Privacy Policy
1 Data Controller
The data controller for the ReBip application is:
- Email: info@rebip.app
- Website: https://rebip.app
For any privacy-related inquiry, request, or complaint, please contact us at info@rebip.app.
2 Data We Collect
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account | Email address, encrypted password | Authentication and account management | Contract performance |
| Shopping lists | List names, item names, quantities, units, checked status | Core app functionality | Contract performance |
| Scan history | Product names, brands, barcodes, purchase dates, images | Personalised suggestions and offline access | Legitimate interest / consent |
| Personal products | Product details and photos added manually by the user | Personal product catalogue | Contract performance |
| Camera | Barcode frames (processed on-device, never stored) | Barcode scanning | Consent (permission prompt) |
| Product photos for AI (optional) | Photos of the product and optional text description you provide for Photo Check (off by default, opt-in in Settings) or Deep Search. Sent securely to our backend for AI analysis and discarded right after — never stored. | Verify or identify a product when the barcode is not enough | Consent (explicit opt-in / user-initiated) |
| Technical identifiers | Anonymous Firebase UID (assigned automatically) | Service continuity before sign-up | Legitimate interest |
| Crash & diagnostics | Anonymous crash reports via Firebase Crashlytics | Bug fixing and stability | Legitimate interest |
We do not collect: precise location, contacts, microphone audio, health data, or financial information. The advertising identifier (IDFA) is accessed only if you explicitly allow it through the iOS tracking prompt (see Section 8) — if you decline, ads are served in non-personalised mode.
3 How We Use Your Data
- Provide and synchronise your shopping lists across your devices.
- Identify products via barcode through our BipAI pipeline, which queries public data sources (see Sections 6 and 7).
- Verify or identify a product from photos and/or a text description you choose to provide (Photo Check, opt-in and off by default, or Deep Search). Photos and text are processed through our backend by an AI provider (Google Gemini API) solely for that analysis and are not stored, not used to train models by us, and not linked to advertising.
- Suggest products based on your past purchases — entirely processed on your device and in your private cloud account.
- Improve the shared product catalogue (BipCore Aura) with anonymised scan data, only when you explicitly submit a product.
- Send you important service communications (e.g. password reset emails).
We do not use your shopping data for advertising, profiling for third parties, or automated decision-making with legal effects. Ads shown in the app (see Section 8) are independent of your lists and scan history.
4 Data Retention
- Account data — retained as long as your account is active.
- Shopping lists & history — retained until you delete them or delete your account.
- Local cache — stored on your device and manageable from Settings → My Database.
- Crash reports — retained for 90 days by Firebase Crashlytics, then automatically deleted.
When you delete your account from within the app, all your personal data is permanently deleted from our servers within 24 hours.
5 Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following limited cases:
- With other list members — if you share a list with someone, they can see the items in that list. You control who you share with.
- With infrastructure providers — Google Firebase (authentication, database, storage, crash reporting), acting as a data processor under our instructions. See Section 6.
- Legal obligations — if required by law, court order, or to protect the rights and safety of users.
6 Third-Party Services
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Firebase Auth / Firestore / Storage / Crashlytics | Google LLC | Authentication, database, file storage, crash reporting | firebase.google.com/support/privacy |
| OpenFoodFacts / OpenBeautyFacts / OpenProductsFacts | Open Food Facts | Product lookup by barcode (read-only) | openfoodfacts.org/privacy |
| UPCitemdb | UPCitemdb Inc. | Product lookup by barcode (read-only) | upcitemdb.com/privacy |
| Barcode Monster / Datakick / Wikidata / USDA | Various open-data providers | Product lookup by barcode (read-only, no personal data sent) | See individual providers |
| Google Gemini API | Google LLC | AI analysis for BipAI: product identification from barcode data and — only if you use Photo Check (opt-in) or Deep Search — from the photos/text you provide | policies.google.com/privacy |
| Google AdMob | Google LLC | Optional ad banners (see Section 8) | policies.google.com/privacy |
When performing a barcode lookup, only the barcode number is sent to external databases — no personal information is transmitted. If you enable Photo Check or use Deep Search, the photos and text you provide are relayed through our backend to the AI provider for that single analysis and are deleted immediately afterwards. Google Firebase infrastructure is located in the European Union and/or the United States. For transfers outside the EEA, Google relies on Standard Contractual Clauses approved by the European Commission.
