Privacy Policy - SuppScan AI

Version 1.0 | Effective from: January 9, 2026


Language Version and Authoritative Version

Original Language: This Privacy Policy was originally drafted in the German language.

Translations: We provide translations of this Privacy Policy in other languages for your reference.

Authoritative Version: In the event of any contradiction, inconsistency, or different interpretation between the German version and any translation, exclusively the German version is legally binding and authoritative.


1. Introduction and Controller

1.1 Who We Are

This Privacy Policy informs you about how we collect, use, and protect your personal data when you use the mobile application SuppScan AI (the "App").

Controller:

Lokman Beser
Dr.-Golm-Str. 24
27232 Sulingen
Germany

Email: [email protected]
Website: https://suppscan.ai

Data Protection Officer:

Abdullah Sögüt
Email: [email protected]

1.2 Legal Basis

This Privacy Policy complies with the requirements of:

  • General Data Protection Regulation (GDPR)
  • German Federal Data Protection Act (BDSG)
  • German Telecommunications and Telemedia Data Protection Act (TTDSG)
  • Other applicable data protection laws

2. What Data We Collect

2.1 Account Data

When creating an account, we collect:

  • Email address
  • Password (securely encrypted and hashed)
  • Name (optional)
  • Authentication method (Apple, Google, Email, or Anonymous)

2.2 Health Data (Special Categories under Art. 9 GDPR)

Important: Health data constitutes "special categories of personal data" under GDPR and requires your explicit consent.

We collect the following health-related information:

  • Age or date of birth
  • Gender
  • Weight and height
  • Pregnancy status and week (if applicable)
  • Geographic location (for Vitamin D calculations)
  • Dietary preferences (vegan, vegetarian, etc.)
  • Lifestyle factors (smoking status, alcohol consumption, sun exposure)

Legal Basis: Your explicit consent pursuant to Art. 9(2)(a) GDPR, which is obtained separately during account creation.

2.3 Supplement Data

  • Names and ingredients of supplements you track
  • Dosage information and intake schedules
  • Photos of supplement packaging (optional), including:
    • Image content (product labels, packaging)
    • Photo Metadata (EXIF Data): Date and time of capture, device model, camera settings
    • Location Data: If enabled in your device settings, photos may contain geographic coordinates (we do not use this location data for tracking purposes)
  • Intake history and timestamps
  • AI-generated recommendations and nutrient targets

2.4 Device and Technical Data

  • Device type and operating system
  • App version and language settings
  • Push notification token
  • Error logs and crash reports (for app stability)
  • IP address (temporary, for security purposes only)

2.5 Biometric Data

Important Notice for Users in Illinois, Texas, and Washington (USA):

SuppScan AI does not collect, store, or process any biometric identifiers or biometric information within the meaning of the Illinois Biometric Information Privacy Act (BIPA), the Texas Biometric Privacy Law, or the Washington Biometric Privacy Law.

What We Do NOT Capture:

  • Facial recognition or facial geometry
  • Fingerprints or handprints
  • Iris or retina scans
  • Voice prints or voiceprints
  • DNA information
  • Gait analysis or other biometric identifiers

Our Photo Scan Feature:

When you use the AI-powered photo scan feature to photograph supplement labels:

  • We use automated image analysis to extract text and product information from labels
  • We do NOT analyze or store faces, individuals, or biometric features
  • Image processing is exclusively limited to text and product information extraction
  • Photos are NOT used for identifying individuals

If a Photo Accidentally Contains People:

  • These areas will not be subjected to biometric analysis
  • We do not store or index facial features
  • We do not use facial recognition technology
  • Photos are processed exclusively for supplement information extraction

Your Responsibility:

When photographing supplement packaging:

  • Avoid including yourself or other people in the photo
  • Focus the camera on the product label
  • Do not photograph people, faces, or body parts

Compliance with Illinois Biometric Information Privacy Act (BIPA):

Pursuant to 740 ILCS 14/1 et seq. (Illinois BIPA):

  • We do not collect biometric identifiers
  • We do not require written consent for biometric data (as none is collected)
  • We do not sell, lease, trade, or profit from biometric data
  • We do not have retention policies for biometric data (as none are stored)

Contact:

If you have questions regarding photo processing or biometric data:

Email: [email protected]
Subject: "Biometric Privacy Inquiry"


3. How We Use Your Data

3.1 Providing the App (Legal Basis: Art. 6(1)(b) GDPR - Contract Performance)

We process your account and supplement data in order to:

  • Provide the core functionality of the App
  • Enable your supplement management
  • Synchronize data across your devices
  • Send transactional emails (account confirmation, password reset)

Without this processing, we cannot provide the App.

