
Privacy Policy

Last updated: May 2026

This privacy policy explains how Smakwise ("we", "us", "our") collects, uses, and protects your personal data when you use the Smakwise app (iOS and Android) and the website smakwise.app. The German version of this privacy policy is legally binding.

1. Controller & Contact (Art. 13(1)(a) GDPR)

The controller responsible for data processing is:

Ole ter Haseborg
c/o Postflex #9365
Emsdettener Str. 10
48268 Greven
Germany

Email for privacy inquiries: legal@smakwise.app

A Data Protection Officer is not required as fewer than 20 persons are regularly involved in automated processing of personal data (Section 38 BDSG).

2. Overview of Processed Data (Art. 13(1) GDPR)

2.1 Data Categories and Legal Bases

| Data Category | Specific Data | Legal Basis | Purpose |
| Registration data | Email, password (hashed) | Art. 6(1)(b) GDPR (contract) | Account management, authentication |
| Food Profile | Diet type (vegan, vegetarian, etc.), intolerances, nutrition goals, cooking skill | Art. 6(1)(b) GDPR (contract performance) | Personalized recipe recommendations |
| Usage data | Generated recipes, favorites, shopping lists, cooking mode usage | Art. 6(1)(b) GDPR (contract) | Core app functionality |
| Gamification data | XP points, level, streaks, milestones | Art. 6(1)(b) GDPR (contract) | Gamification system |
| Subscription data | Tier (Free/Premium/Ultra), duration, trial status | Art. 6(1)(b) GDPR (contract) | Subscription management |
| AI interaction data | Free-text inputs (NLP), ingredient selections, recipe requests | Art. 6(1)(b) GDPR (contract) | AI recipe generation |
| Camera/photo data | Photos of food items (processed transiently, not stored) | Art. 6(1)(b) GDPR (contract) | AI-powered ingredient recognition |
| Pseudonymous analytics | Supabase UUID, app events, device type (no PII) | Art. 6(1)(f) GDPR (legitimate interest) | Product improvement, bug fixing |
| Error/crash data | Stack traces, error context, breadcrumbs, technical AI validation details | Art. 6(1)(f) GDPR (legitimate interest) | Bug fixing, app stability |
| Payment data | Purchase confirmations via App Store / Play Store | Art. 6(1)(b) GDPR (contract) | Subscription processing |

2.2 Dietary Preferences - Framing Under GDPR

Your Food Profile describes dietary preferences (e.g., vegan or vegetarian lifestyle), food intolerances, and nutrition goals. Smakwise treats this information as contract-performance data under Art. 6(1)(b) GDPR, because the entire purpose of the app is to generate recipes that match what you want to eat and avoid. Without this information, the core service cannot be delivered.

We intentionally collect the minimum necessary: you choose a diet type, optional intolerances, and goal tags. We do not ask about medical diagnoses, medication, or clinical conditions. If you provide intolerance information, it is used only to filter recipe suggestions - it is not interpreted as a medical record and is not shared with any processor outside the recipe-generation flow described in Section 4.

You can change or clear your Food Profile at any time from within the app. Deleting your account removes the Food Profile along with all other personal data (see Section 7.1).

3. Data Processors & Third Parties (Art. 13(1)(e)/(f) GDPR)

3.1 Data Processor Overview

| Service Provider | Purpose | Data Processed | Location | Transfer Mechanism |
| Supabase Inc. | Authentication, database, storage, Edge Functions | All user data (auth, profile, recipes, usage) | EU (Frankfurt, AWS) | No third-country transfer |
| Cloudflare Inc. | AI backend (Worker), static hosting (Pages), rate limiting, DNS/CDN, Web Analytics | AI requests (ingredients, dietary profile, recipe data), temporary AI job state and progress events, IP address (transit), aggregate page performance data | Global Edge (incl. EU) | EU-US DPF + SCCs |
| Vercel Inc. (AI Gateway) | Routing AI requests to AI providers | Prompts with ingredients/dietary data, AI responses (transient) | USA (AWS) | EU-US DPF + SCCs |
| Anthropic PBC | AI model (Claude) for recipe generation | Prompts with ingredients, dietary profile data | USA | EU-US DPF + SCCs |
| OpenAI Inc. | AI models (GPT-4o-mini) for classification, suggestions | Prompts with ingredients, recipe data | USA | EU-US DPF + SCCs |
| Google LLC | AI model (Gemini) for recipe text, translation | Prompts with ingredients, dietary data, recipe content | USA | EU-US DPF + SCCs |
| fal.ai (fal Inc.) | AI image generation (FLUX Schnell) | Recipe descriptions, ingredient keywords (no PII) | USA | SCCs |
| PostHog Inc. | Pseudonymous product analytics | Pseudonymous events (UUID, no PII), app version, subscription tier | EU (Frankfurt) | No third-country transfer |
| Sentry (Functional Software Inc.) | Error tracking, crash reports | Stack traces, error context, breadcrumbs, device info, technical AI validation payloads | USA | EU-US DPF + SCCs |
| RevenueCat Inc. | Subscription management | Purchase events, subscription status, transaction IDs | USA | EU-US DPF + SCCs |
| Apple Inc. | App distribution (App Store), in-app purchases | Payment data (processed by Apple, not by Smakwise) | USA / Ireland | Independent controller |
| Google LLC (Play Store) | App distribution (Play Store), in-app purchases | Payment data (processed by Google, not by Smakwise) | USA / Ireland | Independent controller |

