Privacy Policy
Data controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is: Markus Lechner, Ruprechtshofen 3244, Austria. Email: info@mottainai.app
What data we collect
When you register, we collect your display name, email address, and a hashed version of your password. If you sign in via Google OAuth, we receive your name, email address, and profile picture URL from Google — no password is stored. When you use the app, we store the data you enter — including item names, quantities, categories, storage locations, expiration dates, board cards, shopping list entries, and contact information. We store membership information so you can share storages, boards, and shopping lists with others. If you upload images, they are stored via Cloudinary. If you search for images within the app, your search queries are sent to Pexels. To display profile avatars, we send a SHA-256 hash of your email address to Gravatar (Automattic). If you enable push notifications, we store your push subscription endpoint. For reliability and troubleshooting, we use error monitoring and telemetry (see Telemetry section). Server access logs (IP address, request timestamp, user agent) may be collected for operational and security purposes.
Legal basis for processing
We process your data on the basis of Art. 6(1)(b) GDPR (performance of a contract) — providing the Mottainai service you signed up for, including AI-powered features available to Supporter subscribers. Server logs and telemetry are processed under Art. 6(1)(f) GDPR (legitimate interest in maintaining security, stability, and performance of the service).
Hosting and data storage
The application is hosted on Fly.io with servers located in Frankfurt, Germany (EU). The database is hosted on Neon (serverless PostgreSQL) within the EU. Both providers act as data processors on our behalf and are contractually bound to handle your data in accordance with the GDPR. Some data may be transferred to non-EU processors: Cloudinary (image hosting, US), Pexels (image search, US), Gravatar/Automattic (profile avatars, US), Google (OAuth authentication, US), Grafana Cloud (telemetry, US), and the AI provider (OpenRouter/Google Gemini, US). These transfers are safeguarded by Standard Contractual Clauses (SCCs) or equivalent mechanisms under the GDPR.
Telemetry and error monitoring
We use GlitchTip for backend error monitoring, which processes stack traces, request metadata, user ID, email, and session information. On the frontend, we use Grafana Faro for performance monitoring, which collects errors, web vitals, and OpenTelemetry traces along with user ID, display name, email, and role. Faro strips IP addresses before data is sent to Grafana Cloud. Server logs are shipped to Grafana Loki for centralized log analysis. All telemetry data is used solely for maintaining service stability and diagnosing issues.
AI features
AI-powered features (receipt scanning, storage chat) are available to Supporter subscribers only and are always user-initiated — no data is sent to AI providers automatically. When you use these features, item data and/or images are sent to our AI provider (OpenRouter, which routes to Google Gemini). This data leaves the EU. We do not use your data to train AI models.
Cookies and local storage
We use a single session cookie that is strictly necessary for authentication. It contains an opaque session identifier and expires after 7 days of inactivity. If you use passkey (WebAuthn) login, credential identifiers are stored in your browser's local storage. We do not use advertising cookies or profiling cookies. Grafana Faro uses in-memory session tracking for correlating frontend telemetry — no persistent cookie is set.
Data retention
Your account data, storage items, board cards, shopping lists, and contacts are retained as long as your account exists. Activity logs are automatically deleted after 90 days. Notification logs are automatically deleted after 30 days. Server logs are automatically deleted after 30 days. Error-monitoring diagnostics are retained only as long as needed for incident analysis. When you delete your account, all associated data (profile, items, memberships, contacts, push subscriptions, activity logs) is permanently removed from our systems.
Third-party data sharing
We do not sell, trade, or otherwise share your personal data with third parties. We do not use advertising networks or social media trackers. The following processors handle data on our behalf: Fly.io (application hosting, EU), Neon (database hosting, EU), GlitchTip (backend error monitoring, EU), Grafana Cloud (frontend telemetry via Faro with IP stripping, log aggregation via Loki, US), Cloudinary (image hosting, US), Pexels (image search, US), Gravatar/Automattic (profile avatars via email hash, US), Google (OAuth authentication, US), browser push services (FCM/APNs, for push notifications), and OpenRouter (AI provider, US — Supporter tier only). No processor receives more data than necessary for its specific function.
Your rights under the GDPR
You have the right to: access the personal data we hold about you (Art. 15 GDPR), rectify inaccurate data (Art. 16 GDPR), request deletion of your data (Art. 17 GDPR), restrict processing (Art. 18 GDPR), request data portability (Art. 20 GDPR), and object to processing (Art. 21 GDPR). To exercise any of these rights, contact us at info@mottainai.app. We will respond within 30 days.
Supervisory authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at.
Changes to this policy
We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated date. Continued use of the service after changes constitutes acceptance of the updated policy.