Privacy Policy
As of: 12/10/2025
Notice: This privacy notice describes the planned handling of personal data during the closed testing phase. The content serves as a draft and will be validated by legal counsel before market launch.
1. Controller
The controller responsible for data processing under the GDPR is:
D**** P****
C*********** **
30169 Hanover
Germany
Email: datenschutz@chefito.de
For any privacy questions, please contact us via the aforementioned address.
2. Legal Bases of Processing
We process personal data solely in line with the GDPR and the German Federal Data Protection Act (BDSG).
- Art. 6(1)(b) GDPR – to perform pre-contractual steps and to provide and manage your Chefito account.
- Art. 6(1)(f) GDPR – to safeguard legitimate interests, in particular ensuring IT security, analysing errors and preventing misuse.
- Art. 6(1)(a) GDPR – where you grant explicit consent (e.g. for optional beta features).
- Art. 6(1)(c) GDPR – where processing is necessary for compliance with legal obligations.
3. Types of Data Processed
We may process the following categories of personal data:
- Master data (e.g. name, email address).
- Usage data (e.g. log files, IP address, access time, device and operating system information).
- Content data (e.g. uploaded recipes, photos or receipts).
- Communication data (e.g. support requests or feedback messages).
We do not intentionally collect special categories of personal data within the meaning of Art. 9 GDPR. Should users voluntarily upload such information, it will be processed solely to provide the core service and will not be analysed for any other purpose.
4. Services Used and Data Transfers
To operate the application we rely on services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) acting as our processor. In particular these services include:
- Firebase Authentication: Secure sign-in, session management and password reset workflows.
- Cloud Firestore: Structured storage of inventory, profile and preference data.
- Cloud Storage for Firebase: Storage of user-generated content such as photos or receipts.
- Firebase Hosting: Delivery of the web application and static assets.
Processing is governed by a data processing agreement pursuant to Art. 28 GDPR. Where data are transferred to third countries (notably the USA), Google relies on EU Standard Contractual Clauses and implements additional safeguards such as encryption and access controls. We regularly verify that only the data required for operating the service are processed. Additional processors will only be engaged following an update of this notice.
5. Retention Period
We retain personal data only for as long as necessary for each purpose:
• Account data remain stored until you delete your account or the testing phase ends.
• Support communications are removed after 12 months unless statutory retention periods require longer storage.
• Server log files are kept for 7 days and then deleted or anonymised.
• System backups are encrypted and overwritten automatically after no more than 30 days.
Once the respective purpose ceases to apply, data are deleted or anonymised unless legal obligations dictate otherwise.
6. Your Rights as a Data Subject
As a data subject you have the rights set out in Art. 15–22 GDPR, including access, rectification, erasure, restriction of processing, data portability and the right to object to processing based on Art. 6(1)(f) GDPR. You may withdraw consent at any time with future effect. You also have the right to lodge a complaint with the competent supervisory authority (Lower Saxony State Authority for Data Protection, https://lfd.niedersachsen.de). Please direct any requests to datenschutz@chefito.de.
7. Disclosure to Third Parties
Personal data are not transferred to third parties as a matter of course. Exceptions apply to our processors, who are engaged under data processing agreements pursuant to Art. 28 GDPR and act solely on our instructions. We do not sell data and do not share them for advertising or profiling purposes.
8. Cookies and Local Storage
We only use technically necessary cookies and local storage mechanisms required for authentication, session continuity and security (Art. 6(1)(f) GDPR in conjunction with Sec. 25 (2) No. 2 TTDSG). Optional comfort or analytics features will be activated solely on the basis of your explicit consent and described in an updated version of this notice. You may restrict cookies via your browser settings, although doing so may limit functionality.
9. Right to Amend
We reserve the right to amend this privacy policy to reflect changes in law or in the service. The current version will be published here. In the event of material changes we will notify registered users by email with reasonable advance notice.