← Back to freshcook DE

Privacy Policy — App

As of: April 2026

This privacy policy applies to the mobile app freshcook (Android). It explains what personal data we process when you use the app, why we do so, and what rights you have. A separate privacy policy applies to the website.

1. Controller

Manuel Thalhofer — REBELUTIONS
Zur schwarzen Muttergottes 9
89335 Ichenhausen, Deutschland
Email: info@rebelutions.org

2. Overview: What Data Do We Process?

freshcook is a recipe app that uses artificial intelligence (AI) to recognize food items in photos and generate recipe suggestions from them. Below we explain for each data type what is collected, why, and for how long.

3. Local Data (Only on Your Device)

The following data is stored exclusively on your device and is not transmitted to us or any third parties:

• Inventory (recognized food items, manually added entries)
• Shopping list
• App settings (language, preferences)
• Saved recipes

Legal basis: This data does not leave your device. No processing of personal data within the meaning of the GDPR takes place in this regard.

4. Photos and Videos (Camera Scans)

What happens?

When you take a photo or video of your fridge, it is sent to our server. There it is forwarded to the Google Gemini API to recognize the food items shown.

What is stored?

The photo/video is not permanently stored — neither on our server nor at Google. It is held in memory only for the duration of processing (a few seconds). Only the recognized ingredients are returned as a text list.

Audio in video scans

During video scans, audio may optionally be recorded (narration). This audio is processed together with the video and is likewise not permanently stored.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — image recognition is a core function of the app).

5. Recipe Generation by Artificial Intelligence

What happens?

The recognized ingredients (as a text list, no photo) are sent to the Anthropic Claude API to generate personalized recipe suggestions.

What is sent?

• List of recognized ingredients
• Desired cooking time
• Language setting (German/English)

No personal data (name, email, location) is sent to the recipe AI.

Notice regarding AI-generated content

In accordance with Art. 50 of EU Regulation 2024/1689 (AI Act), we inform you that recipes generated by freshcook are AI-generated content. They are labeled as such within the app. AI-generated recipes are suggestions and not guaranteed results. Please check all ingredients yourself for compatibility and allergens.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

6. Device ID

When the app is first launched, a random identifier (UUID) is generated and stored on your device. This device ID is transmitted to our server to associate your credits with your device.

The device ID is a technical identifier with no connection to your name, email, or other personal data — unless you later link it to a Google account (see section 7).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — credit allocation is part of the service).

7. Google Account (Optional, Only for Purchases)

When you purchase credits for the first time, we offer you the option to sign in with your Google account. In doing so, we receive:

• Name
• Email address
• Google User ID

This data is used to associate your credits and purchases with your account across devices. Signing in is optional — you can use the app without a Google account.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

8. Purchases and Payments

Credit purchases are processed through Google Play Billing. We receive a purchase receipt (Purchase Token) from Google, which we validate and store on our server. We do not receive or store any payment data (credit card number, bank details, etc.) — this information remains with Google.

We store: package name, purchase timestamp, Purchase Token, credit amount. This data serves traceability and fraud prevention purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligation for tax record-keeping).

9. Data Processors

We use the following service providers who process personal data on our behalf:

Service Provider	Purpose	Location	Legal Basis for Transfer
Google LLC (Gemini API)	Image recognition (photo → ingredient list)	USA	EU-US Data Privacy Framework
Anthropic PBC (Claude API)	Recipe generation (ingredients → recipes)	USA	Standard Contractual Clauses (SCCs)
Hetzner Online GmbH	Server hosting (Supabase backend)	Germany	No third-country transfer
Google LLC (Play Billing)	Payment processing	USA	EU-US Data Privacy Framework

Data processing agreements (Art. 28 GDPR) or comparable contractual safeguards are in place with all data processors.

10. Data Transfers to Third Countries

Data is transferred to service providers in the USA (Google, Anthropic). These transfers are based on the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) or on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

11. Retention Period and Deletion

Data Type	Retention Period
Photos/Videos	A few seconds (only during processing, no permanent storage)
Device ID	Until account deletion or upon request
Google account data	Until account deletion or upon request
Purchase history	10 years (statutory retention obligation, HGB/AO)
Local data	Until you uninstall the app or manually delete the data

12. Your Rights

Under the GDPR, you have the following rights:

• Access (Art. 15 GDPR) — Information about what data we have stored about you
• Rectification (Art. 16 GDPR) — Correction of inaccurate data
• Erasure (Art. 17 GDPR) — Deletion of your data
• Restriction (Art. 18 GDPR) — Restriction of processing
• Data portability (Art. 20 GDPR) — Receive your data in a machine-readable format
• Objection (Art. 21 GDPR) — Object to the processing of your data
• Complaint — Lodge a complaint with a data protection supervisory authority

The supervisory authority responsible for us is the Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

13. Data Deletion

You can request the deletion of your data at any time:

• By email to info@rebelutions.org

We will then delete all data associated with your account or device ID on our server, provided no statutory retention obligations apply (e.g., purchase receipts: 10 years). You can delete local data on your device by uninstalling the app or through your device settings.

14. App Permissions

Permission	Purpose	Required?
Camera	Taking photos and videos for food recognition	Yes (core function)
Microphone	Audio recording during video scans (narration for improved recognition)	Only for video scan
Photo gallery	Import existing photos for food recognition	Optional
Internet	Communication with the server for image recognition and recipe generation	Yes (for AI features)

The app does not request permission for location, contacts, calendar, or other sensitive data.

15. No Automated Decision-Making

The app does not make automated decisions within the meaning of Art. 22 GDPR that produce legal effects concerning you or similarly significantly affect you. Recipe suggestions are non-binding suggestions that you are free to accept or decline.

16. No Processing of Special Categories of Data

freshcook does not collect or process special categories of personal data within the meaning of Art. 9 GDPR. In particular, no health data (e.g., allergies, intolerances, medical conditions) is collected or stored. freshcook is not an allergy management tool and does not offer allergen detection or filtering.

17. Children and Minors

freshcook is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete it without undue delay.

18. Changes

We reserve the right to update this privacy policy as needed, for example in the event of changes to the app or new legal requirements. The current version is always available at this URL.