This is a convenience translation. The legally binding version is the German original.

Privacy Policy

Last updated: January 2026

1. Data Controller

Provider (Controller within the meaning of the GDPR):
MixBuch UG (haftungsbeschränkt)
Markgrafenstraße 41
74564 Crailsheim
Managing Director: Kai Strecker
Commercial Register: Amtsgericht Schwäbisch Hall (registration pending)
Email: info@mixbuch.de

2. Purpose and Scope

This privacy policy explains which personal data we process when you use our mobile app "MixBuch", the purposes for which this processing takes place, and the rights you have as a data subject. It applies to all functions of the app, including account creation, AI-powered recipe conversion, personal cookbook, community feed, in-app purchases/subscriptions, push notifications, and support.

3. Categories of Personal Data

  • Account and profile data: Email address (required), password (hashed), optional profile picture.
  • Usage/log data: Device information (e.g. model, OS, app version), technical IDs (e.g. installation/advertising ID), IP address, timestamps, interactions, crash logs.
  • Content data: Content you enter/upload (recipe texts, URLs, photos) and metadata (title, ingredients, steps, tags, favourites).
  • Community data: Publicly shared recipes, comments, likes, display name/profile picture.
  • Push data: Device/push tokens, OneSignal/FCM IDs, notification preferences, interaction events.
  • Subscription/purchase status: Product IDs, durations, status (active/expired), transaction references from Apple App Store / Google Play; no complete payment data is stored by us.
  • Support data: Content of your enquiries (e.g. emails), any attachments, response history.

4. Purposes of Processing

  • Provision and operation of the app: Account creation, login (Firebase Authentication), storage of content/recipes (Firebase), display of personal library.
  • AI conversion: Processing your recipes (photos/URLs/text) to generate step-by-step instructions.
  • Community features: Sharing content, comments/likes, moderation, abuse prevention.
  • Subscriptions/in-app purchases: Management of purchase and subscription status (RevenueCat), activation of premium features.
  • Notifications: Sending push notifications (OneSignal/FCM) regarding updates, community events, or alerts.
  • Analytics & quality: Reach/feature usage, debugging, stability (Firebase Analytics/crash logs).
  • Legal & security: Abuse prevention, enforcement of claims, fulfilment of legal obligations (e.g. tax documentation).

5. Legal Bases (Art. 6(1) GDPR)

  • (b) Performance of a contract / pre-contractual measures: Registration, login, content processing, subscription status verification, provision of essential app features.
  • (a) Consent: Push notifications (system consent), analytics (where required), camera access (system permission). Consent may be withdrawn at any time with effect for the future (e.g. via device settings).
  • (f) Legitimate interest: IT security, fraud prevention, product improvement, anonymous/aggregated usage analysis (balancing of interests).
  • (c) Legal obligation: Retention of billing records, disclosure to authorities, tax and commercial law requirements.

6. Specific Processing Operations

6.1 Account & Login (Firebase Authentication)

An account is required to use the app. We process your email address and an encrypted password for authentication purposes. You may optionally upload a profile picture. Without this data, use of the app is not possible.

6.2 Content, Camera & Storage (Firebase Storage/Database)

When using the camera function, you capture recipe photos. The app requires a system permission for this purpose. Photos and the recipe data derived from them (text/steps) are stored in Firebase to make your content available in your account. Please do not upload photos containing personal data of third parties.

6.3 Community & Public Features

When you share content in the community feed, it becomes visible to other users (including your display name/profile picture). You can delete shared content at any time; caches/backups may be cleared with a technical delay.

6.4 Subscriptions & Purchases (Apple/Google, RevenueCat)

Transactions are processed through the Apple App Store or Google Play. We do not receive any payment data. For status verification/management, we use RevenueCat (receiving product IDs, durations, active/inactive status). Without subscription status data, premium features cannot be activated.

6.5 Analytics & Diagnostics (Firebase Analytics/Crash)

We use Firebase services to understand usage and stability of the app (e.g. screens viewed, session duration, error messages). Depending on your platform, you may limit analytics/personalisation via your device settings.

