Privacy Policy
Last updated: 5 July 2026
This Privacy Policy explains how CrossDEV (“Munchi”, “we”, “us”), established at Cruquiuszoom 52, 2142 EW Cruquius, the Netherlands, and registered with the Dutch Chamber of Commerce (KvK) under number 76028704, collects, uses and protects your personal data when you visit our website or use the Munchi mobile application and related services (together, the “Service”).
We are the data controller for the processing described here. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Dutch GDPR Implementation Act (UAVG).
1. What data we collect
| Category | Examples |
|---|---|
| Account & contact data | Name, email address, password (stored hashed), waitlist sign-up email. |
| Profile & preferences | Dietary preferences, allergies/intolerances, nutrition goals, household size, cuisines you like. |
| Usage & content data | Meal plans generated, recipes saved, grocery lists, in-app actions, feature usage. |
| Device & technical data | IP address, device type, operating system, app version, language, crash logs, approximate region, and sampled session replays (screen recordings with all text and images masked). |
| Cookies & analytics | Identifiers and usage metrics set only with your consent. See our Cookie Policy. |
| Communications | Messages you send us (support, contact form, email). |
2. Why we use it & legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and manage your account; provide the meal-planning Service | Performance of a contract (Art. 6(1)(b)) |
| Generate personalized meal plans, recipes and grocery lists | Performance of a contract (Art. 6(1)(b)); for dietary/health data, your explicit consent (Art. 9(2)(a)) |
| Send the early-access waitlist confirmation and product updates | Consent (Art. 6(1)(a)); withdraw any time via the unsubscribe link |
| Analytics and product improvement | Consent (Art. 6(1)(a)) via the cookie banner |
| Marketing & campaign measurement (Meta Pixel) | Consent (Art. 6(1)(a)) via the cookie banner |
| Security, fraud prevention, debugging, crash diagnostics & session replay | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
3. Dietary & health information
Information about allergies, intolerances, medical diets or health goals may qualify as special category data under Article 9 GDPR. We process it solely to generate the meal plans and recommendations you ask for, and only on the basis of your explicit consent, which you give when you enter this information. You can withdraw consent and delete this data at any time in the app; doing so may limit personalization.
4. Who we share data with
We do not sell your personal data. We share it only with:
- Service providers (processors) acting on our instructions, e.g. cloud hosting, email delivery, analytics and AI/model providers used to generate recommendations. Each is bound by a data processing agreement under Article 28 GDPR.
- Sentry (Functional Software, Inc., “Sentry”) as a processor for crash reporting and diagnostics, including sampled session replay. Replays are captured with text and images masked, so the content you type and view is not recorded, only interaction and error context. This is used purely for reliability and debugging on the basis of our legitimate interests (Art. 6(1)(f)); it is not advertising or cross-app tracking, uses no Advertising Identifier (IDFA), and is separate from the consent-based analytics and marketing described in our Cookie Policy.
- App stores (Apple App Store, Google Play) for distribution and, with consent, store analytics.
- Authorities where required by law, or to protect our rights.
5. International transfers
Where a provider processes data outside the European Economic Area, we rely on an adequacy decision or on the European Commission’s Standard Contractual Clauses, together with supplementary safeguards where needed. You can request a copy of the relevant safeguards using the contact details below.
Our Sentry crash-reporting and session-replay data is stored in the EU (Sentry’s Frankfurt / .de
region), so no transfer outside the EEA occurs for this processor.
6. How long we keep data
- Account data: for as long as your account is active, then deleted or anonymised within 90 days of closure.
- Waitlist emails: until you unsubscribe or we launch and migrate you to an account.
- Analytics data: for the retention period configured in our analytics tool (see the Cookie Policy).
- Legal/financial records: for the statutory retention period that applies to us (in the Netherlands, generally 7 years for tax records).
7. Your rights
Under the GDPR you have the right to: access; rectification; erasure (“right to be forgotten”); restriction; data portability; objection to processing based on legitimate interests; and to withdraw consent at any time without affecting prior processing. To exercise any right, contact us at hello@munchi.io. We respond within one month.
You also have the right to lodge a complaint with your local supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens.
8. Security
We apply appropriate technical and organisational measures, such as encryption in transit, hashed passwords, access controls and regular review, to protect your data. No method of transmission is 100% secure, but we work to protect your information and will notify you and the supervisory authority of a qualifying breach as required by Articles 33–34 GDPR.
9. Children
The Service is not directed at children under 16. We do not knowingly collect their data; if you believe a child has provided us data, contact us and we will delete it.
10. Mobile app permissions & app stores
The Munchi app may request device permissions, always with an in-context prompt you can decline:
- Notifications: meal reminders and updates.
- Camera / Photos: only if you add a photo to a recipe or scan an item (optional).
- Network access: required to sync your plans.
We provide the disclosures required by Apple’s App Store (“App Privacy” / Nutrition Label) and Google Play’s Data Safety section. In those labels, Diagnostics data (including IP address and your account ID, used for crash reporting and masked session replay) is declared as linked to your identity and used for App Functionality. We do not use the iOS Advertising Identifier (IDFA) and do not track you across other companies’ apps and websites; none of this diagnostics data is used for tracking.
11. Account deletion
You can delete your Munchi account and personal data at any time:
- In the app: go to Settings → Account → Delete account and confirm. Your account and associated personal data are removed from active systems, and deleted or anonymised within 90 days (some records may be retained only where the law requires, e.g. financial records).
- By email: send a request from your account email to hello@munchi.io with the subject “Delete my account”. We verify your identity and confirm once the deletion is complete.
Deleting your account also removes your dietary and health-related preferences. Backups are overwritten on their normal rotation. If you only want to withdraw a specific consent (for example marketing emails) without deleting your account, use the unsubscribe link or contact us and we will action it.
12. Changes & contact
We may update this policy; the “Last updated” date shows the latest version and we will notify you of material changes. We have not appointed a Data Protection Officer, as we are not legally required to; for any privacy question please contact us:
- Email: hello@munchi.io
- Controller: CrossDEV, Cruquiuszoom 52, 2142 EW Cruquius, the Netherlands
- KvK (Chamber of Commerce): 76028704
