§ 1 Data Controller and Contact
The controller under the GDPR and applicable national data protection laws is:
Patrick Huber
Fasanenweg 5
83059 Kolbermoor
Germany
Email: hello@toleah.com
For data protection inquiries, please contact the above address with the subject "Data Protection".
§ 2 Processing Activities Overview
2.1 Website provision
Purpose: Delivery of the marketing website; technical operation, security.
Data: IP address (truncated), date + time, user-agent, referrer, requested URL, HTTP status.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest).
Recipients: Vercel Inc. (hosting + edge network).
Third country: USA — Vercel (EU-US Data Privacy Framework); EU edge regions preferred.
Retention: Server logs max. 14 days.
2.2 Account registration and app use
Purpose: Account management, authentication, cross-device sync.
Data: Email, Auth-UUID, optional: name, language, timezone.
Legal basis: Art. 6 (1) lit. b GDPR (contract).
Recipients: Supabase Inc. (EU-hosted, Frankfurt; Pro tier with 7-day point-in-time recovery).
Retention: Until account deletion.
2.3 Scanner use and intolerance profile
Purpose: Personalized tolerance assessment of scanned products.
Data: Active intolerances with severity, enzyme use, scanned barcodes, favorites.
Legal basis: Art. 6 (1) lit. b GDPR in conjunction with Art. 9 (2) lit. a GDPR (explicit consent for health data, obtained during onboarding).
Recipients: Supabase Inc. (EU-hosted); Open Food Facts (France, anonymous barcode lookup); EAN-DB (anonymous fallback lookup for unrecognised products).
Retention: Until user deletion.
2.3a AI web-search fallback (Premium)
Purpose: If a scanned barcode is not found in any of our product databases, an AI-powered web-search fallback (Anthropic Claude) can reconstruct product data from public sources — Premium users only, daily quota + global hourly rate-limited. This is the only Anthropic processing path in app v1.0.
Data: Barcode number (no personal data); response carries a confidence score and is labelled "AI-generated".
Legal basis: Art. 6 (1) lit. b GDPR (contract performance).
Recipients: Anthropic PBC (USA), DPF-listed + Standard Contractual Clauses.
Retention: No prompt retention at Anthropic beyond 30 days.
2.4 Symptom diary (DailyLog)
Purpose: Daily documentation of symptoms for personal reflection.
Data (health data, Art. 9 GDPR): daily scores 0–10 for skin, GI, headache, sleep, mood; optional Bristol stool scale, cycle day, note, date.
Legal basis: Art. 9 (2) lit. a GDPR (explicit consent) — separately obtained before first entry; revocable at any time.
Recipients: Supabase Inc. (EU-hosted); only when signed in.
Third country: None.
Retention: Until user deletion.
Special: Row-level security on database level — access by others technically excluded.
2.5 Practitioner sharing (consent-based) — planned for v1.2
Note: Not active in app v1.0. A separate privacy-policy iteration will be issued before activation in v1.2.
Purpose: Voluntary sharing of scan history and symptom diary with a chosen naturopath or physician.
Legal basis: Art. 9 (2) lit. a GDPR (consent), Art. 9 (2) lit. h GDPR (healthcare) additionally.
Recipients: Practice selected by user.
Retention: Share is revocable with immediate blocking.
2.6 Payment processing (Premium)
Mobile: Apple / Google — provider receives no direct payment data.
Subscription state management runs through RevenueCat Inc. (USA, DPF + Standard Contractual Clauses) — pseudonymous user IDs and subscription status only, no payment details.
Legal basis: Art. 6 (1) lit. b + lit. c GDPR (contract + § 147 AO tax retention at Apple/Google).
Retention: Invoice data 10 years at Apple/Google. RevenueCat subscription state until account deletion, then pseudonym anonymisation.
2.7 AI meal plans (Practitioner Dashboard, planned for v1.2)
Note: This feature is part of the Practitioner Dashboard and is not active in app v1.0. There is no app-side Anthropic transfer for meal-plan generation in v1.0 — the only Anthropic path is the AI web-search fallback (see 2.3a).
Purpose: Generation of individualized meal-plan suggestions for clients.
Data: Intolerance profile, preferences (pseudonymised) — no names, no symptom data.
