Your privacy
is safe

KitchenNmbrs, a trade name of KitchenNmbrs B.V., places great importance on your privacy. In this Privacy Policy we transparently explain which personal data we process, on which legal basis, for what purpose, how long we retain it, and what rights you have. We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR), the Dutch GDPR Implementation Act (UAVG) and other applicable privacy legislation.

Version: 2.0  |  Effective date: 19 April 2026  |  Replaces: all previous versions

1. Who are we? (Controller)

The controller within the meaning of Article 4(7) GDPR is:

KitchenNmbrs B.V. has no statutory obligation to appoint a Data Protection Officer (DPO). For privacy-related questions you can reach us directly via the email address above.

2. What personal data do we process?

We process the following categories of personal data:

2.1 Data you provide yourself

• Registration: first name, last name, email address, password (encrypted with bcrypt), country, language.
• Business information: restaurant name, type of establishment, kitchen type, number of employees (voluntary).
• Payment information: invoicing details (company name, VAT number, address) for billing purposes. Payment details (card data, bank account information) are processed exclusively by our payment provider Mollie B.V.; we never store these ourselves.
• App content: recipes, ingredients, purchase prices, selling prices, HACCP records, order lists, inventory data and other hospitality management data you enter (see also Article 4).
• Communications: messages you send us via email, the contact form or in-app chat.
• Invoice import: data from supplier invoices you upload (PDF/CSV/Excel), including supplier names, product names and prices, processed for the automatic import functionality.

2.2 Data collected automatically

• Technical data: IP address (anonymised after processing), device type, operating system, browser type, language setting.
• Usage data: which features are used (e.g. creating recipes, completing HACCP tasks), navigation patterns within the app, error messages and crash logs — exclusively at aggregated and anonymised level.
• Session data: login times, session duration, device ID for security purposes.
• Push notification tokens: Firebase Cloud Messaging token for delivering in-app notifications (opt-in).

2.3 Special categories

We do not, as a rule, process special categories of personal data as referred to in Article 9 GDPR (such as health data, religion or biometric data). The HACCP module may contain employee names and job descriptions; these are ordinary personal data, not special categories.

3. Legal bases and purposes per processing activity

We process personal data exclusively on the basis of one of the following legal grounds (Art. 6 GDPR):

Where legitimate interests is used as the legal basis, we have carried out a balancing test between KitchenNmbrs' interests and your privacy interests. You have the right to object to processing on the grounds of legitimate interests (see Article 11).

4. App-specific processing

4.1 Recipes and food cost calculations

The recipes, ingredients, purchase prices and cost price calculations you enter in KitchenNmbrs are your confidential business data. We:

• Process this data exclusively to deliver the core functionality of the Service;
• Never sell this data to third parties in identified or traceable form;
• Use this data exclusively in anonymised and aggregated form for Benchmark Data (see Article 5);
• Do not grant KitchenNmbrs employees access to your recipe content outside of technical necessity (incident resolution, maintenance).

4.2 HACCP module and employee data

The HACCP module of KitchenNmbrs enables you to store employee names, job titles and simplified identification data (such as a PIN code) for HACCP records. For this processing, KitchenNmbrs acts as processor within the meaning of Art. 4(8) GDPR, and you as the operator of the food business (FBO) are the controller.

This means that:

• You are responsible for a valid legal basis for processing employee personal data in the HACCP module;
• You inform your employees about the use of their data in KitchenNmbrs;
• KitchenNmbrs processes employee data exclusively on your behalf and in accordance with the Data Processing Agreement. Upon request we will enter into a separate Data Processing Agreement (DPA) in accordance with Art. 28 GDPR — send a request to info@kitchennmbrs.app.

