This is the privacy policy for the Super app. The Terms of Use and EULA also apply.
Who we are
The Super app (shared shopping lists) is operated by Chai Magal, sole proprietor, Shani 4, Modiin, Israel — referred to as "chaimagal," "we," or "us." We are the data controller. For privacy questions write to support@chaimagal.com.
What we may collect
Super is a shared-list app, so some items become visible to people you invite. We may collect:
| Category | Includes | Visibility |
|---|---|---|
| Account | Email, handle, hashed password, sign-in tokens, sign-up time | You; handle visible to people on your shared lists |
| Profile | Avatar photo, display name | People on shared lists you participate in |
| List content | List name, photo, items (name, category, count, checked, favorite, price, photo), who added what | All participants of that list |
| Usage | Feature interactions, session timing, errors, device/OS, language, time zone | You and us |
| Purchase status | Store receipt ID, product ID, subscription state | You and us |
| Communications | Support emails, in-app feedback, ratings | You and us |
| Inferred data | Interests, segments, propensities derived from the above | You and us |
Sharing model
A list has one owner (the creator) and zero or more members. Owners rename, pin, delete, invite, and remove. Members add, check, edit, and delete items, and can leave. Permissions are enforced at the database via row-level security. Invites are resolved by handle or email; unknown identifiers return "not found" without revealing whether an account exists, and invite lookups are rate-limited to prevent enumeration.
Why we use it
We may process personal data for any of these purposes:
- Operating the app and the features you use; syncing and sharing list content with people you invite.
- Detecting and preventing abuse, fraud, scraping, and security incidents.
- Customer support, communications, and product feedback.
- Marketing communications where you opt in or where we have a legitimate interest balanced against your rights.
- Personalization and recommendations.
- Analytics, A/B testing, performance measurement, error reporting, and user research.
- Building, training, fine-tuning, evaluating, and improving artificial-intelligence and machine-learning models — both our own and those of providers we engage — including via human review of representative samples.
- Serving, measuring, and personalizing advertising and marketing across our properties and third-party networks, including for cross-context behavioral advertising as defined under California privacy law.
- Sharing with affiliates, present or future, and with successors in mergers, acquisitions, financing, asset sales, restructurings, or insolvency proceedings.
- Generating de-identified, aggregated, or anonymized data, which we may use, disclose, license, or sell for any purpose without further restriction.
- Compliance with law, including tax, accounting, and regulator response.
- Any other purpose disclosed at the point of collection or to which you consent.
Under GDPR our legal bases include performance of a contract (to deliver the features you use), our legitimate interests (in operating, improving, marketing, and protecting the app), compliance with law, and your consent (which you may withdraw at any time).
AI and machine learning
Today, Smart Add parses pasted text into items using Gemma 3 270M-IT (a small language model by Google) that runs entirely on your phone, and the insights recap is also on-device. Nothing about those prompts or outputs leaves the device. The Gemma model is provided under Google's Gemma Terms of Use at ai.google.dev/gemma/terms.
We may add cloud AI features (for example a larger model for recipes or voice dictation), and we may use the content you provide — list items, prompts, outputs, feedback — to train, fine-tune, evaluate, and improve our and third-party AI/ML models. This may include human review of representative samples by our personnel or contractors under confidentiality. Categories of AI providers we may engage are listed below; specific providers may change over time. Where applicable law requires explicit, opt-in consent for AI training on your data, we will ask for it before activating the relevant processing for you.
Where your data lives
Today, account and list data live on Supabase (Ireland / EU) — Postgres database with row-level security, plus object storage for photos. Photos are compressed on your phone (target 50 KB, cap 100 KB) with EXIF stripped. Data is protected by TLS in transit and encryption at rest. We may add or change cloud providers; categories of recipients are listed below.
Who we may share with
We may disclose personal data, in the categories above, to:
- Cloud, hosting, content-delivery, storage, backup, email, customer-support, and similar infrastructure providers (today: Supabase).
- Apple and Google — app distribution and in-app purchase processing.
- Analytics, error-reporting, observability, and product-research providers.
- Artificial-intelligence and machine-learning model providers, prompt-evaluation services, and human-review contractors.
- Advertising networks, ad-measurement, attribution, retargeting, and marketing-automation providers, including for cross-context behavioral advertising.
- Marketing-list providers, customer-data platforms, and email-delivery services.
- Push-notification gateways and consent-management platforms.
- Professional advisors — lawyers, accountants, auditors, insurers, consultants.
- Authorities, regulators, courts, and law enforcement, where we are legally compelled or where, in good faith, we believe disclosure is necessary to comply with legal process or to protect rights, property, or safety.
- Affiliates, present or future, and successors in mergers, acquisitions, financing, asset sales, restructurings, or insolvency proceedings.
- Other recipients to whom you direct us to share or to whom you consent.
Subscriptions and payments
Super is free to install. Paid features may be offered as a one-time purchase or recurring subscription processed exclusively through the App Store or Google Play. We do not see or store card or bank details. Subscriptions auto-renew under the store's terms; you manage and cancel in your Apple ID or Google account. Statutory withdrawal and cancellation rights (the EU 14-day right of withdrawal, the UK Consumer Contracts Regulations 2013, the Israeli Consumer Protection Law 5741-1981, California's Automatic Renewal Law, and Australian Consumer Law guarantees) are unaffected.
Advertising
Super may, now or in the future, display advertising — banner, interstitial, native, sponsored placements, or rewarded formats. Where ads are enabled we may work with third-party ad networks, ad-measurement, attribution, retargeting, and marketing partners, including for cross-context behavioral advertising as defined under California privacy law. We do not permit ad partners to target ads to you based on sensitive categories (religion, political views, sexual orientation, health, mental-health, precise geolocation) derivable from the app. Users in the EU, EEA, UK, and Brazil will see an in-app consent prompt before non-essential ad tracking. Users in California and similar US states have a "Do Not Sell or Share My Personal Information" control in Settings, and we honor Global Privacy Control (GPC) signals.
International transfers
Account and list data are stored in the European Union. The European Commission has recognized Israel as providing an adequate level of data protection. Transfers outside the EU/EEA and Israel (for example, to a US-based AI or analytics provider) are covered by an adequacy decision where one applies, or by the European Commission's 2021 Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards.
Retention and deletion
Items and lists are deletable at any time. Leaving a list removes your participant row; the list continues for everyone else. Account deletion removes your owned lists (with their items and participants), your profile, and your purchase history within 30 days, except where retention is required for legitimate reasons — records, taxation, fraud prevention, defense of legal claims (typically up to seven years from last activity). Backups containing your data roll off on their own lifecycle (up to 35 days). De-identified or aggregated data may be kept indefinitely.
Your rights
Subject to applicable law you have the right to access, rectify, delete, port, restrict, and object to processing of your personal data; to withdraw consent without affecting processing already done; and to lodge a complaint with a supervisory authority. Items you added to someone else's list remain there until the owner or you delete the item itself. Most rights can be exercised in-app; for the rest, email support@chaimagal.com from the email associated with your account. We respond within the time required by your applicable law (typically 30 days under GDPR; 45 days under CCPA, extendable once).
California rights
California residents have additional rights under CCPA/CPRA: the right to know, delete, correct, opt out of "sale" or "sharing," limit use of sensitive personal information, and non-discrimination. We honor Global Privacy Control (GPC) signals as opt-out requests. To opt out by email, write to support@chaimagal.com with the subject "Do Not Sell or Share."
Minors
Super is intended for users 13 and older. Where the age of digital consent in your jurisdiction is higher (e.g. 16 in Germany, Ireland, the Netherlands, Poland, and several other EU member states), users below that age need parental consent. In California, users between 13 and 15 must opt in to "sale" or "sharing" rather than opt out. We do not knowingly collect personal data from children under 13.
What we will not do
We will not:
- Sell raw, identifiable personal data to data brokers (we may sell de-identified or aggregated data).
- Share personal data with insurers, employers, or law enforcement absent valid legal process or your consent.
- Use personal data for political-advertising targeting.
Security and changes
We protect data with TLS in transit, short-lived rotating tokens, row-level security at the database, and encryption at rest. If we become aware of a breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours where required and notify you without undue delay.
We may update this policy. The "Updated" date at the top reflects the latest revision. For material changes — including changes to data categories, recipient categories, purposes, or paid-feature pricing — we will notify you in-app (banner or launch screen) and, where we hold a verified email, by email, before the change takes effect.