Privacy
Status: June 18, 2024
Thank you for being part of our mealy community at Sunshine Labs GmbH (hereinafter “Company”, “we”, “us” or “our”). We are committed to protecting your personal data and upholding your right to privacy. If you have any questions or concerns about this Privacy Policy or our practices with respect to your personal information, please contact us at data-privacy@mealy.de.
The “mealy” application (hereinafter “App”) and the “mealy” web service (hereinafter “Website”) are provided by us. Data is collected, processed and used each time you use one of our services (hereinafter “Services”). As the protection of your privacy when using our services is important to us, we would like to inform you below about which of your personal data is collected when you use our services and how this data is handled.
Name and address of the person responsible
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is the:
Sunshine Labs GmbH
Weisestr. 24
12049 Berlin
Germany
E-Mail: data-privacy@mealy.cooking
Website: https://mealy.cooking
represented by the management Friederike Hille
General information on data processing
1. description and scope of data processing
We only process our users' personal data to the extent necessary to provide a functional website and our content and services. The processing of our users' personal data only takes place regularly with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
2 Legal basis for data processing
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
3 Data erasure and storage duration
The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
Translated with DeepL.com (free version)
Website privacy policy
I. Provision of the website
1. description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
IP address of the user
Time of access
This data is stored in the log files of our system. This data is not stored together with other personal data of the user.
2 Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
3 Purpose of the data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. The data is stored in log files to ensure the functionality of the website. We also use the data to optimize the website and to ensure the security of our information technology systems. The data is not analyzed for marketing purposes in this context. These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.
4 Duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. If the data is collected to provide the website, it will be retained for a maximum of 7 days.
5. possibility of objection and removal
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, the user has no option to object.
6. recipient of data / transfer to third countries
In addition to us, our hosting service provider Wix.com Ltd, Nemal St. 40, 6350671 Tel Aviv, Israel, has access to this data. This provider supports us in the operation and maintenance of the website. Further details on data protection provisions can be found at https://de.wix.com/about/privacy. We would like to point out that this service provider is based in Israel, i.e. outside the EU. As the ECJ has determined, there is currently no level of data protection in Israel comparable to that in the EU, as Israeli authorities and intelligence services could access this data. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
II Use of website cookies
1. description and scope of data processing
Further details on data processing can be found in the respective data protection notices of the service providers.For more information, please contact data-privacy@mealy.cooking.We would like to point out that these service providers are located in the USA, i.e. outside the EU.
This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
We use www.wix.com as a service tool to set up our website. This tool sets the following cookies:
Name des Cookies | Zweck | Dauer | Art des Cookies |
|---|---|---|---|
hs | Wird aus Sicherheitsgründen verwendet | Sitzung | Essentiell |
svSession | Wird in Verbindung mit der Nutzeranmeldung verwendet | 2 Jahre | Essentiell |
SSR-caching | Wird verwendet, um das System anzuzeigen, von dem die Website gerendert wurde | 1 Minute | Essentiell |
TS* | Wird aus Sicherheitsgründen und zur Betrugsbekämpfung verwendet | Sitzung | Essentiell |
bSession | Wird für die Messung der Systemeffektivität verwendet | 30 Minuten | Essentiell |
fedops.logger.sessionId | Wird für die Messung der Systemeffektivität verwendet | 12 Monate | Essentiell |
wixLanguage | Wird auf mehrsprachigen Websites verwendet, um die Sprache des Nutzers zu speichern | 12 Monate | Funktional |
XSRF-TOKEN | Wird aus Sicherheitsgründen verwendet | Sitzung | Essentiell |
When accessing our website, the user is informed about the use of cookies for analysis purposes and his consent to the processing of the personal data used in this context is obtained. In this context, reference is also made to this privacy policy.
IV. Web analysis through Google Analytics
1. description and scope of data processing
This website uses Google Analytics, a web analysis service of Google Inc (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is transmitted to a Google server in the USA and stored there. Google will use this information on behalf of the operator of this website for the purpose of evaluating the use of the website by users, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. We would like to point out that your IP address will be sent to Google servers that may be located in the USA, i.e. a third country outside the EU. The level of data protection in the USA does not currently correspond to the level within the EU. In particular, there are no adequate legal protection options. In addition, US laws allow the US secret services and authorities such as the CIA and NSA access to servers, e.g. at Google and “telephone and internet lines” in the USA, meaning that the IP address could be affected by access by the secret services. The previous agreements between the USA and the EU, Safe Harbour and Privacy Shield, which were intended to ensure an adequate level of data protection between the USA and the EU, were declared invalid by the European Court of Justice, meaning that they no longer apply. The EU and the USA must renegotiate. You can find Google's general data protection information at the following link: https://policies.google.com/privacy?hl=de. The following cookies are set by Google (translated from English by Google):
Cookie | Beschreibung | Dauer | Typ |
|---|---|---|---|
_gid | Dieses Cookie wird von Google Analytics installiert. Das Cookie wird verwendet, um Informationen darüber zu speichern, wie Besucher eine Website nutzen, und hilft bei der Erstellung eines Analyseberichts darüber, wie die Website funktioniert. Die gesammelten Daten umfassen die Anzahl der Besucher, die Herkunftsquelle und die besuchten Seiten in anonymisierter Form. | 1 Tag | Analytics |
_gat | Dieses Cookie wird von Google Universal Analytics installiert, um die Anforderungsrate zu drosseln und die Erfassung von Daten auf stark frequentierten Websites zu begrenzen. | 1 Minute | Performance |
_ga | Dieses Cookie wird von Google Analytics installiert. Das Cookie wird verwendet, um Besucher-, Sitzungs- und Kampagnendaten zu berechnen und die Nutzung der Website für den Analysebericht der Website zu verfolgen. Die Cookies speichern Informationen anonym und weisen eine zufällig generierte Nummer zu, um eindeutige Besucher zu identifizieren. | 2 Jahre | Analytics |
2. legal basis for data processing
We obtain your consent to the use of Google Analytics and the setting of a cookie by Google on your computer with the help of a so-called consent / cookie banner when the user accesses the page. By ticking the box, the user actively consents to the data processing described under VIII. for the purposes described here. In particular, you also consent to US intelligence services being able to access the servers, the “telephone and internet lines” and thus your IP address when the IP address is transmitted to Google servers in the USA. You expressly consent to this. The legal basis is Art. 6 para. 1 lit. a, 7, 49 para. 1 lit. a GDPR.
3 Purpose of the data processing
We use Google Analytics to carry out an analysis of your surfing behavior in order to better tailor the offers on our website and our products to your needs.
4 Duration of storage, objection and removal options
The cookies are stored by Google on your computer and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent. In addition, the storage period of the cookies used and deployed by Google can be seen from the above list.
5. recipient of data
In addition to us, our analytics service provider Google Analytics, Google, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA, has access to this data. This provider supports us in the operation and maintenance of the website. Further details on data protection provisions can be found at https://cloud.google.com/security/privacy.
Data protection information for the app
I. Provision of the app
1. description and scope of data processing
We provide you with a mobile app that you can download to your mobile device if you are at least 16 years old. If you are not 16 years old, the consent of your parents is required in accordance with Art. 8 para. 1 sentence 2 GDPR. Below we provide information on the collection of personal data when using our mobile app. When you download the mobile app from the App Store, the required information is transmitted to the App Store, in particular your user name, email address and customer number of your account, time of download, payment information and the individual device code. We have no influence on this data collection and are not responsible for it. We only process the data to the extent necessary to download the mobile app to your mobile device. When using our app, our system collects data and information from the user's mobile device. The following data is collected:
IP address of the user
Information about the end device (operating system and version, device brand and device model, Android Advertising ID, Apple IDFA/IDFV, language setting)
Location of the user (localization of the IP address)
Optional: GPS coordinates of the user
Time and duration of access
Optional: information on diet (e.g. “vegetarian diet”)
User events (e.g. favoriting a recipe)
Device tokens, e.g. for sending push notifications
2. legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent.
3 Purpose of the data processing
Developers can use information about the user's device to address specific problems. Information on dietary habits and user events improves the delivery of relevant content and helps to continuously optimize the app. Device tokens are necessary to deliver push notifications and in-app messages. Here, information such as location supports the targeting of messages. Other personal data is used to optimize the app and marketing.
4. duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected or to fulfill statutory retention obligations.
5. right of objection and removal
As an unregistered user, you have the option of deleting the app at any time, thereby preventing further data processing in the future. If you also wish to delete or change your data, you can request this by email.
II Account registration
1. description and scope of data processing
In our app, we offer users the opportunity to register by providing personal data. Registration is required to use an extended range of functions or to take out a subscription. The data is entered in input masks and transmitted to us and stored. In addition to the data collected when using the app, the following data is collected as part of the registration process
E-mail address
First name and surname
Time of registration
Access data
Optional: profile picture
Optional: Notes on recipes
As part of the registration process, the user's consent to the processing of this data is obtained.
2. legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent.
3 Purpose of the data processing
User registration is required for the provision of certain content and services on our website. Registration makes it possible to create collections of recipes, share shopping lists with other users and log in on multiple devices at any time.
4. duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for the data collected during the registration process if the registration is canceled or modified.
5. possibility of objection and removal
As a user, you have the option of canceling your registration at any time. You can change the data stored about you at any time. The account can be deleted at any time via the settings in the mealy app.
III Paid subscriptions and trial subscriptions
1. description and scope of data processing
In addition to using the app free of charge, you have the option of taking out a paid subscription or a trial period for a subscription. This gives you access to an extended range of functions of the mealy app. As soon as you wish to take advantage of a free trial period for a subscription or a paid subscription via an in-app purchase, information on the payment method, including credit card details and other information on the financial service provider is collected and stored via the corresponding platform provider (Apple or Google). Sunshine Labs itself does not process any credit card or bank details. We do not receive any personal data relating to the payment data processed by the platform providers, only:
Time of conclusion of the subscription
Term of the subscription
Type of subscription
2. legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent. In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis.
3. purpose of the data processing
Information about users' settings in relation to individual diets enables us to improve the delivery of relevant content and continuously optimize the service for our users, both within the app and in our marketing channels. Information on payment methods transmitted via the service providers Apple or Google is necessary in order to take advantage of a trial subscription or a paid subscription.
4. duration of storage
We store your data to the extent and for as long as this is necessary to achieve the aforementioned purposes and due to statutory retention obligations.
5. possibility of objection and removal
As a user, you have the option to object at any time and have any personal data collected deleted.
IV. Disclosure of personal data to third parties
1. description and scope of data processing
Insofar as this is necessary for the provision of the contractual service owed by us or legal obligations, your data will also be passed on to service providers. A list of all service providers, if available, can be found here.
2 Legal basis for data processing
Your personal data will only be passed on within the framework of the relevant requirements, in particular data protection and competition law. In accordance with Art. 6 Para. 1 a.), we are entitled to collect, store and transfer personal data if the data subject has consented to the data processing
3. purpose of data processing
The transfer of personal data to third parties serves to provide the service in our name or on our behalf (e.g. technical processing of email dispatch, payment processing, sending push notifications). The transfer of personal data to third parties enables us to offer the services related to mealy.
4. duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected or to fulfill statutory retention obligations. In addition, we refer to the data protection provisions of the respective service provider. A list of all service providers with their respective data protection provisions, if available, can be found here.
5 Possibility of objection and removal
As a user, you have the option to object at any time and have any personal data collected deleted.
V. Transfer to third countries
1. description and scope of data processing
In order to provide the services around mealy, data may also be transferred to third countries. If processing is carried out by third-party services outside the European Union or the European Economic Area, these must meet the special requirements of Art. 44 et seq. of the GDPR.
2 Legal basis for data processing
Your personal data will only be passed on within the relevant requirements, in particular those of data protection and competition law. In accordance with Art. 6 para. 1 a.), we are authorized to collect, store and transfer personal data if the data subject has consented to the data processing
3. purpose of data processing
The transfer of personal data to third parties serves to provide the service in our name or on our behalf (e.g. technical processing of email dispatch, payment processing, sending push notifications). The transfer of personal data to third parties enables us to offer the services related to mealy.
4. duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected or to fulfill statutory retention obligations.In addition, we refer to the data protection provisions of the respective service provider. A list of all service providers with their respective data protection provisions, if available, can be found here.
5. possibility of objection and removal
As a user, you have the option to object at any time and have any personal data collected deleted.
VI Recipients of data (in third countries) / service providers with access to personal data (from third countries)
Sunshine Labs works with service providers to offer the services around mealy. A service provider receives personal data from Sunshine Labs and is commissioned to process this data for specific purposes. Below you will find a list of all Sunshine Labs service providers with the purpose and location of the data processing. Further details on data processing can be found in the respective data protection notices of the service providers.For more information, please contact data-privacy@mealy.cooking.
We would like to point out that these service providers are located in the USA, i.e. outside the EU. As the ECJ has determined, the level of data protection in the USA is currently not comparable to that in the EU, as US authorities and secret services could access this data. If we obtain your consent when you access the app, you consent to the transmission of the data and any access by these authorities.
Dienstleister | Zweck der Datenverarbeitung | Adresse |
|---|---|---|
Typeform | Umfrageplattform | Carrer de Bac de Roda, 163, 08018 Barcelona, Spanien |
Google - Firebase | Datenbank | 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA |
AppsFlyer | Attributionsverfolgung | 100 1st St 25th floor, San Francisco, CA 94105, USA |
Rights of the Data Subject
If your personal data is being processed, you are considered a data subject under the GDPR, and you have the following rights against the data controller. You can exercise these rights, for example, by emailing data-privacy@mealy.cooking:
1. Right of Access
You have the right to request confirmation from the controller as to whether personal data concerning you is being processed by us.
• the purposes for which the personal data is processed;
• the categories of personal data that are being processed;
• the recipients or categories of recipients to whom the personal data concerning you have been disclosed or will be disclosed;
• the planned duration of the storage of your personal data, or, if specific information cannot be provided, the criteria used to determine the storage period;
• the existence of a right to rectify or erase your personal data, a right to restrict processing by the controller, or a right to object to such processing;
• the existence of a right to lodge a complaint with a supervisory authority;
• all available information about the origin of the data, if the personal data was not collected from the data subject;
• the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR, and—at least in such cases—meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed whether your personal data is transferred to a third country or an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
2. Right to Rectification
You have the right to obtain rectification and/or completion from the controller if the personal data concerning you is inaccurate or incomplete. The controller must make the correction without undue delay.
3. Right to Restrict Processing
Under the following conditions, you can request the restriction of processing of your personal data:
• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims; or
• if you have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
If the processing of your personal data has been restricted, such data shall—except for storage—only be processed with your consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. If the restriction of processing has been limited according to the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to Erasure
a) Obligation to Erase
You have the right to demand the immediate erasure of personal data concerning you from the controller, and the controller is obligated to erase this data without undue delay if one of the following reasons applies:
• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You withdraw your consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
• You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
• The personal data concerning you has been unlawfully processed.
• The erasure of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
• The personal data concerning you was collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
b) Information to Third Parties
If the controller has made your personal data public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you as the data subject have requested the erasure of any links to, or copies or replications of, this personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary:
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation that requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health according to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) GDPR, in so far as the right referred to in (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise, or defense of legal claims.
5. Right to Notification
If you have exercised your right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of data or restriction of processing unless this proves impossible or involves disproportionate effort. You have the right to be informed by the controller about these recipients.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided, provided that:
• the processing is based on consent according to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract according to Art. 6(1)(b) GDPR; and
• the processing is carried out by automated means.
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This right must not adversely affect the rights and freedoms of others. The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. The controller will no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes. In connection with the use of information society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to Withdraw Consent
You have the right to withdraw your consent to data processing at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This does not apply if the decision:
• is necessary for entering into, or performance of, a contract between you and the controller;
• is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• is based on your explicit consent.
However, such decisions must not be based on special categories of personal data referred to in Art. 9(1) GDPR unless Art. 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in (1) and (3), the controller will implement suitable measures to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.
10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.