🔒 Privacy Policy

Protecting your personal data is important to us. This privacy policy informs you about the type, scope, and purpose of the processing of personal data when using the TookAndCook app and website.

Last updated: April 2026

1. Data Controller

4WIN Creators GmbH
Telemannstraße 7a
85057 Ingolstadt, Germany

Represented by:
Managing Director: Thomas Winkelmeyr

Email: privacy@tookandcook.app

There is no legal obligation to appoint a Data Protection Officer.

2. What Data Do We Collect?

2.1 Usage Without Account (FREE)

When using without registration, your data is stored exclusively locally on your device:

Recipes, ingredients, steps, tags
Meal plans and shopping lists
App settings

This content is processed exclusively locally, unless cloud or AI features are used.

2.2 Using AI Features

When you use AI features (recipe extraction, recipe generation, image generation), the content you upload (images, texts, URLs) is transmitted to Google Cloud for processing.

Important: Processing takes place within a data processing agreement. According to Google, the content is not permanently stored and is not used for training purposes.

2.3 Usage With Account (PREMIUM/FAMILY)

When registering and using a subscription, the following additional data is collected:

Account data: Email address, name (with Google/Apple login)
Cloud data: Your recipes, plans, and lists are stored in the cloud
Subscription status: Information about your subscription

2.4 Error Analysis (Crashlytics)

To improve app stability, anonymized crash reports are transmitted to Google Firebase Crashlytics. These contain technical information about the error but no personal content.

3. Legal Basis

Contract fulfillment (Art. 6(1)(b) GDPR) – for app usage, AI features, cloud services, and subscription management
Legal obligation (Art. 6(1)(c) GDPR) – for tax and commercial retention requirements
Legitimate interests (Art. 6(1)(f) GDPR) – for error analysis and app improvement

4. Third-Party Services

4.1 Google Cloud (Firebase)

For registered users (PREMIUM/FAMILY) as well as for server-side app functions and web usage, we use Google Firebase for:

User authentication (Firebase Authentication)
Cloud storage of data (Cloud Firestore)
Cloud storage of images (Cloud Storage)
Server-side processing (Cloud Functions, e.g., recipe import from websites, family features, recipe sharing, subscription synchronization)
Configuration delivery (Firebase Remote Config, e.g., for version and feature flags)
Device integrity verification (Firebase App Check; on the web, Google reCAPTCHA Enterprise / Cloud Fraud Defense is used to prevent automated access)
Error analysis (Firebase Crashlytics)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Legal basis for App Check / reCAPTCHA: Legitimate interest in abuse and bot protection (Art. 6(1)(f) GDPR).

Privacy: Firebase Privacy Policy

4.2 Google Cloud AI Services (Vertex AI)

For AI features, we use Google Vertex AI. Your data is only used to process your request.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Data types: Uploaded images, texts, URLs

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR)

4.3 Subscription Management (RevenueCat)

For subscription management, we use RevenueCat.

Provider: RevenueCat Inc., 633 Tarava St Ste 101, San Francisco, CA 94116, USA

Data types: Anonymous user ID, purchase transactions, subscription status

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR)

Privacy: RevenueCat Privacy Policy

4.4 App Stores

Download and purchase are made through the respective app stores:

Apple App Store: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA – Privacy Policy
Google Play Store: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland – Privacy Policy

4.5 Server Logs

To ensure operation and troubleshooting, our servers log the following when using app functions:

Pseudonymous user identifier (User-ID)
Timestamp of the request
Type of request (e.g., recipe generation, image processing)
Technical error messages

No content: Your recipes, texts, or images are not stored in server logs.

Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR) in ensuring operation and troubleshooting.

Retention period: 30 days, then automatically deleted.

4.6 No Tracking Tools

TookAndCook does not use analytics or tracking tools like Google Analytics. We do not collect data about your usage behavior for advertising purposes.

5. Data Transfer to Third Countries

When using cloud features (PREMIUM/FAMILY), AI services, or subscription management, data is transmitted to servers that may be located in the USA.

The respective providers are certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.

Note: Despite certification, it cannot be excluded that US authorities may access data under surveillance laws.

6. Storage Duration

Local data: Until you delete it or uninstall the app
Cloud data: Until account deletion
Deleted cloud data: Permanently removed after 90 days
Invoice data: 10 years (legal retention requirement)

7. Your Rights

You have the following rights regarding your personal data:

Access (Art. 15 GDPR) – What data we store about you
Rectification (Art. 16 GDPR) – Correction of inaccurate data
Erasure (Art. 17 GDPR) – Deletion of your data
Restriction (Art. 18 GDPR) – Restriction of processing
Data portability (Art. 20 GDPR) – Export of your data
Objection (Art. 21 GDPR) – Objection to certain processing

Right to Withdraw Consent

You have the right to withdraw consent at any time with effect for the future. The lawfulness of processing carried out before the withdrawal remains unaffected.

Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

Account Deletion

You can delete your account and all cloud data directly in the app: Settings → Account → "Delete Account"

8. Data Security

We implement technical and organizational measures:

Encrypted transmission (TLS/HTTPS)
Encrypted cloud storage
Access controls and authentication
Regular security updates

9. Cookies

We only use technically necessary cookies for login to the web app. No tracking cookies or advertising cookies are used.

10. Minors

The app is intended for users aged 16 and older. Use by persons under 16 is not intended and requires the consent of a parent or guardian.

11. Changes

We reserve the right to update this privacy policy to adapt it to changed legal situations or changes to the app. The current version is always available at this URL.

12. Contact & Right to Complain

Privacy inquiries:
Email: privacy@tookandcook.app
Response time: Within 30 days

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

← Back to homepage