Privacy Policy for the Happi Happi App
This English text is a non-binding convenience translation. The legally binding version is the German original; in the event of any discrepancy, the German version prevails.
1. Data Controller
Responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Anja Müllner
Zuspitzstraße 12b
83026 Rosenheim
Germany
E-Mail: [email protected]
Telephone: +49 15510 664053
The complete provider information can also be found in the Legal Notice.
2. General Data Processing
2.1 Scope of Processing
We process personal data of our users in principle only to the extent that this is necessary to provide a functioning app as well as our content and services. Processing generally occurs only on the basis of the user’s consent or where another legal basis permits the processing.
2.2 Legal Basis for Processing
- Art. 6(1)(a) GDPR — where consent is obtained (e.g. optional profile information, push notifications).
- Art. 6(1)(b) GDPR — where processing is necessary to perform the terms of use (see Terms of Use), including the handling of paid services.
- Art. 6(1)(c) GDPR — where processing is necessary to comply with a legal obligation (e.g. tax retention requirements for receipts of in-app purchases).
- Art. 6(1)(f) GDPR — where processing is justified by legitimate interests (e.g. security logs, protection against abuse, error analysis).
- Art. 9(2)(a) GDPR — for the processing of special categories of personal data (see Section 3.2).
2.3 Data Deletion and Retention Period
Personal data is deleted or blocked as soon as the purpose of storage ceases to apply. Storage beyond that occurs if and only if it is provided for by European or national legislation in regulations, laws or other provisions (in particular tax retention periods for purchase receipts: generally 10 years). Blocking or deletion also occurs when a prescribed retention period expires, unless further storage is necessary for performance of the contract.
2.4 Minimum Age and Minors
Our service is directed toward individuals aged 16 and above. By using the app, you confirm that you are at least 16 years of age. Where processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR), that consent is effective only from the completion of the 16th year of life under Art. 8 GDPR; for younger individuals, consent from those with parental responsibility is required.
We do not knowingly collect personal data from children under 16 years of age without such consent. If we become aware that data of a minor has been transmitted to us without the required consent, we will delete that data without delay. Parents or guardians may contact the address named in Section 1 at any time for this purpose.
3. Data Collected in Detail
3.1 Upon Registration and Account Use
We collect the following data when creating a user account:
- E-mail address (required — used as the login credential and needed for system e-mails such as verification and password reset)
- Username (required — freely selectable)
- Password (stored exclusively as a cryptographic hash, never in plain text — see 3.5)
The user may optionally supplement their profile with the following information:
- Avatar / profile picture
- Preferred language (for app localization)
- Theme selection (e.g. Spring, Summer Night, Autumn, Hygge, Pâtisserie — purely aesthetic setting, without personal reference)
- Dietary preference (e.g. vegetarian, vegan — see 3.2)
- Allergens and allergy information (see 3.2)
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract) for mandatory information; Art. 6(1)(a) GDPR (consent) for optional information.
Retention Period: until the user deletes the account or we delete it upon contract termination.
3.2 Special Categories of Personal Data (Health)
Information about dietary preference (vegan, vegetarian, pescatarian, omnivore) as well as allergens and personal allergy notes may provide insight into health data within the meaning of Art. 9 GDPR. The processing of this data occurs exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR). Before you store dietary preference, an allergen, or allergy note for the first time, we request this consent through an explicit notice with confirmation; without your confirmation, no such information will be stored. You may withdraw consent at any time with effect for the future by removing the relevant information in profile settings or deleting your account.
This information is used to filter recipes, display warnings for allergens contained in shared cookbooks, and tailor suggestions better to your needs.
Visibility to other users: Allergen and dietary information is made visible in social functions (e.g. for jointly planned events or shared cookbooks) to the respective authorized participants insofar as this is necessary for the respective function purpose (e.g. warning: “Participant X is allergic to nuts”). You decide before joining an event or cookbook whether to participate — no further sharing to third parties occurs.
3.3 Content Entered While Using the App
During app use, you may generate additional personal data, such as:
- self-created or imported recipes (title, ingredients, instructions, notes, photos)
- cookbooks and their contents
- shopping lists
- meal plans / calendar entries
- events (date, location, participants, confirmations/cancellations, photos, event chat, and an optional expense or cost split, e.g. who paid what amount)
- shared cooking sessions (real-time “cook together” feature with invited persons)
- friendships, groups, and invitations
- ratings and comments on recipes
- high scores from “Kitchen Arcade” (see 3.7)
- push notification tokens (for Android, see 4.4)
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract).
Retention Period: until deleted by the user or account deletion.
Shared content (e.g. cookbooks, events, shared cooking sessions) is partly synchronized in real-time among the respective authorized participants.
3.4 Server Logs and Technical Data
The following technical data is automatically collected upon access to our server:
- IP address of the requesting device
- Date and time of the request
- API route called, HTTP method, and status code
- User-Agent (app version, platform)
This data is used exclusively to ensure operation of the service, for error analysis, and to prevent attacks.
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
Retention Period: generally 14 days, after which automatic deletion or anonymization occurs.
3.5 Authentication and Security
- Passwords are stored exclusively as a PBKDF2-SHA256 hash (Django default, ≥ 600,000 iterations) with a random salt. It is not possible under current technology standards to recover the plaintext password from the hash.
- Login attempts are counted; after multiple failed attempts, a temporary lock occurs (currently: 5 failed attempts per 15 minutes per e-mail hash). For this purpose, an irreversible hash of the e-mail address is cached.
- E-mail addresses are verified before certain social functions are activated.
- Authentication occurs via short-lived Access Tokens and longer-lived Refresh Tokens, which are stored in the platform-secure storage of the device (Android Keystore, iOS Keychain, Windows Credential Vault).
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in protection against misuse).
3.6 Purchase and Billing Data (Paid Services)
Upon purchase of paid services (“Happi Plus” subscription, Cosmetic Packs, support contributions / “Tip Jar”), the following data is processed:
- Anonymous app user ID (assigned internally; no personal reference outside our database)
- Store-specific transaction ID (generated by Google Play, Microsoft Store or Paddle)
- Purchased product ID, purchase time, status (active / cancelled / expired / refunded)
- Platform and country of the store
We do not process payment methods (no credit card numbers, no account information, no PayPal addresses). This data remains exclusively with the respective app store or payment service provider.
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract), additionally Art. 6(1)(c) GDPR (tax retention requirements).
Retention Period: at least for the duration of tax retention obligations (generally 10 years, Section 147 AO [German Fiscal Code]), even beyond account deletion — however, then decoupled from the person to the extent legally permissible.
3.7 High Scores from “Kitchen Arcade”
The app contains an optional mini-game (“Kitchen Arcade”). If you use it, we store your achieved scores/high scores (daily high scores, recipe-specific high scores, freeplay high score) as well as simple game counters (e.g. number of rounds played). These values may be visible in leaderboards together with your public username to other users (see Section 5).
The game can be disabled in profile settings.
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract).
Retention Period: until account deletion.
4. Recipients / Processors and Third Parties
4.1 Hosting
The app servers (backend, database) are operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. The server location is in Germany; transfer to a third country does not occur as part of hosting.
All app data arising during operation (see Section 3) is transmitted to and processed on these servers, as is technical access data (in particular IP address, time, and content of the request).
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract) or Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation of the app).
A data processing agreement under Art. 28 GDPR exists with Hetzner Online GmbH.
Further information: https://www.hetzner.com/de/en/legal/privacy-policy/
4.2 Object Storage (Avatars, Recipe and Event Photos)
Uploaded image files (profile pictures and recipe and event photos) are stored in S3-compatible object storage. Cloudflare R2 from Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA is used.
The storage bucket is private. The app delivers images exclusively via short-lived, signed download URLs that expire shortly after issuance. The uploaded image file and technical processing data (filename, time of access, access key) are transmitted.