6.6 Push Notifications (OneSignal / FCM)

For push notifications, a token/ID is assigned to your device. OneSignal may process device-related information (e.g. device type, language, app version, advertising ID) for delivery/segmentation purposes. You can disable push notifications at any time in the system/app settings.

6.7 Support & Communication

When you contact us (e.g. by email), we process your information to handle your enquiry. Legal basis: Art. 6(1)(b)/(f) GDPR.

6.8 Web Portal (mixbuch.app)

The MixBuch portal is also available as a web version. Additional services are used in this context:

Fonts

We use system fonts that are already installed on your device. No connection to external servers (e.g. Google Fonts) is established and therefore your IP address is not transmitted to third parties for fonts. This serves both data protection and website performance.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a privacy-compliant, fast-loading website presentation).

jsDelivr CDN

To accelerate the loading of libraries (e.g. font icons, JavaScript frameworks), we use the Content Delivery Network (CDN) provided by jsDelivr (ProspectOne Sp. z o.o., Poland). When files are retrieved, they are loaded from jsDelivr servers, whereby your IP address is transmitted. Further information: https://www.jsdelivr.com/privacy-policy

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in fast, reliable website operation).

Algolia Search

For the search functionality on our website, we use Algolia Inc., 589 Howard St., San Francisco, CA 94105, USA ("Algolia"). Search queries and your IP address are transmitted to Algolia servers to deliver relevant search results. Algolia may process this data in accordance with its own privacy policy. Further information: https://www.algolia.com/policies/privacy/

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional, fast search feature).

Vimeo Videos

We embed videos from Vimeo LLC, 555 West 18th Street, New York, NY 10011, USA ("Vimeo") on our website. When a video is played, a direct connection to Vimeo servers is established, whereby your IP address is transmitted to Vimeo. Vimeo may set cookies and analyse your usage behaviour. We have enabled the "Do Not Track" mode (dnt=1) to reduce tracking. Further information: https://vimeo.com/privacy

Legal basis: Art. 6(1)(a) GDPR (consent through use of the website) or Art. 6(1)(f) GDPR (legitimate interest in multimedia presentation of our content).

Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics 4 uses cookies and similar technologies to analyse your use of the website (e.g. pages visited, time spent, device information, referral source). The information generated by cookies about your use of this website is transmitted to and stored on a Google server.

Consent Mode v2: We use Google Consent Mode v2, a privacy-friendly implementation. This means:

  • Without your consent: Google Analytics loads technical components but does not set cookies and does not perform tracking. Data collection is disabled by default (analytics_storage: denied).
  • With your consent: After confirmation in the cookie banner, data collection is activated (analytics_storage: granted) and Google Analytics sets cookies to analyse your website usage.

We have enabled IP anonymisation, so that your IP address is truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area prior to transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide us with other services relating to website and internet usage.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner). Consent is given through active confirmation in the cookie consent banner and may be withdrawn at any time.

Right of withdrawal: You may withdraw your consent at any time with effect for the future by:

  • Clicking "Cookie Settings" in our website footer and disabling Google Analytics,
  • Deleting cookies in your browser settings,
  • Installing the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout

Data transfers to third countries: Google Analytics may transfer data to the USA. Google LLC is certified under the EU-US Data Privacy Framework and is committed to complying with EU data protection standards. Further information: Data Privacy Framework

Further information about Google Analytics can be found at: https://policies.google.com/privacy and https://marketingplatform.google.com/about/analytics/terms/de/

Retention period: Cookies set by Google Analytics have a default validity of up to 2 years. Usage data is automatically deleted after 14 months. You can end the cookie lifetime at any time by deleting the cookies.

7. Recipients / Categories of Recipients

  • Hosting & backend: Google Firebase (Ireland/EU, global infrastructure) for Auth, databases, Storage, Functions, Analytics, Messaging.
  • Web analytics: Google Ireland Limited (Ireland) or Google LLC (USA) for Google Analytics 4 for website analysis (only with consent).
  • Search & CDN: Algolia Inc. (USA) for search functionality; jsDelivr/ProspectOne (Poland) for content delivery.
  • Notifications: OneSignal Inc. (USA) for push notifications.
  • Subscription management: RevenueCat Inc. (USA) for licence/subscription status.
  • App stores: Apple (Ireland/USA) and Google (Ireland/USA) as independent controllers for store processes, payments, and diagnostics.
  • IT service providers: Strictly instruction-bound processors where applicable (e.g. email/support tools).
  • Authorities/lawyers: Where required by law or for legal enforcement.

