Privacy Policy — EU / EEA
← Home- Region:
- EU / EEA
- Version:
- 1.0.0
- Updated:
- 2026-06-12
- Effective:
- 2026-06-12
Privacy Policy
Choco Next Year For Sure (Representative: Haruta Watanabe) (hereinafter referred to as “we,” “us,” or “our”) establishes this Privacy Policy (hereinafter referred to as this “Policy”) regarding the handling of personal data of users who use the application “PrivCook” and related websites, content, features, and other services provided by us (hereinafter collectively referred to as the “Service”) from the European Union, Iceland, Liechtenstein, or Norway (hereinafter collectively referred to as the “EU/EEA”).
This Policy applies to the processing of personal data as defined in Article 4(1) of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter referred to as the “GDPR”).
Data Controller
For the purposes of the GDPR, we act as the controller of personal data processed under this Policy.
Controller: Choco Next Year For Sure Representative: Haruta Watanabe
Address: Aoyama Marutake Building 6F 3-1-36 Minami-Aoyama, Minato-ku, Tokyo 107-0062 Japan
Contact: [email protected]
Users to Whom This Policy Applies
This Policy applies to users who use the Service from the EU/EEA.
If a user uses the Service from outside the EU/EEA, our general Privacy Policy may apply in addition to or instead of this Policy, depending on the applicable laws and circumstances.
Personal Data We Collect
We may collect the following personal data from users in connection with the Service.
1. Identification Information
- Identifiers generated using cookies or similar technologies
- App instance IDs
- Firebase Installation ID
- Crashlytics installation UUID
- RevenueCat app user ID
- Device identifiers
- Other identifiers generated by the OS, app, SDKs, or external services
2. Device and Technical Information
- Device type
- Device model
- OS type and version
- App version
- Browser information
- Network information
- IP address
- Region or approximate location information
- Language and region settings
- SDK type and version
- Information regarding the user’s usage environment
3. Usage Information
- App startup time
- Usage date and time
- Screen transitions
- In-app events
- Operation history
- Feature usage status
- Input history
- Viewed pages
- Referrers
- Other information related to behavior on the Service
4. Crash, Error, and Defect Information
- Crash occurrence date and time
- Stack traces
- App status at the time of crash or error
- Device status
- OS information
- Device model
- App version
- Operation logs immediately before a crash
- Error information
- Non-fatal error information
- Other technical information necessary to investigate crashes, errors, and defects
5. Purchase and Subscription Information
- Purchase history
- Subscription status
- Product ID
- Transaction ID
- Purchase date and time
- Expiration date
- Receipt information
- StoreKit 2 transaction information
- Google Play purchase tokens
- Eligibility to use paid features
- Store used for purchase
- Payment status
- Information necessary to confirm, restore, manage, or cancel purchases and subscriptions
We do not directly collect users’ credit card numbers or other detailed payment method information for in-app purchases processed through Apple App Store, Google Play, or other stores.
6. Inquiry, Survey, Feedback, and Form Information
- Name
- Email address
- Inquiry content
- Survey responses
- Feedback content
- Defect report content
- Content entered into forms
- Submission date and time
- Attached files if a file upload function is used
- Google Account-related information if the user is logged in to a Google Account
- Other information submitted by the user through Google Forms or other inquiry methods
7. Website Access and Security Information
- IP address
- Request date and time
- Destination URL
- Browser information
- Device information
- OS information
- Network information
- Cookies
- Access logs
- Information necessary to detect unauthorized access, attacks, or other security incidents
8. User-Provided Content
To the extent transmitted to us through the Service, inquiry forms, feedback forms, or support communications, we may process information voluntarily provided by users, including recipe-related information, cooking records, notes, tags, settings information, and other user-entered content.
Special Categories of Personal Data
The Service is not intended to collect special categories of personal data under Article 9 of the GDPR, such as health data, biometric data, genetic data, religious beliefs, political opinions, or similar sensitive information.
Users should not submit such information unless it is necessary for an inquiry or support request.
If a user voluntarily provides information that may include special categories of personal data, such as allergy, health, dietary restriction, or similar information, we will process such information only to the extent necessary for the purpose for which it was provided, and only where permitted under the GDPR, including where the user has given explicit consent or where another applicable legal basis exists.
Purposes and Legal Bases of Processing
We process users’ personal data for the following purposes and on the following legal bases.
| Purpose of Processing | Categories of Personal Data | Legal Basis under the GDPR |
|---|---|---|
| To provide the Service | Identification information, device and technical information, usage information, user-provided content | Performance of a contract, Article 6(1)(b) |
| To provide paid features, in-app purchases, subscriptions, one-time purchase products, and purchase restoration | Purchase and subscription information, identification information, device and technical information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f); legal obligation, Article 6(1)(c), where applicable |
| To confirm purchase status and prevent unauthorized use | Purchase and subscription information, identification information, device and technical information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f) |
| To respond to inquiries, feedback, surveys, and defect reports | Inquiry, survey, feedback, and form information; user-provided content | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f); consent, Article 6(1)(a), where applicable |
| To analyze usage of the Service and improve features, quality, display, and usability | Usage information, device and technical information, identification information | Consent, Article 6(1)(a), where required; legitimate interests, Article 6(1)(f), where applicable |
| To detect, investigate, and fix crashes, defects, errors, and other technical issues | Crash, error, and defect information; device and technical information; identification information | Consent, Article 6(1)(a), where required; legitimate interests, Article 6(1)(f), where applicable |
| To provide Firebase-related functions and maintain app quality, stability, and safety | Identification information, device and technical information, session information, quality indicators | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f) |
| To deliver the website, improve display speed, and ensure security | Website access and security information | Legitimate interests, Article 6(1)(f) |
| To prevent, investigate, and respond to unauthorized use, fraud, security incidents, and violations of our terms | Identification information, device and technical information, usage information, website access and security information, purchase information | Legitimate interests, Article 6(1)(f); legal obligation, Article 6(1)(c), where applicable |
| To comply with applicable laws, regulations, legal requests, or obligations | Relevant personal data necessary for compliance | Legal obligation, Article 6(1)(c) |
| To announce or notify users of changes to, discontinuance of, termination of, or cancellation of the Service | Identification information, contact information, purchase and subscription information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f) |
| To provide, maintain, protect, and improve the Service | Identification information, device and technical information, usage information, crash information, purchase information, inquiry information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f); consent, Article 6(1)(a), where applicable |
Legitimate Interests
Where we rely on legitimate interests under Article 6(1)(f) of the GDPR, our legitimate interests include the following.
- Maintaining and improving the Service
- Ensuring the quality, stability, and safety of the Service
- Detecting, investigating, and fixing defects, crashes, errors, and security issues
- Preventing unauthorized use, fraud, abuse, and violations of the Terms of Use
- Managing purchase status, usage eligibility, and service operations
- Responding to inquiries and maintaining necessary records
- Protecting our rights, users’ rights, and third-party rights
When relying on legitimate interests, we consider the impact on users’ rights and interests and implement reasonable measures to protect users’ personal data.
Consent and Withdrawal of Consent
Where we process personal data based on the user’s consent under Article 6(1)(a) of the GDPR, the user may withdraw such consent at any time.
Users may withdraw consent or stop certain processing by using the settings provided within the app, by using browser settings, or by contacting us at the email address stated in this Policy.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Opt-Out
We provide a mechanism that allows users to stop the collection of information by Google Analytics for Firebase / Google Analytics 4 and Firebase Crashlytics through settings within the app.
If a user opts out, we will stop transmitting the relevant analytics information and crash information after such setting is applied.
However, information that has already been transmitted before the opt-out may be handled in accordance with the specifications and retention periods of each external service.
Information necessary for providing in-app purchases, subscriptions, paid features, purchase status confirmation, and purchase restoration may continue to be processed to the extent necessary to provide the paid features of the Service. If such processing is stopped, paid features, purchase status confirmation, purchase restoration, and other related functions may become unavailable.
With respect to the use of cookies on the website, users may disable cookies through their browser settings. However, if cookies are disabled, some functions of the Service may not operate properly.