3.2 Processing of Health Data (Legal Basis: Art. 9(2)(a) GDPR - Explicit Consent)

We use your health data in order to:

  • Calculate personalized nutrient targets
  • Generate AI-powered supplement recommendations
  • Analyze your supplement intake patterns
  • Provide individual health insights

You may withdraw your consent at any time by deleting your account. However, withdrawal means you can no longer use the personalized features of the App.

3.3 Error Monitoring and App Stability (Legal Basis: Art. 6(1)(b) GDPR - Contract Performance)

We use error monitoring services in order to:

  • Detect and fix crashes and errors
  • Ensure stable and reliable app performance
  • Improve user experience

This processing is necessary to provide a functioning app. Without crash monitoring, we cannot maintain app quality.

3.4 Legal Obligations (Legal Basis: Art. 6(1)(c) GDPR - Legal Obligation)

We retain certain data as required by law:

  • Billing records (tax and commercial law requirements)
  • Dispute-related communications logs

3.5 Apple as Data Processor (Legal Basis: Art. 6(1)(b) GDPR - Contract Performance)

Apple collects and processes technical data through the App Store infrastructure:

  • Device type, operating system version, app performance metrics, crash reports
  • Apple may use depersonalized data for product improvement and App Store administration
  • Apple's data processing is governed by Apple's Privacy Policy: https://www.apple.com/privacy/
  • License Terms: https://www.apple.com/legal/internet-services/itunes/dev/stdeula/

4. Who Receives Your Data

4.1 Service Providers We Use

We share your data with the following categories of service providers:

Within the EU:

  • Cloud Infrastructure Provider (Germany) - Server hosting, databases, and file storage
  • Error Monitoring Service (EU) - Crash monitoring and stability analysis

Outside the EU (USA):

  • AI Service for Nutrition Recommendations - Processing of health data to generate personalized supplement recommendations and nutrient targets
  • Email Sending Service - Sending of transactional emails (account confirmation, password reset)
  • Push Notification Services - Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM)

Payment Processing:

  • Apple App Store and Google Play Store handle all payment transactions. We only store your subscription status (active/expired).

4.2 Apple as Data Processor

Apple processes technical data through the App Store infrastructure as a data processor:

  • Device type, operating system version, app performance, and crash metrics
  • Apple may use depersonalized data for product improvement and App Store administration
  • Apple's data processing is governed by: https://www.apple.com/privacy/ and https://www.apple.com/legal/internet-services/itunes/dev/stdeula/

4.3 International Data Transfers

Some of our service providers are located outside the EU, particularly in the USA:

  • AI providers for supplement recommendations
  • Email sending services
  • Push notification services (Apple, Google)

Safeguards for USA Transfers:

We ensure that these transfers are protected by one or more of the following guarantees:

  1. EU-US Data Privacy Framework (DPF) - EU Commission adequacy decision of July 10, 2023. To the extent service providers are certified under the DPF, the transfer is based on this framework.

  2. Standard Contractual Clauses (SCCs) - EU Commission-approved contractual clauses that guarantee EU data protection standards. We use these with service providers without DPF certification.

  3. EU Establishments - Some service providers have established EU entities that act as data controllers.

Copies of Guarantees: You may request a copy of the Standard Contractual Clauses or information regarding the DPF status of our service providers by emailing: [email protected]

Important Notes:

  • Data protection standards in the USA may differ from those in the EU
  • US authorities may request access to data under local law (e.g., FISA, CLOUD Act)
  • By using the App, you acknowledge this risk

4.3 AI Processing Safeguards

Before we send your data to AI providers:

  • Your data is NOT used for AI training - We have configured our API settings to prohibit training with user data
  • AI providers process your data only for the request and do not retain it for other purposes

4.4 Professional Advisors

We may share your personal data with professional advisors insofar as this is necessary for the provision of their services:

  • Lawyers - For legal advice, contract matters, and legal representation
  • Tax Advisors and Auditors - For tax compliance, financial statements, and financial audits
  • Business Consultants - For business development and strategic consultation
  • Insurance Brokers - For insurance matters and risk management

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring proper corporate governance and legal compliance).

All professional advisors are subject to professional confidentiality obligations and are contractually obligated to treat your data confidentially.

4.5 Single Sign-On Providers (Apple, Google)

When you sign in to SuppScan AI with a third-party service, we receive certain information from that service:

Apple Sign-In

When you choose "Sign in with Apple," we receive from Apple:

  • User ID (unique Apple identifier)
  • Email Address (either your real email or an anonymous forwarding email provided by Apple)
  • Name (optional, only if you share this during sign-in)

Important: Apple offers the option to "Hide My Email," whereby Apple creates a forwarding email address. We respect your choice.

Apple Privacy Policy: https://www.apple.com/legal/privacy/

Google Sign-In

When you choose "Sign in with Google," we receive from Google:

  • User ID (unique Google identifier)
  • Email Address
  • Profile Name
  • Profile Picture (optional)

Google API Services User Data Policy: Our use of information received from Google APIs complies with the Google API Services User Data Policy, including Limited Use requirements.

We use this data exclusively for:

  • Authentication and account creation
  • Providing app functionality
  • Communication with you regarding your account

Important: We do not sell data received from Google APIs and only share it as described in this Privacy Policy.

Google Privacy Policy: https://policies.google.com/privacy

Control Over Permissions

You may revoke SuppScan AI's permissions at any time in your Apple or Google account settings. Please note that revoking permission may impair your ability to sign in to the App.

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and your consent at the time of sign-in.

4.6 Business Transactions and Successors

We may disclose or transfer your personal data in connection with actual or contemplated business transactions:

Types of Transactions

  • Business Sale or Acquisition: Sale, transfer, or merger of our entire business or parts thereof
  • Asset Disposition: Sale or transfer of business assets or equity interests
  • Investments and Financing: Admission of investors or financing rounds
  • Insolvency or Bankruptcy: In the event of insolvency, bankruptcy, or receivership, where personal data is transferred as business assets

Due Diligence Review

Before completing a transaction, we may need to share personal data with:

  • Potential buyers, investors, or merger partners
  • Their legal and financial advisors
  • Due diligence reviewers

These parties are contractually obligated to maintain confidentiality and may use your data only for the purpose of transaction review.

After Transaction Completion

In the event of a completed transaction, your personal data may be transferred to:

  • The acquirer, successor, or assignee of the business
  • The merged or newly formed company
  • Insolvency or bankruptcy administrator

Important: The new owner will remain bound by this Privacy Policy, unless:

  • You are informed of material changes to data processing practices
  • You are given the opportunity to object to the new processing or delete your account

Notification

In the event of material business transactions, we will notify you:

  • By email (to your registered email address)
  • By in-app notification
  • By updating this Privacy Policy

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring business continuity) and Art. 6(1)(b) GDPR (contract performance).

4.7 No Sale of Data

We do NOT sell, rent, or share your personal data with:

  • Advertisers
  • Data brokers
  • Marketing companies
  • Third parties not listed above

Exception: We may disclose data if required by law (e.g., court orders, law enforcement requests).


5. Data Storage and Deletion

5.1 Active Account

We store your data only as long as your account is active and you use the App.

5.2 Account Deletion

When you delete your account:

  • All your personal data is immediately and permanently deleted, including:
    • Account information
    • Health data
    • Supplement records and intake history
    • Supplement photos

Exceptions:

AI Interaction Logs (Art. 17(3)(e) GDPR): To defend against legal claims (e.g., product liability), we retain encrypted AI interaction logs for a maximum of 10 years:

  • Your AI inputs (age, weight, supplements, etc.)
  • AI recommendations and outputs
  • Technical metadata (timestamps, app version, AI model)

Purpose: If you claim the App provided faulty health recommendations, we can demonstrate what inputs you provided and what recommendations the AI gave.

Security: All data remains AES-256 encrypted. Your deleted user ID remains stored but points to a non-existent account.

Automatic Deletion: No later than 10 years after the AI interaction.

Further Exceptions:

  • Billing records (10 years, tax law requirement)
  • Anonymized, aggregated statistics (no personal data)

5.3 Inactive Accounts

Accounts inactive for longer than 60 months (5 years) may be deleted following prior notice.

5.4 Specific Retention Periods

While Your Account Is Active:

  • All personal data: For as long as your account exists
  • Security logs (IP addresses, login attempts): 90 days
  • Backups: 30 days (automatic rotation)

After Account Deletion:

  • AI interaction logs: Maximum 10 years (Art. 17(3)(e) GDPR - legal claims)
  • Billing records: 10 years (§ 147 AO, tax law requirement)
  • All other data: Immediate deletion (within 48 hours)
  • Backups: Automatic deletion within 30 days (backup cycle)

Inactive Accounts:

  • Automatic deletion after 60 months (5 years) of inactivity (following prior notice)

5.5 License Termination and Data Treatment

Should Apple terminate the App license due to non-compliance with Apple terms:

  • Data storage obligations remain consistent with this Privacy Policy
  • You may request data deletion at any time via account deletion
  • Technical data may be briefly retained for compliance purposes

6. Your Rights under GDPR

You have the following rights regarding your personal data:

6.1 Right of Access (Art. 15 GDPR)

You may request information about what personal data we have stored about you.

How to Exercise: Email [email protected]

6.2 Right to Rectification (Art. 16 GDPR)

You may request correction of inaccurate personal data.

How to Exercise: Edit your profile directly in the App.

6.3 Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)

You may request deletion of your personal data.

How to Exercise: Delete your account in App Settings → Delete Account.

6.4 Right to Restrict Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your data.

Important: Since processing of your data is necessary for providing App functionality (Art. 6(1)(b) GDPR), we cannot provide services if you request restriction. Your account will remain, but:

  • You cannot use the App
  • No AI features, tracking, or calculations available
  • Data storage only, without further processing

More Practical Alternative: If you no longer wish to use the App, we recommend full account deletion (see 6.3).

How to Exercise: Email [email protected]

6.5 Right to Data Portability (Art. 20 GDPR)

You may obtain a copy of your data.

How to Exercise: Email [email protected]

6.6 Right to Object (Art. 21 GDPR)

Since our data processing is based on contract performance and consent, objection is not applicable.

How to Exercise: Delete your account.

6.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You may withdraw your consent to processing of health data at any time.

How to Exercise: Delete your account (withdrawal applies only to future processing).

6.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority.

Competent Supervisory Authority:

The Lower Saxony State Commissioner for Data Protection
Website: https://www.lfd.niedersachsen.de/


7. Data Security

We protect your data with industry-standard security measures:

7.1 Technical Measures

  • Encryption in Transit: All data transfers use TLS 1.2 or higher
  • Secure Authentication: Passwords are hashed using industry-standard algorithms
  • Access Controls: Restricted access to personal data on a need-to-know basis
  • Security Monitoring: Regular security audits and vulnerability assessments

7.2 Organizational Measures

  • Employee training in data protection
  • Regular review of security practices

7.3 Incident Response

In the event of a data breach affecting your rights:

  • We will notify you within 72 hours (as required by Art. 33 GDPR)
  • We will inform the competent supervisory authority
  • We will take immediate measures to mitigate damage

7.4 Data Protection Impact Assessment (DPIA)

We have conducted a Data Protection Impact Assessment pursuant to Art. 35 GDPR to assess risks of processing health data and implement appropriate safeguards.

7.5 Report of Data Breaches

For All Users:

In the event of a data breach (security incident, unauthorized access, data leak) that poses a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authorities within 72 hours of becoming aware of it, pursuant to Art. 33 GDPR
  • Inform affected users promptly, pursuant to Art. 34 GDPR, if the breach poses a high risk to your rights
  • Take immediate measures to mitigate damage and remedy the incident
  • Conduct and document a complete investigation of the incident

Additionally for US Users - FTC Health Breach Notification Rule:

For users in the United States, additional notification requirements apply pursuant to the FTC Health Breach Notification Rule (16 CFR Part 318), as amended on July 21, 2024.

What is the FTC Health Breach Notification Rule?

The US Federal Trade Commission (FTC) requires health apps like SuppScan AI to report data breaches affecting unsecured personal health information (PHR). This rule applies to apps not covered by HIPAA (like SuppScan AI).

