Privacy Policy
Last updated: July 6, 2026
1. Data Controller
Marco Waltenberger
Eselsbergsteige 137
89075 Ulm
Germany
Email: maggehdx@gmail.com
See also our Impressum (legal notice, German).
2. Data We Collect
When using the "MARBLE" app, the following personal data is processed:
- Account data: Email address, display name, and user ID (during registration and login)
- Third-party authentication data: When signing in via "Sign in with Google" or "Sign in with Apple", the data released by the respective provider (typically email address and name) is transmitted to our authentication service Firebase Authentication
- Usage data: Recipes, shopping lists, meal plans, categories, and group memberships that you create in the app
- Images: Recipe images and profile pictures that you upload
- Subscription and purchase data: When taking out a paid subscription, an anonymized purchaser ID, the subscription status, purchase receipts, and technical platform information (App Store / Google Play) are transmitted to our billing service provider RevenueCat
- Text recognition (OCR): If you use a photo for automatic recognition of ingredients or instructions, the image is processed exclusively locally on your device using Google ML Kit. No upload to an external service takes place.
- Device data: Device type, operating system, app version (for crash reports and analytics)
- Push notifications: Device token for sending notifications (e.g., timers)
3. Minimum Age
The app is intended for users aged 16 and older. Users under 16 may only use the app with the explicit consent of a parent or guardian (Art. 8(1) GDPR in conjunction with § 21(4) TTDSG). If you believe a child has created an account without the required consent, please contact us at maggehdx@gmail.com so we can delete the account promptly.
4. Purpose of Data Processing
- App functionality: Providing core features (recipes, meal plans, shopping lists, groups)
- Authentication: Secure login and association of your data — optionally via email/password, "Sign in with Google", or "Sign in with Apple"
- Synchronization: Cross-device data synchronization and group collaboration
- Subscription management: Management of paid subscriptions (Premium tier), reconciliation of purchase status with the app stores
- Bug fixing: Detection and resolution of app crashes (Crashlytics)
- Improvement: Anonymized usage analysis to improve the app (Analytics)
- Advertising: Display of personalized ads in the free tier (AdMob)
5. Legal Basis
- Art. 6(1)(b) GDPR — Contract performance: Providing app features (recipes, meal plans, shopping lists, groups, authentication) as well as processing paid subscriptions
- Art. 6(1)(f) GDPR — Legitimate interest: Bug fixing and crash analysis (Crashlytics), protection against misuse
- Art. 6(1)(a) GDPR — Consent: Usage analytics (Firebase Analytics), personalized advertising (AdMob), and push notifications
6. Third-Party Services and Data Transfers
We use the following third-party services as data processors or as independent controllers:
- Google Firebase (Google LLC, USA) — Authentication, file storage, crash reports, analytics, push notifications. Privacy information
- Google Sign-In (Google LLC, USA) — Optional authentication method when signing in via a Google account. Privacy information
- Sign in with Apple (Apple Inc., USA) — Optional authentication method when signing in via an Apple account. Privacy information
- Supabase (Supabase Inc.) — Cloud database for recipes, shopping lists, meal plans. Data is stored exclusively in the EU (Frankfurt, Germany). Privacy information
- RevenueCat (RevenueCat, Inc., USA) — Processing and status management of paid subscriptions. Privacy information
- Google AdMob (Google LLC, USA) — Advertising in the free tier. Privacy information
Providers based in the USA (Google LLC, Apple Inc., RevenueCat, Inc.) are certified under the EU-US Data Privacy Framework; data transfers are carried out on the basis of the European Commission's adequacy decision of 10 July 2023 (Art. 45 GDPR). EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) additionally apply as a supplementary safeguard. Supabase stores data exclusively in the EU and is not subject to third-country transfers.
7. Data Retention
Your data is stored as long as your account exists. When you delete your account, all personal data will be removed within 30 days. Crash reports and anonymized analytics data are retained for up to 90 days. Subscription billing data may be retained for up to 10 years beyond account deletion due to commercial and tax law retention obligations (§ 147 AO, § 257 HGB).
8. App Permissions
Depending on the feature in use, the app requires the following device permissions:
- Camera — for taking recipe or profile pictures and for text recognition (OCR) of ingredients and preparation steps. Recordings are only processed upon your active selection.
- Photo library / storage — for selecting existing images as recipe or profile pictures
- Notifications — for displaying timer and reminder notifications (only after consent)
- Internet access — for synchronizing your data and logging in
You can revoke these permissions at any time in your device's system settings.
9. Your Rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR) — Information about data stored about you
- Rectification (Art. 16 GDPR) — Correction of inaccurate data
- Erasure (Art. 17 GDPR) — Deletion of your data
- Restriction (Art. 18 GDPR) — Restriction of processing
- Data portability (Art. 20 GDPR) — Export of your data upon request by email; you will receive your data in a common, machine-readable format (JSON)
- Objection (Art. 21 GDPR) — Objection to processing
- Withdrawal of consent — At any time with effect for the future, e.g. within the app in the settings for analytics, advertising, and notifications
To exercise your rights, contact us at maggehdx@gmail.com.
You also have the right to lodge a complaint with a data protection supervisory authority, in particular the:
Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de
10. Reporting Infringing Content (Notice and Takedown)
Rights holders and other affected parties can report content that infringes their rights (e.g., copyright infringements) directly in the app via the "Report" function or by email to maggehdx@gmail.com. Please identify the affected content and your ownership of the rights as specifically as possible. Reports are reviewed without undue delay — usually within 7 days — and infringing content is removed or blocked.
11. Automated Decision-Making
We do not make automated decisions within the meaning of Art. 22 GDPR that produce legal effects or similarly significantly affect you. No profiling takes place.
12. Data Protection Officer
Due to the size and structure of the operation, there is no legal obligation to appoint a data protection officer (§ 38 BDSG, Art. 37 GDPR). For data-protection-related concerns, please contact the controller named in Section 1 directly.
13. Contact
For privacy-related questions, reach us at:
maggehdx@gmail.com
Deutsche Version