Privacy Policy

Last updated: May 21, 2026 · Effective: May 21, 2026

Hotpot Club (“Hotpot Club,” “we,” “us,” or “our”) operates the Hotpot Club mobile application and this website (together, the “Service”). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have over it. By using the Service, you agree to the practices described here.

We have written this policy to be plain. If anything is unclear, write to us at privacy@joinhotpot.com and we will explain.

1. Who this policy applies to

This policy applies to anyone who uses Hotpot Club, including people who create an account, people whose phone numbers are used to verify identity, and people who appear in another user's posts (for example, because someone tagged them as having cooked with or for them).

2. Information we collect

2.1 Information you provide directly

• Phone number. We use your phone number to verify your identity at sign-up and sign-in via an SMS one-time passcode (OTP). Your phone number is stored with your account in normalized international format (E.164). It is never shown publicly on your profile or in search results.
• Username, display name, bio. These are public. Anyone who can find your profile can see them.
• Profile photo (avatar). Optional. If you upload one, it is stored on our servers and may be visible to other users of the Service.
• Privacy preference. Whether your account is public or private.
• Email address. Optional. If you choose to attach an email to your account in the future, we will use it only for account-related communication.

2.2 Content you create on the Service

• Dish posts. Photos, dish names, notes, and the date the dish was made.
• Rankings. The order in which you've placed your own dishes.
• Tags. When you tag another user as having cooked with you or for whom you cooked, we associate that user's account with your post. The tagged user is notified and can remove the tag at any time.
• Comments and reactions. Text comments and likes you leave on dish posts.
• Saved dishes. A private list of dishes you've saved. Only you can see this list.
• Photo metadata. When you post a photo from your library, we read the photo's creation date so the dish can be archived on the correct day (this is the EXIF DateTimeOriginal field). Photos you upload may retain other metadata embedded by your camera. We do not display this metadata, but we recommend disabling location data in your phone's camera settings if you do not want any location information embedded in photos you post.

2.3 Social graph data

• Who you follow and who follows you, including follow requests that are pending or accepted.
• Users you have blocked.
• In-app notifications generated by other users' actions toward you.

2.4 Device and technical data

• Device identifiers and push tokens. If you enable push notifications, we store a device token so we can deliver them. You can disable notifications at any time in your operating system settings.
• Camera and photo library access. Used only when you choose to post a dish or set a profile photo. We do not access your camera or photo library in the background.
• Log data. Our servers automatically receive standard log information when the app contacts them — including IP address, approximate region inferred from IP, request timestamps, app version, and device operating system. We use this to keep the Service running and to investigate abuse or errors.
• Crash and diagnostic data. The app stores and ships only the information needed to diagnose crashes and bugs.

2.5 Information we do not collect

• We do not collect precise GPS location.
• We do not use third-party advertising or tracking SDKs.
• We do not buy data about you from data brokers.
• We do not access your contacts unless you explicitly share an individual contact with us.

3. How we use your information

We use your information to:

• Create and operate your account, including verifying your phone number with an SMS code.
• Show you a chronological feed of dishes from people you follow, plus your own profile, rankings, and saves.
• Deliver notifications you have asked for (in-app and, if enabled, push).
• Apply the account-level privacy settings and per-post visibility rules you've chosen.
• Enforce our Terms of Use, including detecting and preventing abuse, spam, harassment, and fraud.
• Diagnose problems, secure the Service, and improve the app.
• Comply with legal obligations and respond to lawful requests.

4. How we share your information

4.1 With other users of the Service

Hotpot Club is a social product, so some information is visible to other users by design:

• Your username, display name, bio, profile photo, and follower / following / dish counts are visible to anyone who can find your profile (this includes non-followers when your account is public, and even when it is private the basic header is visible so people can request to follow you).
• Your dish posts are visible according to each post's visibility setting (public, followers, or private) and your account-level privacy setting. Private accounts make dish content visible only to accepted followers, regardless of per-post visibility.
• When you tag another user, your post can appear in their followers' feeds (subject to the tag and follow rules described in the app). Tagged users can remove the tag at any time.
• Comments, reactions, and remakes you make on someone else's dish are visible to anyone who can see that dish.

4.2 With service providers (sub-processors)

We use a small number of independent companies that process data on our behalf, only to run the Service:

• Supabase, Inc. — our database, authentication, and file storage provider. Your account record, posts, photos, and social graph are stored on infrastructure operated by Supabase, which in turn runs on Amazon Web Services.
• Twilio Inc. — sends the SMS verification code to your phone when you sign in. Twilio receives your phone number and message content for this purpose.
• Expo (650 Industries, Inc.) — delivers push notifications. If you enable push, your device token is sent to Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) via Expo's push relay.
• Resend, Inc. — sends transactional and community email from this website. Resend processes your email address when you contact us or join our mailing list.
• Cloudflare, Inc. (Turnstile) — provides bot protection on our website's forms. Cloudflare receives a short-lived verification token and your IP address.
• Vercel Inc. — hosts this website. Vercel receives standard request logs.
• Apple App Store and Google Play. When you install or update the app, these stores collect installation and crash data subject to their own privacy policies.
• hCaptcha (Intuition Machines, Inc.) — when enabled, helps us prevent automated abuse of phone-OTP sign-up.

We require each of these providers to use your information only to perform the service we have contracted them for, and to protect it appropriately. We do not sell your personal information to anyone, and we do not share it with advertisers.

4.3 For legal and safety reasons

We may disclose information when we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to a valid government request, enforce our Terms of Use, protect the rights, property, or safety of Hotpot Club, our users, or the public, or detect, prevent, or address fraud, security, or technical issues. Where permitted, we will attempt to notify the user whose information is requested.

4.4 In a business transfer

If Hotpot Club is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will give notice through the Service before your information becomes subject to a different privacy policy.

5. How long we keep your information

We keep your account information and content for as long as your account is active. When you delete your account, we delete your account record and the content associated with it as described in Section 7. We may retain a minimal amount of information for longer where we are required to by law, to resolve disputes, to enforce our agreements, or in backups that are deleted on a rolling schedule.

6. Your choices and controls

• Account privacy. Toggle a public or private account from the Profile tab.
• Per-post visibility. Set each dish post to public, followers, or private.
• Tag removal. If someone tags you in a dish, you can remove the tag from your notification or the dish itself.
• Blocking. You can block any user from the kebab menu on their profile.
• Push notifications. Manage in your phone's system settings.
• Camera and photo library access. Manage in your phone's system settings.
• Community email unsubscribe. Every Hotpot Club community email contains a one-click unsubscribe link. We honor it immediately.

7. Deleting your account

You can permanently delete your Hotpot Club account at any time from inside the app: go to Profile → Settings → Delete Account. When you delete your account, we delete your account record and the personal information attached to it, including your dish posts, comments, reactions, saves, follows, blocks, and uploaded photos. Content you posted that is co-owned by another user (for example, a comment on someone else's dish) may be retained in anonymized form so the other user's view of their own content is not disrupted. Server backups containing your information are deleted on a rolling schedule, typically within 30 days. After deletion is complete the action cannot be reversed.

If you cannot reach the in-app delete option for any reason, email privacy@joinhotpot.com from the phone number or email associated with your account and we will process the deletion within 30 days.

8. Your rights

8.1 If you are in the European Economic Area, United Kingdom, or Switzerland

You have the right under applicable data-protection law (including the GDPR and the UK GDPR) to: access the personal information we hold about you; correct it if it is inaccurate; have it deleted; restrict or object to certain processing; receive a copy of it in a portable format; and withdraw consent where processing is based on consent. The lawful bases on which we process your information are the performance of our contract with you (operating your account and the Service), our legitimate interests (running the Service securely, preventing abuse, improving the product), your consent where required (for example, push notifications), and compliance with legal obligations. You also have the right to lodge a complaint with your local supervisory authority.

8.2 If you are a California resident

Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to know what personal information we collect, to access and receive a copy of it, to request deletion, and to correct inaccurate information. You also have the right to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information in the sense those terms are defined in the CCPA, and we do not knowingly process the personal information of minors under 16 for sale or sharing.

8.3 Exercising your rights

The fastest way to exercise most rights is from inside the app: view your profile to access your information, edit your profile to correct it, and use Delete Account to delete it. To make any other request, email privacy@joinhotpot.com from the phone number or email tied to your account so we can verify your identity. We will respond within the period required by applicable law (typically 30 days). You may also authorize an agent to make a request on your behalf. We will not discriminate against you for exercising any of these rights.

9. International transfers

Hotpot Club operates in the United States. The infrastructure we use to provide the Service (notably Supabase on AWS) is also located in the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States and possibly other countries whose data-protection laws may differ from those in your jurisdiction. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

10. Children

Hotpot Club is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you live in the European Economic Area or the United Kingdom, you must be at least 16 (or the age of digital consent in your country) to use the Service. If we learn that we have collected information from a child under the applicable minimum age, we will delete it. If you believe a child has provided us information, please contact privacy@joinhotpot.com.

11. Security

We use reasonable technical and organizational measures designed to protect your information — including encryption in transit, encrypted storage at rest, scoped access controls inside our database, and access logging. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. If we ever become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law.

12. Third-party links

The Service may include links to third-party websites or content (for example, when a user sets a dish's source to an external recipe URL). We are not responsible for the privacy practices of those third parties; their policies govern their handling of your information.

13. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you in the app or by other reasonable means before the changes take effect, and we will update the “Last updated” date at the top of this page. Your continued use of the Service after a change indicates that you accept the updated policy.

14. Contact us

For privacy questions, requests, or complaints, write to privacy@joinhotpot.com. We read every message and respond promptly. If you prefer postal mail, contact us by email first to request a mailing address.