KURA

Privacy Notice

This notice explains how personal data is processed in the Kura web application (EU/GDPR baseline).

Last updated: February 16, 2026

1. Controller and contact

The controller is the person or entity listed in the Legal Notice (Impressum).

For privacy requests, contact us via the email address in the Legal Notice or through the support form in settings.

2. Categories of data we process

  • Account and profile data: email address, optional display name, account status, timestamps.
  • Authentication data: password hashes, access/refresh tokens, OAuth and session metadata.
  • Social login data: provider, provider user ID, verified email (for example Google, GitHub, Apple via Supabase).
  • Usage and content data: training/health/nutrition entries, derived projections, and related metadata.
  • Access request data: email, optional name and context.
  • Support data: category, message, sender email.
  • Technical data: locale preference, security-relevant log and access data.

3. Purposes and legal bases (Art. 6 GDPR)

  • Contract performance (Art. 6(1)(b)): account creation, login, web app and API delivery.
  • Security and abuse prevention (Art. 6(1)(f)): rate limiting, session protection, token revocation, technical troubleshooting.
  • Communication and support (Art. 6(1)(b) and (f)): handling requests and service communication.
  • Anonymized learning and product improvement (Art. 6(1)(a) and/or (b)), where applicable for the active product mode.
  • Special categories of personal data (health-related, Art. 9 GDPR): processed only with explicit consent under Art. 9(2)(a) GDPR.
  • Compliance with legal obligations (Art. 6(1)(c)) where required.

4. Registration, login, and account management

During registration we process email, password (stored only as a hash), optional display name, invite information, explicit Art. 9 consent for health-related data, and where applicable consent state for anonymized learning in early access.

Without active Art. 9 consent, health-related training, recovery, sleep, and pain events cannot be stored.

Password reset uses time-limited reset tokens (currently 60 minutes). Existing sessions/tokens are revoked after password reset.

Account deletion currently follows a 30-day grace period before permanent deletion.

5. Social login (Google, GitHub, Apple)

When social login is used, we validate the provided session token through Supabase and only ingest identity information required for authentication and account linking.

We do not store social provider passwords. We only store identifiers required for account linkage.

6. Email communication

For transactional emails (for example invites, password reset, contact form notifications) we currently use Resend as mail delivery provider.

This includes processing recipient address, message content, and technical delivery metadata.

7. Cookies, local storage, and similar technologies

  • NEXT_LOCALE (cookie): stores selected language for consistent localization.
  • kura_rt (local storage): refresh token to keep a user session active.
  • kura_setup_seen (local storage): onboarding completion marker.
  • kura_oauth_session (HttpOnly cookie in OAuth flows): supports OAuth session continuity.
  • We currently do not use marketing or advertising trackers in the web frontend.

8. Access logs and security telemetry

To operate and secure the service, we log API access details such as method, path, status code, response time, and where applicable user ID.

IP-related information may be processed for rate limiting and abuse prevention.

9. Recipients and processors

  • Supabase (EU West / eu-west-1, project ref slawzzhovquintrsmfby): hosting of auth/database functions as processor.
  • Resend (United States): transactional email delivery (for example invites, password reset, support acknowledgements) as processor.
  • OpenAI API (optional, United States): only when embeddings features are enabled; processing under a separate processor agreement.
  • Internal admin/support staff only where required under least-privilege and audited access.
  • Authoritative versioned processor/transfer register: docs/legal/processors-and-transfers.md.

10. International data transfers

Supabase production runtime is operated in EU region eu-west-1. Resend (US) and optional OpenAI (US) may involve third-country processing.

Transfers outside the EEA only occur under lawful safeguards, in particular EU Standard Contractual Clauses (SCCs) and data processing agreements.

11. Retention

  • Account data: retained until account deletion, unless legal retention duties apply.
  • Account deletion: currently a 30-day grace period after deactivation, then permanent (hard) deletion.
  • Invite tokens: currently valid for 7 days.
  • Password reset tokens: currently valid for 60 minutes.
  • API keys: retained until revoked or account deletion.
  • API access logs (api_access_log): 30 days.
  • Security abuse telemetry (security_abuse_telemetry): 90 days.
  • Kill-switch audit log (security_kill_switch_audit): 365 days.
  • Support access audit (support_access_audit): 730 days (24 months).
  • Expired/used password reset tokens: 30 days.
  • Retention windows are technically enforced via recurring maintenance jobs and audited in log_retention_runs.

12. Your rights

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR) for processing based on Art. 6(1)(f)
  • Withdrawal of consent, with effect for the future (Art. 7(3) GDPR)

13. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, workplace, or the place of the alleged infringement (Art. 77 GDPR).

14. Data security

We apply appropriate technical and organizational measures, including role-based access controls, token revocation, hashing of sensitive secrets, encrypted transport, and security-oriented auditing/logging.

15. Updates to this notice

We may update this privacy notice if features, legal requirements, or processing activities change. The current version is available in the web app.
