Privacy Policy
This Privacy Policy informs you about the processing of personal data in connection with the use of Superkitchen (the "Service"), provided as a mobile app for iOS.
1.Controller
The controller within the meaning of Art. 4 No. 7 GDPR is: DBBC Ventures GmbH Platanenstr. 45, 13156 Berlin, Germany Phone: +49 30 9798 2686 Email: hello@getsuperkitchen.com Registered with the Local Court of Berlin (Charlottenburg) under HRB 256898.
2.Data protection officer
We have not appointed a data protection officer, as the legal requirements for this are currently not met (sec. 38 of the German Federal Data Protection Act, BDSG). For privacy questions, you can reach us at hello@getsuperkitchen.com.
3.Roles under the GDPR
For personal data that you as a family enter while using the Service (e.g. names of family members, birthdays, recipes, weekly plans, pantry items, wishes, photos), the respective family acts as controller and we act as processor.
For the processing of your account data, authentication data, and technical logs, we are the controller ourselves. This policy covers both types of processing.
4.Categories of data processed
Account and profile data: email address, name, avatar, language setting.
Family profile: family name, members with name, photo, birthday, gender, dietary preference, and family role (Owner, Chef, Sous Chef, Kid).
Authentication data: hash of the email address, OAuth provider IDs (Google, Apple), session tokens, one-time code tokens.
Device tokens: a technical push token of your device, if you enable push notifications.
Usage data: recipes, weekly plans, pantry items, wishes, ratings, comments, photos you create, and timestamps.
Consent records: document version, timestamp, and association with account and family, as proof of acceptance of the Terms of Use, Privacy Policy, and parental consent.
Technical logs: IP address, HTTP status code, requested path, timestamp, user agent, for error analysis and abuse prevention.
Communication data: content you send to us by email or via support channels.
Purchase and subscription data: subscription status and plan of your family, transaction and renewal identifiers from the App Store (e.g. the original transaction ID), start and end of the billing period, and the state of the AI quota. We do not receive payment or credit card data from Apple.
5.Purposes and legal bases
Provision of the Service and account management: Art. 6 (1) (b) GDPR (contract).
Provision and management of the paid AI subscription and assignment of the quota to your family: Art. 6 (1) (b) GDPR (contract).
Authentication (OAuth, one-time code): Art. 6 (1) (b) GDPR.
Security, abuse prevention, log files: Art. 6 (1) (f) GDPR (legitimate interest).
Proof of acceptance of the Terms of Use and Privacy Policy: Art. 6 (1) (f) GDPR (documentation and legal defense); Art. 6 (1) (c) GDPR where statutory retention obligations exist.
Support communication: Art. 6 (1) (b) and (f) GDPR.
Statutory retention obligations (e.g. invoices): Art. 6 (1) (c) GDPR, sec. 257 of the German Commercial Code (HGB), sec. 147 of the German Fiscal Code (AO).
6.Hosting (Supabase)
The application database, authentication, and file storage (e.g. for recipe photos) are operated by Supabase in the EU (AWS region eu-central-1, Frankfurt). A data processing agreement pursuant to Art. 28 GDPR is in place with Supabase.
6a.Transactional emails (login)
For login via one-time code, we send transactional emails on our behalf through the service Resend (Resend, Inc., USA) to the address you provide. Only your email address and the respective login content (e.g. the login code) are processed. Sending is handled via EU infrastructure (region Ireland). A data processing agreement pursuant to Art. 28 GDPR is in place with Resend; any transfer to the USA is based on EU standard contractual clauses and, where applicable, the EU-U.S. Data Privacy Framework.
Invitations to the family and to befriended families work via an invitation link or code, not via email. Product notifications (e.g. a requested vote) are delivered as push notifications (see 7b.), not by email.
7.OAuth login (Google, Apple)
When you sign in with an OAuth provider, the data required for authentication (email address, possibly name, provider ID) is exchanged between the provider and us. The legal basis is Art. 6 (1) (b) GDPR. Details on data processing by the providers can be found in their privacy policies.
7a.AI feature (Anthropic, Google)
When you use the optional AI features to create a recipe suggestion from a photo of a dish or to recognize the food contained in photos of your fridge or pantry, the images you select (up to five for the pantry scan) together with an optional note are transmitted to the provider of the AI model you have chosen and processed there to generate the suggestion or recognition. Which provider this is depends on the model selected in the AI settings (see below). Such photos may show people, including children, or parts of your home. Please choose the photos deliberately.
If a Claude model is selected, the content is transmitted to Anthropic PBC (USA). The transfer to the USA is based on EU standard contractual clauses and, where applicable, the EU-U.S. Data Privacy Framework. According to Anthropic, content sent via the API is not used to train models and is only retained for a limited time for abuse prevention.
If a Gemini model is selected, the content is transmitted to Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and processed in the European Union. A data processing addendum is in place with Google, ensuring that Google processes the data only according to our instructions and does not use it for its own purposes such as training its own AI models. Any transfer to third countries (such as the USA) is safeguarded by EU standard contractual clauses.
The legal basis is Art. 6 (1) (b) GDPR (provision of the feature you requested). The AI feature is voluntary. If you do not use it, no content is transmitted to these providers.
7b.Push notifications (Apple)
If you enable push notifications (for example to learn that someone in the family has requested a vote on a dish), the app registers a device-specific push token. We store this token and use it via the Apple Push Notification service (APNs) of Apple Inc. to deliver the notification to you.
The legal basis is Art. 6 (1) (a) GDPR (your consent given via the system prompt) and (b) for providing the feature. You can revoke push notifications at any time in the device or app settings; the token will then no longer be used and will be removed.
7c.Purchase and subscription (Apple App Store)
If you take out a paid AI subscription, Apple transmits technical purchase and status information to us (in particular transaction and renewal identifiers, the selected plan, and the start and end of the billing period). We process this server-side to assign the booked AI quota to your family and to maintain the subscription status (among other things via App Store Server Notifications that Apple sends to our server).
Payment processing is handled solely by Apple; we do not receive payment or credit card data. The legal basis is Art. 6 (1) (b) GDPR (performance of the subscription); Apple is responsible for its own processing in the context of the purchase.
8.Children
Superkitchen may be used together with children under 16. We process children's data (name, photo, birthday, gender, dietary preference, recipe ratings, wishes) exclusively on the basis of the consent of the parent or guardian who created the family.
Legal responsibility for content relating to children lies with the parents or guardians of the respective family. On request, we delete children's data immediately and irrevocably.
9.Visibility in the friends network
Family content is private by default. In the friends network, other families only see content you have explicitly shared per recipe. As long as a recipe is not actively shared, it remains visible only within your own family.
10.Cookies and local storage
In the app we use only technically necessary local storage (session tokens, selected language, locally cached content for offline use). These are exempt from consent under sec. 25 (2) no. 2 of the German Telecommunications Digital Services Data Protection Act (TDDDG). We do not use marketing or analytics cookies.
11.Retention periods
Account data: until the family account is deleted by the owner.
Usage data (recipes, plan, ingredients, wishes, photos): until deleted by a member with a sufficient role or until the account is deleted.
Technical logs: max. 30 days, then deletion or aggregation.
Consent records: for the duration of the business relationship + 3 years (proof).
Purchase and subscription data: for the duration of the subscription and your family; tax-relevant transaction records 10 years (sec. 147 AO).
Invoices and tax-relevant data: 10 years (sec. 147 AO).
12.Recipients and third-country transfers
We share personal data only with the processors named above and with public authorities where we are legally obliged to do so. Third-country transfers may occur with individual services (e.g. to Anthropic in the USA for the AI feature with a Claude model; with a Gemini model, Google processes the data in the EU, see 7a.; for email delivery via Resend see 6a.); they are based on EU standard contractual clauses and, where applicable, the EU-U.S. Data Privacy Framework.
13.Automated decision-making
No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place.
14.Your rights
Right of access (Art. 15 GDPR) Right to rectification (Art. 16 GDPR) Right to erasure (Art. 17 GDPR) Right to restriction of processing (Art. 18 GDPR) Right to data portability (Art. 20 GDPR) Right to object (Art. 21 GDPR) Right to withdraw consent with effect for the future, where processing is based on consent (Art. 7 (3) GDPR) An informal message to hello@getsuperkitchen.com is sufficient to exercise these rights.
15.Right to lodge a complaint with a supervisory authority
Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority. The authority responsible for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information) Alt-Moabit 59 bis 61 10555 Berlin, Germany www.datenschutz-berlin.de
16.Security
We use technical and organizational measures to protect your data against unauthorized access, loss, or alteration. These include in particular: TLS encryption, row-level security at the database level (tenant-separated visibility per family), encrypted storage of authentication data, access restrictions on a need-to-know basis, and regular reviews.
17.Changes to this Privacy Policy
We adjust this Privacy Policy when features, the legal situation, or the services we use change. The current version is always available in the app. In the event of material changes, we additionally inform active users by email or in the app.