notice within the App before your information becomes subject to a different privacy policy.
With your consent: We may share information for other purposes with your explicit consent.

We never sell your personal data. Mélange does not participate in data brokering, targeted advertising networks, or any practice that sells or shares your information for third-party marketing purposes.

5. Third-Party Services

The Service integrates with the following categories of third-party providers:

Category	Purpose	Data Shared
Cloud infrastructure	Database, authentication, storage	Account data, user content (encrypted at rest)
AI processing	Cocktail recipe generation	User prompts, taste preferences (anonymized)
Video generation	Cocktail creation videos	Text prompts and reference images (no PII)
Analytics	Usage statistics and crash reporting	Anonymized usage events, device info (no email or name)
Product databases	Barcode lookups for bottle scanning	UPC/EAN codes only (no user data)
Payment processing	In-app purchases and subscriptions	Managed entirely by Apple — we never receive payment details
CAPTCHA	Bot prevention on authentication	Browser challenge tokens (no PII)

Each third-party provider is subject to their own privacy policy. We select providers that demonstrate strong commitments to data security and privacy.

6. AI-Powered Features

Mélange uses artificial intelligence to generate cocktail recipes, suggest ingredient substitutions, and personalize your experience. When you interact with AI features:

Your text prompts are sent to our AI processing provider to generate responses. Prompts may include your taste preferences and current bar inventory to improve relevance.
We do not use your prompts or personal data to train AI models. Your inputs are used solely to generate a response for you.
AI-generated content (recipes, descriptions) is provided for informational and entertainment purposes. Always verify ingredient information, especially regarding allergens and dietary restrictions.
We log generation metadata (prompt length, model used, token count, timestamp) for rate limiting and quality assurance. Prompt text is retained for up to 90 days for abuse prevention, then deleted.

7. Data Storage and Security

We take the security of your data seriously and implement industry-standard measures to protect it:

Encryption in transit: All communication between the App, Website, and our servers uses TLS 1.2 or higher encryption.
Encryption at rest: Personal data stored in our database is encrypted at rest. Sensitive fields (email, name) are additionally encrypted with application-level encryption.
On-device security: API keys and authentication tokens are stored in the iOS Keychain with hardware-backed protection. The local database is encrypted using iOS Data Protection (NSFileProtectionComplete).
Access controls: Access to production data is restricted to authorized personnel through role-based access control and multi-factor authentication.
Row-level security: Our database enforces row-level security policies so users can only access their own data through the API.
Authentication: We support passkeys (WebAuthn/FIDO2), Sign in with Apple, magic links, and email/password authentication. Passwords are hashed with salted key derivation functions and are never stored in plaintext.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Data Type	Retention Period
Account information	Until you delete your account
Taste preferences and inventory	Until you delete your account
AI generation prompts	90 days, then deleted
AI generation metadata	1 year for analytics, then aggregated
Analytics events	12 months, then aggregated or deleted
Crash reports	90 days
Newsletter email	Until you unsubscribe
Purchase records	As required by tax law (typically 7 years)

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

9. Your Rights and Choices

Depending on your location, you may have some or all of the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data. You can delete your account directly within the App (Settings → Delete Account), or contact us.
Portability: Request your data in a structured, machine-readable format (JSON export available in Settings).
Restriction: Request that we limit processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interests.
Withdraw consent: Where processing is based on consent, withdraw it at any time.
Opt out of marketing: Unsubscribe from marketing emails at any time using the link in each email, or by contacting us.
Location permissions: Revoke location access at any time in your device Settings. The App will continue to function without location data.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:

Right to know: You have the right to request the categories and specific pieces of personal information we have collected about you, the sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
Right to correct: You have the right to request correction of inaccurate personal information.
Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out.
Right to limit use of sensitive personal information: We only use sensitive personal information (such as account credentials) for purposes authorized by the CPRA.
Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a verifiable consumer request, email [email protected] with the subject line “CCPA Request.” We will verify your identity before fulfilling any request.

Categories of Personal Information Collected (CCPA Disclosure)

CCPA Category	Examples	Sold?
Identifiers	Name, email, device ID	No
Commercial information	Subscription status, purchase history	No
Internet/electronic activity	App usage, features accessed, search queries	No
Geolocation (approximate)	City/region (with consent)	No
Inferences	Taste preferences, persona classification	No
Sensory data	Photos you upload (recipes, avatar)	No

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

All rights listed in Section 9 above, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe our processing of your personal data violates applicable law.
Data Protection Officer: For GDPR-related inquiries, contact us at [email protected].

The data controller is Mélange Studios LLC, a California limited liability company.

12. International Data Transfers

Mélange Studios LLC is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international transfers, including:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
Ensuring our data sub-processors maintain equivalent data protection standards.

By using the Service, you acknowledge and consent to the transfer of your information to the United States and other countries where our service providers operate.

13. Children’s Privacy

The Service is intended for users who are of legal drinking age in their jurisdiction. We do not knowingly collect personal information from individuals under the age of 21 in the United States, or under the legal drinking age in other jurisdictions. If we learn that we have collected personal information from a minor, we will take steps to delete that information promptly. If you believe a minor has provided us with personal information, please contact us at [email protected].

14. Cookies and Tracking Technologies

The Website (getmelange.app) may use the following technologies:

Essential cookies: Required for basic website functionality (e.g., session management). These cannot be disabled.
Analytics: We may use privacy-focused analytics to understand how visitors interact with the Website. We do not use third-party advertising cookies or tracking pixels.

The App does not use cookies. The App uses on-device storage (Keychain for credentials, local database for content) as described in this policy.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Last updated” date at the top of this page.
Notify you via email or an in-app notification for material changes that affect how we use your personal data.
Where required by law, obtain your consent before applying changes to data already collected.

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]
General legal inquiries: [email protected]
Mailing address: Mélange Studios LLC, California, United States

We aim to respond to all privacy-related inquiries within 30 days.