Third Country Transfer: Cloudflare, Inc. is headquartered in the USA, so a transfer to a third country occurs; storage and processing may occur on servers outside the EU. Cloudflare is bound by Standard Contractual Clauses under Art. 46 GDPR; a data processing agreement (Data Processing Addendum) under Art. 28 GDPR is in place.
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract) or Art. 6(1)(f) GDPR (legitimate interest in scalable and fault-tolerant storage of content you have uploaded).
Further information: https://www.cloudflare.com/privacypolicy/
4.3 E-mail Sending
For the sending of transactional e-mails (registration confirmation, password reset, e-mail address change), we use Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Processing occurs on servers within the EU; transfer to a third country does not occur. A data processing agreement under Art. 28 GDPR exists with Brevo.
At minimum, the following is transmitted: recipient’s e-mail address, subject, message content, time of sending.
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract) or Art. 6(1)(f) GDPR.
Further information: https://www.brevo.com/de/en/legal/privacypolicy/
4.4 Push Notifications
This section applies exclusively to server-triggered push notifications via third-party services. Purely local notifications scheduled on the device itself (e.g. cooking timer in cook mode) do not transmit data to third parties and are described in Section 6.
For sending server-triggered push notifications on Android, the Firebase Cloud Messaging (FCM) service from Google Ireland Ltd. is used. For iOS, the Apple Push Notification Service (APNs) from Apple Distribution International Ltd. will be added in the future.
A pseudonymous device token and the content of the notification (title and text) are transmitted to the respective service. The notification text may contain personal information — such as the display name of the triggering person or names of shared content (e.g. recipe, shopping list, or event names). Transmission to the USA may occur; Google bases this on EU Standard Contractual Clauses.
A push notification is displayed only if you have granted system notification permission on your device (under Android version 13 and above, an explicit consent dialog). You may withdraw this permission at any time in your device’s system settings.
Legal Basis: Art. 6(1)(a) GDPR (consent).
4.5 Fonts
The app uses the Nunito font. The font files are delivered with the app and loaded locally by the device (happi_frontend/assets/fonts/). No transmission to Google or other external servers occurs — neither during app use nor during PDF generation (recipe export). In particular, your IP address is not transmitted to third parties for the purpose of loading fonts.
In the web version, the necessary software components of the app (the rendering engine “CanvasKit”) are delivered with the app and obtained from the same server as the app itself. They are not reloaded from Google servers (e.g. gstatic.com); your IP address is not transmitted to Google.
4.6 AI Interface for Recipe Import (Google Gemini)
The app contains a recipe import feature with which you can read recipes in three ways: via the address (URL) of a website, by uploading a photo (camera or gallery), or by uploading a PDF file.
Important distinction of processing paths:
- Import via URL: The specified website is retrieved and evaluated exclusively on our own server. The contents are not transmitted to Google or other third parties in this process.
- Import via photo or PDF: To structure the image or PDF content, the Gemini API from Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) is used. In this case, the content you have uploaded is transmitted to Google.
Upon photo/PDF import, the following are transmitted to Google:
- the image or PDF file you have uploaded (or the text extracted from it) with the recipe content contained therein;
- technical processing data (timestamp, API key, token consumption).
Note on Image Metadata: Photo files may contain technical metadata (e.g. EXIF information, possibly GPS location data). This metadata is removed before a file is transmitted to Google: already on your device and additionally once more on our server, which re-encodes the image before forwarding it to Google. EXIF and GPS location data and document metadata of PDF files therefore do not reach Google.
Your e-mail address, username, allergen data, or dietary information are not transmitted to Google.
We use the paid Gemini API. The transmitted content is used by Google exclusively to provide the requested processing (structuring of the recipe) and is not used for training or improving Google models.
Processing may, depending on Google API routing, occur on servers outside the EU. The basis for transmission is Standard Contractual Clauses under Art. 46 GDPR; a data processing agreement with Google exists in the form of the “Data Processing Addendum for Products Where Google is a Data Processor” (https://business.safety.google/processorterms/), which includes Standard Contractual Clauses.
