Privacy Policy | smartshopr - Shopping List App

1. Data Controller

UG108
Meissner Strasse 108
01445 Radebeul
Germany

2. Overview of Data Processing

smartshopr is a shopping list app with AI-powered receipt analysis. To provide these services, we process certain personal data.

                In brief: We only store data necessary for app functionality. Receipt images are only transmitted to OpenAI for analysis and are not permanently stored.
            

3. What Data We Collect

3.1 Account Data

During registration, we collect:

Email address
Encrypted password
Registration timestamp

Legal basis: Art. 6(1)(b) GDPR (contract performance)

3.2 Shopping Lists and Items

To provide core functionality, we store:

Names of your shopping lists
Products and quantities entered
Category assignments
Completion status of items

Legal basis: Art. 6(1)(b) GDPR (contract performance)

3.3 Supermarket Data

When you save supermarkets:

Supermarket name
Address (optional)
Individual category order

Legal basis: Art. 6(1)(b) GDPR (contract performance)

3.4 Expenses and Receipts

For expense tracking, we store:

Supermarket name
Purchase amount
Purchase date

Important: Receipt images are not permanently stored. They are only temporarily transmitted for AI analysis.

Legal basis: Art. 6(1)(a) GDPR (consent)

4. Third-Party Service Providers

4.1 Supabase (Authentication & Database)

We use Supabase as our backend infrastructure for user authentication and data storage.

Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Server location: Frankfurt, Germany (eu-central-1)
Data processed: Account data, shopping lists, supermarkets, expenses
Privacy policy: supabase.com/privacy

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable infrastructure)

4.2 OpenAI (AI Receipt Analysis)

For automatic receipt recognition, we use the OpenAI Vision API.

Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA
Data processed: Receipt images (temporary)
Purpose: Automatic extraction of supermarket name, amount, and date
Storage at OpenAI: Images are not used for training and are deleted after processing
Privacy policy: openai.com/privacy

                Note on data transfer to the USA: OpenAI is based in the USA. Transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
            

Legal basis: Art. 6(1)(a) GDPR (consent when using the receipt scanner)

4.3 Mailgun (Email Delivery)

For sending emails (registration confirmation, password reset, notifications for shared lists), we use Mailgun.

Provider: Mailgun Technologies, Inc., 112 E Pecan St. #1135, San Antonio, TX 78205, USA
Server location: EU (for EU customers)
Data processed: Email address, email content
Privacy policy: mailgun.com/legal/privacy-policy

Legal basis: Art. 6(1)(b) GDPR (contract performance)

4.4 OneSignal (Push Notifications)

For push notifications (e.g., changes to shared lists, budget expenses), we use OneSignal.

Provider: OneSignal, Inc., 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA
Data processed: Device token, user ID, notification content
Purpose: Delivery of push notifications to your device
Privacy policy: onesignal.com/privacy_policy

                Note: Push notifications are optional. You can disable them at any time in your device settings or in the app.
            

Legal basis: Art. 6(1)(a) GDPR (consent by enabling push notifications)

5. Shared Lists

When you share a shopping list with other users, the following data becomes visible to invited persons:

List name
All items on the list
Your email address (as list owner)

Legal basis: Art. 6(1)(a) GDPR (consent through active sharing)

6. Data Retention

Account data: Until account deletion
Shopping lists: Until manual deletion by you
Expenses: Until manual deletion by you
Receipt images: Not stored, only temporarily transmitted for analysis

7. Your Rights

Under the GDPR, you have the following rights:

Access (Art. 15): You can request information about your stored data
Rectification (Art. 16): You can have incorrect data corrected
Erasure (Art. 17): You can request deletion of your data
Restriction (Art. 18): You can request restriction of processing
Data portability (Art. 20): You can receive your data in a common format
Objection (Art. 21): You can object to processing
Withdrawal (Art. 7): You can withdraw consent at any time

To exercise your rights, contact us at: privacy@ug108.de

8. Data Deletion

You can delete your account and all associated data at any time in the app settings. Upon account deletion, the following will be permanently deleted:

Your user account
All your shopping lists and items
All saved supermarkets and layouts
All expense entries

9. Cookies and Tracking

The smartshopr app uses no cookies and no tracking. We do not analyze how you use the app and do not sell data to third parties.

10. Data Security

We employ technical and organizational measures to protect your data:

Encrypted transmission (TLS/HTTPS)
Encrypted password storage
Row Level Security (RLS) in the database
Server location in the EU (Frankfurt)

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Saxon Data Protection Commissioner
Devrientstrasse 5
01067 Dresden, Germany
www.saechsdsb.de

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or service modifications. The current version can always be found on this page.