Data Processing Agreements (DPAs) are in place with all processors listed above. Apple and Google act as independent controllers for their respective app stores and payment processing.

4. AI Processing - Transparency (EU AI Act + GDPR)

Smakwise uses Artificial Intelligence (Large Language Models and image generation) to create personalized recipes.

4.1 Data Flow

When you generate a recipe, your data flows through the following chain:

  1. Smakwise App → sends your ingredient selection and dietary profile
  2. Cloudflare Worker (our server) → processes the request, manages temporary job state, and forwards it
  3. Vercel AI Gateway → routes the request to the appropriate AI provider
  4. AI Provider (Anthropic, OpenAI, or Google) → generates the recipe

4.2 What Data Is Sent to AI Providers

  • Ingredient selections and preparation preferences
  • Dietary profile (diet type, intolerances, goals)
  • Free-text inputs (NLP input)
  • Photos of food items (for ingredient recognition - see Section 4.6)
  • Language preference (EN/DE)

4.3 What Data Is NOT Sent to AI Providers

  • Email address
  • Password
  • Payment information
  • Device IDs or IP addresses

4.4 Data Retention and Training

  • Zero Data Retention: Prompts and responses are deleted after processing (Vercel AI Gateway ZDR)
  • Temporary backend job state: To support reconnects, retries, background completion, and cleanup, our Cloudflare-hosted backend may temporarily store the AI job input, progress events, and generated output during recipe generation or translation. This temporary state is deleted after completion confirmation, cancellation, or automatically after up to 1 hour.
  • No model training: Your data is not used to train AI models (API usage, not training data)
  • Vercel AI Gateway acts as a transient routing service and does not permanently store content

4.5 Image Generation (fal.ai)

Only recipe metadata (name, description, ingredient keywords) is used for image generation. No personal data is sent to fal.ai. Generated images are stored in Supabase Storage.

4.6 Photo Recognition (Ingredient Identification)

Smakwise offers an AI-powered photo recognition feature that identifies food ingredients from photos of your fridge, pantry, or kitchen counter.

  • Camera access: The App requests camera permission to capture photos. You can also select photos from your device's gallery (no additional permission required).
  • Transient processing: Photos are sent directly to an AI provider (Google Gemini) for ingredient identification. Photos are not stored on our servers - they are processed in real time and discarded immediately after analysis.
  • No model training: Your photos are not used to train AI models.
  • Data sent: The photo, your available ingredient list, and dietary profile are sent to the AI provider for accurate matching.
  • No facial recognition: The AI is instructed to identify food items only. No facial recognition, person identification, or biometric processing takes place.
  • On-device storage: The captured photo is held temporarily in app memory during the recognition session and is discarded when you leave the screen.

5. International Data Transfers (Art. 44–49 GDPR)

| Destination | Providers | Transfer Mechanism |
| USA | Cloudflare, Vercel, Anthropic, OpenAI, Google, fal.ai, Sentry, RevenueCat | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs) as backup |

The EU-US Data Privacy Framework is based on the adequacy decision of the European Commission of July 10, 2023 (C(2023) 4745). We additionally rely on Standard Contractual Clauses as a backup mechanism.

Despite the DPF, a residual risk remains with US data processing due to potential access by US authorities under FISA Section 702. You can verify DPF participation at dataprivacyframework.gov.

6. Analytics & Tracking

6.1 PostHog Analytics

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: product improvement)

  • Hosted in the EU (Frankfurt) - no third-country transfer
  • Pseudonymous user IDs (Supabase UUID, not linkable to PII)
  • Memory-only persistence (no cookies, no AsyncStorage, no LocalStorage)
  • No IP tracking, no geolocation
  • No session replay

You have the right to object to analytics processing under Art. 21 GDPR by contacting us at legal@smakwise.app.