4.3 AI-powered features (Chatbot / AI assistant)

KitchenNmbrs offers an AI-powered kitchen assistant. When you use this feature, your messages are processed by the AI API of Anthropic PBC (US). We take the following measures:

• We never include identifiable personal data in API calls to Anthropic;
• Conversation histories are stored in anonymised form for debugging and quality improvement;
• Anthropic processes data in accordance with their privacy policy and is certified under the EU-US Data Privacy Framework.

4.4 Invoice import (PDF/CSV/Excel)

When you upload supplier invoices via the import feature, the file contents (product names, prices, supplier names) are processed locally to add ingredients to your library. We do not retain the original file contents longer than is technically necessary for processing (maximum 24 hours). Extracted price data is incorporated, fully anonymised, into the Benchmark Data in accordance with Article 5.

5. Anonymous Benchmark Data and Supplier Intelligence

5.1  KitchenNmbrs is entitled to aggregate and fully anonymised ingredient price data from multiple users into statistical market analyses ("Anonymous Benchmark Data"). This data is used for the Supplier Intelligence service and for internal product development.

5.2  The Anonymous Benchmark Data meets all requirements of Article 4(5) GDPR for anonymisation: the data cannot be traced back to individual users, individual restaurants or specific suppliers. We apply aggregation thresholds (minimum 5 users per category/region) to exclude any re-identification of individuals.

5.3  The Anonymous Benchmark Data contains exclusively:

• Aggregated price indices per ingredient category per region;
• Statistical trends (price per unit, seasonal patterns);
• Categorical volume trends.

5.4  The Anonymous Benchmark Data never contains:

• Individual recipes, preparation techniques or formulations;
• HACCP records or employee data;
• Customer data, order history or other personally identifiable business information;
• Personal data or business names of individual users.

5.5  Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). KitchenNmbrs has an interest in developing market insights based on anonymised data to improve the Service and generate additional revenue. This interest has been weighed against your privacy interests; since the data is fully anonymous and not traceable, your privacy interests do not outweigh KitchenNmbrs' legitimate interests.

5.6  If you object to the use of your anonymised data for Benchmark Data, you can notify us via info@kitchennmbrs.app. Given the fully anonymous nature of the data, it is not always technically possible to reverse individual contributions, but we will exclude your data from new Benchmark Data generation after an objection. An objection has no consequences for your subscription.

6. Cookies and tracking technologies

We use cookies and similar technologies. A detailed description is available in our Cookie Policy. In brief:

• Functional cookies (strictly necessary): session management, staying logged in, language preference. Legal basis: Art. 6(1)(b) GDPR (contract) — no consent required.
• Analytical cookies: Google Analytics 4 with IP anonymisation, exclusively after your cookie consent. Legal basis: Art. 6(1)(a) GDPR (consent).
• Marketing cookies: not used without your explicit consent via our cookie consent banner.

You may withdraw your cookie consent at any time via the cookie settings (link in the footer) or via your browser settings. Withdrawal does not affect the processing of data prior to the withdrawal.

7. Sub-processors

We engage the following sub-processors. Data Processing Agreements (DPAs) have been concluded with all sub-processors in accordance with Art. 28 GDPR.

We will not engage new sub-processors without notifying you (via email or in-app message) and giving you the opportunity to object in accordance with Art. 28(2) GDPR.

8. International transfers

8.1  Certain sub-processors (Google, Apple, Anthropic) are established outside the European Economic Area (EEA). Transfers of personal data to these parties take place exclusively on the basis of:

• EU-US Data Privacy Framework (DPF): for parties certified under the DPF programme of the U.S. Department of Commerce;
• Standard Contractual Clauses (SCC): the model clauses approved by the European Commission (Implementing Decision 2021/914);
• Adequacy decisions: for countries for which the European Commission has adopted an adequacy decision.

8.2  We do not transfer personal data to countries that do not meet the safeguards above. You may request a copy of the applicable SCCs via info@kitchennmbrs.app.

