1. Data Controller
The data controller responsible for processing your personal data is:
Davi Augusto Wazlawick
4 Frankfurter Allee, 10247 Berlin, Germany
Email: contact@growthroom.eu
2. What Data We Collect
Account Data
- Email address — required to create an account and for password reset.
- Password — stored as a one-way bcrypt hash. We never store your plaintext password.
Profile Data (optional)
- Dietary preference (e.g. vegan, vegetarian)
- Dietary sensitivities / allergies you choose to declare
- Display name and short bio
- Profile photo (stored locally on your device, not uploaded to our servers)
Note: Dietary and allergy information may constitute health-related data under GDPR Article 9. We process it solely to provide personalised analysis results, based on your explicit consent given during onboarding.
Usage Data
- Scan history: product name, analysis result, timestamp, source (barcode / image / database)
- Monthly scan counter (to enforce usage limits)
- Anonymised server logs (IP address, timestamp, HTTP method — retained max 7 days)
Product Images
Photos you take or upload are sent to Anthropic's API for AI analysis and are not stored on our servers after the analysis is complete. Anthropic's data handling is governed by their Privacy Policy.
3. How We Use Your Data
- To provide, operate, and improve the Service
- To personalise scan results based on your dietary profile
- To enforce usage limits
- To send transactional emails (account confirmation, password reset) — no marketing emails without separate consent
- To comply with legal obligations
4. Legal Basis (GDPR Art. 6 & 9)
- Contract performance (Art. 6(1)(b)) — account data and scan history, necessary to provide the Service
- Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) — dietary and allergy/sensitivity data (special category health data)
- Legitimate interest (Art. 6(1)(f)) — anonymised server logs for security and abuse prevention
- Legal obligation (Art. 6(1)(c)) — where required by applicable law
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only as follows:
- Anthropic, Inc. (USA) — receives product images for AI analysis. Transfer is based on Anthropic's Standard Contractual Clauses. See Anthropic Privacy Policy.
- Open Food Facts — we query their public API using a barcode or product name (no personal data sent).
- Hosting provider — our server infrastructure provider processes data as a data processor under a data processing agreement.
6. Data Retention
- Account data: retained until you delete your account, plus up to 30 days for backup purposes.
- Scan history: retained as long as your account is active, or until you request deletion.
- Server logs: maximum 7 days, then automatically deleted.
- Product images: not retained after AI analysis (processed in memory only).
7. Your Rights Under GDPR
You have the right to:
- Access Request a copy of all personal data we hold about you
- Rectification Correct inaccurate or incomplete data
- Erasure Request deletion of your account and all associated data ("right to be forgotten")
- Portability Receive your data in a structured, machine-readable format
- Restriction Ask us to pause processing while a dispute is resolved
- Objection Object to processing based on legitimate interest
- Withdraw consent Withdraw your consent for special-category data at any time (this may limit functionality)
To exercise any right, email contact@growthroom.eu. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection supervisory authority. In Germany: Bundesbeauftragter für den Datenschutz (BfDI).
8. Security
We implement industry-standard security measures including HTTPS/TLS encryption in transit, bcrypt password hashing, and restricted database access. No system is completely secure; we cannot guarantee absolute security.
9. International Transfers
Product images are processed by Anthropic in the United States. If you opt in to ad measurement (see Section 11), pseudonymised event and device data are processed by Meta Platforms Ireland Ltd. (EU controller) and may be transferred to Meta Platforms, Inc. (USA). All transfers outside the EU/EEA are made under appropriate safeguards (EU Standard Contractual Clauses). No other personal data is transferred outside the EU/EEA.
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately.
11. Cookies, Tracking & Advertising
Our web pages (terms, privacy, password reset, marketing) use no tracking cookies — only essential browser behaviour.
The mobile app integrates the Meta Audience Network / Facebook SDK for the sole purpose of measuring advertising campaigns we run on Facebook and Instagram and improving the Service. When enabled, it processes the following data:
- Device identifiers Advertising identifier (IDFA on iOS / Advertising ID on Android), device model, operating system, language and country
- App events App install, app open, account registration, free trial start, subscription purchase (amount + currency), product scan (status only — never ingredients or photos)
- Coarse usage data Session timestamps and aggregated activity
iOS: on first launch you will see Apple's App Tracking Transparency prompt. If you choose "Ask App not to Track", the advertising identifier is not collected and event data is reported in Apple's aggregated SKAdNetwork format only.
Android: you can reset or limit your Advertising ID in your device's Google settings at any time.
Legal basis: consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time by disabling tracking in your device settings or by uninstalling the app.
Data recipient: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (EU controller) — see Meta's Privacy Policy for further details on their processing.
What we never send to Meta: your email address, name, dietary or allergy profile, scanned product photos, or ingredient lists.
The mobile app also integrates Google Firebase Analytics for measuring our advertising on Google Ads (Universal App Campaigns, Performance Max, YouTube) and understanding aggregated app usage. When enabled, it processes:
- Device identifiers Advertising identifier (IDFA on iOS / Advertising ID on Android — same identifier as the Meta integration, no additional collection), App Instance ID, device model, operating system, language and country
- App events First open, session start, app updates, screen views and (when added in a future release) custom events such as registration and subscription
- Coarse usage data Session timestamps and aggregated activity
iOS: Firebase Analytics respects the same Apple ATT decision as the Meta SDK. If you decline tracking, the advertising identifier is not shared and event data is reported in Apple's aggregated SKAdNetwork format only.
Legal basis: consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time by disabling tracking in your device settings or by uninstalling the app.
Data recipient: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (EU controller) — see Google's Privacy Policy. Firebase data is processed in the United States under Standard Contractual Clauses.
What we never send to Google: your email address, name, dietary or allergy profile, scanned product photos, or ingredient lists.
12. Push Notifications
With your permission, we send push notifications to your device to announce product updates, new features, and time-sensitive information such as referral rewards becoming available.
- What we send A short title and message, plus an optional internal route so tapping the notification opens the relevant screen in the app
- What we collect A device-bound push token issued by Apple (APNs) or Google (FCM), the device platform (iOS / Android), and the language you selected in the app — used only to address notifications to your device and translate them. We do not collect notification content interactions beyond what you tap inside the app.
- Delivery provider Notifications are dispatched via the Expo Push Service (Expo, Inc., USA), which relays to Apple Push Notification service and Firebase Cloud Messaging on our behalf. See Expo's Privacy Policy.
- Legal basis Consent (GDPR Art. 6(1)(a)). The operating system prompts you the first time we request it; you can disable notifications at any time from your device settings, and your push token is deleted when you sign out or uninstall the app.
- International transfer Push tokens issued by APNs and FCM, and message payloads relayed by Expo, are processed in the United States under Standard Contractual Clauses.
13. Changes to This Policy
We will notify you of material changes via email or in-app notification at least 14 days before they take effect.
14. Contact & Data Protection Enquiries
Davi Augusto Wazlawick
4 Frankfurter Allee, 10247 Berlin, Germany
contact@growthroom.eu
Last updated: 20 May 2026