KitchenPilot

Privacy Policy

As of: June 2026

1. Data Controller

Fabian Will / Will Software Solutions
Aubachstraße 11
56410 Montabaur
Germany

Email:

2. Scope

This privacy policy applies to this website (kitchenpilot.net) and the KitchenPilot app. Part A describes data processing on this website, Part B describes data processing in the app.

Part A – This Website

A1. Hosting

When you visit this website, the hosting provider automatically collects technical data such as IP address, browser type, operating system, and pages accessed in server log files. This is based on our legitimate interest in the secure operation of the website (Art. 6(1)(f) GDPR). The data is not merged with other sources.

A2. Cookies

This website uses cookies. On your first visit, you will be asked for consent via a cookie banner.

  • Necessary Cookies – required for the website to function (e.g. storing your cookie preferences). Legal basis: Art. 6(1)(f) GDPR.
  • Analytics Cookies – only set with your consent (see Google Analytics). Legal basis: Art. 6(1)(a) GDPR. You can revoke your consent at any time via the cookie settings.

A3. Google Analytics

This website uses Google Analytics 4 (Google Ireland Limited). Google Analytics is only activated if you give consent via the cookie banner. Data collected includes pages visited, time on site, browser, and approximate geographic origin. IP addresses are anonymized. If you revoke consent, analytics cookies are automatically deleted.

More information: policies.google.com/privacy

A4. Fonts (Self-Hosted)

This website uses the fonts "DM Sans" and "Fraunces". All fonts are self-hosted on our own server. No connection to external servers (e.g. Google) is made, so no personal data is transmitted to third parties.

Part B – KitchenPilot App

B1. What Data We Collect

  • Account Data – Email address and password (stored encrypted) upon registration. Optional: name, profile picture, language preference.
  • Usage Data – Content you create in the app: kitchens, pantry items, recipes, shopping lists.
  • AI Data – When you use AI features (recipe generation, image recognition), your prompts and AI responses are stored.
  • Billing Data – For in-app purchases: transaction IDs, amounts, and timestamps for subscription management and statutory retention obligations.
  • Push Notification Data – Pseudonymous user identifier and notification content, if you have allowed push notifications in your device settings.
  • Server Log Data – IP address and technical connection data for security purposes (max. 14 days).

B2. Legal Basis

  • Contract performance (Art. 6(1)(b) GDPR) – Registration, login, app features, AI-based recipe generation and image recognition as core features, subscription management, sending transactional emails, delivery of functional push notifications (e.g. reminders for expiring pantry items)
  • Consent (Art. 6(1)(a) GDPR) – Optional profile information (name, profile picture). System-level push notifications are additionally only displayed if you allow them in your device settings.
  • Legal obligation (Art. 6(1)(c) GDPR) – Retention of billing data (§ 147 German Fiscal Code)
  • Legitimate interest (Art. 6(1)(f) GDPR) – Platform security, automated content moderation, abuse prevention, short-term server log retention

B3. Third Parties

We use the following data processors. Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.

  • Hetzner Online GmbH – Hosting of the backend infrastructure (Germany)
  • OpenAI, L.L.C. / OpenRouter, Inc. – AI features and content moderation (USA)
  • RevenueCat, Inc. – Subscription management (USA)
  • OneSignal, Inc. – Push notification delivery (USA)
  • Amazon Web Services EMEA SARL (Amazon SES) – Transactional email delivery; processed in the Frankfurt am Main region (Germany, EU). The provider belongs to the US-based Amazon group.
  • Apple Inc. / Google LLC – Social login and in-app purchase processing (USA)
  • Open Food Facts – Product data lookup via barcodes (no personal data, France)

Data transfers to the USA are based on the EU-US Data Privacy Framework (EU Commission adequacy decision of 10 July 2023) and/or Standard Contractual Clauses pursuant to Art. 46 GDPR. Transactional emails are sent via Amazon Web Services within the EU (Frankfurt am Main); insofar as access from the USA cannot be excluded due to its affiliation with a US group, the same safeguards apply.

B4. Use of AI

The app uses AI for recipe generation, image recognition and automated content moderation. Only the data required for the respective function (e.g. pantry items, uploaded images, submitted text) is transmitted to the AI provider. Processing at the provider is governed by its privacy policy; images are not permanently stored there and are not used for AI model training. There is no automated individual decision-making, including profiling, within the meaning of Art. 22 GDPR.

B5. Data Retention and Deletion

  • Account, usage, and AI data: until account deletion
  • Pantry items marked as "consumed": automatic deletion after 14, 30, 60, or 90 days (based on your in-app setting, default: 30 days)
  • Server log data (incl. IP address): max. 14 days for security purposes
  • Billing data: 10 years (statutory retention requirement under § 147 German Fiscal Code)

You can delete your account at any time in the app. After a 30-day grace period, all your data is permanently deleted. Before the grace period ends, you will receive a reminder email allowing you to cancel the deletion. Billing data is retained for the legally required period.

B6. Social Login

You can sign in via Apple or Google. Only the data you authorize with the respective provider is shared.

B7. Email Communication

We send emails only for email verification, password resets, confirmation of an account deletion, and a reminder 7 days before final deletion. No marketing emails are sent. Legal basis: Art. 6(1)(b) GDPR.

B8. Push Notifications

You can disable push notifications at any time in your device settings. The delivery provider is OneSignal, Inc. (USA), see B3.

3. Your Rights

Under the GDPR, you have the right to:

  • Access (Art. 15) – about your stored data
  • Rectification (Art. 16) – of inaccurate data
  • Erasure (Art. 17) – of your data
  • Restriction (Art. 18) – of processing
  • Data portability (Art. 20)
  • Objection (Art. 21) – to processing based on legitimate interests
  • Withdrawal of consent (Art. 7) – at any time

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

4. Data Security

We employ appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your data, in particular:

  • Transport encryption (TLS/HTTPS), hashed passwords, encrypted backups
  • Per-user access restriction and session-based authentication
  • Automated content moderation and regular security updates

5. Changes

We reserve the right to amend this privacy policy. The current version applies. Material changes will be communicated in an appropriate manner.

6. Contact

For data protection inquiries:

This privacy policy was last updated in June 2026.