Privacy Policy
How we handle your data — transparent, GDPR-compliant, and only as much as needed.
Last updated: May 2026
Note: Mealyo is a project of Enactus Mannheim e. V., registered in Germany. The association is the controller under the GDPR. The legally binding version of this policy is the German one, available at /datenschutz. For all data-related questions you can reach us directly at team@mealyo.de.
1. Controller
Enactus Mannheim e. V., P4 9, 68161 Mannheim, Germany. The current board members are listed at enactus-mannheim.com/impressum. Direct contact for the Mealyo team: team@mealyo.de.
2. What we process
This policy covers both the website (mealyo.de) and the mobile app.
- Account data — email address, display name, profile picture (when logging in with Google or Apple), birthday (optional), internal user ID.
- Preferences — diet, allergies, dislikes, and optionally height, weight, activity level and goals. Always optional, editable any time.
- Content — your inventory, shopping lists, weekly plans, cooking history, recipes. Stored under your user ID and only accessible to you and any household members you invite.
- Receipt scans & AI — receipt images are sent to our servers to be parsed by AI (see section on OpenAI below). We retain receipts only as long as needed for processing.
- Technical data — IP address, device and browser info, timestamps. Used only to operate secure services. IP addresses are not stored long-term.
- Waitlist — name and email saved in a Google Sheet, used only to notify you once at launch. You can opt out any time by replying to our confirmation email.
3. Processors and third-party services
We use the following providers under data processing agreements (Art. 28 GDPR) where applicable:
- Firebase (Google Ireland Limited) — Authentication, Cloud Firestore (EU, europe-west), Storage, Cloud Functions and App Check.
- RevenueCat (USA) — subscription management. Receives a pseudonymous user ID and subscription status. No payment data.
- PostHog — pseudonymous product analytics. No cross-app tracking, no advertising IDs. Can be disabled in app settings.
- OpenAI (USA) — receipt parsing, recipe generation, translations. We send only the data required for the feature, never your name, email or profile. Training is disabled for our requests.
- Tavily — used as a fallback to look up unknown receipt abbreviations. Only the abbreviation is sent.
- Google Mobile Ads (AdMob) — only in the free tier. Uses device/advertising IDs. iOS asks for your tracking consent (App Tracking Transparency). Mealyo Pro and Family disable ads entirely.
- Google Sign-In / Sign in with Apple — used only for login; we receive only the minimum required info.
- Google Fonts — Poppins is self-hosted via next/font. No live request to Google when the page loads.
Where data may be transferred outside the EU (e.g. to the USA), we rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
4. Cookies and local storage
On the website we only store technically necessary data in your browser's local storage (theme, preferred language). No tracking or marketing cookies. The mobile app stores login tokens and caches in the OS-protected app sandbox.
5. Push notifications
With your permission, Mealyo sends reminders for items expiring soon or planned meals. You can disable them any time in your device settings.
6. Retention
We retain personal data only as long as your account is active or legal retention obligations apply. You can delete your account any time from the in-app settings — this irreversibly removes your inventory, shopping lists, plans and recipes.
7. Your rights
Under the GDPR you have the rights of:
- access (Art. 15)
- rectification (Art. 16)
- erasure (Art. 17)
- restriction (Art. 18)
- data portability (Art. 20)
- objection (Art. 21)
- lodging a complaint with a supervisory authority (Art. 77) — for us this is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
To exercise any of these rights, just email us at team@mealyo.de.
8. Security
All connections between the app, website and our servers are TLS-encrypted. Data within Firebase is additionally encrypted at rest. Access to personal data is limited to the small number of Mealyo team members who need it to do their job.
9. Changes
We update this policy when our services, processors or applicable laws change. The latest version is always available on this page; the date above shows the last update.
This English text is provided for convenience. The legally binding version is the German one at /datenschutz.

