Privacy Policy
Preamble
This privacy policy is intended to inform you about the types of your personal data (hereinafter also referred to briefly as "data") we process, for what purposes, and to what extent. The privacy policy applies to all data processing activities we carry out, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terms used are not gender-specific.
As of: January 28, 2024
Table of Contents
- Preamble
- Data Controller
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- RevenueCat and In-App Purchases
- OpenAI
- Data Deletion
- Rights of Data Subjects
- Provision of Online Offering and Web Hosting
- Contact and Inquiry Management
- Push Notifications
- Change and Update of Privacy Policy
- Definitions
Data Controller
Florian Zandberg
Am Bahnhof 8A
21739 Dollern
https://foodlog.life/imprint.html
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of Data Processed
- Contact details.
- Content data.
- Usage data.
- Meta, communication, and process data.
Categories of Data Subjects
- Communication partners.
- Users.
Purposes of Processing
- Contact requests and communication.
- Security measures.
- Management and response to inquiries.
- Feedback.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Relevant Legal Bases
Relevant legal bases under the GDPR: Below, we provide you with an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our home country or in the country where we are based.
- Consent (Art. 6 (1) (a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR): Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation (Art. 6 (1) (c) GDPR): Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Protection of vital interests (Art. 6 (1) (d) GDPR): Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Performance of a task carried out in the public interest or in the exercise of official authority (Art. 6 (1) (e) GDPR): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Legitimate interests pursued by the data controller or a third party (Art. 6 (1) (f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, processing for scientific or historical research purposes or for statistical purposes, and the duties of the data protection officer. Furthermore, it regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, implementation, or termination of employment relationships as well as consent (Section 26 (2) BDSG) in connection with the provision of health services (Section 22 BDSG), with regard to social services (Section 67 BDSG), and in other areas.
Security Measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as the access, input, disclosure, availability, and separation of data. We have also set up procedures to ensure the exercise of data subjects' rights, the deletion of data, and the response to data breaches. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software, and processes, in accordance with the principle of data protection by design and by default.
Transfer of Personal Data
In the context of our processing of personal data, it may be necessary to transfer data to other places, companies, or persons, including to recipients located in countries outside the European Union (EU) or the European Economic Area (EEA) (hereinafter referred to as "third countries").
The transfer of data to third countries is carried out either when it is required by law, when it is necessary for the fulfillment of a contract, or when we have obtained consent from the data subjects.
Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g., for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
International Data Transfers
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this will only take place if it occurs for the fulfillment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests.
Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g., for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
For residents of Canada: The personal information you provide to us may be transferred to and stored on servers in the United States and may be accessible to U.S. law enforcement and authorities in accordance with applicable U.S. laws.
For residents outside the United States: Please note that the personal information you submit to us may be transferred to and stored on servers located outside your home country, and you consent to the transfer, storage, and processing of such information outside of your home country.
If data is transferred to third countries, this is done on the basis of Art. 44 et seq. GDPR, in particular on the basis of contractual arrangements such as the standard contractual clauses. Information on this can be provided on request.
Any data subject affected by the transfer of data to third countries has the right to obtain information about the appropriate guarantees in connection with the transfer.
RevenueCat and In-App Purchases
We use RevenueCat, a third-party service, to manage in-app purchases and subscriptions. RevenueCat is operated by RevenueCat, Inc., 548 Market St PMB 91152, San Francisco, California 94104-5401, USA.
When purchasing a digital product or subscription through our app, RevenueCat processes the following data:
- Purchase and subscription data (e.g., product ID, price, renewals, cancellations)
- Pseudonymous customer ID for managing purchases
- Device and app data (e.g., operating system, app version)
- IP address
Processing this data is necessary to confirm purchases, manage subscriptions, and prevent fraud. Data processing is carried out based on Article 6(1)(b) of the GDPR (contract performance) and Article 6(1)(f) of the GDPR (legitimate interest, particularly fraud prevention and purchase validation).
Data Transfer to the USA
Since RevenueCat is a US-based company, the data mentioned above is transferred to the USA. To ensure an adequate level of data protection, RevenueCat uses Standard Contractual Clauses (SCCs) in accordance with Article 46 of the GDPR. However, we would like to point out that the USA does not provide a level of data protection equivalent to the EU, and US authorities may have access to the transmitted data.
Data Deletion and Management
RevenueCat retains purchase and subscription data as long as necessary to manage transactions. If you wish to have your pseudonymous customer ID deleted, you can contact us, and we will initiate the removal from RevenueCat.