Recipients of Personal Data
We may disclose or transfer users’ personal data to the following recipients to the extent necessary for the purposes described in this Policy.
| Recipient | Purpose |
|---|---|
| Google LLC and its affiliates | Google Analytics, Google Analytics for Firebase, Google Analytics 4, Firebase, Firebase Crashlytics, Google Forms, Google Workspace, and related services |
| RevenueCat, Inc. | In-app purchase and subscription management, purchase verification, purchase restoration, usage eligibility management, and fraud prevention |
| Apple Inc. and its affiliates | App distribution, in-app purchases, subscriptions, billing, refund handling, and related App Store services |
| Google LLC and its affiliates | App distribution, in-app purchases, subscriptions, billing, refund handling, and related Google Play services |
| Cloudflare, Inc. | Website delivery, CDN, DNS, security, DDoS protection, access control, and log management |
| Payment service providers, stores, and platform providers | Payment processing, billing, refund handling, purchase confirmation, and subscription management |
| Professional advisors | Legal, accounting, tax, audit, or other professional advice, where necessary |
| Public authorities, courts, regulators, or law enforcement agencies | Compliance with laws, regulations, legal procedures, or enforceable governmental requests |
We do not sell users’ personal data.
International Transfers
We are located in Japan. Users’ personal data may be transferred to and processed in Japan.
Japan has received an adequacy decision from the European Commission, which allows personal data to be transferred from the EU to Japan on the basis that Japan ensures an adequate level of protection for personal data.
Users’ personal data may also be transferred to countries or regions outside the EU/EEA and Japan, including the United States, through our use of external service providers such as Google, RevenueCat, Apple, and Cloudflare.
Where personal data is transferred to a country or region that has not received an adequacy decision from the European Commission, we will rely on appropriate safeguards under the GDPR, such as standard contractual clauses, an adequacy mechanism, or other lawful transfer mechanisms, where required.
Users may contact us if they wish to receive information regarding the safeguards applied to international transfers.
Retention Period
We retain users’ personal data only for as long as necessary to fulfill the purposes for which the personal data was collected and processed, unless a longer retention period is required or permitted by applicable laws and regulations.
Specific retention periods are determined by taking into account the following factors.
- The purposes for collecting and processing the personal data
- The nature and sensitivity of the personal data
- The need to retain the personal data for legal, accounting, tax, security, fraud prevention, dispute resolution, or business reasons
- The retention periods and settings of external services used in connection with the Service
- The need to provide, maintain, protect, and improve the Service
When personal data is no longer necessary, we will delete, anonymize, or otherwise appropriately handle it in accordance with applicable laws and regulations.
User Rights
Subject to the conditions and limitations under the GDPR, users have the following rights regarding their personal data.
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects
- Right to lodge a complaint with a supervisory authority
If a user wishes to exercise any of these rights, the user may contact us at the email address stated in this Policy.
We may request information necessary to verify the identity of the user before responding to a request.
If a user is dissatisfied with our processing of personal data, the user may lodge a complaint with the data protection supervisory authority in the user’s country of residence, place of work, or place of the alleged infringement.
Automated Decision-Making
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning the user or similarly significantly affect the user.
Security Measures
We implement reasonable technical and organizational measures to protect users’ personal data from unauthorized access, leakage, loss, destruction, alteration, misuse, and other risks.
However, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
Children’s Personal Data
The Service is not intended for children under the age at which consent can be lawfully given under applicable data protection laws without the consent of a parent or legal guardian.
If a minor uses the Service, the minor must obtain the consent of a parent or legal guardian.
If we become aware that we have collected personal data from a child without required parental or guardian consent, we will take appropriate measures in accordance with applicable laws and regulations.
Relationship with Other Policies
Our general Privacy Policy and External Transmission Policy may also apply to the handling of users’ information in connection with the Service.
If there is any conflict between this Policy and our general Privacy Policy with respect to the processing of personal data of users in the EU/EEA, this Policy shall prevail to the extent of such conflict.
Changes to This Policy
We may amend this Policy as necessary.
When we amend this Policy, we will notify or inform users of the effective date and content of the amended Policy by displaying it within the Service, posting it on our website, or by any other appropriate method.
Contact Information
If you have any questions regarding this Policy or wish to exercise your rights under the GDPR, please contact us at the following email address.
Privacy Contact: Choco Next Year For Sure Representative: Haruta Watanabe
Address: Aoyama Marutake Building 6F 3-1-36 Minami-Aoyama, Minato-ku, Tokyo 107-0062 Japan
Email: [email protected]
Established on June 12, 2026