Privacy Policy

This policy applies to tastysnap.app and to the TastySnap iOS app. We collect as little data as possible. On the website we use analytics and marketing services (Google Tag Manager, Google Analytics 4, the Meta Pixel, the TikTok Pixel and Microsoft Clarity) only with your consent, which you can grant or refuse via the cookie notice and withdraw at any time. The TastySnap app itself still uses no tracking and no analytics. AI photo generation processes your uploaded image on servers in the United States — details and your rights are below. The German version at /datenschutz is the legally binding original.

1. Controller

The data controller within the meaning of the GDPR is:

LUMOS STUDIO (Stoffels Terren GbR)
Theaterplatz 3
52062 Aachen, Germany
Phone: +49 30 75439979
Email: support@tastysnap.app

Authorized partners: Michael Stoffels, Jana Terren.

No data protection officer has been appointed; the thresholds in Article 37 GDPR are not met.

2. General

We process personal data only on the basis of applicable laws — in particular the GDPR, the German Federal Data Protection Act (BDSG) and the German TDDDG. This policy informs you in accordance with Article 13 GDPR about the nature, scope and purpose of processing as well as your rights.

3. Hosting

The website is hosted by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. The servers are located in a data center in Nuremberg, Germany. We have entered into a data processing agreement (Article 28 GDPR) with Hetzner. The legal basis is Article 6 (1) (f) GDPR; the legitimate interest is the reliable operation of the website.

4. Server log files

When you visit the website, our server automatically processes the following data in a log file:

• IP address of the requesting device (truncated where technically possible)
• date and time of the request
• requested URL and HTTP status code
• amount of data transferred
• referrer URL and user agent (browser/operating system)

These data are processed to ensure operation and to defend against attacks (Article 6 (1) (f) GDPR). Storage is limited to a maximum of seven days; the data is not combined with other information.

5. Beta sign-up (/beta area)

On tastysnap.app/beta you can request a promo code as a beta tester. We process the first name or nickname you enter so that we can attribute the issued code to you and prevent duplicate issuance.

• Data processed: the name you enter (max. 50 characters). A nickname is fine — you don't have to provide your real name.
• Legal basis: Article 6 (1) (a) GDPR (consent given by submitting the form).
• Storage location: Hetzner Online GmbH servers in Nuremberg, Germany.
• Retention: until the end of the beta program; the entire list is then deleted.

You may withdraw your consent for the future at any time by sending a brief email to support@tastysnap.app. We will delete the entry promptly.

6. Contact by email or phone

If you contact us using the email address or phone number listed in the legal notice, we process the data you provide in order to handle your request. The legal basis is Article 6 (1) (b) GDPR for pre-contractual or contractual matters and Article 6 (1) (f) GDPR otherwise. Data is deleted as soon as it is no longer required for the purpose for which it was collected, subject to statutory retention periods.

7. Data processing in the TastySnap iOS app

The TastySnap app is an AI-assisted food-photo enhancement tool. It is built to be data-minimal: no account, no login, no analytics, no tracking, no advertising.

7.1 Device identifier

On first launch, the app generates a random, locally stored device identifier. It is used to attribute your credit balance to the device without requiring a user account. This identifier is not combined with other data and can be removed at any time by uninstalling the app. Legal basis: Article 6 (1) (b) GDPR (performance of contract).

7.2 Photo processing (core feature)

When you upload a photo in the app, it is sent to our backend service, forwarded to an AI provider and the result is returned to your device. Processing is carried out for the performance of the contract with you (Article 6 (1) (b) GDPR).

The following processors are involved:

• Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA — backend (Cloudflare Workers) and short-term storage of the uploaded original photo and the AI result (Cloudflare R2). A data processing agreement (Article 28 GDPR) is in place, including EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). Cloudflare is certified under the EU-US Data Privacy Framework (Article 45 GDPR; adequacy decision of 10 July 2023).
• Features & Labels, Inc. (operator of fal.ai), 2261 Market St, Suite 10467, San Francisco, CA 94114, USA — AI image generation. A data processing agreement (Article 28 GDPR) is in place; the transfer to the USA is based on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR).

