Privacy Policy

The data controller within the meaning of the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) is:

• Entity: PickEat (Riad Mahi, sole trader)
• Country: France
• Contact: privacy@pickeat.io

For any request relating to your personal data, please contact us at the address above. We will respond within thirty (30) days as required by applicable law.

2.1 Account data

When you create an account, we collect your email address and a hashed password (via Firebase Authentication). Anonymous accounts are also supported and do not require an email address.

2.2 Profile data

You voluntarily provide: first name, age, gender (optional), and dietary preferences (e.g., vegan, gluten-free, IBS). This data is used solely to personalize compatibility analysis.

2.3 Scan history

Each product scan generates a record containing: product barcode or AI-generated identifier, product name, brand, compatibility verdict, flagged ingredients, and timestamp. This data is stored in your account.

2.4 AI interaction data

When you use the AI question feature, the following data is transmitted to our AI sub-processor (OpenAI): the product name, ingredient list, your dietary profile, and your question. No directly identifying information (name, email, device ID) is included in AI requests.

2.5 Technical and usage data

We collect, via Firebase Analytics (Google), anonymized usage data including: app version, device type, OS version, session duration, and feature interactions. No precise geolocation is collected.

2.6 Payment data

Premium subscriptions are processed by Apple (App Store) and RevenueCat. PickEat does not receive, store, or process your payment card details. RevenueCat receives a pseudonymous user identifier to verify subscription status.

Dietary preferences may constitute special category data under GDPR Article 9 where they reveal health information (e.g., IBS, celiac disease, diabetes). We process this data on the basis of your explicit consent (Art. 9(2)(a)), which you provide when setting up your dietary profile. You may withdraw this consent at any time by deleting your profile.

We engage the following sub-processors to operate PickEat. Each has been assessed for GDPR compliance and, where applicable, a Data Processing Agreement (DPA) is in place.

4.1 Google Firebase (Google LLC / Google Ireland Limited)

• Role: Authentication, cloud database (Firestore), analytics
• Data transferred: Email, hashed password, scan history, profile
• Location: EU (eur3 region) and United States
• Safeguard: Standard Contractual Clauses (SCCs) — Google Cloud DPA
• DPA: cloud.google.com/terms/data-processing-addendum

4.2 OpenAI, LLC

• Role: AI sub-processor — product analysis and natural language responses
• Data transferred: Product name, ingredient list, dietary profile tags, user question (no PII)
• Location: United States
• Safeguard: Standard Contractual Clauses (SCCs) — OpenAI Data Processing Addendum
• DPA: platform.openai.com/docs/data-privacy
• Important: OpenAI does not use API data to train its models by default, pursuant to its API data usage policy. Inputs and outputs are not retained beyond 30 days for abuse monitoring.

4.3 RevenueCat, Inc.

• Role: Subscription and premium status management
• Data transferred: Pseudonymous user ID, purchase receipt (from Apple)
• Location: United States
• Safeguard: Standard Contractual Clauses (SCCs) — RevenueCat DPA
• DPA: revenuecat.com/dpa

4.4 Apple Inc.

• Role: App distribution and in-app purchase processing
• Data transferred: As required by App Store usage; governed by Apple's privacy policy

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
• Scan history: Retained for the duration of your account. Deleted on account deletion.
• AI request logs: Not retained by PickEat. OpenAI retains API inputs/outputs for up to 30 days for abuse monitoring only, then deletes them.
• Analytics data: Aggregated and anonymized; retained for 14 months (Firebase Analytics default).
• Backup data: Encrypted backups may persist for up to 90 days after deletion before being purged.

If you are located in the European Economic Area (EEA), you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate data. Most data can be corrected directly in the app.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). You can delete your account directly in the app under Profile → Delete Account, which triggers immediate deletion of all associated data.
• Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
• Right to data portability (Art. 20): Request your data in a structured, machine-readable format. Contact us at privacy@pickeat.io.
• Right to object (Art. 21): Object to processing based on legitimate interests (e.g., analytics).
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent (special category data), you may withdraw at any time by deleting your dietary profile.
• Right to lodge a complaint: You may lodge a complaint with your national supervisory authority. In France: CNIL (cnil.fr).

To exercise any of the above rights, contact us at privacy@pickeat.io. We will respond within 30 days. We may ask you to verify your identity before processing certain requests.

Some of our sub-processors (OpenAI, RevenueCat) are located in the United States. These transfers are conducted on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46 GDPR, ensuring an equivalent level of data protection. Links to the applicable SCCs are provided in Section 4.

We implement appropriate technical and organizational security measures, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256) for all stored data
• Firebase Security Rules restricting data access to authenticated owners only
• API key management — OpenAI API keys are stored server-side and never exposed to clients
• Minimal data principle — AI requests contain no directly identifying information
• Regular dependency and security audits

No method of transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in high risk to your rights, we will notify you within 72 hours as required by GDPR Article 33.

PickEat is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us at privacy@pickeat.io for immediate deletion.

We may update this Privacy Policy from time to time. Material changes will be notified via in-app notification or email. Your continued use of PickEat after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree, you may delete your account.

For any questions, requests, or concerns regarding this Privacy Policy or your personal data:

• Email: privacy@pickeat.io
• Data controller: PickEat (Riad Mahi, sole trader), France