8. Transfers to Third Countries

Transfers to third countries (particularly the USA) may occur when using Firebase, Google Analytics, OneSignal, Algolia, and RevenueCat. We base such transfers, where necessary, on appropriate safeguards (e.g. EU Standard Contractual Clauses, EU-US Data Privacy Framework). Additionally, we configure Firebase with EU regions where possible. Nevertheless, access from third countries cannot be entirely ruled out on a technical level. For Google Analytics 4, tracking only takes place after your explicit consent in accordance with Consent Mode v2.

9. Retention Period / Criteria

  • Account/profile: For the duration of the user relationship; deletion upon account closure, subject to statutory retention obligations.
  • Content/recipes: Until deleted by you or upon account deletion; backups are periodically overwritten/deleted.
  • Subscription/purchase status: As long as the subscription is active; purchase-related records are retained in accordance with statutory periods (typically up to 10 years).
  • Analytics/logs: Technically/organisationally limited retention periods (e.g. 14 months analytics retention; crash logs typically 60-90 days), followed by deletion/aggregation.
  • Support: Until the matter is resolved; longer retention where required by law.

10. Obligation to Provide Data / Consequences of Non-Provision

Providing your email address and password is required to use the app. Without this data, account creation, and therefore use of the app, is not possible. Profile picture, community participation, push notifications, and analytics are optional; if not used, certain convenience features may be unavailable.

11. Security (Technical and Organisational Measures)

We implement appropriate technical and organisational measures (including encryption in transit/at rest with Firebase, access restrictions, logging, authorisation concepts) to protect your data against loss, misuse, and unauthorised access. Access is only granted to persons/service providers who require it for task fulfilment and who are contractually/legally bound to confidentiality.

12. Minors

The app has no age restriction but is not specifically targeted at children. We do not knowingly request data from children under the age of 16. Parents/legal guardians may request the deletion of children's accounts.

13. Rights of Data Subjects

You have the following rights at any time (Art. 15-21 GDPR):

  • Access to your personal data processed by us,
  • Rectification of inaccurate or completion of incomplete data,
  • Erasure ("right to be forgotten"), provided no retention obligations apply,
  • Restriction of processing in the cases provided by law,
  • Data portability in a structured, commonly used, and machine-readable format,
  • Objection to processing based on legitimate interest on grounds relating to your particular situation; objection to direct marketing at any time without giving reasons,
  • Withdrawal of given consent with effect for the future.

To exercise your rights, an informal message to the contact details provided above is sufficient. We may request proof of identity to prevent misuse. Statutory deadlines: generally a response within one month.

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement. The competent supervisory authority for us is, for example, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg).

15. Third-Party Information & Opt-Out Options

  • Firebase (Google): Information on data protection/processing can be found at firebase.google.com/support/privacy. In your device settings (iOS: "Privacy > Advertising"; Android: Google advertising settings), you can limit personalised advertising/Ad ID.
  • OneSignal (Push): Privacy information: onesignal.com/privacy. You can disable push notifications at any time in the system/app settings.
  • RevenueCat (Subscriptions): Privacy information: revenuecat.com/privacy. Subscription management/cancellation is done via Apple/Google account settings.
  • Apple/Google Stores: Please refer to the respective privacy policies of Apple (apple.com/de/legal/privacy) and Google (policies.google.com/privacy).

16. Automated Decision-Making / Profiling

No automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you. Any segmentation (e.g. for push notification target groups) is based on simple usage characteristics and serves exclusively to provide relevant app features/notifications.

17. Changes to this Privacy Policy

We may update this privacy policy if features/processes or legal requirements change. The current version is always available in the app. In the event of material changes, we will notify you within the app or by email.

18. Contact

For questions about data protection or to exercise your rights, please contact:
MixBuch UG (haftungsbeschränkt), Markgrafenstraße 41, 74564 Crailsheim, Managing Director: Kai Strecker — Email: info@mixbuch.de