Back·Privacy Policy

Privacy Policy

Last updated: 17 June 2026

1. Who We Are (Controller)

The controller responsible for your personal data is Kryptix GmbH, Kolpingring 2, 82041 Oberhaching, Germany (Amtsgericht München, HRB 277150) ("Gourmate", "we", "us", "our"), which operates the Gourmate recipe discovery and meal planning app and website. You can reach us about privacy at [email protected]. This Privacy Policy explains how we collect, use, and protect your personal data.

2. Data We Collect

  • Account information: name, email address, and password (hashed, never stored in plain text).
  • Profile preferences: cuisine preferences, cooking skill level, household size, and food likes and dislikes.
  • Health-related dietary data: allergies, intolerances, and diet types (e.g. vegan, keto) that you choose to enter. This is treated as special category data — see "Special Category (Health) Data" below.
  • Content you provide to AI features: prompts and cravings you type, and photos you submit to the Scan feature.
  • Usage data: recipes saved, meal plans created, shopping lists, ratings, and circle/sharing activity, used to personalise your experience.
  • Device information: device type, OS version, app version, and anonymous crash reports.
  • Payment data: if you subscribe, payments are processed directly by Apple (App Store) or Google (Google Play). We do not collect or store your payment card details.

3. How We Use Your Data

  • To provide and improve the Gourmate service, including personalised recipe suggestions and meal plans.
  • To process your account registration, login, and subscription.
  • To send transactional emails (e.g. password reset). Marketing emails are opt-in only.
  • To generate AI output you request, by processing your prompts, photos, and preferences (see "AI Features and Profiling").
  • To analyse aggregated, anonymised usage trends for product development.
  • To detect and prevent fraud or abuse of our platform.

4. AI Features, Personalisation, and Profiling

  • Gourmate uses your ratings, preferences, and activity to build a personal "taste profile" and to tailor recipes, plans, and suggestions to you. This involves profiling within the meaning of Article 4(4) GDPR.
  • These features support and personalise the Service. We do not use them to make decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR. You can object to profiling based on legitimate interests, and you can reset preferences or delete your account at any time.
  • AI output is generated with the help of third-party model providers acting as our processors; your inputs are sent to them only to produce your results and under data processing agreements.

5. Special Category (Health) Data

Information about allergies, intolerances, and health-related diets may constitute special category data under Article 9 GDPR. We process it only to filter and personalise recipes for you, and only on the basis of your explicit consent (Article 9(2)(a) GDPR), which you give by choosing to enter this information. You can withdraw consent at any time by removing the data or deleting your account; withdrawal does not affect processing carried out before withdrawal. Because these filters are an automated aid that can fail, you must always verify ingredients yourself, as explained in our Terms.

6. Legal Basis for Processing (GDPR)

For users in the EEA, we rely on: (a) contract performance (Art. 6(1)(b)) to deliver the Service, including AI personalisation you request; (b) legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and improving the Service; (c) consent (Art. 6(1)(a)) for optional marketing and (Art. 9(2)(a)) for health-related dietary data; and (d) legal obligation (Art. 6(1)(c)) where we must retain certain records. You may withdraw consent at any time.

7. Data Sharing and Sub-processors

We do not sell your personal data. We share it only with trusted sub-processors acting on our behalf under data processing agreements, including cloud hosting and infrastructure, analytics, crash reporting, AI model providers, email delivery, and subscription management (Apple, Google). We may disclose data where required by law or to protect our rights.

8. International Data Transfers

Some of our sub-processors are located outside the EEA, including in the United States. Where we transfer personal data outside the EEA, we rely on an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with additional measures where needed. You can contact us at [email protected] for more information about these safeguards.

9. Data Retention

  • Active accounts: we retain your account data for as long as your account is active or as needed to provide the service.
  • Account deletion: when you request account deletion, your account is immediately deactivated and becomes inaccessible. We retain your account data for up to 90 days to allow account recovery in case the deletion was accidental. After this period, your personal data is permanently deleted or anonymised.
  • Recovery window: you can restore your account within 90 days of requesting deletion by contacting [email protected] or by logging back in.
  • Legal obligations: certain records (e.g. billing history, fraud-prevention logs) may be retained beyond 90 days where required by applicable law.
  • You may request deletion of your account at any time via Settings → Delete Account inside the app.

10. Your Rights

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: request deletion of your data ("right to be forgotten").
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests, including profiling.
  • Restriction: request that we restrict processing of your data.
  • Withdraw consent: where processing is based on consent (including health-related dietary data and marketing), withdraw it at any time without affecting prior processing.
  • Complaint: you have the right to lodge a complaint with a data protection supervisory authority. Our lead authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA); you may also contact the authority in your country of residence.

11. Use of Data to Improve Our AI

We may use content and usage data to evaluate and improve the quality of our models and the Service. Where this data is personal, we rely on our legitimate interest in improving the Service and apply measures such as aggregation or pseudonymisation, and we do not use special category (health) data for model training without your explicit consent. You can object to processing based on legitimate interests as described in "Your Rights".

12. Security

We use industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, and regular security reviews. No method of transmission over the internet is 100% secure and we cannot guarantee absolute security.

13. Children

Gourmate is not directed at children under 16 in the EEA (or under 13 where a lower age is permitted by local law). We do not knowingly collect data from children below the applicable age. If you believe a child has provided us personal data, please contact us immediately.

14. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice. The current version is always available in the app and on our website.

Questions? Contact us at [email protected]