7 Product Data, BipAI & Open Data Licensing
Product information in ReBip comes from two sources:
- BipCore Aura — ReBip's official product database, curated and verified by our team.
- BipAI — our artificial-intelligence pipeline, which searches, aggregates and cross-checks publicly available product information from the open data sources listed below. AI-generated product data may contain errors; always double-check important details (such as allergens or ingredients) on the physical product.
BipAI relies on the following open data sources. We gratefully acknowledge these projects and comply with their licensing terms:
| Source | Content | License |
|---|---|---|
| Open Food Facts (incl. Open Beauty Facts, Open Products Facts, Open Pet Food Facts) | Product data and photos | Data: Open Database License (ODbL) 1.0 · Photos: CC BY-SA 3.0 |
| Wikidata | Brand and product metadata | CC0 1.0 (public domain) |
| Wikipedia / Wikimedia Commons | Reference images | CC BY-SA and per-file licenses |
| USDA FoodData Central | Nutritional data | U.S. Government work (public domain) |
| UPCitemdb | Barcode lookup | Free API terms of service |
| Barcode Monster | Barcode lookup | Free API |
| Datakick | Barcode lookup | Open database (see datakick.org) |
| Open Library | Book metadata (ISBN) | Open data (see openlibrary.org) |
| Licensed web-search APIs | Supplementary product information and images | Commercial API agreements |
Data derived from Open Food Facts is available under the Open Database License (ODbL); photos from Open Food Facts are licensed under CC BY-SA 3.0. Within the ReBip app, all product pages link exclusively to rebip.app — this page serves as the complete attribution notice for the sources above.
8 Advertising
ReBip may show two kinds of advertising, both clearly labelled as "Sponsored":
- ReBip sponsored products — native product cards managed directly by ReBip. These are served from our own infrastructure and do not involve any third-party tracking.
- Google AdMob banners — standard ad banners served by Google. On iOS, AdMob can access the advertising identifier (IDFA) only if you allow it through the App Tracking Transparency prompt. If you decline, ads are served in non-personalised mode. Your shopping lists and scan history are never shared with advertisers.
You can change your tracking preference at any time in iOS Settings → Privacy & Security → Tracking. For details on how Google processes ad data, see policies.google.com/technologies/ads.
9 Security
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are never stored in plain text — Firebase Auth uses industry-standard hashing.
- Access to Firestore is restricted by security rules: each user can only read and write their own data.
- The app operates fully offline using a local encrypted cache when no internet connection is available.
10 Children's Privacy
ReBip is not directed at children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@rebip.app and we will delete it promptly.
11 Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
Request a copy of the personal data we hold about you.
Correct inaccurate or incomplete personal data.
Delete your account and all associated data — available directly in the app under Settings → Account → Delete account.
Request that we restrict processing of your data in certain circumstances.
Receive your data in a structured, machine-readable format.
Object to processing based on legitimate interest.
To exercise any of these rights, contact us at info@rebip.app. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (e.g. the Garante per la protezione dei dati personali in Italy).
12 Account Deletion
You can permanently delete your account and all associated data at any time, directly from the app:
- Open the app and tap Settings.
- Tap your account name at the top.
- Scroll down and tap Delete account.
- Enter your password to confirm.
Deletion is immediate and irreversible. All your lists, purchase history, personal products, and account data are permanently removed from our servers. Local data stored on your device is also cleared automatically.
13 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via the app or by email. Continued use of ReBip after a policy update constitutes acceptance of the revised policy.