Privacy Policy

As of: April 2026

1. General

ExodaFood is an app for tracking nutritional data, analyzing food items and supporting grocery shopping. Your privacy is very important to us. This privacy policy explains what data is collected and how it is used.

2. Controller

The controller within the meaning of the GDPR is:

T. Stephan
Kookamp 40
46354 Südlohn
Germany
Phone: +49 171 3833568
E-Mail: info@exoda.de

ExodaFood does not require registration and does not collect personal data such as name, email address or phone number. The app automatically creates an anonymous identifier (Firebase Anonymous Auth) to associate your data with your device. An optional nickname is only required for the community feature.

3. Data stored per user

The following data is stored per user (only under your anonymous identifier) in the cloud:

• Nutrition entries (food items, nutritional values, date)
• Health Data: Optional profile data such as height, weight, age and activity level – only if entered by you, used exclusively to calculate your personal calorie requirement and not shared with third parties
• Community posts (nickname, text, optional images)
• Fridge list (food items captured or recognised via photo by you)
• Shopping cart (items added by you)
• FCM token (for push notifications on community interactions)

All user-related data is linked exclusively to your anonymous identifier and can be deleted at any time.

4. Shared data (product database)

The following data is stored collectively and is visible to all users:

• Products identified during receipt scanning (product name, category)
• Store markers: which stores users have specified for a product (only store name and count – no user reference visible externally)
• AI-generated recipes (without user reference)

5. AI image analysis (OpenAI)

When you use the Scan fridge or Scan receipt features, the captured photo is temporarily transmitted to a Google Cloud Function, which forwards it to the OpenAI API (GPT-4o Vision) for analysis. The following applies:

• The photo is not stored permanently – neither on our servers nor at OpenAI (OpenAI does not use data from API requests to train its models).
• Only the result identified by the AI (product list) is further processed and stored in the app.
• The OpenAI Privacy Policy applies.

6. Location data

For the Markets nearby feature, the app requires one-time access to your location. The following applies:

• Your location is not stored in Firebase and is not passed on to third parties.
• It is used solely for a query to the OpenStreetMap Overpass API to find nearby stores.
• You can revoke location access at any time in your device settings.
• The OpenStreetMap Foundation Privacy Policy applies.

7. Firebase (Google)

ExodaFood uses Google Firebase for data storage, anonymous authentication, Cloud Functions and push notifications (FCM). The infrastructure is located in the EU (region europe-west1). The Google Firebase Privacy Policy applies.

8. Data sources

• Open Food Facts (openfoodfacts.org, ODbL 1.0): When scanning barcodes or searching for products, requests are sent to the Open Food Facts API.
• OpenStreetMap / Overpass API (ODbL 1.0): For the nearby markets feature, the Overpass API is queried; the temporary location is transmitted in the process.
• OpenAI API: For AI recipe suggestions and image analysis.

9. Push notifications

If you allow the app to send notifications, a Firebase Cloud Messaging token (FCM token) is stored anonymously in the database. This token is used solely to send you notifications about new comments in the community. You can disable push notifications at any time in your device's system settings.

10. Your rights (GDPR)

As a data subject, you have the following rights under the GDPR:

• Access (Art. 15 GDPR): Right to information about what data is stored about you
• Rectification (Art. 16 GDPR): Right to correction of inaccurate data
• Erasure (Art. 17 GDPR): Right to deletion of your data
• Restriction (Art. 18 GDPR): Right to restricted processing
• Objection (Art. 21 GDPR): Right to object to processing
• Data portability (Art. 20 GDPR): Right to receive your data

At any time you can directly in the app:

• View and delete your nutrition entries, fridge list and shopping cart
• Adjust or reset your profile
• Delete community posts and comments
• Revoke location access in your device settings
• Disable push notifications

Since all data is stored completely anonymously, identification and targeted deletion of individual users by us is technically not possible. All your data is bound to the anonymous identifier on your device.

You also have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is: State Commissioner for Data Protection and Freedom of Information NRW.