Legal basis: Art. 6 (1) lit. b GDPR; Art. 9 (2) lit. a GDPR for intolerance data.
Recipients: Anthropic PBC (USA), DPF-listed + Standard Contractual Clauses.
Retention: No prompt retention beyond 30 days.
2.8 Error reports and analytics
We do not use any external analytics or crash-reporting services (no Sentry, PostHog, Google Analytics, Plausible etc.). No usage or error data is transmitted to third parties. Local logs on the device exist only for functional purposes and are not uploaded.
§ 3 Health Data (Art. 9 GDPR) — Enhanced Protection
- Explicit consent under Art. 9 (2) lit. a GDPR before first processing
- Local storage as default — cloud sync is opt-in
- Pseudonymization wherever technically feasible
- Transport encryption TLS 1.3
- At-rest encryption AES-256
- Row-level security on database level
- Audit logging for security-relevant access
§ 4 Your Rights
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure / "right to be forgotten" (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — export as JSON on email request
- Objection (Art. 21 GDPR)
- Withdrawal of consent at any time with future effect
- Complaint to supervisory authority (Art. 77 GDPR) — for our registered seat: Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany
To exercise your rights: email hello@toleah.com with subject "Data Protection — Access" (or Erasure, Objection). Response within one month (Art. 12 (3) GDPR).
§ 5 Data Export and Deletion
Account deletion (Art. 17 GDPR): directly in the app under Settings → Account → Delete data — all content is removed without delay on device and server.
Data export / access (Art. 15, Art. 20 GDPR): in app v1.0 by email request to datenschutz@toleah.de — handled within one month per Art. 12 (3) GDPR. Format: structured, commonly used, machine-readable (JSON). An in-app export function is planned for an upcoming version (v1.1).
Consent management: Settings → Consents — withdraw individual consents with effect for the future.
§ 6 Processors
We work with the following Art. 28 GDPR processors:
- Supabase Inc. (EU-hosted Frankfurt, Pro tier with 7-day point-in-time recovery) — auth, database, realtime, edge functions
- Vercel Inc. (USA, DPF; EU edge preferred) — marketing-website hosting + cookieless Vercel Analytics
- RevenueCat Inc. (USA, DPF + SCCs) — In-App-Purchase verification and subscription state sync for the mobile app (pseudonymous user IDs, no payment data)
- Anthropic PBC (USA, DPF + SCCs) — AI web-search fallback (Premium scanner, quota-limited). AI meal plans are part of the Practitioner Dashboard and not active in app v1.0.
- Open Food Facts (non-profit, France, EU) — anonymous product database (barcode lookup)
- EAN-DB — anonymous fallback product database (barcode only)
- Apple / Google — app-store distribution and mobile payment (IAP)
§ 7 Third-Country Transfers
For transfers to third countries (USA), the following safeguards apply:
- EU-US Data Privacy Framework (DPF) for certified recipients
- Standard Contractual Clauses (SCCs) under Art. 46 (2) lit. c GDPR
- Supplementary measures per EDPB Recommendation 01/2020
§ 8 Cookies and Similar Technologies
Mobile apps: No browser cookies. Local storage only for functionality.
Web applications: Cookies only with consent (Section 25 (1) TTDSG), except for technically necessary ones. See Cookie Policy.
§ 9 Automated Decision-Making
No fully automated decision-making under Art. 22 GDPR. Tolerance assessment is a rule-based, transparent recommendation. The AI meal plan is a supporting tool for healthcare professionals; clinical decisions remain with the professional.
§ 10 Data Security
- Transport encryption TLS 1.3
- At-rest encryption AES-256
- Row-level security
- Two-factor authentication for admin access
- Audit logging for health data
- Daily backups with point-in-time recovery
- Least-privilege principle
§ 11 Minors
The application is intended for persons aged 16 and above (Art. 8 (1) GDPR). For persons under 16, consent of the guardian is required.
§ 12 Changes
This policy will be updated if processing activities or the legal framework change. Material changes will be actively communicated (email or in-app notice). The current version is always available at toleah.com/en/privacy.
§ 13 Contact
Email: hello@toleah.com (Subject: "Data Protection")
Mail:
Patrick Huber, Fasanenweg 5, 83059 Kolbermoor, Germany