Privacy Policy

1. Data Controller
Snap Bite acts as a Data Controller within the meaning of the General Data Protection Regulation (GDPR/DSGVO).
For GDPR-related topics, contact gdpr@onebite.fit.

2. Use of Artificial Intelligence Systems (EU AI Act)
In accordance with Article 50 of the EU AI Act, the App informs the User of the following:
Role of the Parties: The Controller acts as the "Deployer" of the AI system. The technology model is provided by a third-party provider (Google Gemini API).
Nature of Content: All image analysis results are generated by an automated AI system. These results are informational and probabilistic in nature.
Disclaimer: The generated data does not constitute medical advice. The Controller is not responsible for decisions made by the User based on the AI output.

3. Data Collection, Processing, and Storage
3.1. Local Data (On-Device Storage)
The following data is collected and processed by the App on the User's device in an isolated environment. All of this data is optional.
|----------------|-------------------|------------------------------------|
| Data           | Purpose           | Description                        |
|----------------|-------------------|------------------------------------|
| Anthropometric | App functionality | A User can provide the information |
| parameters     |                   | about their weight, height and age |
|                |                   | to calculate an approximate        |
|                |                   | amount of calorie consumption.     |
|----------------|-------------------|------------------------------------|
| Activity level | App functionality | Physical activity level provided   |
|                |                   | by the User is used to calculate   |
|                |                   | an approximate amount of calorie   |
|                |                   | consumption.                       |
|----------------|-------------------|------------------------------------|
| Burned energy  | App functionality | The App can collect the amount of  |
|                |                   | burned energy through the Health   |
|                |                   | Connect API as daily aggregates to |
|                |                   | display them as reference values   |
|                |                   | in the App UI. This data is not    |
|                |                   | stored by the App.                 |
|----------------|-------------------|------------------------------------|
| Food diary     | App functionality | Food diary includes meal name,     |
|                |                   | date and time, amount of proteins, |
|                |                   | fats and carbohydrates in it,      |
|                |                   | size of a serving and ingredients  |
|                |                   | list. This data is used to         |
|                |                   | enable the primary purpose of the  |
|                |                   | App, namely calorie and nutrient   |
|                |                   | counting.                          |
|----------------|-------------------|------------------------------------|
| Application    | App functionality | The App stores User's preferences, |
| settings       |                   | specifically: preferred language,  |
|                |                   | desired weight target and target   |
|                |                   | date.                              |
|----------------|-------------------|------------------------------------|
The responsible person does not have technical access to the specified data and does not automatically back it up to external servers.
The User can completely delete local data independently using Android OS system functions or by uninstalling the App.
3.2. Data Export and Import
The App provides functionality for exporting data to external file formats.
Transfer of Responsibility: From the moment the export procedure is initiated and the data is saved outside the App's isolated environment, the User is solely responsible for the confidentiality, integrity, and security of the data.
3.3. Server Processing and Identification
The following data is collected and processed by the App on the User's device and on the Snap Bite Server. Data transfer is performed via the secure TLS 1.3 protocol. The storage period defined in this table refers to how long the data is kept on the server after it has been used for the purposes for which it was collected.
|---------|---------------|------------------------------------|---------|
| Data    | Purpose(s)    | Description                        | Storage |
|         | Obligation    |                                    | Period* |
|---------|---------------|------------------------------------|---------|
| Google  | App           | A User can use their Google        | Not     |
| auth    | functionality | account to access an AI food       | stored  |
| token   | Security      | recognition feature of the App.    |         |
|         | Optional      | The token includes Account ID,     |         |
|         |               | User Name and e-mail address.      |         |
|         |               | The token is only stored in App    |         |
|         |               | and processed on server at runtime |         |
|---------|---------------|------------------------------------|---------|
| Google  | Security      | The account ID is stored to        | 30 Days |
| account | Optional      | prevent abuse of the App by        |         |
| id      |               | enforcing rate limiting on the     |         |
|         |               | AI meal recognition feature        |         |
|---------|---------------|------------------------------------|---------|
| Crash   | App           | The app sends crash logs of each   | 30 Days |
| logs    | functionality | crash event. These logs include    |         |
|         | Security      | App version, device specification  |         |
|         | Required      | and stack trace of an error.       |         |
|---------|---------------|------------------------------------|---------|
| Contact | App           | A User can contact the Developer   | 30 Days |
| form    | functionality | via the in-App contact form. The   |         |
|         | Optional      | form collects the User's name,     |         |
|         |               | e-mail address and the message.    |         |
|         |               | The content entered in this form   |         |
|         |               | is shared with the Developer       |         |
|---------|---------------|------------------------------------|---------|
| App     | App           | The server stores API access logs  | 30 Days |
| Logs    | functionality | that include User ID, access date  |         |
|         | Security      | and time and query. The query may  |         |
|         | Mandatory     | contain User’s search input: EAN   |         |
|         |               | codes and names of products.       |         |
|         |               | Technical data (Client version and |         |
|         |               | IP address) is collected alongside |         |
|         |               | the User input                     |         |
|---------|---------------|------------------------------------|---------|
Deletion of the data above can be requested in accordance with Section 7 of the Privacy Policy.

4. Data transfer to third parties
The following data is collected and processed by the App on the User's device and on the Snap Bite Server, and is transferred to a third party. Data transfer to the server and to the third party is performed via the secure TLS 1.3 protocol. The third party for data processing is Google Gemini API. This data is optional.
|----------------|-------------------|------------------------------------|
| Data           | Purpose           | Description                        |
|----------------|-------------------|------------------------------------|
| User-provided  | App functionality | A User can upload a picture of a   |
| photo          |                   | meal to perform an analysis of     |
|                |                   | its contents with AI. Uploaded     |
|                |                   | images are processed in the        |
|                |                   | server's RAM in transit and are    |
|                |                   | subject to immediate deletion      |
|                |                   | after the analysis results are     |
|                |                   | transmitted to the User. The image |
|                |                   | is sent without metadata.          |
|                |                   | The metadata (timestamp) is        |
|                |                   | processed on devices. The rest of  |
|                |                   | the metadata is removed.           |
|----------------|-------------------|------------------------------------|
If data is processed on servers outside the EEA, the level of protection is guaranteed by the Standard Contractual Clauses (SCC) approved by the European Commission.

5. Legal basis for processing (Articles 6 & 9 GDPR)
Article 6 (1) (b): Processing is necessary for the performance of the contract for the provision of the App services.
Article 9 (2) (a): The User's explicit consent to the processing of special categories of data (nutrition data), expressed by an active action (sending a photo for analysis).
Article 6 (1) (f): Legitimate interest in ensuring technical security and preventing abuse.

6. Age Restrictions
The App is not intended for use by persons under 16 years of age. The Controller does not knowingly collect or process data from minors. If it is discovered that the data of a person under 16 years of age has been processed without the consent of their legal representatives, such data will be deleted immediately.

7. Rights of the Data Subject
The User has all the rights provided for in Chapter III of the GDPR, including:
The right to access, rectify, and delete data ("right to be forgotten").
The right to restrict processing and data portability.
The right to revoke consent at any time without giving reasons (implemented via the "Delete Account" function in the App interface).

8. Changes and Applicable Law
This Policy is governed by the laws of the Federal Republic of Germany. The Controller reserves the right to make changes to this Policy.