Privacy Policy

Your Smart Shopping List, Kitchen Inventory, Recipe Collection, Meal Schedule, Package-Free Shopping

Sieh dir die deutsche Version der Datenschutzerklärung an. / Go to German version of this Privacy Policy.

Privacy Policy of the Website

With this privacy policy we would like to inform our visitors what data we store and how we use your data on this website poyki.app.

Visiting our website

If you visit this website, your browser / your computer will send a request to a server which then will deliver the requested web page back to you. For the server to know where it should send the web page to, it needs to know your IP address. The internet wouldn’t work without IP addresses.

Therefore, your IP address will be transmitted to the servers our website poyki.app is running on.

The web application is a WordPress-based website hosted on servers of our hosting provider World4You.

It has to be distinguished between us, the publisher of the website poyki.app, and the hosting provider World4You, who provides the technical services and infrastructure (servers etc.) for publishing and delivering the website to you, the user. World4You is data processor according to GDPR.

Our hosting provider World4You is based in Linz, Austria and complies with the regulations of GDPR (DSVGO). Servers are located in Linz, Austria.

We, as publishers of poyki.app, do not process or store any personal data about our page visitors after request has beed handled by the server. Our hosting provider, however, may save log files which contain the IP addresses of the clients making requests to their servers, the date of access and more related data, as described in World4You’s privacy policy.

All communication with our hosting provider’s servers is secured (encrypted) with SSL (https), which means that messages from and to the servers cannot be listened to or manipulated by an unauthorized 3rd party by current security standards.

Cookies

Cookies are text files that are stored on the visitor’s computer. This can contain information which enables a web server to recognize a user and to save settings. A cookie is bound to a specific domain (in this case: poyki.app), the information can only be read from this domain again at a later time.

The only cookie we use on poyki.app is a cookie to save your language preferences for our website (English or German). The cookie is stored locally on your computer only and sent to the web server with each request. The language cookie is required for the website to work properly and thus cannot be deactivated. The language cookie is set by polylang, a WordPress plugin for multilingual websites. The cookie’s name is “pll_language” and has the value “en” or “de”, depending on the selected language.

You may delete the cookies stored by your browser at any time. Every common browser provides this functionality in its browser settings.

Note: we do not show Cookie banners because the only cookie we are using is not a tracking cookie, but is required by the website to function properly.

E-Mail

You can contact us anytime via . Of course, if you send us an email, we will receive your email address. Our email server is located in Linz, Austria and hosted by World4You. After we have successfully processed your request(s) you sent us via email, we will delete your emails within one month. We will not use your email address to sent you promotional or other unwanted messages and we will not hand out your email address to unauthorized third parties.

What we are NOT using

To protect the privacy of our page visitors as much as possible, we do not use (Google) Analytics and we do not display ads from ad networks on our website. So there are no cookies from these kinds of services. We do not load fonts from Google Fonts. Instead, we are hosting the fonts ourselves. You cannot log in to or upload or send content via our website. So there are no cookies or other data stored or processed related to these operations. We do not embed content from other websites, such as videos. So there is no content loaded from other domains without your knowledge. We do not integrate active share or like buttons from social networks such as Facebook or Twitter. So there are no requests made to social networks without your explicit interaction. However, there are static links to social networks which bring you to their pages when you click them. In this case you are actively clicking the link which means that you deliberately decided to visit the linked page.

Links to external websites

On our website, we link to external websites from third parties, for example to Google Play. We are not responsible for the content and privacy on these external sites, so please check the privacy policies of these third party websites in case you visit them.

Your rights

According to the GDPR you have the right to:

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.

If you believe that the processing of your data violates data protection law or that your data protection claims have been violated in any other way, you can complain to the supervisory authority.

Please find more information on your rights and the GDPR in general on the website of the European Commission, section Data Protection.

Apps

The above privacy policy is valid for our website. The mobile apps and other standalone applications we offer, provide their own privacy policies. These privacy policies can be reviewed on first start of the app. For being able to use the app, the privacy policy has to be accepted on first start of the app. All functions transmitting data across the internet are deactivated on first start so the privacy policy can be read before any data is sent.

Contact

Publisher of this Website / responsible for data processing:

Michael Brodacz-Geier

Address: Radegunder Strasse 6a/18, 8045 Graz, Austria

Contact:

Privacy Policy of the App

We value your privacy which is why we want to let you choose your privacy settings and inform you how we use/process/store your data and which third party services we use.