Retention: We do not store original photos or AI results long-term. In our cloud storage (Cloudflare R2) they remain only as long as necessary to provide the feature and any immediate follow-up (e.g. saving or re-running a generation), and are removed regularly thereafter. Storage at Features & Labels, Inc. is governed by their privacy policy; we contractually require that data be processed only as needed for image generation. Generated images are additionally saved — at your discretion — to your device's local photo library; that storage is entirely on your device.

You can request deletion of all data linked to your device identifier at any time by emailing support@tastysnap.app.

No automated decision-making within the meaning of Article 22 GDPR is carried out. The AI image generation is a creative tool with no legal effect on you.

7.3 Purchases (in-app purchases)

Purchases of credit packages are processed via Apple's StoreKit. The provider is Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. We receive only an anonymized confirmation that a transaction was successful, plus a transaction ID; your payment method and personal data are processed exclusively by Apple. The legal basis is Article 6 (1) (b) GDPR. Apple's privacy policy applies in addition.

7.4 App permissions

• Camera: only when you actively take a photo within the app.
• Photo library: only to pick a specific existing photo and to save the result.

Both accesses are user-initiated; no content is read without your active selection.

8. Cookies and similar technologies

We distinguish between strictly necessary and consent-based storage technologies:

• Strictly necessary (no consent required): The website stores your cookie choice itself in local storage (the ts_consent entry) and remembers when you dismiss informational banners. These values are required to honour your choice, stay on your device and are not transmitted to third parties. Legal basis: § 25 (2) no. 2 TDDDG and Article 6 (1) (f) GDPR.
• Consent-based (only after your approval): Only when you select “Accept all” in the cookie notice are the analytics and marketing services activated that may set cookies or comparable identifiers (see section 9). If you select “Only necessary”, this does not happen.

Before you give consent, none of these services set cookies usable for tracking or advertising. You can change your choice at any time by clearing the data stored in your browser for this website (in particular the ts_consent entry); the cookie notice will reappear on your next visit. The legal basis for the consent-based services is § 25 (1) TDDDG in conjunction with Article 6 (1) (a) GDPR.

The app stores only functionally necessary values locally on the device (e.g. credit balance in iOS UserDefaults). These values are not transmitted to third parties.

8a. Minors

Our service is intended for users aged 16 and older. We do not knowingly collect personal data from individuals under 16. If you believe data of a minor has been submitted to us, please email support@tastysnap.app; we will delete it without undue delay.

9. Web analytics, reach measurement and marketing (consent-based only)

On the website we use the following services to analyse usage statistically, improve our offering and measure the effectiveness of our advertising. All of the services below are only loaded and active after your explicit consent via the cookie notice. The legal basis in each case is § 25 (1) TDDDG in conjunction with Article 6 (1) (a) GDPR (consent). You can withdraw your consent at any time with effect for the future (see sections 8 and 12).

9.1 Google Tag Manager

We use Google Tag Manager, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Tag Manager is itself a management tool that delivers the tags listed below (Google Analytics, Meta Pixel, TikTok Pixel and Microsoft Clarity); it does not itself collect personal data in any usable form and sets no analytics or advertising cookies, but the services below are embedded through it. We control Tag Manager via Google's Consent Mode, so that tags are not triggered without your consent — or only without cookies and without personalised evaluation.

9.2 Google Analytics 4

After your consent we use Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar identifiers to collect information about how you use the website (e.g. pages viewed, approximate location based on the truncated IP address, device and browser information, time on site). This information is generally transmitted to and stored on a Google server. The IP address is processed in truncated form.

A data processing agreement (Article 28 GDPR) is in place with Google. A transfer to the USA to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, cannot be ruled out; it is based on the EU-US Data Privacy Framework adequacy decision (Article 45 GDPR) — Google LLC is certified under the Framework — and additionally on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). Retention of the collected event and user data at Google: up to 14 months. For more information, see Google's privacy policy.

9.3 Meta Pixel (Facebook/Instagram)

After your consent we use the Meta Pixel, a service of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. The pixel lets us understand the behaviour of visitors after they have seen or clicked an ad on Facebook or Instagram (conversion measurement), and allows you to receive advertising tailored to you (remarketing). In doing so, cookies or comparable identifiers are set and information about your visit is transmitted to Meta.

For the data collected via the pixel, we and Meta are joint controllers within the meaning of Article 26 GDPR; Meta's Controller Addendum applies in this respect. Meta's subsequent processing for its own purposes is Meta's responsibility. A transfer to the USA to Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, is based on the EU-US Data Privacy Framework adequacy decision (Article 45 GDPR) and additionally on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). For more information, see Meta's privacy policy.

9.4 TikTok Pixel

After your consent we use the TikTok Pixel, a service of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland. The pixel lets us measure the success of our ads on TikTok after users have seen or clicked an ad (conversion measurement), and allows us to show you advertising tailored to you (remarketing). In doing so, cookies or comparable identifiers are set and information about your visit is transmitted to TikTok.

For the data collected via the pixel, we and TikTok are joint controllers within the meaning of Article 26 GDPR; the joint-controller arrangement provided by TikTok applies in this respect. TikTok's subsequent processing for its own purposes is TikTok's responsibility. TikTok may also transfer data to group companies outside the EU/EEA (including the United Kingdom, the USA and Singapore); for countries without an adequacy decision, transfers are based on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). For more information, see TikTok's privacy policy.

9.5 Microsoft Clarity

After your consent we use Microsoft Clarity, a web analytics service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Clarity helps us understand how our website is used: it records, among other things, pages viewed, clicks, mouse and scroll movements as well as device and browser information. From this, Clarity produces pseudonymous usage statistics, heatmaps and session recordings (replays of individual, anonymised visit sessions). Text you enter and sensitive content are masked by default. Cookies or comparable identifiers are set.

A data processing agreement (Article 28 GDPR) is in place with Microsoft. A transfer to the USA to the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA, cannot be ruled out; it is based on the EU-US Data Privacy Framework adequacy decision (Article 45 GDPR) — Microsoft is certified under the Framework — and additionally on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). For more information, see Microsoft's privacy statement.

10. Recipients

Apart from the service providers named in sections 3, 7 and 9, we do not pass on personal data to third parties unless legally required to do so.

11. International transfers

Both in the context of app usage (see section 7.2) and — after your consent — when using Google Analytics 4, the Meta Pixel and Microsoft Clarity (see section 9), data is transferred to the USA. Transfers are carried out on the basis of the EU-US Data Privacy Framework adequacy decision (Article 45 GDPR), where the provider is certified, and additionally on the basis of EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). When using the TikTok Pixel, data may also be transferred to further third countries outside the EU/EEA (including the United Kingdom, the USA and Singapore); for countries without an adequacy decision, transfers are based on EU Standard Contractual Clauses (Article 46 (2) (c) GDPR). Despite these safeguards, the level of data protection in those countries may be lower than in the EU, in particular with regard to potential access by local authorities.

12. Your rights

You have the right at any time:

• to obtain information about the personal data we hold about you (Article 15 GDPR),
• to have inaccurate data corrected (Article 16 GDPR),
• to have data erased (Article 17 GDPR),
• to restrict processing (Article 18 GDPR),
• to data portability (Article 20 GDPR),
• to object to processing (Article 21 GDPR),
• to withdraw consent with effect for the future (Article 7 (3) GDPR).

A short email to support@tastysnap.app is sufficient.

You also have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). The authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf, Germany
www.ldi.nrw.de

13. Data security

Data is transmitted exclusively over encrypted connections (TLS 1.2/1.3). Data in Cloudflare R2 is encrypted server-side.

14. Changes to this policy

We update this policy when our processing activities change or new legal requirements arise. The current version published here applies.

Last updated: 24 June 2026