In the event of a notifiable security breach, we will:

  1. Notify You - Within 60 days of discovering the breach via:
    • Email (to your registered email address)
    • Alternatively, via a prominent website notice for 90 days plus notice to major media (if over 500 users are affected)
  2. Notify the FTC - Within 60 days of discovering the breach
  3. Notify Third-Party Service Providers - Who may be affected by the breach

What Our Notification Will Contain:

  • Description of Breach: What happened, when it happened, how it was discovered
  • Affected Data Types: What types of health information were affected
  • Number of Affected Users: How many people are affected
  • Steps Taken: What we have done to remedy the breach
  • Contact Information: How you can contact us for further information
  • Recommended Steps: What you can do to protect yourself

What Qualifies as a "Security Breach" under the FTC Rule:

A breach occurs when unsecured personal health information is acquired without authorization, including through:

  • Unauthorized access to our systems
  • Loss or theft of devices with unencrypted data
  • Malicious cyberattacks or hacks
  • Inadvertent disclosure to unauthorized third parties

What Does NOT Qualify as a Breach:

  • Access by authorized employees or service providers for legitimate business purposes
  • Inadvertent acquisition in good faith, if information is not further disclosed
  • Acquisition of data that is encrypted according to current industry standards (AES-256)

Your Rights in the Event of a Data Breach:

  • You have the right to be informed of any breach affecting your health information
  • You have the right to file a complaint with the FTC if you believe we did not respond properly to a breach
  • You may take legal action against us if you have suffered harm due to a breach

FTC Contact for Complaints:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
Phone: 1-877-FTC-HELP (1-877-382-4357)
Website: https://www.ftc.gov/complaint

Additionally for California Users - California Civil Code §1798.82:

For California residents, additional notification requirements apply pursuant to the California Data Breach Notification Law. In the event of a breach affecting unencrypted personal information, we will notify California users "without unreasonable delay" and in the "most expedient time possible" as required by California law.

How We Prevent Data Breaches:

We implement comprehensive technical and organizational measures to prevent data breaches:

  • Encryption at Rest and in Transit: AES-256 encryption for stored data, TLS 1.2+ for data transfers
  • Access Controls: Strict authentication, role-based access control (RBAC), multi-factor authentication for administrators
  • Regular Security Audits: Penetration testing, vulnerability assessments, code reviews
  • Intrusion Detection Systems: Real-time monitoring of suspicious activities
  • Employee Training: Regular training in data protection and security awareness
  • Incident Response Plan: Documented procedures for rapid response to security incidents
  • Vendor Security Assessments: Security assessments of all third-party service providers

Security Vulnerability Reporting:

If you discover a security vulnerability in our services, please report it immediately to:

Email: [email protected]
Subject: "Security Vulnerability Report"

We are committed to responsible disclosure and will not take action against researchers who report security issues in good faith.


8. Cookies and Tracking

Note: This Privacy Policy applies primarily to our Mobile App. Our APIs are accessible exclusively through the Mobile App.

8.1 Privacy-First Approach

We take a strict privacy-first approach and do not use third-party services for analytics, advertising, or tracking. Your usage data is not shared with marketing or advertising platforms.

8.2 Essential Technical Data (Mobile App)

We collect exclusively technical data required for providing App functionality:

  • Session Management (Login Status) - To keep you logged in and manage your session
  • Error Logs (Crash Monitoring) - To detect crashes and improve app stability
  • Push Notification Delivery - To send you reminders and important updates

Legal Basis: Art. 6(1)(b) GDPR (necessary for contract performance).

This data processing is technically required for the App to function properly. Without this data, we cannot provide the App's basic functions.

8.3 Website Cookies (Landing Page)

Our public website (suppscan.ai) uses exclusively technically necessary cookies:

  • Session Cookie (JSESSIONID): Technically required to manage your browser session.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in technical functionality).

We do not use marketing, analytics, or tracking cookies on our website. A cookie consent banner is therefore not required.


9. Age Restriction

This App is intended for users aged 18 and above.

9.1 Technical Implementation of Age Verification

Age restriction is technically enforced at multiple levels:

  • A minimum age of 18 years is set in the App Stores (Apple, Google)
  • During onboarding, date of birth is collected, with selection limited to users aged 18 and above
  • Onboarding cannot be completed without a valid minimum age

By using the App, you confirm that you are at least 18 years of age.

Important: We do not knowingly collect data from persons under 18 years of age. If we become aware that we have inadvertently collected such data, we will delete it immediately.

For US Users: We do not knowingly collect data from children under 13 years of age pursuant to the Children's Online Privacy Protection Act (COPPA). If we discover that we have inadvertently collected personal data from children under 13, we will delete it immediately.


10. AI-Powered Features

10.1 How AI Works in Our App

We use AI for:

  • Analysis of supplement labels from photos
  • Generation of personalized nutrient targets
  • Provision of supplement recommendations
  • Identification of potential nutrient interactions

10.2 Important Disclaimers

AI-generated recommendations are for informational purposes only and do NOT constitute medical advice.

  • AI can make errors or provide inaccurate information
  • Recommendations are based on general wellness principles, not your specific medical situation
  • Always consult a qualified healthcare provider before making health decisions

10.3 Transparency (EU AI Act Compliance)

For users in the EU/EEA:

You are hereby informed that:

  • You are interacting with an AI system when using photo scanning, nutrient calculation, and recommendation features
  • The AI is designed only for general wellness purposes
  • The AI cannot diagnose, treat, or prevent diseases
  • AI outputs should be independently verified before you rely on them

10.4 Automated Decision Making (Art. 22 GDPR)

Our App uses automated processing (AI) to generate personalized supplement recommendations and nutrient targets.

Important Clarification: These automated recommendations have no legal effects on you and do not significantly impair you. They serve exclusively for informational purposes.

You make all decisions yourself, including:

  • Whether to follow the recommendations
  • Which supplements you take
  • When and how you manage your health

Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.

Since our AI recommendations:

  • Do not make binding decisions
  • Do not create legal obligations
  • Do not trigger automatic actions
  • Have only an advisory character

... the use of our AI features does not fall under the restrictions of Art. 22 GDPR.

You are in control at all times and may:

  • Ignore recommendations
  • Make your own decisions
  • Delete your account if you do not wish to use AI features

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

For Material Changes:

  • We will notify you by email (if provided) or in-app notification
  • The updated policy will be published at https://suppscan.ai/privacy
  • Continued use of the App after notification constitutes acceptance

Version History:

  • Version 1.0: January 9, 2026 (Initial version)

12. Contact

For General Privacy Questions:

Email: [email protected]
Mail: Lokman Beser, Dr.-Golm-Str. 24, 27232 Sulingen, Germany

Data Protection Officer:

Email: [email protected]

To Exercise Your GDPR Rights:

Email: [email protected]
Subject: "GDPR Data Request"

Response Time: We will respond to your request within 30 days, as required by Art. 12(3) GDPR.


13. Supervisory Authority

If you have concerns about our data processing, you may contact:

Competent Supervisory Authority:

The Lower Saxony State Commissioner for Data Protection
Website: https://www.lfd.niedersachsen.de/


14. Additional Rights by Jurisdiction

Data protection laws in some countries grant you additional rights. If you reside in one of the following countries, the jurisdiction-specific provisions below apply in addition to the rights mentioned above.

14.1 California, USA (CCPA/CPRA)

If you reside in California, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Your California Privacy Rights

Right to Know: You may request information twice per year at no cost regarding:

  • The categories of personal data we have collected
  • The sources from which we collected this data
  • The business or commercial purpose of collecting the data
  • The categories of third parties with whom we share your data
  • The specific personal data we have stored about you

Right to Delete: You may request deletion of your personal data, subject to certain exceptions.

Right to Opt-Out of Sale/Sharing: We do NOT sell your personal data and have not done so in the past 12 months. We do not share your personal data for cross-context behavioral advertising (cross-device advertising profiling).

Right to Correct: You may request correction of inaccurate personal data.

Right to Limit Use of Sensitive Data: Health data constitutes "sensitive personal information." We use this only for the purposes described in this Privacy Policy and no other purposes.

Right to Non-Discrimination: We will not discriminate against you if you exercise your CCPA rights.

Categories of Data Collected (CCPA Disclosure)

In the past 12 months, we have collected the following categories of personal data:

  • Identifiers (Name, Email, User ID)
  • Protected Classification Characteristics (Age, Gender, Pregnancy Status)
  • Health Information (Weight, Height, Supplement Use, Dietary Preferences)
  • Commercial Information (Subscription Status)
  • Internet Activity (App Usage, Error Logs)
  • Geolocation Data (Approximate location for Vitamin D calculations)
  • Sensory Data (Photos of Supplement Packaging)
  • Derived Information (AI-generated Nutrient Targets and Recommendations)

Exercise Your California Rights

Email: [email protected]
Subject: "CCPA Request"

We will respond to your request within 45 days (extendable by another 45 days if needed).

Authorized Agent

You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization.

Nevada (USA) - Opt-Out Right

If you reside in Nevada, you have the right under Nevada Revised Statutes (NRS) 603A to opt out of the sale of certain personal data.

Important: We do NOT sell your personal data and have never done so. Should we change our practices in the future, we will notify you and provide you the opportunity to opt out of the sale.

If you nonetheless wish to make a Nevada opt-out request:

Email: [email protected]
Subject: "Nevada Opt-Out Request"

Please provide your name and the email address associated with your account.

14.1.2 Other US States (Colorado, Connecticut, Utah, Virginia)

For Users in Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Virginia (VCDPA):

If applicable, you have similar rights as under CCPA:

  • Right to Know - About personal data collected
  • Right to Delete - Your data
  • Right to Correct - Inaccurate data (except Utah)
  • Right to Data Portability
  • Opt-Out from Targeted Advertising (we do not conduct targeted advertising)
  • Opt-Out from Sale of personal data (we do not sell data)
  • Opt-Out from Profiling in decisions with legal/similar effects

Exercise Your Rights:

Email: [email protected]
Subject: "[State]-Privacy Request" (e.g., "Colorado-Privacy Request")

We will respond to your request within 45 days.

Note: These laws apply only if we meet certain processing thresholds in your state (e.g., 100,000+ residents). Regardless, we respect these rights for all US users.

14.2 Brazil (LGPD)

If you reside in Brazil, you have the following additional rights under the Lei Geral de Proteção de Dados (LGPD):

Your Brazilian Privacy Rights

  • Confirmation and Access: Confirmation of processing and access to your data
  • Rectification: Correction of incomplete, inaccurate, or outdated data
  • Anonymization, Blocking, or Deletion: Right to anonymize, block, or delete unnecessary or excessive data
  • Data Portability: Transfer of your data to another service provider
  • Deletion: Deletion of personal data processed based on your consent
  • Information about Data Sharing: Information about public and private entities with which we have shared your data
  • Information about Refusal of Consent: About the consequences of refusing consent
  • Withdrawal of Consent: Withdrawal of your consent

Legal Basis for Processing (LGPD)

We process your data based on:

  • Consent: For health data and AI-powered recommendations (Art. 7, I and Art. 11, II(a) LGPD)
  • Contract Performance: For providing App functionality (Art. 7, V LGPD)
  • Legitimate Interest: For business continuity and security (Art. 7, IX LGPD)

Exercise Your Brazilian Rights

Email: [email protected]
Subject: "LGPD Request"

We will respond to your request within 15 days.

Brazilian Data Protection Authority

Autoridade Nacional de Proteção de Dados (ANPD)
Website: https://www.gov.br/anpd/pt-br

14.3 Canada (PIPEDA)

If you reside in Canada, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

Your Canadian Privacy Rights

  • Right to Access: Access to your personal data and information about its use
  • Right to Correct: Correction of inaccurate or incomplete data
  • Right to Withdraw Consent: Withdrawal of your consent to data processing (subject to contractual and legal restrictions)
  • Right to Complain: Complaint to the Office of the Privacy Commissioner of Canada

Cross-Border Data Transfers

Your personal data may be transferred to service providers in the USA and other countries for processing. This data may be subject to access by authorities in these countries pursuant to their laws.

We protect your data through:

  • EU-US Data Privacy Framework (for US service providers)
  • Standard Contractual Clauses with third parties
  • Technical and organizational security measures

Exercise Your Canadian Rights

Email: [email protected]
Subject: "PIPEDA Request"

We will respond to your request within 30 days.

Canadian Data Protection Authority

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Phone: 1-800-282-1376
Website: https://www.priv.gc.ca

14.4 United Kingdom (UK GDPR)

If you reside in the United Kingdom, you have the same rights as under EU GDPR (see Section 6), with the following UK-specific details:

UK Supervisory Authority

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 0303 123 1113
Website: https://ico.org.uk

International Data Transfers from the UK

Data transfers from the UK to third countries are protected by:

  • UK Adequacy Decisions
  • UK International Data Transfer Agreement (IDTA)
  • UK Addendum to EU Standard Contractual Clauses

14.5 Other Countries

Switzerland: Users in Switzerland have similar rights as under GDPR. The competent authority is the Federal Data Protection and Information Commissioner (EDÖB): https://www.edoeb.admin.ch

Australia: Users in Australia have rights under the Privacy Act 1988. The competent authority is the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au

Other Jurisdictions: If you reside in another country, local data protection laws may apply. Contact us at [email protected] for jurisdiction-specific information.


Date: January 9, 2026
Version: 1.0


© 2026 Lokman Beser. All rights reserved.