Last updated: April 17, 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is: Lukas Schachtmaier & Johann Warkentin GbR Rosenstraße 19, 38550 Isenbüttel, Germany info@honeyapps.de Hereinafter referred to as "we" or "provider".
2. Collection and Storage of Personal Data
When using our app, the following personal data is collected and stored: • Email address (for registration and login) • Display name (freely chosen) • Profile picture (optional, uploaded by the user) • Recipe data (titles, ingredients, preparation steps, images) • Family and group memberships • Meal plans and shopping lists • Labels and categories • Comments, ratings, and "likes" on public recipes • Usage preferences (language, theme, registration and last login timestamps) When using certain features, the following data is also temporarily processed (not permanently stored): • Photos and images (for AI-powered recipe recognition) • Voice input (transcribed locally on the device; transcribed text is transmitted for AI processing) • Ingredient lists (for automatic nutrition calculation) The legal basis for processing is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(a) GDPR (consent). Use of the app is permitted from age 16. Persons under 16 require the consent of a parent or legal guardian (Art. 8 GDPR).
2a. Device Permissions
The app requests the following device permissions, which are only used when actively using the corresponding feature: • Camera — to take recipe photos and for image-to-recipe recognition • Microphone — for voice input of recipes • Photo Library — to select images for recipes • Speech Recognition — for automatic transcription of spoken recipes • App Tracking Transparency (iOS only) — for personalized advertising via Google AdMob and anonymized usage statistics (only activated with your explicit consent)
3. Use of Firebase (Google)
This app uses Google Firebase services: • Firebase Authentication — for user login (including Google Sign-In and Sign in with Apple) • Cloud Firestore — for storing recipes, plans, and user data • Firebase Cloud Storage — for storing images • Firebase Cloud Functions — for server-side processing (recipe import, AI features, social media import) • Firebase App Check — to protect against abusive access (device attestation via Apple DeviceCheck or Google Play Integrity) Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) acts as a data processor within the meaning of Art. 28 GDPR. A data processing agreement (DPA) is in place. More information: https://firebase.google.com/support/privacy
3a. Firebase Analytics & Crashlytics
The app uses the following Firebase services: a) Firebase Crashlytics (consent required) Collects technical crash reports to ensure app stability. Device type, operating system version, and technical error traces are transmitted. No personal content (recipes, names) is transmitted. Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent). Crashlytics is disabled by default and is only activated after your explicit consent through the in-app consent dialog. You can revoke your consent at any time in the app settings under "Privacy". b) Firebase Analytics (consent required) Collects anonymized usage statistics (e.g., which features are used and how often, screen views). No personal content (recipes, names) is transmitted. Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent). Analytics is disabled by default. You can revoke your consent at any time in the app settings under "Privacy". On iOS devices, consent for Analytics and advertising tracking is additionally requested via the system-level App Tracking Transparency (ATT) dialog. Your privacy settings (consent for Analytics and Crashlytics) are stored in your user profile to maintain them across devices. Data processing is carried out by Google Ireland Limited (see Section 3).
3b. Email Delivery (Brevo)
For sending transactional emails (e.g., email verification, password reset), we use the service Brevo (Brevo SAS, 106 boulevard Haussmann, 75008 Paris, France). Your email address is transmitted to Brevo solely for the purpose of sending the email. Brevo does not use your email address for marketing purposes and does not store it permanently after delivery. Legal basis: Art. 6(1)(b) GDPR (performance of a contract, as the email is required for account functionality). Data processing takes place within the EU. A data processing agreement (DPA) is in place. More information: https://www.brevo.com/legal/privacypolicy/
3c. Advertising (Google AdMob)
The app displays advertisements through Google AdMob (Google Ireland Limited). AdMob uses the following data to serve personalized ads: • Device Advertising ID (IDFA on iOS, Google Advertising ID on Android) • IP address (approximate location) • Device type and operating system version • App usage data (which ads were viewed/clicked) • Inferred demographic data (estimated age, interests) Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent). Personalized advertising is only activated with your explicit consent. Consent Management (Google UMP / CMP): For users in the EEA, Switzerland, and the United Kingdom, we obtain your consent before ads are first shown via the Google User Messaging Platform (UMP, IAB TCF v2.2). Through this dialog, you can consent to or object to data processing by Google and additional advertising partners. You can change your settings at any time in the app settings under "Privacy" → "Manage ad preferences". On iOS, the App Tracking Transparency (ATT) dialog is additionally shown. You can also disable personalized advertising at the device level: • iOS: Settings → Privacy & Security → Tracking • Android: Settings → Google → Ads → Opt out of ad personalization Without consent, only contextual, non-personalized ads are displayed. More information: https://policies.google.com/technologies/ads Google Privacy: https://policies.google.com/privacy
4. Artificial Intelligence (AI Features)
