Privacy Policy

Last updated: April 7, 2026

1. Data Controller

2. Overview of Data Processing

getNudge is a health app that helps users track their nutrition, weight, and health data, and receive personalized recommendations. The following overview summarizes the types of data processed and the purposes of their processing.

3. Data We Process

3.1 Account Data

• Email address (for registration and login)
• Password (stored encrypted, not accessible by us)
• OAuth tokens when signing in via Google or Apple

3.2 Profile Data

• Name, age, gender
• Height and weight
• Personal health goals
• Calorie target and macronutrient distribution

3.3 Health and Nutrition Data

• Food entries and meals
• Weight history
• Water intake
• Supplement intake
• Mood and energy levels
• User-created foods and recipes

3.4 Technical Data

• Device type and operating system
• App version
• Error reports (via Sentry)

4. Legal Basis

Your data is processed on the following legal bases:

• Consent (Art. 6(1)(a), Art. 9(2)(a) GDPR): We obtain your explicit consent for the processing of health data. You can revoke this consent at any time in the app settings.
• Performance of a Contract (Art. 6(1)(b) GDPR): Account data and basic profile data are processed to provide the service.
• Legitimate Interests (Art. 6(1)(f) GDPR): Technical data for troubleshooting and improving the app.

5. Hosting and Infrastructure

5.1 Supabase

We use Supabase (Supabase Inc., San Francisco, USA) as our backend service for authentication and data storage. Data is stored on servers in the EU (Ireland). Data transmission is encrypted (TLS). Supabase processes data on our behalf in accordance with Art. 28 GDPR.

5.2 Vercel

Our website is hosted via Vercel (Vercel Inc., San Francisco, USA). No personal data is stored in this process. Vercel may store technical access data (IP address, timestamps) in server log files when pages are accessed.

5.3 Sentry

For error detection, we use Sentry (Functional Software Inc., San Francisco, USA). In the event of an error, technical data (device type, OS version, stack trace) is transmitted. No health or nutrition data is sent to Sentry.

5.4 AI-Based Analysis

getNudge uses AI services for personalized nutrition analysis, health insights, and reports. Processing is carried out by the following providers:

• OpenRouter (OpenRouter Inc., USA) — API gateway for AI processing
• Mistral AI (Mistral AI SAS, Paris, France) — Text-based analyses and recommendations
• Google Gemini (Google LLC, USA) — Image-based recognition (meal photos, nutrition labels)

What data is processed:

• Nutrition data (meals, nutritional values)
• Meal photos and nutrition label photos
• Health metrics (sleep, steps, heart rate — if connected)
• Voice transcripts (when using voice input for meals)

The data is used exclusively to generate personalized recommendations. It is not used to train AI models and is not permanently stored by third-party providers. The legal basis is your consent (Art. 6(1)(a), Art. 9(2)(a) GDPR), which you can revoke at any time in the app settings.

5.5 PostHog

For anonymized usage analytics, we use PostHog (PostHog Inc.). Data is processed on EU servers. No personal health data is transmitted to PostHog. There is no cross-app tracking and no access to advertising identifiers (IDFA).

5.6 ChatGPT App and MCP Connector

When you connect the public getNudge app in ChatGPT, we provide selected data from your getNudge account via a read-only MCP connector. The connection is only established after your explicit consent on our consent page.

What data can be read:

• Profile summaries with goals and preferences
• Food data and meals from the diary
• Health metrics such as steps, sleep, heart rate, or weight
• Saved insights and generated reports

The ChatGPT app has no write access in v1. No data is modified, deleted, or transmitted without your active request. Raw data queries are additionally limited to fixed fields, time ranges, row caps, and pagination.

The legal basis for this processing is your explicit consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR. You can revoke the connection at any time via the consent page. The terms and privacy policies of OpenAI additionally apply to further processing within ChatGPT.

6. Third-Party Authentication

You can sign in via Google or Apple. In doing so, we only receive:

• Your email address
• Your name (if provided by the provider)

We do not receive access to your Google/Apple password or any other account data.

7. Data Sharing

Your data is not sold to third parties. Data is only shared:

• With the processors listed in section 5
• When you explicitly request it (e.g., challenges with friends)
• When we are legally obligated to do so

8. Data Security

• All data is transmitted encrypted (TLS/HTTPS)
• Passwords are stored hashed (bcrypt)
• Data access is protected by Row Level Security (RLS) at the database level — each user can only see their own data
• Auth tokens are stored securely in device storage (expo-secure-store)
• Sessions expire after 24 hours of inactivity

9. Your Rights

You have the following rights regarding your personal data:

• Access (Art. 15 GDPR): You can request a copy of your stored data.
• Rectification (Art. 16 GDPR): You can have inaccurate data corrected.
• Erasure (Art. 17 GDPR): You can request the deletion of your data. In the app, you can delete your account and all data independently.
• Restriction (Art. 18 GDPR): You can request the restriction of processing.
• Data Portability (Art. 20 GDPR): You can export your data in a machine-readable format. The app provides a built-in export function (JSON).
• Withdrawal of Consent (Art. 7(3) GDPR): You can revoke your consent to the processing of health data at any time in the app settings or for the ChatGPT connection on our consent page.
• Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is the Saxon Data Protection Commissioner.

10. Data Export and Account Deletion

In the app under Settings → Data you can:

• Export all your data as a JSON file
• Permanently delete your account and all associated data

Both actions require re-authentication for your protection.

11. Data Retention

Your data is stored as long as your account exists. Upon account deletion, all personal data and health data are permanently deleted. Anonymized, aggregated data may be retained for statistical purposes.

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy in the event of changes to the app or changed legal requirements. The current version is always available at get-nudge.de/datenschutz.

13. Contact

For questions about data protection, you can reach us at: