Privacy Policy
This policy describes how Yapa processes data under GDPR, EU, and German legal requirements for local-first app usage, AI-assisted imports, payments, and consent-based analytics.

Last updated: February 21, 2026

Controller and Legal Scope

This Privacy Policy applies to the Yapa app and related website content. Processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR), applicable EU member-state law, and German data protection rules, including the Federal Data Protection Act (BDSG) and section 25 of the Telecommunications Digital Services Data Protection Act (TDDDG) for access to information on user devices.

Please replace the controller details below with your final legal company information before release.

  • Controller: [Legal entity name]
  • Address: [Street, ZIP, City, Country]
  • Email: [privacy@your-domain.com]
  • Data Protection Officer (if appointed): [Name and contact]

Data Processing in the App (On-Device by Default)

Yapa is designed for local-first processing. Your recipe data, meal plans, and most app content are stored on your device, not on Yapa servers.

When no external service is used, your personal data remains on-device under your control.

  • Locally stored content: recipes, meal plans, cooking preferences, and app settings
  • No continuous central user profile database for core recipe content
  • You can remove local data by deleting content in-app or uninstalling the app

Image Import, OCR, and AI Processing via OpenRouter

For the image import feature, OCR is performed on-device. The extracted text (not the original image) is sent to AI providers through OpenRouter to generate the requested import result.

Data sent to OpenRouter and model output are not stored by Yapa servers. After processing, results are returned to your app and remain on your device unless you choose to export or share them.

Legal basis: Article 6(1)(b) GDPR (performance of requested app functionality).

  • Processor/recipient: OpenRouter (and the selected downstream model provider)
  • Transferred data: OCR-extracted text and technical request metadata required for processing
  • Purpose: perform the user-requested recipe import workflow

Payments and Subscriptions (RevenueCat)

For paid subscriptions and purchases, Yapa uses RevenueCat as payment infrastructure. RevenueCat processes subscription and transaction data required to validate purchases and manage entitlements.

Legal basis: Article 6(1)(b) GDPR (contract/performance of subscription) and, where applicable, Article 6(1)(c) GDPR (legal obligations, including accounting/tax retention by payment participants).

  • Provider: RevenueCat
  • Typical data: app user ID or anonymous app instance ID, product identifiers, purchase/receipt status, timestamps, and technical device metadata
  • Additional payment processing is handled by app-store operators under their own privacy terms

Analytics and A/B Testing (PostHog, Consent-Based)

Analytics and A/B testing are disabled by default and only activated after you explicitly accept tracking.

If consent is not provided, no non-essential analytics or experiment tracking is performed via PostHog.

Legal basis: Article 6(1)(a) GDPR (consent) and, where applicable for device storage/access, section 25(1) TDDDG. You can withdraw consent at any time with future effect in the app settings.

  • Provider: PostHog
  • Purpose: product analytics, feature experiments, and service improvement
  • Condition: active only after opt-in consent

Recipients and International Data Transfers

Depending on feature use, data may be disclosed to OpenRouter, selected AI model providers, RevenueCat, app-store operators, and PostHog (only when consent is active).

Where recipients process data outside the EU/EEA, transfers are based on GDPR Chapter V mechanisms, such as an adequacy decision (Article 45 GDPR) or appropriate safeguards including Standard Contractual Clauses (Article 46 GDPR).

Storage Periods

Core app content remains on your device until you delete it.

Yapa does not maintain a server-side archive of OCR text inputs or AI output results from the OpenRouter flow.

For external providers (for example RevenueCat and PostHog, if enabled), retention periods are defined by those providers and applicable legal requirements.

Your Rights Under GDPR

You have the right of access, rectification, erasure, restriction of processing, data portability, and objection, as well as the right to withdraw consent at any time (for consent-based processing).

You also have the right to lodge a complaint with a supervisory authority under Article 77 GDPR, including in your EU member state of residence, place of work, or place of the alleged infringement. In Germany, this is generally the competent state data protection authority (Landesdatenschutzbehoerde) or other competent authority.

Requests are handled according to Article 12 GDPR, typically within one month unless a lawful extension applies.

Contact for Privacy Requests

For all privacy requests, please contact: [privacy@your-domain.com].

If required by Article 13 GDPR, include your full controller details and (if appointed) your Data Protection Officer details in this section.

This policy may be updated to reflect legal, technical, or product changes. Material changes will be communicated in-app or on this page.