Privacy Notice for PreisJohnny
Last Updated: December 28, 2024
This privacy notice informs you about the nature, scope, and purpose of the processing of personal data within the PreisJohnny application (hereinafter "App" or "Service").
1. Data Controller
Responsible for data processing pursuant to Art. 4(7) GDPR:
Nikolas Molinari
Technikerstraße 6/1/11
2340 Mödling
Austria
Email: nikolas.molinari@gmail.com
2. Overview of Data Processing
PreisJohnny enables users to photograph grocery price tags and capture price information. The app uses artificial intelligence to extract price information from uploaded images.
2.1 Types of Data Processed
| Category | Data | Purpose |
|---|---|---|
| Account Data | Email address, name (optional), password (hashed) | User identification and authentication |
| Device Data | Device manufacturer, device model | Troubleshooting and service quality |
| Location Data | GPS coordinates from image metadata | Automatic store identification |
| Image Data | Uploaded price tag photos | Price extraction via AI |
| Usage Data | Uploaded products, price observations | Core service functionality |
2.2 Categories of Data Subjects
- Registered users of the app
3. Legal Basis for Processing
The processing of personal data is based on the following legal grounds pursuant to Art. 6 GDPR:
| Processing | Legal Basis | Explanation |
|---|---|---|
| Account Data | Art. 6(1)(b) GDPR | Necessary for contract performance (use of the service) |
| Location Data | Art. 6(1)(a) GDPR | Consent during registration |
| Image Processing | Art. 6(1)(b) GDPR | Core function of the service |
| Device Data | Art. 6(1)(f) GDPR | Legitimate interest (service quality, troubleshooting) |
4. Data Collection and Use
4.1 Registration and Login
During registration, we collect:
- Email address: For account identification and communication
- Password: Stored in encrypted (hashed) form
- Name (optional): For personalized address
4.2 Image Upload and GPS Data
When you upload an image:
Important: After processing, the stored image contains no GPS data or other EXIF metadata. These are only used temporarily for store identification.
4.3 AI-Powered Price Extraction
Uploaded images are analyzed using artificial intelligence to extract price information. The following data is obtained:
- Product name and brand
- Price and quantity information
- Unit price
- Store recognition (if visible on the price tag)
5. Recipients and Third Parties
To provide our services, we use the following third-party providers:
5.1 Google LLC (Google Gemini AI)
Purpose: Image analysis and price extraction via AI
Data: Uploaded images (without EXIF metadata)
Location: USA
Legal Basis: Standard Contractual Clauses (Art. 46 GDPR)
Privacy: Google Privacy Policy
5.2 Google LLC (Google Places API)
Purpose: Store identification based on GPS coordinates
Data: GPS coordinates
Location: USA
Legal Basis: Standard Contractual Clauses (Art. 46 GDPR)
Privacy: Google Privacy Policy
5.3 Hosting Provider
Purpose: Storage and processing of all data
Location: European Union
6. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption: All data transfers occur via TLS/HTTPS
- Password Hashing: Passwords are stored using secure hashing algorithms
- HTTP-Only Cookies: Authentication tokens are stored in HTTP-Only cookies to prevent XSS attacks
- EXIF Removal: Metadata is removed from all stored images after processing
- Email Verification: Accounts must be verified before use
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account Data | For the duration of service use; permanently deleted 30 days after account deletion |
| Uploaded Images | Stored permanently (without EXIF metadata) for traceability of price observations |
| Price Observations | Stored permanently; linked to user account for ownership and traceability purposes |
| GPS Coordinates | Only temporarily during processing; no longer attributable to the user after store assignment |
| Device Data | For the duration of the associated upload's existence |
8. Cookies
The app uses only technically necessary cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| `auth_token` | Authentication | 14 days | HTTP-Only, Session |
9. Automated Decision-Making
The app uses artificial intelligence (Google Gemini) for automated extraction of price information from images.
Type of Automation:
- Text recognition (OCR) on price tags
- Extraction of product names, prices, and quantity information
- Store chain attribution
This automated processing has no legal effects on you and serves solely to facilitate data entry. You can manually review and correct all automatically extracted data.
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
10.1 Right of Access (Art. 15 GDPR)
You may request information about your processed personal data.
10.2 Right to Rectification (Art. 16 GDPR)
You may request the correction of inaccurate data.
10.3 Right to Erasure (Art. 17 GDPR)
You may request the deletion of your data, provided there are no legal retention obligations. Account deletion is available through the app or by contacting nikolas.molinari@gmail.com.
10.4 Right to Restriction (Art. 18 GDPR)
You may request the restriction of processing of your data.
10.5 Right to Data Portability (Art. 20 GDPR)
You may receive your data in a structured, commonly used, and machine-readable format. The data export function is available through the app or by contacting us.
10.6 Right to Object (Art. 21 GDPR)
You may object to the processing of your data.
10.7 Right to Withdraw Consent (Art. 7(3) GDPR)
You may withdraw your consent at any time. The lawfulness of processing carried out before the withdrawal remains unaffected.
10.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
You have the right to lodge a complaint with the competent data protection authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at
11. Data Transfers to Third Countries
Due to the use of Google services (Gemini AI, Places API), data is transferred to the USA. The transfer is based on:
- Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
- Additional safeguards in accordance with the recommendations of the European Data Protection Board
12. Changes to This Privacy Notice
We reserve the right to update this privacy notice to adapt it to changed legal requirements or changes to the service.
In case of material changes, you will be notified via the email address associated with your account.
Last Updated: December 28, 2024
13. Contact
If you have any questions about the processing of your personal data, you can contact us at any time:
Email: nikolas.molinari@gmail.com
Address: Nikolas Molinari, Technikerstraße 6/1/11, 2340 Mödling, Austria