1. Identity and Contact Details of the Controller
The data controller responsible for the processing of your personal data is:
| Controller | ChefBear |
|---|---|
| Contact Email | chefbearsupport@icloud.com |
| Data Protection Officer (DPO) | chefbearsupport@icloud.com |
You may contact the DPO at any time regarding any questions or concerns about the processing of your personal data or the exercise of your rights under the GDPR.
2. Categories of Personal Data We Collect
We collect and process the following categories of personal data when you use ChefBear:
| Category | Specific Data | Source |
|---|---|---|
| Account & Identity Data | Email address, display name, authentication provider identifiers (Google, Apple, or anonymous ID), user ID | Directly from you at registration / sign-in |
| Menu & Scan Data | Photographs of menus, OCR-extracted text, dish names, restaurant names | Directly from you when using the scan feature |
| Preference & Profile Data | Dietary preferences, allergies, cuisine preferences, language settings, dark mode preference | Directly from you via app settings |
| AI Interaction Data | Queries submitted to AI services, AI-generated recommendations, AI-generated dish images | Generated through your use of AI features |
| Purchase & Subscription Data | Subscription status, purchase receipts, entitlement records, transaction identifiers | From Apple App Store via RevenueCat |
| Device & Technical Data | Device model, OS version, app version, IP address, crash logs, performance metrics, anonymous analytics identifiers | Automatically collected during app usage |
| Usage Data | Feature usage patterns, session duration, screens visited, interaction events | Automatically collected during app usage |
3. Purposes of Processing and Legal Basis (Art. 6 GDPR)
We process your personal data only where we have a valid legal basis under the GDPR. The table below sets out each processing activity, its purpose, and the applicable legal basis:
| Processing Activity | Purpose | Legal Basis |
|---|---|---|
| Account Management | Creating and maintaining your user account, authenticating your identity, managing your profile and preferences | Performance of contract — Art. 6(1)(b) GDPR. Processing is necessary for providing the ChefBear service you requested. |
| Menu Scanning & Dish Recognition | Processing menu photographs via OCR and AI to extract dish names, descriptions, and translations | Performance of contract — Art. 6(1)(b) GDPR. This is the core service you use ChefBear for. |
| AI-Powered Recommendations | Generating personalised dish recommendations based on your dietary preferences, allergies, and cuisine interests | Performance of contract — Art. 6(1)(b) GDPR, as personalised recommendations are a core feature of the service. Legitimate interest — Art. 6(1)(f) GDPR, to improve recommendation quality and relevance. Our legitimate interest is providing a better user experience; we have assessed that this does not override your rights and freedoms given the non-sensitive nature of dietary preference data and the direct benefit to you. |
| AI Image Generation | Creating AI-generated visual representations of dishes when no photograph is available on the menu | Performance of contract — Art. 6(1)(b) GDPR. AI image generation is a feature you actively invoke within the service. |
| Crash Analytics & Performance Monitoring | Collecting crash reports, performance metrics, and error logs to maintain service stability, diagnose issues, and improve app reliability | Legitimate interest — Art. 6(1)(f) GDPR. Our legitimate interest is ensuring the stability and security of our application. We have conducted a balancing test and concluded that this processing is proportionate, as only technical data is collected and it directly benefits you through a more reliable service. |
| In-App Purchases & Subscriptions | Processing subscription purchases, managing entitlements, verifying receipts, handling billing inquiries, and maintaining financial records | Performance of contract — Art. 6(1)(b) GDPR, to fulfil the subscription agreement. Legal obligation — Art. 6(1)(c) GDPR, to comply with tax, accounting, and consumer protection laws applicable in EU member states. |
Right to Object: Where we rely on legitimate interest (Art. 6(1)(f)), you have the right to object to such processing at any time. Upon receiving your objection, we will cease the processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. Contact chefbearsupport@icloud.com to exercise this right.
4. Recipients and Third-Party Processors
We share personal data with the following categories of recipients, each acting as a data processor on our behalf (unless otherwise noted). Appropriate data processing agreements (Art. 28 GDPR) are in place with each processor:
| Recipient | Purpose | Data Types Shared | Transfer Safeguards |
|---|---|---|---|
| Google Firebase (Google LLC) | Authentication, cloud database (Firestore), crash reporting (Crashlytics), analytics | Account data, authentication tokens, device info, crash logs, anonymised usage events | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); Google Cloud data processing terms |
| RevenueCat (RevenueCat, Inc.) | Subscription management, receipt validation, entitlement tracking | User ID, purchase receipts, subscription status, transaction IDs | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); RevenueCat DPA |
| AI Service Providers (OpenAI, Inc. and/or other AI providers) | Menu text analysis, dish recognition, AI recommendations, AI image generation | Menu text/photographs, dish queries, dietary preferences, prompt content. No account credentials, real names, or device identifiers are transmitted. | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); API data not used for model training (per provider policies) |
| Apple Inc. | App distribution, in-app purchase processing, Apple Sign-In | Purchase data, Apple ID tokens (when using Apple Sign-In) | EU-US Data Privacy Framework (DPF); Apple acts as independent controller for App Store purchases |
We do not sell your personal data to any third party. We do not share your data with data brokers or advertising networks.
5. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. For each such transfer, we ensure an adequate level of data protection through one or more of the following safeguards as required by Chapter V of the GDPR:
- EU-US Data Privacy Framework (DPF): Where the recipient is certified under the EU-US Data Privacy Framework, as recognised by the European Commission's adequacy decision of 10 July 2023.
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a transfer mechanism, supplemented with additional technical and organisational measures where necessary following a Transfer Impact Assessment.
- Supplementary Measures: Where appropriate, we implement additional safeguards such as encryption in transit and at rest, pseudonymisation, and access controls.
You have the right to obtain a copy of the safeguards relating to international transfers by contacting us at chefbearsupport@icloud.com.
6. Data Retention Periods
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. The following table sets out our retention periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account & Identity Data | Duration of account existence + 30 days after deletion request | Necessary to provide the service; grace period for accidental deletion recovery |
| Menu & Scan Data | Cached locally on device; server-side processed data deleted within 90 days of last access | Performance optimisation; no longer necessary after inactivity period |
| Preference & Profile Data | Duration of account existence; deleted upon account deletion | Necessary for personalisation while account is active |
| AI Interaction Data | Not persistently stored; processed transiently and discarded after response delivery. Locally cached results: until app cache is cleared. | Minimisation principle; data is not needed beyond the immediate request |
| Purchase & Subscription Data | Duration of subscription + 7 years | Legal obligation under EU tax and accounting regulations |
| Crash Logs & Analytics | 90 days (crash logs); 14 months (aggregated analytics) | Debugging and trend analysis; aggregated data is not personal data |
| Device & Technical Data | 90 days | Security monitoring and incident response |
When retention periods expire, data is securely deleted or irreversibly anonymised.
7. Your Rights Under the GDPR
As a data subject in the European Union, you have the following rights. You may exercise any of these rights free of charge by contacting chefbearsupport@icloud.com. We will respond within 30 days (extendable by up to 60 additional days for complex requests, with notification).
7.1 Right of Access (Art. 15)
You have the right to obtain confirmation as to whether we process your personal data and, where that is the case, to access that data together with the following information: the purposes of processing, the categories of data, the recipients, the retention periods, the existence of your other rights, the source of the data (if not collected from you), and the existence of automated decision-making. You may request a copy of your personal data free of charge (reasonable fees may apply for further copies).
7.2 Right to Rectification (Art. 16)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7.3 Right to Erasure ("Right to Be Forgotten") (Art. 17)
You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies:
- The data is no longer necessary for the purposes for which it was collected;
- You withdraw consent (where processing was based on consent);
- You object to the processing and there are no overriding legitimate grounds;
- The data has been unlawfully processed;
- Erasure is required for compliance with a legal obligation under EU or member state law.
This right does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for other grounds specified in Art. 17(3).
7.4 Right to Restriction of Processing (Art. 18)
You have the right to obtain restriction of processing where:
- The accuracy of the data is contested (for a period enabling us to verify accuracy);
- The processing is unlawful and you oppose erasure, requesting restriction instead;
- We no longer need the data but you need it for legal claims;
- You have objected to processing under Art. 21(1) pending verification of our legitimate grounds.
7.5 Right to Data Portability (Art. 20)
You have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance, where the processing is based on consent or contract and is carried out by automated means.
7.6 Right to Object (Art. 21)
You have the right to object at any time to the processing of your personal data based on our legitimate interests (Art. 6(1)(f)). We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or processing is necessary for the establishment, exercise, or defence of legal claims.
7.7 Rights Related to Automated Decision-Making and Profiling (Art. 22)
See Section 8 below for full details on automated decision-making and your associated rights.
7.8 Right to Withdraw Consent (Art. 7(3))
Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent by contacting us at chefbearsupport@icloud.com or by adjusting your settings within the app.
7.9 Right to Lodge a Complaint (Art. 77)
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at the European Data Protection Board website.