For more information on how RevenueCat processes data, please refer to their privacy policy: https://www.revenuecat.com/privacy
OpenAI and Journal Analysis
We use the API access of the US-based company OpenAI in our app to provide you with an enhanced and interactive user experience – particularly through the function of analyzing your journal entries. This function is only activated if you explicitly consent to the transmission of the following data:
- Date and time of the respective journal entries
- Additional content of your entries (depending on usage)
- Your IP address
The data is transmitted exclusively for the purpose of analysis. Before each transmission, you will be explicitly informed, and no data will be transmitted without your consent. The transmission is encrypted (e.g., via TLS/SSL).
Responsible Entities for Data Processing through OpenAI:
- For users in the European Economic Area and Switzerland: OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
- For users in the United Kingdom: OpenAI OpCo, LLC, 1960 Bryant Street, San Francisco, California 94110, USA
- For users in the USA: OpenAI, L.L.C., 3180 18th Street, San Francisco, California 94110, USA
The processing of the above-mentioned data is based on your consent according to Article 6(1)(a) of the GDPR and our legitimate interest (Article 6(1)(f) of the GDPR) in optimizing our service. You may withdraw your consent at any time, preventing future data transmissions.
For more information on how OpenAI processes data, please refer to OpenAI’s privacy policy: https://openai.com/policies/privacy-policy
Processed Data
The data stored depends on your inputs. All inputs made in the selected period in the diary are processed when you start an analysis. We explicitly notify you before any transmission to OpenAI. No data is transferred without your consent. In general, OpenAI processes natural language, images, and other data formats that can be used to create machine learning models. This data is used to improve or train the capabilities of the respective tool. When you use OpenAI products, your IP address is processed. However, in general, if you do not enter personal data, they will not be processed or stored (except for the IP address). All input data is anonymized and encrypted for maximum privacy protection. The tool also does not use cookies to store and process data without your consent. The input data is used exclusively to improve the quality of the AI results.
Here is an overview of the most common data collected by OpenAI products:
- Information about the content of chat conversations
- Information about the type of questions asked
- Information about device type, browser, and operating system
- Information about the user's IP address
- Audio recordings
- Image inputs
Duration of Data Storage
Generally, the input data remains stored at OpenAI because the tools use the corresponding data to train themselves. However, there is also a function with which we can deactivate the transmitted data so that the data cannot be used for training purposes. We have activated this function so that ChatGPT or OpenAI only stores your data for 30 days after collection or input by you.
Data Deletion or Prevention of Data Storage
Under the data protection law of the European Union, you have the right to access, update, delete, or restrict your data. However, you can only prevent complete data processing by not using OpenAI products.
Legal Basis for Processing Personal Data
If personal data is collected, the use of OpenAI products requires consent. According to Art. 6 para. 1 lit. a GDPR (consent), this consent is the legal basis for the processing of personal data by OpenAI products.
In addition to consent, we have a legitimate interest in optimizing our service and thus improving our offering technically and economically. With the help of OpenAI products, we improve your user experience in our app. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests).
OpenAI processes your data, among other places, in the USA. We would like to point out that, according to the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This can be associated with various risks for the legality and security of data processing.
As the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the USA) or for data transfers to them, OpenAI uses so-called standard contractual clauses (Art. 46 (2) and (3) GDPR). Standard contractual clauses (SCCs) are model templates provided by the EU Commission and are intended to ensure that your data is processed in accordance with European data protection standards even when transferred and stored in third countries (such as the USA). Through these clauses, OpenAI undertakes to comply with European data protection standards when processing your personal data, even if the data is stored, managed, or otherwise processed in the USA. These clauses are based on an implementing decision of the EU Commission (Implementing Decision (EU) 2021/914 of the Commission of 4 June 2021). You can find the decision and the corresponding standard contractual clauses, among other places, here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
We hope we have provided you with the most important information about the data processing by OpenAI. You can learn more about data processing by OpenAI in the privacy policy here:
https://openai.com/policies/privacy-policy
Data Deletion
The data processed by us will be deleted in accordance with legal requirements as soon as the consents allowing processing are revoked or other permissions are no longer valid (e.g., if the purpose of processing this data has ceased to exist or they are no longer required for the purpose). If the data is not deleted because it is necessary for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. Our privacy policy may also contain further information on the storage and deletion of data that primarily apply to the respective processing.