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract — the import function is part of the service), additionally Art. 6(1)(a) GDPR (consent, insofar as you actively trigger the import function).
Further information on data processing by Google: https://policies.google.com/privacy and https://ai.google.dev/gemini-api/terms
4.7 Payment Processing (App Stores, RevenueCat, Paddle)
For the processing of paid services, we use the following service providers:
(a) App Stores (mandatory in-app billing):
- Google Ireland Ltd. (Google Play Store) — Android purchases.
- Microsoft Ireland Operations Ltd. (Microsoft Store) — Windows purchases, if in-app purchases are offered there.
- (Phase 2) Apple Distribution International Ltd. (App Store) — iOS/macOS purchases.
The app stores process all payment method data (credit card, account information, device account) independently as controllers within the meaning of the GDPR. We receive neither payment data nor the clear identity of the buyer, but only the transaction data named in 3.6.
The privacy provisions of the respective store additionally apply:
- Google: https://policies.google.com/privacy
- Microsoft: https://privacy.microsoft.com/de-de/privacystatement
- Apple: https://www.apple.com/en/legal/privacy/de-ww/
(b) Entitlement Management (RevenueCat):
For cross-platform management of premium entitlements and for verification of store receipts, we use the services of RevenueCat, Inc., 4 Embarcadero Center, Suite 1455, San Francisco, CA 94111, USA.
The following are transmitted: an anonymous app user ID, the store transaction ID, the product ID, and status updates over the lifecycle of a purchase/subscription (e.g. renewal, cancellation, refund).
Transmission to the USA occurs on the basis of Standard Contractual Clauses under Art. 46 GDPR; RevenueCat is additionally certified under the EU-U.S. Data Privacy Framework. A data processing agreement exists with RevenueCat.
Legal Basis: Art. 6(1)(b) GDPR (performance of the contract).
Further information: https://www.revenuecat.com/privacy
(c) Web Payments (Paddle, optional):
If you make a voluntary support contribution via the marketing website (happihappi.app), processing occurs via Paddle.com Market Ltd., Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom, as “Merchant of Record”. In this case, Paddle receives your payment and billing data directly and acts as its own controller.
We receive from Paddle only anonymized reports and the receipt data necessary for accounting. Transmission to the United Kingdom occurs on the basis of an adequacy decision of the EU Commission.
Further information: https://www.paddle.com/en/legal/privacy
4.8 Error Monitoring (Sentry)
To identify and resolve programming errors, we use the service Sentry from Functional Software, Inc. (132 Hawthorne Street, San Francisco, CA 94107, USA). Only technical error data is transmitted to Sentry: error stacktraces, app or backend version, operating system and device type, and the time of the error.
Personal content is not transmitted: transmission of IP addresses, request content, and cookie data is disabled on the server side; e-mail addresses, recipes, and allergen and dietary data are likewise not sent to Sentry.
We use the EU region of Sentry; error data is stored and processed on servers within the European Union. Functional Software, Inc., headquartered in the USA, is the operator; insofar as access from a third country occurs, this is based on EU Standard Contractual Clauses under Art. 46 GDPR. A data processing agreement (Data Processing Addendum) under Art. 28 GDPR is in place.
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation).
Further information: https://sentry.io/privacy/
4.9 Website Audience Measurement (Cloudflare Web Analytics)
On our website (happihappi.app), we use Cloudflare Web Analytics from Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) for anonymous audience measurement. The tool operates cookieless: no cookies are set and no information is stored on or read from your device. Cross-device recognition or profiling does not occur.
Only aggregated usage data not attributable to you personally is collected, in particular pages visited, referring page (referrer), approximate country of origin, and browser and device type, as well as metrics on page load performance. Your IP address is processed only briefly for the creation of these statistics and is not stored permanently.
As no cookies or comparable technologies are used, separate consent under Section 25 TDDDG (German Telecommunications Digital Services Data Protection Act) is not required. This audience measurement applies only to website visits, not to app use itself.
Cloudflare is headquartered in the USA (third country). Transmission is based on EU Standard Contractual Clauses under Art. 46 GDPR; a data processing agreement under Art. 28 GDPR exists (the same Cloudflare Processor Terms as for object storage, see 4.2).
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in data-sparse, anonymous audience measurement to improve our service).
Further information: https://www.cloudflare.com/web-analytics/
4.10 App Store Platforms (App Distribution)
Once the app is delivered via Google Play Store, Microsoft Store, or Apple App Store, Google, Microsoft, and Apple respectively process user data in connection with downloads and app distribution. The respective privacy notices of the platform operators are authoritative for this; we have no influence over them.
4.11 No Other Sharing
Personal data is not shared with any other third parties. Beyond anonymous, cookieless audience measurement of the website (see 4.9), we use no tracking, no personally identifying analytics tools, and no advertising networks.
5. Shared Content and Visible Profile Information
The app contains social features (friendships, groups, shared cookbooks, shared events). When sharing, the following information is visible to the respective authorized other users:
- public username and Friend ID (format name#1234)
- avatar (if provided)
- in shared cookbooks / events: the respective contents
- in events additionally: posts, comments, and — if activated — the expense/cost split, visible to the other participants
- in “Kitchen Arcade” leaderboards: your public username and your achieved score (see 3.7)
- in social functions, allergen and dietary markings are additionally displayed as warnings insofar as this is necessary for the respective function purpose (Art. 9 GDPR — visibility exclusively to participants in the same function and only on the basis of your consent under 3.2)
The user themselves decides with whom to share content. Public findability via search engines does not occur.
6. Local Storage on the Device
The app stores technically necessary information locally on your device:
- authentication tokens in platform-secure storage (Keystore, Keychain, Credential Vault).
- local settings (theme selection, language) via the platform’s standard key-value storage.
- cache for loaded images and, if necessary, fonts.
Additionally, the app uses local notifications: timers scheduled in cook mode trigger a local notification managed by the operating system, so that a timer’s expiration is signaled even if the app is closed or running in the background. These notifications are created exclusively on the device; no data is transmitted to us or to third parties (no device token, no FCM/APNs — see Section 4.4 for the distinction). Display requires one-time granting of system notification permission, which you may revoke at any time in your device settings. The legal basis is Art. 6(1)(b) GDPR (performance of the contract — the feature is part of the cooking timer you have actively initiated).
These are not cookies within the meaning of the TDDDG (formerly TTDSG) or the ePrivacy Directive; separate consent is not required because storage is absolutely necessary for the delivery of the explicitly requested service (Section 25(2) no. 2 TDDDG [German Telecommunications Digital Services Data Protection Act]).
7. Your Rights as a Data Subject
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR) — see also in-app function for account deletion
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of given consent with effect for the future (Art. 7(3) GDPR)
You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data (Art. 77 GDPR). As a non-public entity headquartered in Bavaria, the competent authority for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach (https://www.lda.bayern.de/). Regardless, you may also contact the supervisory authority of your habitual place of residence.
To exercise your rights, an informal message to the contact e-mail address named in Section 1 suffices.
8. Data Security
Data transmitted between the app and the server is encrypted via HTTPS/TLS. Passwords are stored as a PBKDF2-SHA256 hash (see 3.5). Authentication occurs via Access and Refresh Tokens, which are stored on the device in the respective platform-secure storage (Keychain / Keystore / Credential Vault).
9. Automated Decision-Making / Profiling
Automated decision-making within the meaning of Art. 22 GDPR, including profiling, does not occur. The AI-assisted recipe import function (see 4.6) serves exclusively for structuring content that you yourself have authorized for processing — no evaluation of you as a person or of your behavior occurs.
10. Changes to This Privacy Policy
We reserve the right to adjust this privacy policy so that it always complies with current legal requirements or to implement changes in our services, such as upon introduction of new features or new third-party providers. Upon your next visit, the new privacy policy will apply.
Last updated: 24 June 2026