Privacy Policy
Last updated: May 2026
1. Data Controller
Responsible for data processing in the mangia app:
Dominik Stolz, Basel, Switzerland
Email: info@mangia-app.com
2. What data we process
Account and sign-up
When you create an account, we process your email address and your password (stored encrypted). This data is managed by Supabase and is required to operate your account.
Usage data
Your recipes, meal plans and shopping lists are stored on our servers so you can access them across devices. Data for your family (workspace) includes the workspace name, member IDs and an invitation code.
Child profiles (optional, Family module)
When you create a child profile in the Family module, you store the following information about your child:
- First name or nickname
- Birth month and year (for age-appropriate portion sizes, no exact date)
- Allergies and intolerances
- Taste feedback from the meal plan (likes / dislikes)
This information is used exclusively to personalise the meal plan and is only visible to members of your family.
AI processing
For AI features (recipe import from PDF or website, meal plan generation, recipe search), recipe texts, images and meal plan context are sent to Google Gemini. Requests and responses are stored in our database for up to 90 days for quality assurance, then automatically deleted.
Push notifications
When you enable push notifications, we store a device token (FCM token) of your mobile device as well as your time zone and language setting, so that notifications can be sent at the right time and in your language. You can disable push notifications at any time in app settings or in your device's system settings.
Analytics
We use PostHog (servers in the EU) to analyse app usage. PostHog is activated only with your consent. Session recordings are disabled; your IP address is not stored.
What is collected (only if you have given consent):
- Page views
- App events: sign-up, recipe created/imported (URL/photo/PDF), AI recipe generated, meal plan used, shopping list created
- No content of your recipes, lists or child profile data
Revoke or grant consent:
You can change your consent at any time in app settings under Account → Privacy.
Payment data
If you subscribe to a plan, Google Play processes your payment data. We only receive information about your plan status and an anonymous user ID from RevenueCat. No credit card or bank account data is stored by mangia.
Image search
When you tap "Search image" while editing a recipe, the recipe title is sent to Brave Search as the search term to find a suitable image. No personal search terms of yours are collected; the request only contains the recipe title. Search queries are not stored permanently.
3. Legal basis
We process your data on the following legal grounds:
- Performance of contract (Art. 6(1)(b) GDPR / Art. 31(2)(a) FADP): account management, recipes, meal plan, shopping lists, push notifications, AI processing
- Consent (Art. 6(1)(a) GDPR): analytics via PostHog
- Legitimate interest (Art. 6(1)(f) GDPR): security logging
4. Third-party providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | USA (EU region) |
| Google Gemini | AI-assisted recipe and planning features | USA |
| Google Firebase (FCM) | Push notifications | USA |
| RevenueCat | Subscription management | USA |
| Brave Search | Image search when editing recipes | USA |
| PostHog | App analytics (only with consent) | EU |
| Vercel | Hosting and infrastructure | USA |
All US providers are either certified under the EU-US Data Privacy Framework (DPF) or covered by Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.
5. Retention periods
- Account data: until you delete your account
- AI call logs (`ai_calls`): 90 days, then automatic deletion
- Subscription billing log: 10 years (statutory retention obligation)
- Push tokens: until logout or account deletion
6. Your rights
You have the following rights regarding your personal data:
- Access: you can find out at any time which data we have stored about you.
- Rectification: you can have incorrect data corrected.
- Erasure: you can request deletion of your data.
- Restriction: you can have processing restricted under certain circumstances.
- Data portability: you can request your data in a common format.
- Objection: you can object to processing based on legitimate interest.
You can delete your account and all associated data yourself under Settings → Delete account. For questions regarding your data protection rights, contact us at info@mangia-app.com.
You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland (www.edoeb.admin.ch) or with the competent data protection authority in your EU member state.
7. Children and minors
mangia is intended for users aged 18 and over. The Family module allows legal guardians to create and manage profiles for their children. Children do not use the app independently — all data is managed via the parent account.
Child profiles contain: first name or nickname, birth month and year (no exact date), allergies, preferences and taste feedback. This information serves exclusively to personalise recipe suggestions.
8. Data security
All data transmissions are encrypted via TLS. Data in the database is stored encrypted (Supabase Encryption at Rest). Database access is strictly limited to your workspace via Row-Level Security (RLS).
9. Changes to this policy
If we make material changes to this privacy policy, we will inform you via push notification or email. The current version is always available at mangia-app.com/datenschutz.
10. Contact
For questions regarding privacy, you can reach us at info@mangia-app.com.