Introduction

Poyki is a smartphone app which allows to keep track of your kitchen inventory, your recipes and packages. Based on a cooking schedule, Poyki creates a shopping list for you.

In Poyki you have the option to use a local database which is stored on your device only or you may use a shared, synchronized, cloud-based database. We call that feature “Poyki Sync”.
If you use a shared database, you have to join a so called “Family Space”. Data within the same Family Space will be shared with everyone who has joined the same Family Space.
For accessing a Family Space, the corresponding Family Space ID is needed. It looks similar to the following example: 12345678-12345678-12345678-12345678. Everyone who knows this ID can access the corresponding Family Space (read and write).
Therefore, this ID has to be kept secret. Only those who should be allowed to access the Family Space should receive the Family Space ID.

Example: User Alice decides to use the shared database. She joins family space with ID 12345678-12345678-12345678-12345678.
User Bob also uses the same Family Space ID. Bob and Alice now will see the same recipes, ingredients, shopping list etc.
This is made possible by using a cloud-based service called Firebase. More details see below.

Services we use

This section provides an overview of services we use for Poyki. More details about processed and stored data, data retention etc.
can be found after this section further below.

Optional Services
The app is able to work without the following services.

App insights
The following services are used for us developers to gain more insight in the users’ and apps’ behavior for being able to improve the app.
The app can function without them, but at the same time the data we get from these services is very valuable for future development of Poyki. You, as a
user, can choose to not enable these services in case you have privacy concerns. The services are disabled on first start of the app until the user decides himself/herself to activate or deactivate these services.

Google Analytics for Firebase
Collection of anonymous usage statistics which help us to improve our app and service by
learning how the app is typically used and which features are used to which extent. We collect statistics about interactions with
the user interface, for example button clicks. We do not collect unique ids such as user ids Family Space IDs, order IDs or IP addresses.
For us, it is not possible to track back for example certain button clicks to specific users.

Firebase Crashlytics
Collection of crash reports and exceptional app behavior such as unexpected errors which help us
to find and fix bugs and crashes and to improve the app’s overall stability. Together with crash reports, we send the last actions the user
performed before the crash occurred (e.g. button clicks) (logs) so it’s easier for us to find the reason for the crash.
Sending of crash and error reports or the inclusion of logs can be deactivated by the user.

Essential Services
The following services are required for the app to work as intended.

Firebase Remote Config
Provides configuration data used by the app.
This configuration data is created by the app developer and consumed by the app by contacting Firebase servers.
Reading configuration data from servers is only done after the user has accepted the privacy policy.

Services for synchronization feature
If you switch to the sync database (or in other words: if you use a Family Space, or respectively the “Poyki Sync” feature), we will use the following services.
These services are needed for synchronization of your shared database with other members of your Family Space.

Firebase Firestore
Firestore is the database service we use for the “Poyki Syn” feature (i.e. the synchronized database or a so-called Family Space). The database stores data about ingredients, recipes, schedule, shopping list, packages and settings. We do not use Firestore if the local database is used.

Cloud Storage for Firebase
Stores the images the user provides for recipes and packages if Poyki Sync is used. We do not use Cloud Storage if the local database is used.

Poyki API
Our API servers are hosted by world4you.com. World4You complies with GDPR and is based in Linz, Austria. The API servers host an API (Application Programming Interface) which provides additional required functionality for Poyki: Validation of subscription receipts and Firebase Cloud Messaging (FCM) ID management (more details see below). All communication with the API servers is secured (encrypted) with SSL (https), which means that messages from and to our hosting provider’s servers cannot be listened to or manipulated by an unauthorized 3rd party by current security standards.

Firebase Authentication
Provides authentication features to secure the Firestore Database and Cloud Storage. This is required to protect the remote databases to be accessed by unauthorized users.

Firebase Cloud Messaging (FCM)
For the “Poyki Sync” feature we use Firebase Cloud Messaging (FCM) for sending notifications to other users sharing the same Family Space ID. We use FCM for both sending user visible notifications and silent notifications which are used for making the synchronization feature more reliable while the app is not actively running.
We are also using FCM to occasionally send push notifications to app users. These push messages are sent by the developer and may contain messages about Poyki or other topics. You can disable display of these messages from Android’s notification settings for Poyki without deactivating FCM completely.

Note that you can deactivate all FCM related features. This will have some negative impact on the functionality of the app (synchronization will be less reliable, and you won’t be able to receive certain notifications).