How to Exercise Your Rights: Send your request to chefbearsupport@icloud.com. We may need to verify your identity before processing your request. We will not charge a fee unless requests are manifestly unfounded or excessive. If we refuse a request, we will inform you of the reasons and your right to lodge a complaint with a supervisory authority.
8. Automated Decision-Making and Profiling (Art. 22)
ChefBear uses artificial intelligence to provide the following automated features:
- AI Dish Recommendations: Based on your stated dietary preferences, allergies, and cuisine interests, our AI algorithms analyse menu items and generate personalised dish recommendations. This constitutes profiling as defined in Art. 4(4) GDPR.
- AI Dish Recognition: Our AI models analyse photographs of menus to identify and classify dishes.
- AI Image Generation: When dish photographs are unavailable, AI generates representative images of dishes.
8.1 Nature and Significance
The AI-powered recommendations are designed to assist and enhance your dining experience. They do not produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22(1). The recommendations are suggestions only — you always retain full autonomy over your dining choices.
8.2 Logic Involved
The recommendation system analyses your stated preferences (dietary restrictions, allergies, favourite cuisines) against menu item attributes (ingredients, preparation style, cuisine type) to rank dishes by predicted relevance. No special categories of personal data (Art. 9) are used for profiling purposes.
8.3 Your Rights Regarding Automated Processing
Even though our automated processing does not fall within the scope of Art. 22(1), we voluntarily offer you the following rights as a matter of best practice:
- Right to human intervention: You may request that a human reviews any AI-generated recommendation or decision by contacting chefbearsupport@icloud.com.
- Right to express your point of view: You can provide feedback on recommendations directly within the app or by emailing us.
- Right to contest the outcome: If you believe an AI recommendation is incorrect or inappropriate, you may contact us to request a review.
- Right to opt out: You may disable personalised recommendations in your app settings and use ChefBear in a non-personalised mode.
9. Cookies, Tracking, and Similar Technologies
ChefBear is a native mobile application and does not use browser cookies. However, the following tracking-related technologies may be in use:
| Technology | Purpose | Legal Basis |
|---|---|---|
| Firebase Analytics (anonymous identifiers) | Aggregated usage statistics to improve the app | Legitimate interest (Art. 6(1)(f)) |
| Firebase Crashlytics (device identifiers) | Crash detection and debugging | Legitimate interest (Art. 6(1)(f)) |
| Local storage / device cache | Caching scan results, preferences, and AI responses for performance | Strictly necessary for service delivery |
We do not use advertising trackers, cross-app tracking, or fingerprinting technologies. We do not participate in any advertising ID programmes.
For our website (seeplate.app), we may use essential cookies only. If we introduce non-essential cookies in the future, we will implement a compliant cookie consent mechanism in accordance with the ePrivacy Directive (2002/58/EC) and applicable member state law.
10. Children's Privacy
ChefBear is not directed at children. We do not knowingly collect personal data from children under the age of 16 years (or such lower age as provided by the applicable EU member state under Art. 8 GDPR, but in no case below 13 years).
If we become aware that we have collected personal data from a child below the applicable age without valid parental consent, we will take immediate steps to delete that data. If you believe that a child has provided us with personal data, please contact us at chefbearsupport@icloud.com.
11. Data Protection by Design and by Default (Art. 25)
In accordance with Art. 25 GDPR, ChefBear implements the following principles:
- Data minimisation: We collect only the data strictly necessary for each processing purpose. AI queries are processed transiently and are not stored beyond the immediate request-response cycle.
- Pseudonymisation: Where possible, data is pseudonymised. AI providers receive only the minimum data required (menu text, dish queries) and never receive your account credentials or identity.
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest. Firebase and our infrastructure employ industry-standard encryption.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Privacy by default: The most privacy-protective settings are applied by default. Features that involve additional data processing (e.g., personalised recommendations) can be disabled by the user.
- Regular review: We periodically review and update our technical and organisational measures to ensure ongoing compliance.
12. Personal Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR);
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR), describing the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes through:
- An in-app notification;
- An updated version posted at this URL with a revised effective date;
- Email notification (where you have provided an email address and the change is significant).
We encourage you to review this Privacy Policy periodically. Continued use of ChefBear after changes become effective constitutes your awareness of the updated Privacy Policy. Where required by law, we will seek your renewed consent before applying material changes to data processing.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
| General Privacy Inquiries | chefbearsupport@icloud.com |
|---|---|
| Data Protection Officer | chefbearsupport@icloud.com |
| Data Subject Rights Requests | chefbearsupport@icloud.com |
Effective Date: This Privacy Policy is effective as of 7 April 2026.