Privacy Policy

Last updated: May 13, 2026

1. Introduction

Lauer j.d.o.o. ("we," "us") values your privacy. This Privacy Policy explains how we handle your data in the RealFoods app. We are the Data Controller for users in the EU/EEA/UK.


2. Data We Collect

We abide by the principle of data minimization; we only collect what is necessary.

2.1 Data You Provide

  • Age Confirmation: When creating an account, you self-affirm that you are 16 years or older. We do not collect or store your date of birth.
  • Health & Nutrition Data (Dietary Inputs): Photos of food, barcode scans, and chat messages you submit for AI analysis.
  • Account Data: Email address (only if you create an account).

2.2 Data Collected Automatically

  • Usage Data: Device type, OS version, and app crash logs.
  • App Usage Data: Onboarding steps completed, screens visited, and in-app feature interactions (e.g., photo analysis attempts, paywall views), stored in our secure database.
  • Purchase Data: Transaction receipts and subscription status, collected via Apple for payment verification and fraud prevention.
  • Fraud Prevention: We use anonymized identifiers (Identifier for Vendor - IDFV and Keychain tokens) to prevent subscription abuse and verify entitlement. This is not used for advertising.

2.3 Anonymous Use and Account Linking

You can browse and try certain features (such as one free food analysis) without creating an account. During this period, your usage data is associated with a temporary anonymous identifier. If you subsequently create an account, this usage data may be associated with your account to give you a continuous experience.


3. Legal Bases for Processing (GDPR)

If you are in the EU/EEA, we process data based on:

  • Consent (Article 6 & 9): For AI processing, we process your photos and nutrition queries (Health Data) based on your explicit consent, provided through your affirmative action of submitting these inputs. You may withdraw this consent at any time by ceasing to use these features or by requesting data deletion. For Mixpanel Analytics and Session Replay, processing is based on your consent, which you can opt in to or out of at any time via App Settings.
  • Contract: To deliver the App features (such as Supabase cloud sync and authentication) and manage your subscription.
  • Legal Obligation (Article 6(1)(c)): To comply with financial, tax, and consumer protection laws (e.g., managing refunds and chargebacks).
  • Legitimate Interest (Article 6(1)(f)): To prevent fraud, ensure App security, comply with Apple Store policies, and to analyze and improve the onboarding experience and overall App usability. This includes retaining pseudonymous identifiers (one-way SHA-256 hashes) to prevent account sharing and trial abuse. We also process anonymous crash diagnostics via Firebase Crashlytics on this basis to maintain App stability.

4. How We Use Artificial Intelligence

We use third-party LLMs (Large Language Models) to analyze your inputs.

  • AI Providers (e.g., Google Gemini, OpenAI, Fal.ai, Fireworks.ai, and other similar services): When you scan food or chat, your text/image is sent to these providers.
  • Privacy Controls: We send only the necessary data (the image/prompt). We do not send your email or user ID to these AI providers.

5. Sharing and Disclosure

We DO NOT sell your personal data. We share data only with "Sub-Processors" who process data on our behalf for specific functionalities:

  • AI Providers (e.g., Google Gemini, OpenAI, Fal.ai, Fireworks.ai, and other similar services): AI Food Recognition and Metabolic AI Coach features (optional; account IDs are stripped before analysis).
  • Mixpanel: Analytics and Session Replay (only if you opt in).
  • Supabase: Backend infrastructure, cloud sync, and authentication.
  • Apple: Payment processing, subscription verification, and CloudKit for Private iCloud sync (optional).
  • Firebase Crashlytics (Google Ireland Limited): App crash diagnostics and stability monitoring. Only anonymous crash data (stack traces, device model, OS version) is collected. No personal identifiers are sent. Processed under Legitimate Interest; data is retained for 90 days.

Two analytics layers: In addition to consent-based third-party analytics (Mixpanel), we collect first-party usage data directly in our own secure database for product improvement purposes under our legitimate interests basis. This data is not shared with third parties.


6. International Data Transfers (Chapter V)

Your data may be processed by companies located in the United States (e.g., Supabase, Mixpanel, OpenAI, Google, Fal.ai, Fireworks.ai, and potential other AI providers). We ensure appropriate legal safeguards are in place. These transfers are legally protected by the execution of Standard Contractual Clauses (SCCs) or the processors' active adherence to the EU-US Data Privacy Framework (DPF).


7. Your Privacy Rights

7.1 Global/GDPR Rights

You have the right to access, correct, delete, restrict processing, object to processing, or export (port) your personal data. Your right to deletion (Right to Erasure) is subject to exceptions under Article 17(3), such as processing necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims (e.g., fraud prevention). You can delete your account directly inside the App settings. You also have the right to lodge a complaint with a supervisory authority; for users in Croatia, this is AZOP (Agencija za zaštitu osobnih podataka).

7.2 California Addendum (CCPA)

  • Right to Know: You may request details on the specific data we collect.
  • Right to Delete: You may request deletion of your data.
  • Do Not Sell/Share: We do not sell or share personal information for cross-context behavioral advertising.

To exercise these rights, email: info@realfoods.app.


8. Children's Privacy

Strict 16+ Policy: RealFoods is not intended for children under 16. We do not knowingly collect data from children under 16. If we discover a user is under 16, we will immediately delete their data and block access.


9. Data Retention

  • Images/Chats: Processed momentarily for the AI response. We do not retain raw user images on our servers long-term unless necessary for debugging or unless you save them to your "Food Log."
  • Account Info: Account data is permanently purged within 30 days of receiving an erasure request.
  • Crash Diagnostics: Anonymous crash data processed by Firebase Crashlytics is retained for 90 days, after which it is automatically deleted by Google Ireland Limited.
  • Fraud Prevention: For fraud prevention and Apple App Store compliance, we retain anonymized and pseudonymous identifiers (one-way hashes of device fingerprints and transaction receipts) after account deletion. This is processed under Legitimate Interest to prevent subscription abuse and cannot be used by us to identify you personally.

10. Security

We use industry-standard encryption (TLS/SSL) for data in transit and secure database practices. However, no mobile application is 100% secure.


11. Contact Us

Lauer j.d.o.o.
Zagreb, Croatia
Email: info@realfoods.app