Who we are
ChefCart is operated by Michael Stadler (sole proprietor), Esterbergstraße 40, 81377 München, Germany — the data controller under Art. 4(7) GDPR. Email: contact@chefcart.com. This policy covers the chefcart.app website and the ChefCart mobile app on iOS and Android. We collect the minimum needed to run the service, never run ads, and never sell your data.
Information we collect
We collect three kinds of data — what you give us, what's collected automatically, and what processors send us:
- Account data — email, display name, and authentication identifiers from Supabase when you sign in with email/password, Apple, Google, or Facebook. Household members on your plan.
- Your content — recipes, shopping lists, pantry items, meal plans. Recipes imported from a URL are stored as public by default. Cookbook scans, manual entries, and free-text imports are private unless you choose to make them public.
- Device & usage data — app version, OS, language preference, and anonymous diagnostics. Analytics events are only collected if you've opted in.
- Subscription data — if you upgrade to Pro, RevenueCat sends us your purchase status. Payment is processed by Apple or Google; we never see your card details.
How we use it
Run the service (auth, sync, family sharing), send transactional messages about your account or subscription, deliver push notifications you've subscribed to, improve the product through opt-in anonymous analytics, prevent abuse, and comply with our legal obligations. We do not show ads and do not engage in direct marketing.
Legal bases (GDPR Art. 6)
We process data on these bases: contract (Art. 6(1)(b)) — running your account and Pro subscription; consent (Art. 6(1)(a)) — analytics and non-essential cookies, which you can withdraw any time; legitimate interest (Art. 6(1)(f)) — security, fraud prevention, basic operation; legal obligation (Art. 6(1)(c)) — tax records, lawful requests.
Who we share data with
We share data only with processors needed to operate the service, each under a data processing agreement. None of them sell your data:
- Supabase (Ireland, EU) — authentication and database.
- Vercel (US, EU edge) — hosts this marketing site at the edge and provides cookieless web analytics (anonymous page-view counts) that only load after you consent.
- PostHog Cloud EU — anonymous product analytics, loaded only after you've consented.
- RevenueCat — manages your Pro subscription and talks to Apple / Google.
- Resend — delivers transactional email.
- Firebase Cloud Messaging / Apple Push Notification Service (via Expo) — delivers push notifications you've subscribed to.
We may also disclose data to comply with a valid court order or law-enforcement request. We tell you whenever the law allows.
International transfers
Most data stays in the EU. Some processors (Vercel, RevenueCat, push services) operate globally and may transfer data outside the EU. We rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Contact us if you'd like details on a specific transfer.
Security
Data in transit is encrypted with TLS. Data at rest is encrypted by our infrastructure providers. Authentication is handled by Supabase using industry-standard hashing and OAuth flows. Cookbook scans run on-device — photos never leave your phone unless you choose to import the extracted recipe.
Retention
We keep your data while your account is active. When you delete your account from the app, we erase everything within 30 days, except where law requires us to keep records longer (for example, invoice records under § 257 HGB / § 147 AO for up to 10 years).
Your rights
If our processing falls under GDPR, you have the right to:
- access — get a copy of the data we hold about you;
- rectify — correct inaccurate data;
- erase — delete your data;
- restrict — limit how we process it;
- object — to processing based on legitimate interest;
- portability — receive your data in a structured, machine-readable format;
- withdraw consent — at any time, for processing based on consent;
- lodge a complaint — with your local supervisory authority. In Bavaria: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach.
Most rights can be exercised directly in the app (Settings → Account). For anything else, email contact@chefcart.com. We respond within 30 days.
Users under 16
ChefCart is for users aged 16 and over. We do not knowingly collect data from anyone younger. If you believe a child has shared data with us, contact us and we will delete it.
Changes
We update this policy when our practices change. Material changes are announced in the app and via email at least 30 days before they take effect.
Contact
Questions, requests, or complaints: Michael Stadler, Esterbergstraße 40, 81377 München, Germany — contact@chefcart.com.