Privacy Policy

Last Updated: 10 April 2026

This Privacy Policy explains how TastyBytes Oy ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the BonApp! mobile application ("App"). We comply with the General Data Protection Regulation (GDPR), the Finnish Data Protection Act, and the EU Digital Services Act (DSA).

1. Data Controller

TastyBytes Oy
Tyyneläntie 19
03100 Nummela
Finland
Business ID: 3472941-4
Email: privacy@tastybytes.io

2. Personal Data We Collect

2.1 Authentication Data

When you sign in using Google or Apple, we receive authentication tokens used only to verify your account. We do not access token contents beyond authentication. These tokens are governed by the respective platform privacy policies.

2.2 Profile Data

Information you choose to include in your App profile, such as nickname, age, sex, or settings.

2.3 Food Preference & Nutrition Data

Dietary preferences, allergies, nutritional goals, and similar data used to personalize your experience.

2.4 Usage Data

Interactions with the App, including saved recipes, viewed content, and feature usage patterns.

2.5 Device & Technical Data

Device type, OS version, App version, crash logs (if permitted), and unique identifiers.

2.6 Scanned Content (OCR)

When scanning images of recipes or ingredients, files are processed through Google Cloud Vision API, a secure third-party OCR service, solely to extract text. Files are not stored after processing and are deleted immediately upon completion.

2.7 User Content

Recipe text, meal plans, notes, and any content you create or upload in the App.

2.8 Subscription Data

Subscription status for BonApp+ is managed entirely by Apple Inc. (App Store) or Google LLC (Google Play). We receive only a confirmation of active entitlement via RevenueCat, our subscription management provider, which allows us to unlock premium features. We do not collect, process, or store payment details such as credit card numbers or bank account information. Please refer to the privacy policies of Apple, Google, and RevenueCat for details on how they handle your payment and subscription data.

3. Legal Basis for Processing

• Contract: Account creation, authentication, syncing, personalization.
• Legitimate Interest: Analytics, security, fraud prevention, service improvement.
• Legal Obligation: Compliance with applicable law.
• Consent: Marketing communications, optional features requiring permission.

4. How We Use Your Personal Data

• Operate and provide core App functionality.
• Personalize meal plans and recommendations.
• Sync your data across devices.
• Improve App features and performance.
• Provide localised content.
• Ensure system security and prevent misuse.
• Comply with legal obligations.
• Support content moderation under the DSA.

5. Content Moderation (DSA Compliance)

We may process data to detect and manage illegal or harmful content. Automated tools may be used for initial detection, always followed by human review. You will receive a reasoned statement if your content is removed or restricted.

6. Sharing Your Information

We only share your personal data with:

• Service providers such as Google (Firebase, Cloud Vision), RevenueCat, and analytics partners, who process data on our behalf under data processing agreements.
• Authorities when required by law.
• With your explicit consent when you choose to share content.

We do not sell or rent personal data.

7. Payment Information

We do not collect, process, or store your payment details (such as credit card numbers or bank account information). All financial transactions related to subscriptions are handled exclusively by Apple Inc. (via the Apple App Store) or Google LLC (via the Google Play Store). We only receive confirmation from these providers that a purchase has been successfully processed, allowing us to unlock premium features within the App. Please refer to the privacy policies of Apple or Google for more information regarding how they handle your payment data.

8. International Data Transfers

Some of our service providers, including Google and RevenueCat, may process data outside the EU/EEA. Where this occurs, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions to ensure appropriate safeguards are in place.

9. Data Security

We apply industry-standard security measures including encryption in transit and at rest, access controls, and regular security reviews. While no system is perfectly secure, we continuously work to protect your data.

10. Your GDPR Rights

Under GDPR you have the following rights:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to object
• Right to data portability
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at: privacy@tastybytes.io

As a company established in Finland, our lead supervisory authority under GDPR is the Office of the Data Protection Ombudsman (tietosuoja.fi). EU/EEA users may also contact their local data protection authority, who will coordinate with the Finnish authority where appropriate.

11. Retention of Personal Data

We retain personal data only as long as necessary for service operation, legal obligations, fraud prevention, and dispute resolution. When you delete your account, active personal data is deleted without undue delay, with limited retention where required by law. Aggregated, anonymized data may be retained indefinitely.

12. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has provided personal data, contact us at privacy@tastybytes.io and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Significant changes will be communicated in the App. Please review this Policy regularly.

14. Contact Us

For any questions, concerns, or data subject requests:
privacy@tastybytes.io