Chopa Chef — Privacy Policy for Android

This Privacy Policy explains how the Chopa Chef Android application (currently distributed under package name app.chopa.chopito) and its related backend services (together, the “Service”) collect, use, disclose, and protect information about you.

1) Who we are

For purposes of privacy laws, the operator of the Service (the “Company,” “we,” “us,” or “our”) is the developer/publisher of the Chopa Chef Android app. If you need our legal entity name and address, contact us and we will provide it.

2) Scope

This Privacy Policy applies to the Android app and the backend APIs that power the app. It does not apply to third parties you may access through the Service (for example, Apple, Google, or third-party websites linked from content you import). Third parties have their own privacy policies and terms.

3) What information we collect

3.1 Information you provide directly

• Account information: email address, login credentials for email/password sign-in (passwords are not stored in plain text), and identifiers from Apple Sign In or Google Sign-In (such as Apple/Google user IDs).
• Profile and preferences: display name, language, app language, measurement units, region/country, favorite cuisines, unwanted ingredients, and similar settings.
• User content: recipes, cookbooks, meal logs, grocery lists, and any other information you enter or save in the app.
• Images and media: photos you take in the app (for example, meal photos) or select from your device (for example, product photos) when using scanning/import features.
• Support communications: if you contact us, we may collect the content of your message and contact details you provide.

3.2 Information we collect automatically

When you use the Service, our servers and infrastructure may automatically receive information such as your IP address, approximate location inferred from IP (country/region), request timestamps, device and app information (for example, OS version, app version), and diagnostic data needed to operate and secure the Service (for example, logs related to authentication, abuse prevention, and error handling).

3.3 Information from third parties

• Apple Sign In / Google Sign-In: we receive data needed to authenticate you (for example, tokens and stable identifiers). The exact data depends on the provider and your settings with them.
• RevenueCat: if you purchase or restore a subscription, RevenueCat and the app stores (Google Play / Apple App Store) provide subscription status and related identifiers (for example, entitlements, purchase/renewal state). Payment details are handled by the app store and are not directly processed by us.

4) Android permissions and device access

The Android app may request permissions at runtime or via the Android manifest. You can grant or revoke permissions at any time via Android Settings. If you do not grant certain permissions, some features may not work.

• Camera: used to take photos for scanning products and meals and for image-based features.
• Photos/Media access (for example, READ_MEDIA_IMAGES): used to let you select existing images for scanning/import features and to show recent photos when you choose to use that functionality.
• Local storage: used to store cached app data on your device (for example, locally cached recipes/cookbooks for speed and offline-like access) and to store authentication tokens securely using Android’s secure storage mechanisms.

5) How we use information

We use information for purposes such as:

• Providing the Service: creating accounts, authenticating users, syncing your recipes/cookbooks/meal logs, and showing your content across sessions/devices.
• AI-assisted features: analyzing images you choose to upload (for example, meal images for nutrition estimates) and generating or improving recipe content where you request it.
• Subscriptions: enabling purchases, entitlement checks, restoring purchases, and syncing subscription status with our backend.
• Personalization: applying your preferences (such as language, region, cuisines, unwanted ingredients) to tailor content and outputs.
• Security and integrity: detecting, preventing, and investigating fraud, abuse, security incidents, and unauthorized access.
• Operations: troubleshooting, debugging, service improvement, and internal analytics (for example, diagnosing errors and performance issues).
• Legal compliance: complying with applicable laws, lawful requests, and enforcing our terms and policies.

6) AI processing, photos, and nutrition information (important)

Some features involve processing images and food-related information. When you upload a meal image for analysis, the image may be stored and referenced by a URL, and the Service may send that image (or its URL) to third-party AI providers to produce results.

Nutrition-related outputs are estimates and may be inaccurate. The Service is provided for informational and organizational purposes only and is not medical advice. If you have medical conditions, allergies, or dietary needs, consult a qualified professional.

7) How we share information

We do not sell your personal information. We may share information in the following situations:

• Service providers (processors): we use third-party vendors to host and operate parts of the Service, store media, process AI requests, and provide subscription infrastructure. Examples include:
  • Cloud hosting and storage (for example, Vercel services and blob/object storage) to store uploaded images and serve backend APIs.
  • AI providers to analyze images and generate or transform content (for example, providers accessible via OpenAI-compatible APIs).
  • RevenueCat to manage subscriptions, entitlements, and customer support flows related to subscriptions.
  • Apple and Google for sign-in and/or app store purchase processing (depending on your platform and chosen sign-in method).
• Legal and safety: to comply with law, respond to lawful requests, protect rights and safety, investigate fraud or security issues, or enforce our policies.
• Business transfers: if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to applicable law.

8) Data retention

We retain information for as long as necessary to provide the Service and for other legitimate purposes such as complying with legal obligations, resolving disputes, and enforcing agreements. Typical retention considerations:

• Account and profile data: retained while your account is active and for a reasonable period afterward as required or permitted by law.
• User content (recipes, cookbooks, meal logs): retained until you delete it or request deletion, unless we must keep it longer for legal reasons.
• Uploaded images: retained for as long as needed to provide the feature that uses them (for example, meal logs) and may persist in backups for a limited time.
• Logs: retained for a limited time to maintain and secure the Service.

9) Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. However, no security measure can guarantee absolute security.

10) Your choices and controls

• Permissions: manage camera and photo/media access in Android Settings.
• Local device storage: the app stores some data on your device (for example, cached recipes/cookbooks) to improve performance; uninstalling the app typically removes local data.
• Subscriptions: manage your subscription through Google Play (or the relevant app store) and, where available, through RevenueCat’s customer center experience.
• Access, export, and deletion requests: contact us to request access to, export of, correction of, or deletion of your personal information (see “Contact us” below).

11) Privacy rights (GDPR/UK GDPR and similar laws)

If you are located in certain jurisdictions (such as the EEA/UK), you may have rights including access, correction, deletion, restriction, objection, and data portability. You may also have the right to withdraw consent where we rely on consent. To exercise rights, contact us (see “Contact us”).

Legal bases for processing (where applicable) may include: performance of a contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), compliance with legal obligations, and consent (for example, camera/media permissions).

12) California privacy rights (CCPA/CPRA notice)

If you are a California resident, you may have rights to know what personal information we collect, use, and disclose, and to request deletion or correction of certain information, subject to exceptions. We do not “sell” personal information as defined by the CCPA. To submit a request, contact us (see “Contact us”).

13) International data transfers

We may process and store information in countries other than your own, including where our vendors and infrastructure providers operate. Where required, we use appropriate safeguards for cross-border transfers.

14) Children’s privacy

The Service is not directed to children under 13 (or under the age required by local law). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us so we can take appropriate action.

15) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you (for example, by updating the “Last updated” date and/or providing in-app notice where appropriate).

16) Contact us

For privacy questions or requests, contact us at privacy@chopa.app. If that address is unavailable in your region, you can also contact support@chopa.app or reach out through the app where contact options are provided.