Rights of Data Subjects
Rights of data subjects under the GDPR: As data subjects, you have various rights under the GDPR, in particular, arising from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw your consent at any time.
- Right to Information: You have the right to request confirmation as to whether data concerning you is being processed, and on request, access to this data and further information, according to legal requirements.
- Right to Rectification: You have the right, in accordance with legal requirements, to demand the completion of data concerning you or the rectification of inaccurate data concerning you.
- Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to demand that data concerning you be deleted without delay, or alternatively, to demand a restriction of the processing of the data.
- Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in accordance with legal requirements, in a structured, commonly used, and machine-readable format or to request their transmission to another controller.
- Complaint to a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.
Provision of the Online Offering and Web Hosting
We process the data of users to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the contents and functions of our online services to the user's browser or device.
- Processed Data Types: Usage Data (e.g., websites visited, interest in content, access times); Meta, Communication, and Process Data (e.g., IP addresses, times, identification numbers, consent status); Content Data (e.g., entries in online forms).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures.
- Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR).
Further Information on Processing Operations, Procedures, and Services:
- Provision of Online Offering on Rented Storage Space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from an appropriate server provider (also known as a "web hoster"); Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed websites and files, date and time of access, data volumes transmitted, message about successful access, browser type and version, user's operating system, referrer URL (previously visited page), and, in general, IP addresses and the requesting provider. Server log files can be used, on the one hand, for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure the load and stability of the servers; Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR). Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the final clarification of the respective incident.
- Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients and senders, as well as other information regarding email transmission (e.g., the involved providers) and the contents of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not encrypted when sent over the Internet. In general, emails are encrypted in transit, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the transmission of emails between the sender and the receipt on our server; Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR).
- WebGo: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service Provider: webgo GmbH, Heidenkampsweg 81, 20097 Hamburg, Germany; Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR); Website: https://www.webgo.de; Data Protection Policy: https://www.webgo.de/datenschutz/. Data Processing Agreement: Provided by the service provider.
Firestore
We use Firestore to securely store the data generated when using our apps. Without data storage, all user and profile data would be lost. Data storage is therefore necessary for the functionality of our apps. Furthermore, the storage of user data serves to prevent fraud and manipulation attempts by third parties. The functionality of the service, its further development, and ensuring the integrity and security of our information technology systems are legitimate interests within the meaning of Art. 6(1)(f) GDPR. Therefore, the processing in the form of storage is carried out with a legal basis.
The privacy policy of Google can be found by users at https://www.google.com/policies/privacy/
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) as well as in the context of existing user and business relationships, the information of the inquiring individuals is processed as far as necessary to answer the contact inquiries and any requested measures.
- Processed Data Types: Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Concerned Parties: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form). Providing our online offering and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1) lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6(1) lit. b) GDPR).
Further information on processing operations, procedures, and services:
- Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data communicated to us in this context for the purpose of processing the reported issue; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1) lit. b) GDPR), Legitimate interests (Art. 6(1) lit. f) GDPR).
Push Notifications
With the consent of users, we can send users so-called "push notifications." These are messages that are displayed on the screens, devices, or browsers of users, even when our online service is not actively being used.
To sign up for push notifications, users must confirm the request of their browser or device to receive push notifications. This consent process is documented and stored. Storage is necessary to determine whether users have consented to receive push notifications and to be able to prove the consent. For these purposes, a pseudonymous identifier of the browser (so-called "push token") or the device ID of an end device is stored.
Contents: "Reminder of a set medication"
Our settings and unsubscribe options: "You can adjust or unsubscribe from our push notifications in the "Settings" section of your mobile phone."
- Processed Data Types: Usage data (e.g., visited websites, interest in content, etc.) and Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, etc.).
- Concerned Parties: Communication partners.
- Purposes of Processing: Providing our online offering and user-friendliness.
- Legal Bases: Consent (Art. 6(1) lit. a) GDPR). Contract performance and pre-contractual inquiries (Art. 6(1) lit. b) GDPR).
Change and Update of the Privacy Policy
We kindly ask you to regularly inform yourself about the content of our privacy policy. We adjust the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or any other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, and we ask you to check the information before contacting them.
Term Definitions
In this section, you will find an overview of the terminology used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are primarily intended for understanding.
- Personal Data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Controller: The term "Controller" refers to the natural or legal person, authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" encompasses any operation or set of operations performed upon personal data, whether or not by automated means. The term is broad and includes virtually any handling of data, including collection, evaluation, storage, transmission, or deletion.