This is a courtesy translation. The legally binding version is the German original.
Privacy Policy
Effective: April 20, 2026
1. Data Controller
kerntrack is operated by:
kerntrack
Email: datenschutz@kerntrack.de
(A Data Protection Officer (DPO) will be appointed and listed here before public launch.)
2. Overview — Your Data Belongs to You
kerntrack stores all health and nutrition data exclusively on your device. We have no access to this data — unless you explicitly enable an optional cloud backup in the future.
We do not use any advertising SDKs, the Facebook SDK, Google Analytics, or any other tracking services that process your health data.
3. What Data Is Processed?
a) Locally on your device (SQLite database):
- Name and age
- Height and weight
- Nutrition goal (lose / maintain / gain)
- Daily calorie target
- Food entries (meals, calories, macronutrients)
- Weight history
- Water intake
This data is NOT transmitted to our servers. It does not leave your device.
b) Optional user account (Supabase, EU / Frankfurt):
- Email address
- Authentication tokens (encrypted)
If you create an account, only your email address is stored on servers in the EU (Frankfurt, Germany). Processing is based on Art. 6(1)(b) GDPR (performance of a contract).
c) API requests to Open Food Facts:
When you search for foods or scan a barcode, a request is sent to the Open Food Facts API (https://world.openfoodfacts.org). Your search term or barcode is transmitted. Open Food Facts is an open, non-profit project (ODbL license). No personal data is transmitted to Open Food Facts.
d) AI Photo Recognition (Google Gemini API, PRO only):
When you use AI photo recognition (PRO feature), your photo is sent to the Google Gemini API (generativelanguage.googleapis.com, Google LLC, Mountain View, USA). The photo is sent by kerntrack solely for the purpose of food recognition. Further data processing by Google is governed by the Google Gemini API terms of service. Your photo leaves your device storage and is transferred to servers outside the EU/EEA.
The transfer is based on Art. 6(1)(a) GDPR (consent through active use of the feature) in conjunction with Art. 49(1)(a) GDPR (explicit consent for third-country transfer). For more information on data processing by Google, see https://policies.google.com/privacy.
If you do not wish to use this feature, simply don't use AI photo recognition. All other app functions are unaffected.
e) Payment Processing and Subscription Management (RevenueCat):
For managing in-app subscriptions, we use RevenueCat, Inc. (San Francisco, USA). RevenueCat processes only purchase data (transaction IDs, subscription status, device type) — no health data. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Data transfer: USA, secured by EU Standard Contractual Clauses (SCCs). For more information: https://www.revenuecat.com/privacy
4. Legal Basis (GDPR)
- Art. 6(1)(a) GDPR — Consent: You consent to local processing of your health data during initial setup.
- Art. 6(1)(b) GDPR — Performance of a contract: For providing app functionality.
- Art. 9(2)(a) GDPR — Explicit consent: Health data is a special category of personal data. You provide explicit consent during onboarding (step 4).
5. Data Storage and Deletion
Local data:
You can permanently delete all data at any time via Profile → "Delete all data". Uninstalling the app also deletes all locally stored data.
Account data (if applicable):
You can delete your account at any time. Send an email to datenschutz@kerntrack.de. Your email address will be removed from our servers within 30 days.
6. Data Export
You have the right to data portability (Art. 20 GDPR). In an upcoming version, data export in CSV and PDF format will be available directly in the app.
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
Since your health data is stored exclusively on your device, you can exercise most rights yourself (view, modify, delete data).
For requests regarding your account or other privacy concerns, contact: datenschutz@kerntrack.de
8. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The responsible authority is typically the authority in your German federal state.
9. Minors
kerntrack is intended for persons aged 16 and older. Persons under 16 require the consent of a parent or guardian.
10. Changes to This Privacy Policy
We reserve the right to update this privacy policy when app functionality or legal requirements change. The current version is always available in the app under Profile → Privacy.
11. Not a Medical Device
kerntrack is not a medical product and not a medical device within the meaning of Regulation (EU) 2017/745 (MDR). The calculated calorie targets do not replace medical or nutritional advice.