9. Retention periods

10. Security

We take appropriate technical and organisational measures in accordance with Art. 32 GDPR to protect personal data against unauthorised access, loss, destruction or disclosure, including:

• Encryption in transit: TLS 1.2/1.3 for all connections;
• Password encryption: bcrypt hashing with an adequate cost factor;
• PIN code encryption: bcrypt hashing (never stored in plaintext);
• Access control: strict need-to-know access for KitchenNmbrs employees to production databases;
• Servers within the EU: all primary data storage on STRATO AG servers in Germany;
• Regular backups: encrypted automated backups;
• Security monitoring: logging of suspicious activities and logins;
• Confidentiality obligations: all employees and contractors are bound by a confidentiality agreement.

No security system is infallible. In the event of a security breach we act in accordance with Article 14.

11. Your rights (GDPR)

Under the GDPR you have the following rights. You may exercise these rights via info@kitchennmbrs.app:

• Right of access (Art. 15 GDPR): you have the right to know which personal data we process about you, for what purpose and to whom it has been disclosed.
• Right to rectification (Art. 16 GDPR): inaccurate or incomplete personal data may be corrected.
• Right to erasure / right to be forgotten (Art. 17 GDPR): in certain circumstances you may request the deletion of your personal data. This right does not apply to data we are required to retain under a legal obligation (such as the statutory tax retention requirement).
• Right to restriction of processing (Art. 18 GDPR): in certain circumstances you may request that processing be temporarily restricted.
• Right to data portability (Art. 20 GDPR): you may receive the personal data you have provided to us in a structured, commonly used and machine-readable format (CSV/JSON).
• Right to object (Art. 21 GDPR): you may at any time object to processing based on legitimate interests or for direct marketing purposes. In the event of an objection to direct marketing we will stop immediately.
• Right to withdraw consent (Art. 7(3) GDPR): where processing is based on your consent, you may withdraw that consent at any time without giving reasons. Withdrawal has no retroactive effect.
• Right not to be subject to automated decision-making (Art. 22 GDPR): see Article 13.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl. You may also lodge a complaint with the supervisory authority in your country of residence within the EU.

12. Submitting a request and response time

12.1  To submit a privacy request, send an email to info@kitchennmbrs.app with the subject line "GDPR-request" and the nature of your request. To verify your identity, we may ask for additional information.

12.2  We will respond to your request within one (1) month of receipt in accordance with Art. 12(3) GDPR. For complex or extensive requests we may extend this period by a maximum of two (2) months; in that case we will inform you within one month of the extension and the reason for it.

12.3  Handling requests is in principle free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse such requests — in accordance with Art. 12(5) GDPR.

13. Automated decision-making and profiling

KitchenNmbrs does not engage in automated individual decision-making or profiling that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR. The AI assistant in the app generates suggestions and recommendations, but these never result in automated decisions with legal consequences for you.

14. Data breaches

14.1  In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours in accordance with Art. 33 GDPR.

14.2  If the data breach poses a high risk to your rights and freedoms, we will notify you directly without undue delay in accordance with Art. 34 GDPR, stating the nature of the data breach, the possible consequences and the measures we are taking.

14.3  We maintain an internal register of all (suspected) data breaches in accordance with Art. 33(5) GDPR.

15. Minors

The Service is intended exclusively for persons aged 16 or over. We do not knowingly process personal data of minors under the age of 16. If we become aware that we are processing personal data of a minor without valid parental consent, we will immediately delete that data and close the Account.

16. Changes to this Privacy Policy

16.1  KitchenNmbrs reserves the right to amend this Privacy Policy at any time, for example due to changes in legislation, new processing activities or new sub-processors.

16.2  In the event of material changes we will notify you at least 30 days in advance via email or a prominent in-app notification. The effective date of the new version will always be stated at the top of this policy.

16.3  If you do not agree with the amended version, you may close your account before the effective date. Continued use after the effective date constitutes acceptance of the amended version.

17. Contact

Do you have questions about this Privacy Policy, or would you like to exercise one of your rights? Please contact us: