Privacy Policy for the FooDB Mobile App

Last Updated: May 2026

1. Data Controller

The controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Viktoriia Hrodetska
Heidenheimer Strasse 24
85748 Garching bei Muenchen
Germany
Email: info.foodb@gmail.com

2. Overview of Data Processing

We process your personal data only to the extent absolutely necessary to provide the features and functionality of the FooDB mobile application. Depending on how you interact with the app, we may process:

  • Account and profile details (if you choose to register)
  • Logs of meals, food intake, and bodily symptoms
  • Health-related information (special category data)
  • Device diagnostics and crash logs
  • Identifiers required for push notifications

3. Processing of Health Data (Art. 9 GDPR)

A core feature of FooDB allows you to track personal health metrics, including physical symptoms, dietary intolerances, and bodily reactions to specific foods. Under the GDPR, this information is classified as highly sensitive "Special Category Data" (Art. 9).

  • Purpose: We process this data exclusively to provide you with the app's tracking, analysis, and logging functionalities.
  • Legal Basis: We only process this data based on your explicit, active consent (Art. 9(2)(a) GDPR in conjunction with Art. 6(1)(a) GDPR), which we request when you set up your profile or first use these features.
  • Data Control: You maintain full control over this data and can delete specific entries or your entire account at any time within the app.

4. Third-Party Services and Infrastructure

To operate the app securely and efficiently, we utilize the following third-party service providers.

4.1. Supabase (Backend and Database)

We use Supabase as our primary backend-as-a-service to host our database and securely store your app data.

  • Provider: Supabase, Inc., USA.
  • Data Processed: User profile information, encrypted account credentials, app usage data, and user-generated content (food/symptom logs).
  • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
  • Data Transfer: Data transferred to the USA is safeguarded by Standard Contractual Clauses (SCCs).

4.2. Apple In-App Purchases (Payments and Subscriptions)

We do not process payments directly. All subscriptions and payments, including the 3-day free trial, are handled securely through Apple's App Store via your Apple ID.

  • Provider: Apple Distribution International Ltd., Ireland.
  • Data Processed: We do not receive or store your credit card or billing details. Apple provides us only with an anonymous receipt validation token to confirm whether you have an active subscription or are currently on a free trial, allowing us to unlock the app's features for you.
  • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR) and legal accounting obligations (Art. 6(1)(c) GDPR).

4.3. RevenueCat (Subscription Management and Receipt Validation)

We use RevenueCat to manage subscriptions, validate App Store purchase receipts, restore purchases, and determine whether you have an active subscription or free trial.

  • Provider: RevenueCat, Inc., USA.
  • Data Processed: App Store transaction information, purchase receipts, product identifiers, subscription status, entitlement information, and a pseudonymous user identifier used to associate subscriptions with your account.
  • Purpose: Subscription management, entitlement verification, receipt validation, purchase restoration, and fraud prevention.
  • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
  • International Transfers: RevenueCat may process data in the United States. Such transfers are protected through appropriate safeguards, including Standard Contractual Clauses (SCCs), where required.

4.4. Google Generative AI (Image Analysis and Health Insights)

Our app utilizes Google's Generative AI API (Gemini) to provide you with intelligent insights. The AI analyzes your uploaded meal images to identify ingredients and evaluates your personal correlation database (connecting specific foods to your recorded physical symptoms).

  • Provider: Google Ireland Limited, Ireland (via Google Cloud).
  • Data Processed: Meal images you upload, identified ingredients, and your logged bodily symptoms and reactions (Health Data).
  • Data Minimization (No Direct Identifiers): We strictly separate your identity from your health data. No direct personal identifiers—such as your name or email address—are ever transmitted to Google. The AI processes the health and image data in a pseudonymized format.
  • Legal Basis: Your explicit consent (Art. 9(2)(a) GDPR in conjunction with Art. 6(1)(a) GDPR), which you grant when enabling the AI insight features.
  • Data Security & Privacy: This data is transmitted via secure API endpoints exclusively to generate your personal insights. Google processes this data strictly as our processor; your pseudonymized images and health logs are not used by Google to train their public AI models.

4.5. Google Sign-In & Apple Sign-In (Authentication)

We offer third-party Single Sign-On (SSO) options to simplify your registration.

  • Providers: Google Ireland Limited (Ireland) and Apple Distribution International Ltd. (Ireland).
  • Data Processed: Depending on the provider, we receive your email address, name, and a unique user ID. If using Apple, you may utilize the "Hide My Email" feature for enhanced privacy.
  • Legal Basis: Your consent (Art. 6(1)(a) GDPR) and performance of a contract (Art. 6(1)(b) GDPR).

4.6. Push Notifications (Expo, APNs, FCM)

To deliver updates and reminders, we utilize push notifications managed through Expo, which routes through native device services.

  • Providers: Expo (USA), Apple Push Notification service (APNs), and Firebase Cloud Messaging (Google LLC, USA).
  • Data Processed: Anonymous, device-specific push tokens.
  • Legal Basis: Your explicit consent (Art. 6(1)(a) GDPR) granted via your device's operating system. You can revoke this at any time in your device settings.

5. Data Retention

Your personal data is stored only for as long as you maintain an active account with FooDB. If you choose to delete your account, your personal data and health logs will be permanently erased from our active databases, subject only to technical delays in backup deletion or mandatory legal retention periods (e.g., commercial or tax laws regarding payment records).

6. International Data Transfers

Because some of our essential service providers (e.g., Supabase, Stripe, Google) are headquartered in the United States, your data may be processed outside the European Economic Area (EEA). We ensure that all such transfers comply with the GDPR by relying on the EU-US Data Privacy Framework (DPF) for certified companies, or by executing Standard Contractual Clauses (SCCs) and ensuring appropriate Technical and Organizational Measures are in place.

7. Your Rights as a User

Under the GDPR, you have comprehensive rights regarding your personal data:

  • Right of Access (Art. 15): Request details about the data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request the deletion of your data.
  • Right to Restriction (Art. 18): Limit how your data is processed.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.

To exercise any of these rights, or to withdraw previously granted consent, please email us at: info.foodb@gmail.com.

8. Data Security

We implement robust, industry-standard technical and organizational security measures (such as SSL/TLS encryption in transit and encrypted databases at rest) to protect your personal data from unauthorized access, accidental loss, destruction, or manipulation.

9. Automated Decision-Making

While FooDB utilizes artificial intelligence (Google Gemini) to analyze images and provide dietary suggestions, these evaluations are purely informational. We do not engage in any legally binding automated decision-making or profiling that produces legal effects concerning you, as defined under Article 22 of the GDPR.

10. Right to Lodge a Complaint

If you believe that the processing of your personal data violates data protection laws, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). You may contact the data protection authority for your place of habitual residence, your place of work, or the location of the alleged infringement.