Privacy Policy
Last updated: July 10, 2026
This policy explains how we process your personal data when you use the CookZone app (on iOS, Android, or in the browser at my.cookzone.app), open a shared recipe on share.cookzone.app, visit our website cookzone.app, or receive our emails. CookZone is built and operated in Germany, and your data is processed under the EU General Data Protection Regulation (GDPR) — one of the strictest privacy laws in the world. We apply this standard to all users, wherever you live.
1. Who is responsible
The controller for all processing described here is:
EichGnomies GmbH & Co. KG
Peter-Händel-Str. 10
91334 Hemhofen, Germany
Email: support@cookzone.app
Further company details are in our imprint.
2. What data we process
- Account data: email address, username, and password. Passwords are stored only as a cryptographic hash. If you sign in with Google or Apple instead, we receive your name and email address from them; Apple lets you hide your real email address.
- Your content: recipes, photos and PDFs you upload, links you import, collections, shopping lists, meal plans, and messages you send to the recipe assistant.
- Purchase data: your subscription status and purchase events (product, price, currency, country). We never receive your full payment details — payments are handled by the App Store, Google Play, or Paddle.
- Usage and technical data: pseudonymous usage statistics, crash reports, and — for security — the IP address and browser/device identifier (user agent) of your login sessions, plus temporary server logs.
- Consent records: if you opt in to the newsletter or personalized ads, we store what you consented to and when.
3. Why we process it (purposes and legal bases)
| Purpose | Data | Legal basis |
|---|---|---|
| Providing CookZone: your account, storing and syncing your recipes and lists | Account data, your content | Contract, Art. 6(1)(b) GDPR |
| Recipe import and AI features (see section 4) | Content you submit or import | Contract, Art. 6(1)(b) GDPR |
| Purchases and subscription management | Purchase data | Contract, Art. 6(1)(b) GDPR |
| Usage statistics and crash reporting, to understand how CookZone is used and keep it stable (see section 5) | Pseudonymous usage data, crash reports | Legitimate interest, Art. 6(1)(f) GDPR — you can object at any time (see section 12) |
| Security: login protection, abuse and rate limiting, session records | IP address, user agent | Legitimate interest, Art. 6(1)(f) GDPR |
| Counting views on shared recipe pages (see section 8) | Random cookie identifier (cz_vid) | Legitimate interest, Art. 6(1)(f) GDPR |
| Newsletter (see section 6) | Email address, consent records | Your consent, Art. 6(1)(a) GDPR (together with §7(2) No. 2 of the German Act Against Unfair Competition, UWG) |
| Personalized ads via hashed email matching (see section 7) | Hashed email address | Your consent, Art. 6(1)(a) GDPR |
| Proving that you gave consent | Consent records | Legitimate interest, Art. 6(1)(f) GDPR |
4. Recipe import and AI features
CookZone uses AI to extract recipes from the content you submit — photos, PDFs, and links — and to power features like the recipe assistant, nutrition estimates, translations, and generated cover images. For this, the content you submit or import (including your messages to the assistant) is processed by our AI providers: Mistral AI (France) and, for generated cover images, fal.ai (USA). We do not attach your name, email address, or account ID to these requests. We keep per-account usage records (request counts and cost) to prevent abuse.
When you import a recipe from a link, our servers and/or your device retrieve that page. The website you are importing from sees the request — including the IP address it comes from (your device's or our server's) — as it would with any normal visit.
5. Usage statistics and crash reporting
Analytics (TelemetryDeck). We use TelemetryDeck GmbH (Augsburg, Germany, hosted in the EU) to understand how CookZone is used. Events include things like device model, operating system version, app version, language, and which features are used. Your user identifier is transmitted only as a SHA-256 hash, so TelemetryDeck cannot identify you; for us this data remains pseudonymous. According to TelemetryDeck, IP addresses are not stored and no advertising identifiers or tracking cookies are used. RevenueCat, which validates purchases for us (see section 9), also forwards purchase events (product, price, currency, country) to TelemetryDeck under the same hashed identifier, so we can see aggregate revenue statistics. Our marketing website cookzone.app uses TelemetryDeck's cookieless page-view counter.
Crash reporting (Sentry). If the app or our servers hit an error, a crash report (error details plus device and OS information) is sent to Sentry, received on EU servers in Germany. We do not attach your name or email address to crash reports.
6. Newsletter
If you opt in to the newsletter, we send you occasional product news by email. Signing up uses double opt-in: we first send you a confirmation email, and you only receive the newsletter after clicking the confirmation link. We store your consent and confirmation (with timestamps) to be able to prove it. Emails are sent via Amazon Web Services (Amazon SES) from servers in Frankfurt, Germany.
You can unsubscribe at any time — via the toggle in the app's settings or the unsubscribe link in any newsletter. After you unsubscribe, we record the withdrawal and send you no further marketing; the record of your earlier consent is kept only so we can document it, at most for as long as your account exists.
7. Personalized ads (hashed email matching) — only if you opt in
If — and only if — you enable "Personalized ads" in the app, we share your email address in hashed form (SHA-256) with Meta Platforms Ireland Limited and Google Ireland Limited. The platforms compare the hash against their own user base so that CookZone's ads can be shown to you and to people with similar interests ("custom audiences" and "lookalike audiences"). Hashing means the platforms never receive your readable email address, and under their terms they delete the uploaded hashes once the matching is complete; only the resulting audience membership remains until you withdraw. Note that a hashed email address is still personal data.