6.2 Sentry Error Tracking

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: app stability)

  • Processes: stack traces, error context, breadcrumbs, device/app diagnostics, pseudonymous user IDs, subscription tier, route/action, and technical AI error context
  • AI validation errors may include generated AI response snippets or schema validation payloads when needed to debug recipe-generation failures
  • We do not intentionally send passwords, payment data, emails, names, raw photos, or IP/geolocation data to Sentry
  • PII scrubbing/filtering and IP/geolocation suppression are enabled

6.3 Cloudflare Web Analytics

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: website performance monitoring)

  • Cookieless - no cookies, no localStorage, no fingerprinting
  • Collects aggregate performance data (page load times, referrer, page path)
  • No individual visitor tracking or profiling
  • Data processed by Cloudflare Inc. (USA) under Cloudflare DPA with EU Standard Contractual Clauses

6.4 Cookies & Tracking Technologies

  • Smakwise App: No cookies, no tracking pixels, no fingerprinting
  • Smakwise Website (smakwise.app): No cookies are set. Cloudflare Web Analytics is fully cookieless. If technically necessary cookies are added in the future, a cookie consent banner will be provided.
  • No advertising: No ad tracking or third-party trackers are used

7. Your Rights (Art. 12–23 GDPR)

| Right | Article | How to Exercise |
| Access | Art. 15 | Email request → we provide a data export |
| Rectification | Art. 16 | Edit your profile in-app or email request |
| Erasure ("right to be forgotten") | Art. 17 | Delete your account in-app (Settings) or email request |
| Restriction of processing | Art. 18 | Email request |
| Data portability | Art. 20 | Data export in machine-readable format (JSON/CSV) |
| Objection | Art. 21 | Object to analytics: email request |
| Withdraw consent | Art. 7(3) | Applies to any optional feature that asks for explicit consent (email request) |
| Complaint to supervisory authority | Art. 77 | Contact your local data protection authority |

To exercise any of these rights, contact us at legal@smakwise.app. We will respond within 30 days.

7.1 Account Deletion

  • In-app: Delete your account directly in Settings (already available)
  • Timeframe: All personal data is fully deleted within 30 days
  • Scope: All personal data at Supabase (auth, database, storage) is deleted
  • Third parties: Anonymized/pseudonymous data at analytics providers may not be deletable

8. Data Security (Art. 32 GDPR)

We implement the following technical and organizational measures:

  • Encryption in transit: TLS/SSL for all connections (Supabase, Cloudflare, API calls)
  • Encryption at rest: Supabase (AWS encryption), Cloudflare (encrypted secrets)
  • Access control: JWT-based authentication, Row Level Security (RLS) in Supabase
  • Password security: Passwords are hashed (Supabase Auth, bcrypt)
  • API security: Rate limiting (Cloudflare + Supabase), server-side JWT validation
  • Secrets management: All API keys stored as secrets (not in code)
  • Data minimization: Only necessary data is sent to third-party providers

9. Data Retention (Art. 13(2)(a) GDPR)

| Data Category | Retention Period | Deletion |
| Account data | Until account deletion | With account deletion |
| Food Profile | Until account deletion or when you clear your profile | With account deletion or on request |
| Recipes & shopping lists | Until account deletion | With account deletion |
| Gamification data | Until account deletion | With account deletion |
| Subscription data | Until account deletion + statutory retention (6–10 years) | After retention period expires |
| Analytics data (PostHog) | Pseudonymized, max. 12 months | Automatic deletion/aggregation |
| Error logs (Sentry) | 90 days (Sentry default) | Automatic deletion |
| AI provider prompts | Not permanently stored by routing/model providers (transient) | After processing |
| Temporary AI job state | During generation/translation, up to 1 hour | After completion confirmation, cancellation, or automatic cleanup |

10. Minors (Art. 8 GDPR)

Smakwise is intended for users aged 16 and older. In Germany, individuals aged 16 and above can independently consent to data processing (Art. 8 GDPR).

If you are under 16, you may only use Smakwise with the consent of your parent or legal guardian.

Smakwise is not directed at children under 13 (in compliance with the US Children's Online Privacy Protection Act, COPPA).

11. In-App Purchases & Payments

All payments are processed exclusively through Apple App Store or Google Play Store. Smakwise does not receive or store your credit card data or payment details.

RevenueCat receives transaction IDs and subscription events from the app stores but has no access to your payment methods.

12. Changes to This Privacy Policy

We may update this privacy policy from time to time. For material changes, we will notify you via an in-app notification. The date of the last update is shown at the top of this page.

13. California Privacy Rights (CCPA)

If you are a California resident, you have the following additional rights:

  • Right to know: What personal information we collect, use, and disclose
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: Opt out of the sale or sharing of your personal information
  • Non-discrimination: You will not be treated differently for exercising your rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

To exercise your CCPA rights, contact us at legal@smakwise.app.

14. UK GDPR

If you are located in the United Kingdom, this privacy policy also applies under the UK GDPR. The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO).

Data transfers to the UK are covered by the UK adequacy decision and UK Standard Contractual Clauses.
