Privacy Policy
Last updated: April 24, 2026
1. Controller
Zielfit – Raimund Rugel
Grasweg 6a
90556 Seukendorf
Germany
Email: infozielfit@gmail.com
VAT ID: DE815742925
2. Data Protection Officer
No data protection officer has been appointed. We do not meet the requirements for mandatory appointment under Art. 37 GDPR.
3. Purposes and App Features
Zielfit is a health and fitness app. We process your data to provide the following features:
- Calorie, nutrient and meal tracking
- Weight, water, step, training, supplement and fasting tracking
- Body measurements and energy expenditure calculations
- AI-powered food photo analysis
- AI chat for nutrition and training questions
- Voice-based food entry (speech-to-text)
- Barcode scanner for packaged foods
- Apple Health / Health Connect integration
- Personalized push notifications (reminders, streaks)
- Premium subscription management
- Advertising (only outside Premium, personalized only with ATT consent)
4. Data We Collect
4.1 Account Data
- Email address, name, password (stored encrypted)
- When signing in with Apple or Google: provider user ID and email address
- Profile picture (optional)
4.2 Health and Fitness Data (Art. 9 GDPR)
This data belongs to special categories of personal data. Processing occurs only on the basis of your explicit consent under Art. 9(2)(a) GDPR, granted when you first use the respective tracking feature.
- Height, weight, target weight, age, gender
- Body measurements (chest, waist, hip, arms, thighs, calves, neck)
- BMI, body fat percentage, muscle mass
- Step count (via pedometer / CMPedometer)
- Training activities (type, duration, intensity, calories burned)
- Fasting sessions (start, end, target duration)
- Water intake
- Supplement intake
- Check-in events and streaks
4.3 Nutrition Data
- Entered meals, nutritional values, portions, meal type
- Self-created foods and favorite foods
- Barcode scans
- Photos of meals (not permanently stored, see section 5.2)
4.4 AI Usage
- Texts from the AI chat sent to OpenAI
- Meal photos sent to OpenAI Vision
- Voice recordings sent to OpenAI Whisper
- Chat history stored in our database for context continuity
4.5 Apple Health / Health Connect
With your consent, we read steps, weight, height, distance, active energy and water from the Health app (iOS) or Health Connect (Android), and write back steps, weight, water and active energy. You retain full control in your system settings.
4.6 Payment Data
Payments are processed exclusively via Apple (App Store) or Google (Play Store). We receive no credit card or bank details. Our subscription partner RevenueCat only provides us with subscription status and an internal user ID.
4.7 Advertising Data
Only with consent via the ATT dialog (iOS) or consent form (Android):
- Advertising ID (IDFA on iOS, Advertising ID on Android)
- IP address (pseudonymized)
- Coarse location derived from IP
- Device model, OS version, language
- Ad interactions
Without consent we only show non-personalized advertising.
4.8 Technical Data
- Device information (model, OS version)
- App version
- Crash reports (via Apple / Google Play Console)
- Security information (failed login attempts)
4.9 Push Notifications
Local notifications are triggered directly on your device; we do not send push messages from our servers.
5. Third Parties
5.1 Supabase (Backend, Database, Authentication, Storage)
Provider: Supabase Inc., San Francisco, USA. Our instance is hosted in Europe. All personal data (account, health, nutrition, chat history, profile picture) is stored at Supabase.
Privacy: supabase.com/privacy
5.2 OpenAI (AI Services)
Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA. OpenAI receives:
- Chat messages (AI chat)
- Meal photos (food vision)
- Voice recordings (Whisper)
OpenAI does not use this data to train models when accessed via our API edge functions. Data is deleted at OpenAI within a maximum of 30 days. Legal basis: Art. 6(1)(b) GDPR, for health data additionally Art. 9(2)(a) GDPR.
Privacy: openai.com/enterprise-privacy
5.3 Google AdMob (Advertising)
Provider: Google Ireland Ltd., Ireland, with processing also at Google LLC, USA. Personalized advertising only with ATT or consent-form consent.
Privacy: policies.google.com/privacy
5.4 RevenueCat (Subscription Management)
Provider: RevenueCat Inc., San Francisco, USA. Receives anonymized user ID, subscription status and purchase events. No email, no name.
Privacy: revenuecat.com/privacy
5.5 Apple Sign-In and Google Sign-In
When using login, your Apple or Google account token is processed.
- Apple: apple.com/legal/privacy
- Google: policies.google.com/privacy
5.6 Apple In-App Purchase / Google Play Billing
Payments are processed exclusively by Apple or Google. We do not receive any payment data.
5.7 Apple HealthKit / Google Health Connect
Health data integration is optional. We do not transfer HealthKit data to third parties. Apple explicitly prohibits the use of HealthKit data for advertising — we comply with this restriction.
6. International Data Transfers
Some providers (OpenAI, RevenueCat, Google USA entity, Supabase support) process data in the USA. Transfers are made on the following bases:
- Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
- EU-US Data Privacy Framework, where the recipient is certified
- Your explicit consent (for optional features)
Participation in the EU-US DPF can be verified at dataprivacyframework.gov/list.
7. Retention Periods
- Account data: until account deletion
- Health and nutrition data: until account deletion or individual deletion
- Chat history: until account deletion or active user deletion
- Photos and voice recordings at OpenAI: max. 30 days at OpenAI, not permanently stored by us
- Backup copies: max. 30 days after account deletion
- Advertising data: max. 12 months
- Support correspondence: max. 3 years
8. Account Deletion
You can delete your account at any time in the app under Settings → Delete Account. All personal data is irreversibly deleted within 30 days, including backup copies. Alternatively, you can request deletion by email to infozielfit@gmail.com.
9. Your Rights
- Art. 15 GDPR: right to information
- Art. 16 GDPR: rectification
- Art. 17 GDPR: erasure
- Art. 18 GDPR: restriction of processing
- Art. 20 GDPR: data portability
- Art. 21 GDPR: objection
- Art. 7(3) GDPR: withdrawal of consent with effect for the future
Requests to: infozielfit@gmail.com. For identification, please use the email address registered in the app.
10. Right to Complain
Competent supervisory authority:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
11. Automated Decision-Making
Based on your entries, the app calculates basal metabolic rate (BMR), calorie needs, progress forecasts and AI recommendations. These calculations have no legal or similarly significant effect within the meaning of Art. 22 GDPR.
12. Minors
The app is intended for users aged 13 and above. Users between 13 and 17 years should only use the app under parental supervision. If we become aware of use by children under 13, we will delete the account.
13. Security
- Transport encryption: TLS 1.3
- At-rest encryption: AES-256 on the backend
- Session tokens: encrypted in iOS Keychain or Android EncryptedSharedPreferences
- Row-Level-Security (RLS) in the database
- Role-Based Access Control (RBAC)
14. Cookies and Local Storage
The app does not use web cookies. Stored locally on your device:
- Settings (SharedPreferences)
- Offline cache (SQLite)
- Session token (Keychain or EncryptedSharedPreferences)
15. Changes to This Policy
Material changes will be announced via in-app notice and/or email. Continued use after the effective date constitutes acceptance.
In case of discrepancies between the English and German versions, the German version available at zielfit.com/datenschutz shall prevail for users located in Germany.