For the matching step, Meta and Google process your hashed email address on our behalf; everything they do afterwards inside their own services — including showing ads and building similar audiences — is their own responsibility under their own privacy policies — see the Meta Privacy Policy and the Google Privacy Policy. You can also manage the ads you see at Meta ad preferences and Google My Ad Center.
You can withdraw this consent at any time in the app's settings. We then stop sharing your hash and remove you from the audience lists we control.
8. Sharing recipes publicly
If you share a recipe, CookZone creates a public web page for it at share.cookzone.app showing the recipe and your username. Anyone who has the link can view this page. To count unique views, the share page sets a cookie called cz_vid — a random identifier, valid for 12 months, not linked to any account and not used for advertising. You can block or delete this cookie in your browser; the page still works without it. If you open a shared recipe while logged in to CookZone, the view is counted under your account instead.
Beyond this cookie, the app and web app store on your device what is needed to work — your login token, settings, and cached content — plus a random identifier used for the usage statistics described in section 5. We do not use third-party advertising or tracking cookies.
9. Who receives your data
We use the following service providers.
| Provider | What for | Location |
|---|---|---|
| Amazon Web Services (AWS) | Servers, database, file storage (your photos and PDFs), sending our emails | Frankfurt, Germany (eu-central-1) |
| Cloudflare | Traffic to our API and websites is routed through Cloudflare (security, performance) | Global network; US parent |
| TelemetryDeck GmbH | Pseudonymous usage statistics (section 5) | Germany |
| Sentry | Crash and error reports (section 5) | EU servers (Germany); US parent |
| Mistral AI | AI recipe extraction and assistant (section 4) | France |
| fal.ai | AI-generated recipe cover images (section 4) | USA |
| RevenueCat | Purchase validation and subscription status | USA |
| Paddle | Merchant of record for purchases in the web app | UK / USA |
| Apple / Google | Purchases in the iOS/Android app; sign-in if you use "Sign in with Apple/Google" | Per their terms |
| Expo (650 Industries) | The app checks for app updates at launch; this transmits your IP address and app version | USA |
| Meta Platforms Ireland / Google Ireland | Hashed email matching for ads — only with your opt-in (section 7) | Ireland; US parents |
If our company is ever involved in a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We would inform you before your data becomes subject to a different privacy policy.
10. Data transfers outside the EU
Your data is primarily processed in the EU (AWS Frankfurt, TelemetryDeck Germany, Sentry EU, Mistral France). Some providers listed above are based in the USA or have US parent companies. Where personal data is transferred to the USA, this is safeguarded by the provider's certification under the EU-US Data Privacy Framework and/or the EU Standard Contractual Clauses (Art. 46 GDPR). Transfers to the United Kingdom (Paddle) are covered by the EU Commission's adequacy decision for the UK. You can request a copy of the relevant safeguards via support@cookzone.app.
11. How long we keep data
- Account and content: for as long as your account exists. If you delete your account (in the app's settings), your recipes, uploaded files including previews, collections, lists, sessions, and account data are deleted.
- Session records (IP address, user agent): stored while the login session exists; deleted when you log out, change your password, or delete your account.
- AI usage records: retained after account deletion for abuse prevention, keyed to a technical ID that is no longer linked to your name or email address.
- Newsletter consent records: for as long as your account exists; deleted with your account. When you unsubscribe, we record the withdrawal.
- Server logs: kept only temporarily. Crash reports: deleted after 90 days at the latest.
12. Your rights
You have the right to access your data (Art. 15 GDPR), to rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). We honor these rights for every CookZone user worldwide, not only where the GDPR requires it. Where processing is based on consent, you can withdraw it at any time — for the newsletter and personalized ads directly in the app's settings. Withdrawal does not affect processing that already happened.
To exercise any of these rights, email support@cookzone.app. You also have the right to complain to a data protection supervisory authority — for us that is the Bavarian Data Protection Authority (BayLDA, Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de), but you may also contact the authority where you live — inside the EU the authority of your member state, elsewhere your local data protection authority (for example the UK ICO or the Swiss FDPIC).
13. A few more things
What you must provide: to create an account you need an email address and password (or a Google/Apple sign-in) — without them we cannot provide an account. Everything else, including the newsletter and personalized ads, is voluntary.
No automated decision-making: we do not make automated decisions about you that have legal or similarly significant effects (Art. 22 GDPR).
Security: all connections are encrypted (TLS); passwords and login tokens are stored only as cryptographic hashes. No online service can guarantee absolute security, but we work hard to protect your data.
"Do Not Track" signals: some browsers can send "Do Not Track" or "Global Privacy Control" signals. There is no common standard for these yet, and our websites do not respond to them — we do not follow your browsing across other websites in any case.
Children: CookZone is not directed at children. You must be at least 18, or use CookZone with the consent of a parent or guardian. We do not knowingly collect personal data from children under 13; if you believe a child has given us personal data, email us and we will delete it.
Changes: if we change this policy in a way that matters — for example new purposes or new recipients — we will inform you in the app or by email before the change takes effect.