Forkin
27 May 2026

Why Forkin is a European company — and what the US CLOUD Act has to do with your food data

Most food and nutrition apps run on US cloud providers, which makes them subject to the US CLOUD Act. We don't. Here's exactly what that means and why it matters for sensitive food, dietary, and health data.

Forkin is a European company, hosted on European servers, run by a European team. That isn't a marketing line — it's a deliberate engineering and legal choice, and it's the single biggest structural difference between us and the largest apps in this category.

If you log what you eat, what you don't eat, what your kids eat, what your pet eats, what your skin reacts to, or what your doctor told you to avoid — that's sensitive personal data under EU law. Under GDPR Article 9, data about your health, diet, religious beliefs (halal, kosher), or even your political views deserves a higher level of protection than your shopping habits. So we built around it.

The US CLOUD Act, in one paragraph

The Clarifying Lawful Overseas Use of Data Act (passed in 2018) compels US-headquartered cloud providers — Amazon Web Services, Google Cloud, Microsoft Azure, Cloudflare, DigitalOcean, Firebase — to hand over customer data to US law enforcement on request, regardless of where in the world that data is physically stored. The provider does not have to tell the customer. The provider does not have to tell the data subject. Sometimes the provider is legally gagged from saying anything at all.

This is not theoretical. The Schrems II ruling by the Court of Justice of the EU (2020) explicitly cited US surveillance law — including the CLOUD Act and FISA 702 — as the reason that transfers of EU personal data to US providers cannot be considered "essentially equivalent" to EU protection. The legal mechanism that papers over this gap, the EU-US Data Privacy Framework, has already been challenged in court and most observers expect it to fall a third time.

What this means for your favourite "EU" food app

Open the privacy policy of almost any major nutrition app and search for "Amazon Web Services", "Google Cloud", "Firebase", "Cloudflare", or "DigitalOcean." You will find at least one. Often all of them. The provider's data centre may sit in Frankfurt or Paris, but the parent company is US-headquartered, which means the CLOUD Act applies. Your meal diary, your weight history, your dietary restrictions — all of it is reachable by US legal process.

If you scan halal products, that's a religious preference. If you log Crohn's-friendly meals, that's a health condition. If you track your child's allergies, that's a minor's medical data. None of this is something you'd casually want disclosed under a sealed warrant in another jurisdiction.

How we built around it

Forkin has zero US-headquartered providers in its production path. Here is the actual stack:

  • Compute & storage: Hetzner Cloud (Germany) — EU-headquartered, no US parent, ISO 27001.
  • GPU inference: Hyperstack (UK/EU) — EU operations, contracts under EU law.
  • CDN & edge: Bunny.net (Slovenia) — EU-headquartered, EU-only routing for our zone. We migrated off Cloudflare in 2026 for exactly this reason.
  • VLM / LLM inference: Scaleway Generative APIs (France) — French cloud, hosted on renewable energy.
  • Email: Brevo (France) — French SMTP relay, French data residency.
  • Error monitoring: Sentry EU region (Germany) — ingest.de.sentry.io, EU-only ingest.
  • Analytics: PostHog EU region (Frankfurt) — eu.i.posthog.com.

Payments are processed by Paddle (UK) as Merchant of Record, so we never see your card. Apple Sign In and Google Sign In are platform identity providers, not data hosts. We offer Apple Sign In because it is the most privacy-respecting of the two, but we don't force you into either.
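A small configuration audit in the spirit of the stack above, added here as an example and not part of Forkin's own tooling: it parses the outbound endpoints in a service configuration and flags any host that belongs to one of the US-headquartered providers named on this page, including the case where the data centre is in an EU region but the parent company is not. The EU-region hosts come from the stack list; the US-provider domain suffixes and the sample configuration are assumptions constructed for the example.

```python
"""Audit outbound endpoints for non-EU-region hosts (added example, not Forkin code)."""
from urllib.parse import urlsplit

# EU-region endpoints named on this page (Sentry EU ingest, PostHog EU).
EU_REGION_HOSTS = ("ingest.de.sentry.io", "eu.i.posthog.com")

# Domain suffixes assumed for the US-headquartered providers the page lists.
# This is a starting point, not a complete inventory of their domains.
US_PROVIDER_SUFFIXES = (
    "amazonaws.com",            # AWS, including EU regions such as eu-central-1
    "googleapis.com",           # Google Cloud
    "firebaseio.com",           # Firebase (Google)
    "cloudflare.com",           # Cloudflare
    "digitaloceanspaces.com",   # DigitalOcean object storage
    "ingest.sentry.io",         # Sentry default (US) ingest, as opposed to ingest.de.sentry.io
    "us.i.posthog.com",         # PostHog US cloud, as opposed to eu.i.posthog.com
)


def host_of(value: str) -> str:
    """Return the lower-cased host from a URL or DSN; bare hostnames pass through."""
    parsed = urlsplit(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()  # hostname drops user:pass@ from DSNs


def classify(host: str) -> str:
    """Classify a host as 'eu', 'us-headquartered' or 'unknown' (needs manual review)."""
    if any(host == h or host.endswith("." + h) for h in EU_REGION_HOSTS):
        return "eu"
    if any(host == s or host.endswith("." + s) for s in US_PROVIDER_SUFFIXES):
        return "us-headquartered"
    return "unknown"


def audit(config: dict) -> dict:
    """Map each config key to the classification of the host it points at."""
    return {key: classify(host_of(value)) for key, value in config.items()}


def violations(config: dict) -> list:
    """Keys whose endpoint is reachable by a US-headquartered provider."""
    return [key for key, verdict in audit(config).items() if verdict == "us-headquartered"]


# Constructed sample configuration: two EU-region endpoints, one Sentry DSN left on
# the default US ingest, and an S3 bucket in Frankfurt (EU region, US parent).
SAMPLE_CONFIG = {
    "SENTRY_DSN": "https://examplekey@o0.ingest.de.sentry.io/1",
    "POSTHOG_HOST": "https://eu.i.posthog.com",
    "LEGACY_SENTRY_DSN": "https://examplekey@o0.ingest.sentry.io/1",
    "ASSET_BUCKET": "https://example-bucket.s3.eu-central-1.amazonaws.com",
}

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {verdict}")
```

Run it against your own environment files or deployment manifests; anything reported as `unknown` still needs a human to check who the provider's parent company is.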

"Doesn't GDPR already cover this?"

Yes — for the company that holds your data. But GDPR doesn't change the legal authority a US court has over a US company, and it doesn't change which warrants a US provider must honour. The only way to fully escape that authority is to not put your data in a US-controlled system in the first place. So we don't.

If you ever want to know exactly what's stored about you, request it: every Forkin account can export everything in a machine-readable format (Article 20 portability), and you can permanently delete the account from inside the app (Article 17 erasure). Both endpoints are live, not "coming soon."

The honest trade-off

EU-only infrastructure is more expensive per request than US hyperscalers, and EU providers ship fewer ready-made AI primitives than AWS or Google Cloud. That's a real cost for us. The reason we accept it is that this category — what people eat, what their kids eat, what they're allergic to — is exactly the category where the cost of getting privacy wrong is permanent.

If you're choosing between food-scanning apps and you care about this, the question to ask isn't "do you have GDPR-compliant privacy policies?" Everyone does. The question is: "Whose courts can subpoena my data, and would I find out?"

Our answer is: Polish and European courts only, and yes, you'd find out — because our privacy policy commits to telling you, and there is no US gag order that can stop us.
