Privacy Policy

A data protection officer is not legally required and has not been appointed.

We only process personal data to the extent necessary to provide our service. Below is an overview of the data categories:

• Account data (email address, encrypted password)
• Authentication data (JWT token, OAuth token)
• Health data / dietary preferences (diet type, exclusions, allergies — only with consent)
• Location data (coordinates, ZIP code, city — only with consent)
• Device information (platform, app version)
• Usage data (recipe selection, shopping lists, feedback)
• Payment data (processed via RevenueCat, not stored by us)

Our website and app infrastructure are hosted by external service providers. When you access our service, the server automatically collects technical connection data (server logfiles) that are necessary for secure operation and protection against cyberattacks (DDoS protection).

This data includes, among others:

• IP address of the requesting device
• Date and time of access
• Browser type and version
• Operating system used
• Referrer URL

This data is typically stored for 7–14 days and then automatically deleted. No merging of this data with other data sources takes place.

Using Flyva requires a user account. We collect the following:

Alternatively, you can sign in via Google Sign-In or Apple Sign-In. We receive an identity token from the respective provider. Google and Apple may transmit your email address and name — no further data from these services is processed by us.

Authentication is handled via JWT (JSON Web Token) with ES256 signature. Tokens are stored on your device in a secure storage (AsyncStorage on mobile devices) and transmitted with every API request for verification.

For personalized meal planning, we collect the following preferences, some of which constitute health data (such as allergies or intolerances). We process this data exclusively with your explicit consent:

Additionally, we store your selected recipes, your weekly plan (assignment of recipes to weekdays), and your shopping list (consolidated ingredients, checked-off items, and manually added items).

Flyva uses location data to find supermarkets and deals near you. Collection occurs exclusively with your explicit consent, obtained via a consent dialog.

Alternatively, you can manually enter your location (ZIP code or city) without granting GPS access. Geocoding is performed via the service Geoapify (see Third Parties section).

Permissions: On Android, ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION are requested. On iOS, locationWhenInUsePermission is required. Permission can be revoked at any time in device settings.

We collect minimal technical information to ensure app functionality:

We do not collect device IDs, fingerprints, advertising IDs, or similar identifiers for user tracking.

For services based in the USA (e.g., Google, Apple, Supabase, RevenueCat), data transfer is based on the EU-US Data Privacy Framework (DPF) or, if providers are not certified, on Standard Contractual Clauses (SCCs) of the EU Commission.

Flyva uses OpenRouter to connect various AI models for automatic generation of recipe suggestions and data extraction. Only the following non-personal data is transmitted to the service:

• Current deal items from your selected supermarket
• Your chosen diet type (e.g., Vegan)
• Your ingredient exclusions (e.g., nuts)
• Previously generated recipe titles (to avoid duplicates)

Important note on health data:

The transmission of this data (including potential health data such as allergies or intolerances) to the AI is fully anonymized and without any reference to your user account.

Your user ID is only used internally for logging the generation process (token consumption, cost estimation, error messages), but is not transmitted to OpenRouter or the model providers. Log data is only accessible to the system operator.

Payments are processed exclusively through the app stores (Google Play / Apple App Store) and the service RevenueCat. We do not store any payment information such as credit card numbers or bank details.

We only store:

Flyva does not use tracking cookies. For performance measurement and basic visitor statistics, we use Vercel Web Analytics and Speed Insights. These services operate without cookies and anonymize visitor data (e.g., IP addresses) immediately, so no conclusions about individual users are possible.

• Encrypted transmission of all data via HTTPS/TLS (enforced)
• Passwords are stored exclusively in hashed form (Supabase Auth)
• JWT-based authentication with ES256 signature and JWKS verification
• Row Level Security (RLS) — users can only access their own data
• We do not maintain our own IP logging for user tracking (aside from temporary server logs at the hosting provider)
• API access control via webhook secrets and admin API keys
• Data storage at Supabase (PostgreSQL) with encryption at rest

You have the right at any time to:

You can delete your account at any time. When your user account is deleted, all associated data is automatically removed (cascading):

• Profile data (location, dietary preferences)
• Selected recipes and weekly plans
• Shopping lists
• Subscription status
• Feedback entries
• Generation logs

Account deletion can be requested via the app settings or via our account deletion page.

For questions about data protection, information requests, or withdrawal of consent, you can contact us at any time: