Privacy Policy

1. Data Controller

PrevAI UG (limited liability)
Prof. Dr. Johannes Haubold
Vossbergring 17A, 45259 Essen, Germany
Email: info@prevai.net

2. Overview of Processing

This privacy policy informs you about the processing of personal data when using the "The Flavour Circle" app.

3. Data Collected

• Email address (registration and login)
• Profile name and optional profile photo
• Recipe data (texts, photos, ratings)
• Family membership and invitation data
• AI quota usage
• In-app purchase transaction data (StoreKit 2)
• Location data (only when actively using the Discover feature)
• Device information for technical troubleshooting

4. Legal Basis (Art. 6 GDPR)

• Contract performance (Art. 6(1)(b)): Provision of app features, account management
• Legitimate interest (Art. 6(1)(f)): Bug fixing, security, abuse prevention
• Consent (Art. 6(1)(a)): Use of AI features for recipe processing

5. AI Processing

When you use AI features (e.g. recipe recognition from photos, voice recordings, recipe generation, nutrition prediction, or image generation), the relevant data is transmitted to OpenAI via our servers (Supabase Edge Functions). Processing is exclusively server-side — your data is not sent directly from the device to OpenAI. OpenAI processes data according to their privacy policy (https://openai.com/policies/privacy-policy). When using the API, OpenAI states that submitted data is not used for training their models.

6. Hosting and Infrastructure

The app uses Supabase as a backend service for authentication, database, file storage, and serverless functions. Supabase operates the infrastructure based on Amazon Web Services (AWS). Data processing takes place on servers in the EU.

Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Privacy Policy: https://supabase.com/privacy

7. In-App Purchases

Payments are processed via Apple StoreKit 2. We receive a transaction confirmation from Apple for server-side validation. Payment data (credit card etc.) is processed exclusively by Apple and is not accessible to us.

8. Data Sharing with Third Parties

Personal data is only shared with the following third parties:
• Supabase (hosting, data storage)
• OpenAI (AI features, only when actively used)
• Apple (in-app purchases)

No further sharing takes place unless we are legally obligated to do so.

9. Storage Duration

Your data is stored as long as your account is active. After deletion of your account, personal data will be deleted within 30 days, unless legal retention obligations apply.

10. Your Rights (Art. 15-21 GDPR)

You have the right at any time to:
• Access your stored data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Delete your data (Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Withdraw consent (Art. 7(3))

To exercise your rights, contact us at: info@prevai.net

You also have the right to lodge a complaint with a data protection authority (Art. 77 GDPR).

11. Data Security

We implement technical and organizational measures to protect your data. Communication between the app and server is exclusively encrypted (TLS). Database access is secured through Row Level Security (RLS) at the database level.

12. Changes to this Privacy Policy

We reserve the right to modify this privacy policy to adapt it to changed legal situations or changes to the app. The current version is always available in the app.