Last updated: April 2026 · Version 2.0
This Privacy Policy explains, in accordance with Art. 13 and 14 GDPR, how personal data is collected, processed and used when you use the mobile application "Pin Your Plate" (the "App") and the website pinyourplate.app.
The controller within the meaning of Art. 4 No. 7 GDPR is:
Marius Wenk
Arcostraße 48
15831 Mahlow
Germany
E-mail: support@pinyourplate.app
Phone: +49 1578 2045200
A data protection officer is not legally required and has not been appointed.
This Privacy Policy applies to the mobile app "Pin Your Plate" (Android and iOS) as well as to the website pinyourplate.app. For linked third-party offerings, their respective privacy policies apply.
Pin Your Plate enables users to save food-related locations ("pins") on a map, add photos and notes, organize gatherings ("meetups") and share content with other users. We process personal data exclusively for the purposes described below.
Purpose: providing the account, authentication, operating social features.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Purpose: core functionality of the App.
Legal basis: Art. 6(1)(b) GDPR.
Important: coordinates of created pins are stored permanently, as they are integral to the functionality. Photos may contain personal metadata (EXIF); we recommend removing sensitive metadata before uploading.
The App accesses the current device location when you grant the corresponding permission. Location is used:
Your live location is neither stored permanently nor transmitted to other users. Only the coordinates you explicitly assign to a pin are stored permanently.
Legal basis: Art. 6(1)(a) GDPR (consent by granting the location permission). You can revoke the permission at any time in the system settings of your device.
Purpose: stability, debugging, performance optimization, product improvement.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional, error-free product) for purely necessary diagnostics; Art. 6(1)(a) GDPR (consent) for analytics beyond what is technically necessary. Analytics is disabled in debug mode.
Opt-out: you can limit crash reports, performance monitoring and analytics at the device system level via Android/iOS privacy settings (or on iOS via App Tracking Transparency). An in-app opt-out for analytics is planned.
When you purchase the "Founder Pack" or "Premium Pack", the following data is processed:
The actual payment is processed exclusively via the Apple App Store or Google Play; we do not receive credit card or bank data. Purchase management is handled technically through RevenueCat (see section 5).
Legal basis: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(c) GDPR (statutory retention requirements).
When you report content or a user, we store your user ID, the ID of the reported content/user, the reason and optionally a description. This data is stored to process the report and for documentation pursuant to the Digital Services Act (DSA).
Legal basis: Art. 6(1)(c) GDPR (legal obligation under the DSA), Art. 6(1)(f) GDPR (legitimate interest in platform safety).
We use the following processors and services. Data processing agreements under Art. 28 GDPR are in place with all providers. Where data is transferred to third countries (in particular the United States), transfers are based on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR and/or – for US-certified providers – on the EU-US Data Privacy Framework (Art. 45 GDPR).
| Service | Provider | Purpose | Transfer |
|---|---|---|---|
| Firebase Authentication | Google Ireland Ltd. (EU) / Google LLC (US) | Login, password hash, session | US (SCCs + DPF) |
| Cloud Firestore | Google Ireland Ltd. / Google LLC | Database for pins, profiles, meetups | EU – Region: europe-west4 (Netherlands); administrative access by Google LLC (US) cannot be excluded, based on SCCs + DPF |
| Firebase Storage | Google Ireland Ltd. / Google LLC | Storage of uploaded photos | US (SCCs + DPF) |
| Firebase Cloud Functions | Google Ireland Ltd. / Google LLC | Server-side logic | US (SCCs + DPF) – default us-central1 |
| Firebase Cloud Messaging | Google Ireland Ltd. / Google LLC | Push notifications | US (SCCs + DPF) |
| Firebase Analytics | Google Ireland Ltd. / Google LLC | Usage analytics | US (SCCs + DPF) |
| Firebase Crashlytics | Google Ireland Ltd. / Google LLC | Crash reporting | US (SCCs + DPF) |
| Firebase Performance Monitoring | Google Ireland Ltd. / Google LLC | Performance measurement | US (SCCs + DPF) |
| Firebase Hosting | Google Ireland Ltd. / Google LLC | Website delivery | US (SCCs + DPF) |
| Google Sign-In | Google Ireland Ltd. / Google LLC | Authentication via Google account | US (SCCs + DPF) |
| Google Places API | Google Ireland Ltd. / Google LLC | Autocomplete and place search | US (SCCs + DPF) |
| Google Play In-App Review | Google Ireland Ltd. / Google LLC | In-app rating prompt (Android) | US (SCCs + DPF) |
| Apple Sign In | Apple Distribution International Ltd. (Ireland) | Authentication via Apple ID | EU / US |
| Apple App Store In-App Purchase | Apple Distribution International Ltd. | Purchase processing on iOS | EU / US |
| Apple Push Notification Service | Apple Distribution International Ltd. | Push notifications on iOS | EU / US |
| Apple In-App Ratings | Apple Distribution International Ltd. | In-app rating prompt (iOS) | EU / US |
| Mapbox | Mapbox Inc., US | Map tiles and rendering | US (SCCs + DPF) |
| RevenueCat | RevenueCat Inc., US | In-app purchase and entitlement management | US (SCCs) |
Provider privacy notices:
Profiles, pins and meetups may – depending on your settings – be visible to other users of the App. Public profiles and pins can potentially be viewed by all signed-in users. When creating content, be mindful not to share information you do not want to be public.
No sharing with third parties other than the processors listed in section 5 takes place. Disclosure to government agencies only occurs when we are legally obliged to do so (e.g., upon court order).
We do not sell personal data.
| Data category | Retention period |
|---|---|
| Account and profile data | for the duration of your account |
| Content (pins, photos, meetups) | until deleted by you or upon account deletion |
| Crash and performance data | up to 90 days (Firebase default) |
| Analytics data | up to 14 months (configured Firebase default) |
| Push tokens | until logout or uninstall |
| Reports and moderation decisions | up to 3 years (DSA documentation) |
| Purchase receipts and transactions | up to 10 years (tax retention, § 147 AO) |
| Server logs with IP address | usually max. 30 days |
After deletion of your account, personal data is removed from all active systems within 30 days, except for data subject to statutory retention (e.g., invoicing data).
Under the GDPR, you have the following rights:
You can delete your account at any time in the app settings under "Delete account". Instructions and information on how to request deletion without the app installed are available at pinyourplate.app/delete-account. For any other request, contact support@pinyourplate.app.
Without prejudice to any other legal remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or of the alleged infringement.
The supervisory authority for the controller is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany
www.lda.brandenburg.de
There is no automated decision-making, including profiling, within the meaning of Art. 22 GDPR.
Use of the App is permitted for persons aged 16 and over. Persons under 16 may use the App only with verifiable consent of their legal guardians (Art. 8 GDPR). The App is not directed at children. If we become aware that a child has submitted data without the required consent, it will be deleted immediately.
Data is encrypted in transit via TLS/HTTPS. On the server side, data is stored in the access-controlled systems of our processors. Internal access to personal data is restricted to the necessary minimum.
Push notifications are only sent if you have granted the corresponding system permission. You may revoke the permission at any time in your device settings.
The website pinyourplate.app is a purely static information page and does not set tracking cookies. Technically necessary cookies of the hosting provider (Firebase Hosting) may be used temporarily; no consent is required for this under § 25(2)(2) TDDDG.
We reserve the right to adapt this Privacy Policy to reflect changes in the law or new features. We will inform you of material changes – where required – within the app or by e-mail. The current version is available at pinyourplate.app/privacy.
For privacy-related questions, contact us at:
E-mail: support@pinyourplate.app