Privacy policy

1. Controller

Responsible for data processing under GDPR: Stefan Wibmer · [address pending] · [email protected]

2. What we store

• Account data: Email address, password hash (for OAuth: provider ID instead of password), sign-up timestamp.
• Log data: Your food and symptom entries including photos. These belong exclusively to you.
• Technical data: IP address (truncated, max. 14 days), user agent, device type — only for error analysis.
• No trackers: We do not use Google Analytics, Facebook Pixel, or any other advertising trackers.

3. Where we store (EU hosting)

• Database & auth: Supabase, region eu-central-1 (fra1), Frankfurt am Main.
• Website & PWA hosting: Cloudflare Pages, EU edge locations.
• Photo storage: Cloudflare R2, region EU.
• Email delivery: Resend / Loops (data processing agreements in place).

4. AI processing of photos

When you upload a photo of your plate, we send it once to Gemini 2.5 (Google) via OpenRouter for content extraction. The photo is not used for training. You can disable AI analysis in Settings at any time.

5. Your rights (GDPR Art. 15–22)

• Access (Art. 15): Any time via Settings → Data export.
• Rectification (Art. 16): Directly in the app.
• Erasure (Art. 17): Settings → Delete account (immediate, irrevocable).
• Restriction (Art. 18): By email to [email protected].
• Portability (Art. 20): Export as JSON/Markdown any time.
• Objection (Art. 21): By email to [email protected].

6. Cookies

We only use strictly necessary cookies (login session, language/theme preference). No tracking, no cookie banner theater.

7. Right to complain

You have the right to file a complaint with a data protection authority. The competent authority is the Austrian Data Protection Authority (dsb.gv.at).

8. Changes

For significant changes to this privacy policy, beta users will be informed by email.