Privacy Policy
This policy applies to tastysnap.app and to the TastySnap iOS app. We collect as little data as possible: no analytics, no tracking, no advertising cookies, no user account. AI photo generation processes your uploaded image on servers in the United States — details and your rights are below. The German version at /datenschutz is the legally binding original.
1. Controller
The data controller within the meaning of the GDPR is:
LUMOS STUDIO (Stoffels Terren GbR)
Theaterplatz 3
52062 Aachen, Germany
Phone: +49 30 75439979
Email: support@tastysnap.app
Authorized partners: Michael Stoffels, Jana Terren.
No data protection officer has been appointed; the thresholds in Article 37 GDPR are not met.
2. General
We process personal data only on the basis of applicable laws — in particular the GDPR, the German Federal Data Protection Act (BDSG) and the German TDDDG. This policy informs you in accordance with Article 13 GDPR about the nature, scope and purpose of processing as well as your rights.
3. Hosting
The website is hosted by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. The servers are located in a data center in Nuremberg, Germany. We have entered into a data processing agreement (Article 28 GDPR) with Hetzner. The legal basis is Article 6 (1) (f) GDPR; the legitimate interest is the reliable operation of the website.
4. Server log files
When you visit the website, our server automatically processes the following data in a log file:
- IP address of the requesting device (truncated where technically possible)
- date and time of the request
- requested URL and HTTP status code
- amount of data transferred
- referrer URL and user agent (browser/operating system)
These data are processed to ensure operation and to defend against attacks (Article 6 (1) (f) GDPR). Storage is limited to a maximum of seven days; the data is not combined with other information.
5. Beta sign-up (/beta area)
On tastysnap.app/beta you can request a promo code as a beta tester. We process the first name or nickname you enter so that we can attribute the issued code to you and prevent duplicate issuance.
- Data processed: the name you enter (max. 50 characters). A nickname is fine — you don't have to provide your real name.
- Legal basis: Article 6 (1) (a) GDPR (consent given by submitting the form).
- Storage location: Hetzner Online GmbH servers in Nuremberg, Germany.
- Retention: until the end of the beta program; the entire list is then deleted.
You may withdraw your consent for the future at any time by sending a brief email to support@tastysnap.app. We will delete the entry promptly.
6. Contact by email or phone
If you contact us using the email address or phone number listed in the legal notice, we process the data you provide in order to handle your request. The legal basis is Article 6 (1) (b) GDPR for pre-contractual or contractual matters and Article 6 (1) (f) GDPR otherwise. Data is deleted as soon as it is no longer required for the purpose for which it was collected, subject to statutory retention periods.
7. Data processing in the TastySnap iOS app
The TastySnap app is an AI-assisted food-photo enhancement tool. It is built to be data-minimal: no account, no login, no analytics, no tracking, no advertising.
7.1 Device identifier
On first launch, the app generates a random, locally stored device identifier. It is used to attribute your credit balance to the device without requiring a user account. This identifier is not combined with other data and can be removed at any time by uninstalling the app. Legal basis: Article 6 (1) (b) GDPR (performance of contract).
7.2 Photo processing (core feature)
When you upload a photo in the app, it is sent to our backend service, forwarded to an AI provider and the result is returned to your device. Processing is carried out for the performance of the contract with you (Article 6 (1) (b) GDPR).
The following processors are involved:
- Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA — backend (Cloudflare Workers) and short-term storage of the uploaded original photo and the AI result (Cloudflare R2). A data processing agreement (Article 28 GDPR) is in place, including EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). Cloudflare is certified under the EU-US Data Privacy Framework (Article 45 GDPR; adequacy decision of 10 July 2023).
- Features & Labels, Inc. (operator of fal.ai), 2261 Market St, Suite 10467, San Francisco, CA 94114, USA — AI image generation. A data processing agreement (Article 28 GDPR) is in place; the transfer to the USA is based on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR).
Retention: We do not store original photos or AI results long-term. In our cloud storage (Cloudflare R2) they remain only as long as necessary to provide the feature and any immediate follow-up (e.g. saving or re-running a generation), and are removed regularly thereafter. Storage at Features & Labels, Inc. is governed by their privacy policy; we contractually require that data be processed only as needed for image generation. Generated images are additionally saved — at your discretion — to your device's local photo library; that storage is entirely on your device.
You can request deletion of all data linked to your device identifier at any time by emailing support@tastysnap.app.
No automated decision-making within the meaning of Article 22 GDPR is carried out. The AI image generation is a creative tool with no legal effect on you.
7.3 Purchases (in-app purchases)
Purchases of credit packages are processed via Apple's StoreKit. The provider is Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. We receive only an anonymized confirmation that a transaction was successful, plus a transaction ID; your payment method and personal data are processed exclusively by Apple. The legal basis is Article 6 (1) (b) GDPR. Apple's privacy policy applies in addition.
7.4 App permissions
- Camera: only when you actively take a photo within the app.
- Photo library: only to pick a specific existing photo and to save the result.
Both accesses are user-initiated; no content is read without your active selection.
8. Cookies and similar technologies
The website does not use cookies or comparable storage technologies for tracking, analytics or advertising. A consent banner under § 25 TDDDG is therefore not required.
The only piece of local storage we set is a flag that remembers when you've dismissed the beta tester banner at the top of the homepage. No personal data is stored or transmitted; the entry stays on your device and can be cleared via your browser's settings at any time.
The app stores only functionally necessary values locally on the device (e.g. credit balance in iOS UserDefaults). These values are not transmitted to third parties.
8a. Minors
Our service is intended for users aged 16 and older. We do not knowingly collect personal data from individuals under 16. If you believe data of a minor has been submitted to us, please email support@tastysnap.app; we will delete it without undue delay.
9. Recipients
Apart from the processors named in sections 3 and 7, we do not pass on personal data to third parties unless legally required to do so.
10. International transfers
In the context of app usage, data is transferred to the USA (see section 7.2). Transfers are carried out on the basis of EU Standard Contractual Clauses (Article 46 (2) (c) GDPR) and, where the provider is certified, on the basis of the EU-US Data Privacy Framework adequacy decision (Article 45 GDPR).
11. Your rights
You have the right at any time:
- to obtain information about the personal data we hold about you (Article 15 GDPR),
- to have inaccurate data corrected (Article 16 GDPR),
- to have data erased (Article 17 GDPR),
- to restrict processing (Article 18 GDPR),
- to data portability (Article 20 GDPR),
- to object to processing (Article 21 GDPR),
- to withdraw consent with effect for the future (Article 7 (3) GDPR).
A short email to support@tastysnap.app is sufficient.
You also have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf, Germany
www.ldi.nrw.de
12. Data security
Data is transmitted exclusively over encrypted connections (TLS 1.2/1.3). Data in Cloudflare R2 is encrypted server-side.
13. Changes to this policy
We update this policy when our processing activities change or new legal requirements arise. The current version published here applies.