Services for app updates and billing of subscriptions

Google Play
Google Play app version data is used to check for app updates. It will notify you if there is an update available for Poyki.

Google Play Billing
Handles purchase of subscriptions and handles payment. This is all handled by Google. We do not get access to your personal data, such as credit card data or your name / address etc.

Data we process and store

Poyki Database
The Poyki database contains your data about ingredients, recipes, schedule, shopping list, packaging and app settings.
For each entry the last change date and the username of the user who last edited the entry are stored.
Your username can be any name or even just an emoji – it doesn’t have to be your real name. It’s only used for family members to recognize you.
You can export data stored in your local and/or synchronized database at any time from within the app. You can also delete all your Family Space’s data from within the app.
Warning: if you delete your synchronized database, the data will be deleted for all other members of the same Family Space as well! Your local database is stored on your device only.
Your sync database is stored in Firebase Firestore. Firebase Firestore is a service provided by Google and allows real-time synchronization of data between devices.
We will delete Family Space’s data (entries and corresponding images) within one month if it was not used for more than one year.
The deletion is done independently from any active subscription. We do not associate billing information with used Family Spaces in a way we could reliably link active
subscriptions with actively used Family Spaces, so there is no way for us to know whether or not there is an active subscription related to an actively used Family Space.

Image Data
In case you add images to recipes or packages these images will be cropped and resized and stored on your device.
For your local database the images are only stored locally on your device.
For your sync database your images will be uploaded to Firebase Cloud Storage, a service provided by Google. This way other users sharing the same database can download the images from there and see the same images.
You can download and save the previously uploaded images from within the app. You can also delete them from the app.
We will delete your data if the corresponding Family Space is deleted (see above).

Analytics and Crashlytics
With Analytics and Crashlytics (both services provided by Google’s service Firebase) we track the usage of the app. Both is deactivated when the app first starts and you can choose to enable it if you wish to help us improve the app. When accepting this privacy policy while the corresponding switches are turned on, Analytics and Crashlytics will be activated.
With Analytics we track screen views and certain actions in the app anonymously: button clicks, change of certain settings, usage duration of the app etc.
We do not send any unique IDs to Analytics (FCM ID, Family Space ID, Order ID etc.) and we do not send any text you entered to Analytics (e.g. text searches, username, label names, ingredient names etc.). We solely track certain events and screen views.
The data we track with Analytics helps us to identify areas of the app which are used often and areas of the app which are not well accepted by our users.
Data retention for Analytics is set to 2 months. This means that after 2 months individually tracked Analytics data will be deleted by Google. Aggregated data may be stored longer.
With Crashlytics we track app crashes and severe unexpected app errors. An app crash report contains technical information about the crash itself, where in the code it happened and technical information about the user’s device.
If enabled by the user, we also send the last few events and actions (i.e. the app log) with the crash report. This includes which buttons were clicked, which screens were visited inside the app, which APIs were used. This way we can better understand which actions led to the crash. Same as for analytics, we do not send any unique IDs or text input to Crashlytics.
Sending logs with crash reports is optional – you can enable crash reporting but disable inclusion of logs.
Crash reports are essential for us to improve the app and to fix severe app issues. The more information we get about the crash itself and about what happened right before the crash, the more likely it is that we can actually find and fix the issue.
According to Firebase’s privacy information document (link see below) crash data is retained for 90 days.

Google Play Billing
Payment of subscriptions happens outside of our app – it is completely handled by Google Play, which is provided by Google. All we, as app developers, get from Google is a receipt, an order number and information about the ordered product (or subscription). The receipt we can use to check and verify if the user made a successful purchase. Personal data such as credit card data, your name, address etc. remains at Google and is not accessible by us. We do not get access to any of these personal data.
This also means, that in case of questions or requests about your payment, you have to send us your Google order number.
To verify the purchase receipt, we send the receipt data to our API servers. On our API servers the receipt is validated and exchanged for a token (a unique code). This token is then sent to Firestore and Cloud Storage with each request. Firestore and Cloud Storage then verify the token. This is implemented using Firebase Authentication. Only if the token is valid, access to the Firebase databases is granted.
The token does not contain any personal information is only stored on your device. On your device, the token is stored for a limited time before it expires and is exchanged for a new token.
This ensures that only paying customers can access our database and prevents fraud and protects from unauthorized database access.

Poyki API
This section describes the data sent and processed by the Poyki API. The Poyki API is hosted by our hosting provider World4You.
Validation of subscription receipts: After a subscription was purchased by the user, the app receives a receipt from Google. This receipt contains data about the bought product and a digital signature. It does not contain personal data of the buyer.
This receipt is sent to our hosting provider’s servers where it is verified and exchanged for a token.
This token is needed to use the synchronized database (Firestore, Cloud Storage).
Neither the receipt nor the token is stored on our hosting provider’s servers after the validation request is finished.
For being able to know which Family Space is unlocked by a “Poyki Sync Family” subscriber, we store a mapping of the user’s subscription order ID and the corresponding unlocked Family Space ID.
The family space is unlocked for one month after the last use of the family space with a “Poyki Sync Family” subscription. After that period the expired mapping data is deleted from our servers within one month.
FCM ID management: In order to be able to send FCM notifications to specific devices, we need to know their “address”.
Therefore, we store a mapping of the FCM IDs of the users’ devices and the last used Family Space IDs in a database on our hosting provider’s servers. Details see below.

Firebase Cloud Messaging (FCM) ID
To improve synchronization between devices, to send (deactivatable) notifications between users of the same Family Space and to send push-notifications from the developer,
we are using Firebase Cloud Messaging (FCM), a service provided by Google.
For FCM to work, FCM creates a unique ID (or “token”) for your device. The ID is like an address so FCM knows where to send the messages to.
Poyki has to tell FCM which FCM addresses certain messages should be sent to. Therefore, Google’s servers need to know about the devices’ FCM IDs and we, as
app developers, need to maintain a mapping of FCM IDs and Family Space IDs on our hosting provider’s servers (see API servers).
You can delete your FCM ID and the FCM-ID-to-Family-Space-ID-mapping anytime from within the app and you can deactivate FCM ID storage on our
API servers completely. You can do this from Poyki’s app settings by choosing “Delete FCM Token”.
In case you don’t delete your FCM ID manually by clicking the button, we will delete the FCM-ID-to-Family-Space-ID-mapping after six months from our servers.
After this time frame, you have to use Poyki once to get your FCM ID re-registered. The FCM ID will only be generated and re-registered if you have the feature activated.
When you uninstall the app or delete the app’s app data the FCM token will be deleted from your device. Next time you use the app again while
having any of the features enabled which require FCM, a new random token will be generated.
Note that uninstalling the app or deleting the app data does not automatically delete the token from our servers.
Without registered FCM ID you will not be able to receive Family Space related notifications. Also, the synchronization feature will
work less reliably while Poyki app is paused or backgrounded.
Another feature we use FCM for is to send push notifications to Poyki users, independent from the used database and independent from the used Family Space.
The notifications are sent by the app publisher and may contain information about Poyki or other topics.
You may deactivate display of these notifications from Android’s notification settings for Poyki.
For this function, the above described mapping is not needed and therefore these push notifications work without an FCM ID entry in our server’s database.
On first start of the app the FCM ID won’t be generated and registered immediately, but only after the FCM features are activated by your consent and after accepting the privacy policy.
No mapping will be stored as long as you are using your local database only.

Summary:

  • A unique FCM ID is generated and saved on your device.
  • The FCM ID will be registered on Google’s FCM service.
  • FCM-ID-to-Family-Space-ID-mapping is stored on the API servers.
  • “Delete FCM Token” will delete your token from your device and deletes the FCM-ID-to-Family-Space-ID-mapping from the API servers. All features using FCM will be deactivated.
  • Activating any feature requiring FCM will re-generate an FCM ID and re-register the ID on Google’s FCM service and will re-register the FCM-ID-to-Family-Space-ID-mapping on our API servers.

IP-Addresses
Please note that when contacting a server, your IP address will be sent to that server. This is inevitable, because that’s how the internet works.
So the services mentioned above will receive your IP address. It is possible that your internet provider may determine your identity via your IP address.
According to their own policies, the services we use, use your IP address only to fulfil the server request.
The services may log server access time together with your IP address for technical or diagnostic reasons. This is described in the privacy policies of the respective services.

E-Mail
You can contact us anytime via . Of course, if you send us an email, we will receive your email address.
Our email server is located in Linz, Austria and hosted by World4You.
After we have successfully processed your request(s) you sent us via email, we will delete your emails within one month.
We will not use your email address to sent you promotional or other unwanted messages and we will not hand out your email address to unauthorized third parties.

More information about data processing

We do not show ads from ad networks in the app nor on our website. We disable Analytics and Crashlytics when the app first starts until the user actively decides to deactivate or activate the services by clicking the continue button on the Privacy Policy page shown on first app start.
Not required cloud services for using the local database (e.g. Firestore, Cloud Storage) will only be enabled after switching to a shared Family Space (“Poyki Sync”).
Please note that the use of any web service (visit of a website, use of an API or cloud-based service) will transmit your device’s IP address to the server handling the request.
To protect our accounts and therefore your data, we use secure passwords and 2-factor authentication for our accounts at Google and Firebase as well as for our hosting provider.
We use secure connections (https) for all services.

We, as app developers, have access to all synchronized databases and corresponding image data. We access this data solely to provide intended functionality of the Poyki service and for diagnostic or debugging reasons.
In particular, we do not sell your data to third parties or use your data for personalized ads.

For the Firebase services and Google Play services, Google LLC is data processor.
Google LLC is based in the USA and processes data there. The European Court of Justice has not certified the USA as having an adequate level of data protection. In particular, there is a risk that your data may be accessed by US
authorities for control and monitoring purposes and that no effective legal remedies are available.
Google obligates itself to be subject to GDPR. However, since the termination of the “Privacy Shield” agreement between EU and USA, due to US laws, it cannot be guaranteed that
all privacy related rights of EU citizens can be enforced. For example, Google could be forced by the US government to hand out user data, and therefore the US government could get a copy of data from EU citizens.
In this case, enforcement of rights EU citizens have due to GDPR, may be difficult or even impossible (e.g. erasure or correction of inaccurate personal data).
Wherever possible, we have chosen a location in the EU for Google servers, but not all Google services allow such a server location selection. Therefore, it is possible that certain data might be transmitted to Google servers in the USA.
Note: The “Cloud Act” obliges American Internet companies and IT service providers to guarantee US authorities (and also the secret services) access to stored data even if it is not stored in the USA.
When using services by Google (and therefore also by using this app) you deliberately take that risk.

For the Poyki API on mickbitsoftware.com and Poyki Website poyki.app as well as the email address , World4You is hosting provider and therefore data processor which complies with GDPR.

Server locations
Google Cloud Platform resource location (Firestore, Cloud Storage) is “eur3 (europe-west)”.
API Server and API database hosted by World4You Internet Services GmbH and is located in Linz, Austria.

Your rights

According to GDPR you have the right to:

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.

If you believe that the processing of your data violates data protection law or that your data protection claims have been violated in any other way, you can complain to the supervisory authority.

Please find more information on your rights and the GDPR in general on https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-are-my-rights_en

Contact

App publisher and developer and responsible for data processing:

Michael Brodacz-Geier
Radegunder Straße 6a/18
8045 Graz
Österreich

In case you have questions, concerns, complaints or any other input, please contact us.
E-Mail:

App’s Webseite: https://poyki.app
Publisher’s Webseite: https://www.mickbitsoftware.com

3rd party services and providers
Poyki API, websites and email addresses are hosted by:
World4You Internet Services GmbH
Hafenstrasse 35, 4020 Linz, Austria

Google Services (Google Play, Firebase) are provided by:
Google LLC
1600 Amphitheatre Parkway in Mountain View, California, United States

Privacy Policies and Terms of Use

Privacy Policy of the website poyki.app:
https://poyki.app/en/privacy-policy

Below, find the Privacy Policies and Terms of Service of the used services and providers. These documents inform about data processing and retention policies of services and providers we use for Poyki.

world4you.com: https://www.world4you.com/en/unternehmen/datenschutzerklaerung.html

Google:
Privacy and Security in Firebase (incl. retention policies): https://firebase.google.com/support/privacy
Terms of Service for Firebase Services: https://firebase.google.com/terms/
Privacy in Google Analytics: https://support.google.com/analytics/answer/6004245
Firebase Crashlytics and Firebase App Distribution Terms of Service: https://firebase.google.com/terms/crashlytics
Crashlytics and App Distribution Data Processing and Security Terms: https://firebase.google.com/terms/crashlytics-app-distribution-data-processing-terms/
Google Privacy Policy: https://policies.google.com/privacy

© 2024 Poyki - Smart Shopping List Android App. Google Play and the Google Play logo are trademarks of Google LLC.