1. About us
FreshBox is published by JEANCYIT, hereinafter "we". This policy describes the data processed by the FreshBox iOS app.
Data controller
- JEANCYIT
- Email: support@jeancyit.fr
- Website: jeancyit.fr
2. Our commitment
We process the minimum data strictly necessary to operate the app, in compliance with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act.
3. Data we collect
3.1 Data you enter
- Products: name, photo, expiration date, category, barcode, price, brand, Nutri-Score
- Shopping lists: items, quantities
- Household: invite code, member names (your first name)
- Account (optional): email, Apple ID (Sign in with Apple)
3.2 Anonymous technical data
- iPhone model, iOS version, FreshBox version, language, country (read from your device)
- Anonymized usage events (e.g. "product added", "receipt scanned") — see section 5
- Crash reports to fix bugs
3.3 Payment data
Premium subscription payments are handled exclusively by Apple via the App Store. We never receive your card number or billing address. We only receive an anonymous confirmation of your subscription status.
4. Why we process this data
| Purpose | Legal basis | Retention |
|---|---|---|
| App functionality (fridge, lists, household) | Contract performance | As long as your account is active |
| Expiration notifications | Contract performance | As long as your account is active |
| AI recipe generation | Contract performance | No retention on the AI side |
| Receipt and barcode scanning | Contract performance | No retention on the AI side |
| Anonymous usage statistics | Legitimate interest (product improvement) | 365 days |
| Crash diagnostics | Legitimate interest (quality) | 180 days |
| Subscription management | Contract performance | While subscription is active + 5 years (accounting obligation) |
5. Anonymous usage statistics
To understand how FreshBox is used and improve its features, the app sends anonymized usage events to TelemetryDeck (TelemetryDeck UG, Berlin, Germany).
No personal data is collected. Only a signed session identifier (SHA-256, non-reversible) is used. Data processed:
- Event type (e.g. "receipt scanned", "recipe generated")
- App version, iPhone model, iOS version
- Language and country (from device settings, no precise geolocation)
TelemetryDeck's privacy policy: telemetrydeck.com/privacy
6. Sub-processors and hosting
We rely on the following providers, which act as data sub-processors under the GDPR:
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase (Firestore, Auth, Storage, App Check) |
Hosting and syncing your data across devices and household members | European Union (region europe-west1) |
| Google Gemini API (via Cloudflare Workers proxy) |
Anti-waste recipe generation, receipt OCR scanning | United States (with EU-US Standard Contractual Clauses) |
| Cloudflare Workers | Proxy for Gemini API calls (to protect our API keys) | Global network, European point of presence prioritized |
| OpenFoodFacts | Product lookup by barcode (open-source collaborative database) | European Union (France) |
| TelemetryDeck | Anonymous usage statistics (see section 5) | European Union (Germany) |
| Apple Inc. | App distribution, subscription handling, push notifications, Sign in with Apple | United States (with EU-US Standard Contractual Clauses) |
None of these sub-processors are allowed to use your data for any purpose other than those defined in this policy.
7. Your rights
Under the GDPR, you have the following rights at any time:
- Access: review the data we hold about you
- Rectification: correct inaccurate data
- Erasure: delete your account and all your data (directly in the app: Profile → Delete account)
- Portability: receive your data in a structured format (JSON)
- Objection: opt out of certain processing (notably usage statistics)
- Restriction: temporarily limit processing
- Complaint: lodge a complaint with the French CNIL if you believe your rights are not respected
To exercise these rights: support@jeancyit.fr. We will respond within 30 days.
8. Security
- Your data is encrypted in transit (TLS 1.3) and at rest (Firebase / iCloud encryption)
- Server access restricted to authorized administrators
- No API keys ever transit through your device (Cloudflare proxy)
- Strong authentication (Apple App Check) to block API abuse
9. Children
FreshBox is intended for a general audience. We do not knowingly collect data from children under 13. If you are a parent and believe your child has provided us with data, please contact us for immediate removal.
10. Changes to this policy
This policy may evolve to reflect changes in the app or regulations. The last update date appears at the top of this page. In case of significant changes, you will be notified within the app.
11. Contact
For any question regarding this policy or your data:
- Email: support@jeancyit.fr
- Support page: jeancyit.fr/freshbox/en/support