Privacy Policy
Last updated: March 12, 2026
Introduction
Robotato ("we", "our", "the app") is a kitchen management application for Android. We are committed to protecting your privacy. This policy explains what data Robotato collects, how it is stored, and what rights you have under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG/DSGVO).
The short version: Your core data stays on your device by default. Cloud sync is entirely optional and always within your household only. We don't sell your data. Anonymous usage analytics are available on an opt-in basis only (see Section 5).
1. What Data Robotato Stores
Robotato stores the following data locally on your device in a Room/SQLite database:
- Recipes, ingredients, cooking steps, photos, and categories
- Shopping lists, checked items, and price history
- Pantry inventory, quantities, expiration dates, and storage locations
- Meal plans, meal wishes, cooking sessions, and timers
- Nutrition tracking data (calories and macros per ingredient and recipe)
- Personal nutrition goals per household member
- Budget targets, manual expenses, and spending data
- Dietary restriction profiles and equipment inventory
- AI processing jobs and enrichment results
- App preferences, theme, language settings, and barcode associations
If you never create or join a household, none of this data ever leaves your device. The app works fully offline.
The following data never leaves your device, even with cloud sync enabled:
- Nutrition tracking data (calories, macros per ingredient and recipe)
- Personal nutrition goals per household member
- Budget targets and expense data
- AI processing history and enrichment results
- App preferences, theme, and language settings
- Bluetooth device pairings and meal consumption history
API keys for AI services (if provided by you) are stored in Android's EncryptedSharedPreferences with hardware-backed encryption.
2. Cloud-Synced Data (Optional)
If you choose to create or join a household, the following data may be synced via Firebase Firestore to enable collaboration with your household members:
- Household membership (display names, roles) — encrypted with AES-256-GCM
- Household member profiles (names, avatars) — encrypted
- Dietary restriction profiles (allergens per member and guest) — encrypted
- Recipes, ingredients, cooking steps, sub-recipes, variants, and categories
- Shopping lists, items, prices, and shop assignments
- Pantry inventory, quantities, expiration dates, and storage locations
- Meal plans, meal wishes, votes, and cooking assignments
- Cooking sessions, timers, cooking patterns, and cooking party station data
- Guest cooking stations: Only step completion progress is stored. No personal information is collected from guests. Session codes expire after 24 hours.
- Equipment names and associations
- Ingredient barcodes and product information
Friend sharing (separate from household): If you join a friend group, the following data is shared with group members:
- Friend group name and membership
- Recipe snapshots you choose to share (name, ingredients, steps)
- Cooksnap photos and captions (stored in Firebase Cloud Storage)
Sync frequency: Household data syncs automatically every 30 minutes when a household is active. Friend recipe metadata syncs every 12 hours. Sync only runs when the device has a network connection.
Sensitive fields (person names, dietary restriction details, display names) are encrypted with AES-256-GCM using a per-household data encryption key (DEK) before leaving your device. The DEK is derived from your household invite code and is never stored on our servers. Key rotation is supported.
Household data is shared only within your household. No other users can access it. You join a household by accepting an invite code — this constitutes your consent to share data within that household. Friend sharing requires you to create or join a friend group. Both are entirely optional — the app works fully offline without them.
Health and nutrition data is never cloud-synced. Nutrition values, calorie goals, budget data, and personal health metrics remain on your device at all times, even if you enable cloud sync. This is by design and cannot be changed.
3. Third-Party Services
Firebase (Google)
We use the following Firebase services:
- Firebase Authentication — Email/password and Google Sign-In for optional cloud features. We store your email address, display name, and profile photo URL (if provided by Google Sign-In).
- Firebase Firestore — Cloud database for household data sync (see Section 2). Sensitive fields are encrypted client-side before upload.
- Firebase Cloud Storage — Stores cooksnap photos shared within friend groups.
- Firebase Analytics (GA4) — Anonymous usage analytics. Disabled by default, requires explicit opt-in consent. See Section 5 for details.
- Firebase Crashlytics — Crash reporting. Disabled by default, requires explicit opt-in consent. See Section 5 for details.
- Firebase App Check — Validates that requests come from legitimate app installations using Play Integrity. No personal data is collected.
Firebase services are governed by Google's Privacy Policy.
On-Device ML (Google ML Kit & OpenCV)
We use Google ML Kit for barcode scanning, document scanning, and text recognition (OCR), and OpenCV for image preprocessing (contrast enhancement, adaptive thresholding). All processing happens entirely on your device. No images, camera frames, or scanned text are sent to any server.
Firebase AI Logic (Vertex AI) — Default AI Provider
Robotato uses Firebase AI Logic (Google Vertex AI) as its default AI provider for recipe features such as recipe import from URL/text/photo, recipe cleanup suggestions, pantry-aware recipe discovery, and multi-recipe cooking timelines. Requests are processed in the europe-west3 (Frankfurt) region for EU data residency.
- Managed by Robotato — no API key is required from you
- Sends recipe text to the AI service. When using recipe discovery, your pantry ingredient names and dietary restriction categories may also be included
- All AI features are entirely optional and user-initiated
- Authenticated via Firebase App Check (Play Integrity)
AI requests are processed by Google Vertex AI under Google Cloud Terms of Service. Data is processed in the EU (Frankfurt region).
Alternative AI Providers (Optional)
You may optionally configure alternative AI providers (Anthropic Claude, OpenAI, or Grok) by entering your own API key in Settings. If you do, recipe text is sent directly to the provider you selected. Your API key is stored locally in Android EncryptedSharedPreferences and is transmitted only to the provider's servers — never to Robotato's infrastructure. Each provider's privacy policy governs their processing of your data.