The app uses AI-powered features based on Google Gemini (a generative AI model by Google LLC). Processing takes place through our own Firebase Cloud Functions, which serve as intermediaries to the Gemini API. Data is only transmitted upon your active request. a) Image-to-Recipe Recognition When you use a photo for recipe recognition, the compressed image is transmitted to our Cloud Function and forwarded to the Google Gemini Vision API. Gemini analyzes the image and returns structured recipe data (title, ingredients, steps, servings, times). The image is not permanently stored on Gemini servers after processing. b) Speech-to-Recipe For voice input, speech is first transcribed locally on your device (on-device Speech-to-Text). The transcribed text is then sent to Google Gemini to create structured ingredients and preparation steps. The audio recording itself does not leave the device. c) Automatic Nutrition Calculation Your recipe ingredient list is sent to Google Gemini to estimate nutritional values (calories, protein, carbohydrates, fat). These values are automatically generated estimates and provided without guarantee. d) Recipe Generation from Ingredients When you provide a list of available ingredients, it is sent to Google Gemini to generate a matching recipe. e) AI-Powered Recipe Modification When you modify an existing recipe via AI (e.g., "make it vegan"), the recipe data and your modification request are sent to Google Gemini. f) Food Identification from Photos When you use a photo to identify ingredients, the image is sent to Google Gemini to identify individual food items. g) Text Input Interpretation and Recipe Import Cleanup For text-based recipe input and imported recipes, the entered or extracted text is sent to Google Gemini to extract and structure relevant recipe information. Legal basis: Art. 6(1)(b) GDPR (performance of a contract, as the AI function is executed upon active request). Google LLC acts as a data processor in this context. According to the Gemini API terms of use, data transmitted via the API is not used for training AI models. More information about the Gemini API: https://ai.google.dev/gemini-api/terms Google AI Privacy: https://policies.google.com/privacy
5. Recipe Import from Third-Party Sources
The app allows importing recipes from external sources. Only the extracted recipe data is stored — no personal data from third-party platforms. • Website Import (URL): The specified URL is accessed server-side by our Cloud Function. Page content and structured recipe data (JSON-LD, Microdata) are extracted. • Social Media Import (Instagram, TikTok, Pinterest): Publicly accessible posts are retrieved via public interfaces or publicly viewable content. Only the extracted recipe data is stored. • Chefkoch: The app uses the public recipe API of chefkoch.de to retrieve recipe data. • iOS Share Extension: When you share content (e.g., URLs or text) with ReciBee via the iOS share sheet, that content is transmitted directly to our Cloud Function and processed there like a regular import (including AI-based structuring via Google Gemini, see Section 4). Only the extracted recipe data is stored. You are responsible for ensuring that you are authorized to use the imported content and do not infringe on third-party copyrights.
6. Data Transfer to the USA
Some of the services we use process data on servers in the USA: • Firebase services (partially in region us-central1) • Google Gemini API (AI processing by Google LLC) The transfer is based on the EU-U.S. Data Privacy Framework (DPF), under which Google LLC is certified, as well as on EU Standard Contractual Clauses (Art. 46 GDPR). More information about the Data Privacy Framework: https://www.dataprivacyframework.gov
7. Data Retention
Your data is retained according to the following schedule: Permanent data (while account is active): • Profile data, recipes, meal plans, shopping lists, comments, ratings • Deleted immediately and completely upon account deletion Temporary data: • Firebase Analytics: max. 14 months (Google default) • Firebase Crashlytics crash reports: 90 days • Server logs (Cloud Functions): 30 days • Google AdMob advertising data: per Google Ads policies (approx. 13–24 months) AI processing: • Images, text, and voice input transmitted to the Gemini API are not permanently stored after processing and are not used for training AI models. Legal retention obligations: • Tax and commercial records: 10 years (German law, § 147 AO, § 257 HGB) • In case of legal disputes, data may be retained longer as required by law
8. Your Rights
Under the GDPR, you have the following rights: • Right of access (Art. 15 GDPR) • Right to rectification (Art. 16 GDPR) • Right to erasure (Art. 17 GDPR) • Right to restriction of processing (Art. 18 GDPR) • Right to data portability (Art. 20 GDPR) • Right to object (Art. 21 GDPR) To exercise your rights, contact us at the email address stated above. Data Export (Art. 15 & 20 GDPR): You can download all your data at any time in the app under Profile Settings → "Export my data" as a JSON file. Account Deletion (Art. 17 GDPR): You can permanently delete your account and all associated data at any time in the app under Profile Settings → "Delete Account".
9. Automated Decision-Making
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place. AI-powered features (see Section 4) are used solely for assistance and do not produce legally binding or similarly significant decisions.
10. Contact & Right to Complain
If you have questions about data protection, you can contact us at any time at info@honeyapps.de. You also have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority depends on the federal state of the provider.
11. In-App Purchases and Subscriptions
The app offers optional paid features through in-app purchases and subscriptions. Payment processing is handled exclusively by Apple (App Store) or Google (Play Store). To manage subscriptions, we use the service RevenueCat (RevenueCat Inc., San Francisco, USA). The following data is transmitted to RevenueCat: • Anonymized app user ID • Purchase receipts and subscription status • Platform (iOS/Android) No personal data such as name or email address is transmitted to RevenueCat. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). More information: https://www.revenuecat.com/privacy
12. Children's Privacy and Minimum Age
This app is intended for users aged 16 and older. This corresponds to the minimum age for independent consent to the processing of personal data in connection with information society services in Germany (§ 22 BDSG in conjunction with Art. 8(1) GDPR). For users under 16, use of the app is only permitted with the consent of a parent or legal guardian. The parent or legal guardian must have read this Privacy Policy and consented to the processing. We do not knowingly collect personal data from children without the parental consent required by Art. 8 GDPR. If we become aware that personal data has been transmitted without the required consent, we will delete such data immediately. Parents who believe their child has provided data to ReciBee can contact us at info@honeyapps.de.