External Data Sources (User-Initiated)
The following external services are contacted only when you initiate a specific action:
- Open Food Facts API — When you scan a barcode, the barcode number is sent to look up product information. No personal data is sent.
- USDA FoodData Central API — When you trigger nutrition enrichment, a generic food search query is sent to look up nutritional values. No personal data is sent.
- Supadata API — When you import a recipe from a video URL, the video URL is sent to a Firebase Cloud Function that retrieves captions via the Supadata API. Only the URL is sent.
- OpenAI Whisper API — If video captions are unavailable, the audio track is sent to OpenAI's Whisper speech-to-text service as a fallback. This only occurs when caption extraction fails.
- YouTube Data API v3 — When you import a recipe from a YouTube video and have a YouTube API key configured, the video URL is sent to retrieve metadata.
4. Camera, Microphone & Photo Access
Robotato requests camera access (runtime permission) for:
- Taking recipe photos (stored locally)
- Taking cooksnap photos (uploaded to Firebase Storage only when you share them in a friend group)
- Scanning barcodes on ingredients and equipment (camera frames processed on-device, immediately discarded)
- Scanning receipts for shopping list automation (images processed on-device via OCR, deleted after processing)
Microphone access (runtime permission) is requested only for video recipe import, where audio may be extracted for speech-to-text processing if captions are unavailable (see Section 3, OpenAI Whisper).
Recipe photos are stored locally on your device. They are never uploaded to any server. Cooksnap photos are the only images that leave your device, and only when you explicitly share them in a friend group.
5. Analytics & Crash Reporting
Robotato includes Firebase Analytics (GA4) and Firebase Crashlytics to help us improve the app. Both are disabled by default and require your explicit opt-in consent.
If you enable analytics, we collect:
- Anonymous app interaction data (feature usage, screen views, event counts)
- Device type, OS version, and app version
- No personally identifiable information (PII) is collected
- No recipe content, ingredient names, or personal data is included
If you enable crash reporting, we collect:
- Crash logs, stack traces, and device state at the time of the crash
- No personal data from your recipes or household is included
You can change your preferences at any time in Settings > Usage Statistics. Data retention follows Firebase defaults (2 months for Analytics, 90 days for Crashlytics).
We still do NOT:
- Sell, rent, or share your data with third parties
- Collect device identifiers for profiling or advertising
- Create user profiles for marketing purposes
- Use third-party tracking pixels or fingerprinting
- Include any advertising SDKs in the app
6. Device Hardware Access
Robotato requests the following device permissions. Runtime permissions require your explicit approval before they are used:
- Camera (runtime) — Recipe photos, barcode scanning, receipt scanning (see Section 4)
- Microphone (runtime) — Audio extraction for video recipe import only
- Bluetooth (runtime) — BLE shopping list sharing between nearby devices. Data is transferred directly between devices and never sent to any server.
- NFC (intent-based) — Meal prep container tagging. NFC tag data stays on your device.
- Notifications (runtime) — Expiration alerts, meal reminders, and cooking timer alarms
- Exact alarms (always granted) — Precise cooking timer notifications
- Internet (always granted) — Required for cloud sync, AI features, and external API calls (all optional)
No hardware sensor data is collected or transmitted. BLE and NFC data never leaves your device.
7. Background Processing
Robotato may run the following background tasks:
- Household sync — Pushes and pulls household data to/from Firestore every 30 minutes (only when a household is active)
- Friend recipe sync — Syncs friend recipe metadata every 12 hours (only when friend groups exist)
- Expiration check — Checks pantry expirations daily and sends local notifications. No data is transmitted.
- AI recipe processing — Processes recipe cleanup requests in the background. Only runs when you initiate it.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right to access — Export all your data via Settings > Backup > Export (encrypted backup file containing JSON data and images, protected by your password)
- Right to portability — The JSON export is machine-readable and can be imported into another Robotato installation
- Right to deletion — Delete all local data by uninstalling the app, or delete cloud data by leaving your household and deleting your account
- Right to withdraw consent — Leave your household at any time to stop cloud sync. Disable analytics at any time in Settings. All local data is preserved.
- Right to rectification — Edit any of your data directly within the app at any time
9. Data Retention
Local data: Stored indefinitely until you delete it or uninstall the app.
Cloud data: Retained as long as the household exists. When you leave a household, your membership record is removed. When the last member leaves, all household data is automatically deleted. The household owner can also delete the household and all its data at any time through the app settings.
Authentication data: Your Firebase account can be deleted through the app's settings, which removes your email and authentication tokens from Firebase servers.
Analytics data: Firebase Analytics retains data for 2 months. Crashlytics retains crash data for 90 days.
10. Children's Privacy
Robotato is not directed at children under 16. We do not knowingly collect personal information from children. The app does not require age verification as it primarily stores user-generated cooking data.
11. Data Security
We take data security seriously:
- Sensitive cloud data (person names, dietary restrictions, display names) is encrypted client-side with AES-256-GCM using a per-household data encryption key before leaving your device
- Encryption keys support rotation and are derived from household invite codes — never stored on servers
- Sensitive credentials (API keys) are stored in Android EncryptedSharedPreferences with hardware-backed encryption
- All network traffic is encrypted with TLS
- Firebase security rules enforce household membership and role-based access control
- Firebase App Check (Play Integrity) prevents unauthorized API access
- No data is stored on unencrypted external storage
12. Changes to This Policy
We may update this privacy policy as the app evolves. The "Last updated" date at the top of this page will reflect any changes. For significant changes, we will notify users through the app.
13. Contact
If you have questions about this privacy policy or your data, please contact us at: