Privacy Policy
TraciaAI — Operated by Hubster S.M.N LTD
Effective Date: July 9, 2026
1. Introduction
Hubster S.M.N LTD ("we", "us", "our") operates the TraciaAI mobile application. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR — EU 2016/679), the Cyprus Processing of Personal Data (Protection of the Individual) Law, and other applicable data protection laws.
We are committed to protecting your privacy and ensuring transparency about our data practices.
2. Data Controller
The data controller responsible for your personal data is:
Hubster S.M.N LTD
Registered in: Cyprus
Email: hey@hubst3r.com
For data protection inquiries, contact our Data Protection Officer at: hey@hubst3r.com
3. Data We Collect
3.1 Data You Provide Directly
- Account Data: Email address, first name, last name, password (stored only as a salted, one-way hash)
- Profile Data: Gender, date of birth, height, weight, activity level
- Profile Picture: Optional profile photo stored encrypted on Cloudflare R2
- Health and Fitness Data: Meal descriptions, workout logs, body composition analysis results (text only), daily goals, weight history
- Chat Data: Messages sent to the AI coach
- Photos: Meal photos (stored temporarily on Cloudflare R2), body analysis photos (not stored by TraciaAI; sent to Google Gemini for analysis, then immediately discarded)
- Subscription Data: Subscription tier, payment status (payment details handled by Apple/Google)
- Preferences: Language preference, notification settings, timezone, city and country (for localised food suggestions)
- Referral Data: Referral codes applied to your account, partner association
- AI Consent Record: Timestamp and version of your consent to AI processing (and timestamp of any subsequent withdrawal). Retained as legal proof under GDPR Art. 7(1) for as long as your account exists.
3.2 Data Collected Automatically
- Device Data: Device type, operating system, app version
- Health Platform Data: Steps and active calories (only with your explicit permission via HealthKit/Health Connect)
- Push Notification Tokens: For delivering notifications (Expo Push)
- Usage and Analytics Data: Feature usage patterns, screens viewed, and session activity, collected via our first-party analytics provider (PostHog, EU-hosted) with IP addresses discarded on ingestion. See Section 6.
3.3 Data We Do NOT Collect
- Body photos: used once for AI analysis via Google Gemini, then immediately discarded; never stored by TraciaAI
- Precise GPS location
- Contacts, call logs, or SMS
- Browsing history outside the App
- Financial/payment card details (handled by Apple/Google)
3.4 Diagnostics and Error Reports
To detect crashes, fix bugs, keep the service secure, and improve reliability, we collect a technical error report when something goes wrong in the App. Each report may include the type and message of the error, a stack trace, the screen or feature where the error occurred, the app version and build number, the platform (such as iOS or Android), the operating-system version, the device model, a timestamp, and limited additional debugging details related to the error. A report may be linked to your account or recorded without any account link. Because a stack trace or error message can sometimes capture surrounding technical data, it may incidentally include personal data. We do not use error reports for advertising, and where a report is linked to your account, that link is removed when you delete your account.
4. Legal Basis for Processing (GDPR Art. 6)
We process your data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the App's services (account management, AI coaching, tracking features)
- Consent (Art. 6(1)(a)): AI processing of your personal and health data via Google Gemini (see Section 5), push notifications, health platform integration (HealthKit / Health Connect), marketing communications
- Legitimate Interest (Art. 6(1)(f)): App improvement, fraud prevention, security
- Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations
5. How We Use Your Data
- Provide and maintain the App's services
- Process your meals, workouts, and goals through AI
- Generate personalized AI coaching responses
- Calculate nutritional targets and energy expenditure
- Send push notifications (nudges, weekly summaries, milestones)
- Process subscription payments (via Apple/Google)
- Improve app features, AI prompt quality, safety checks, and service reliability (we do not train any AI models on your data)
- Prevent fraud and ensure security
- Comply with legal obligations
AI Processing — What is sent to our AI provider: All AI features in TraciaAI are powered by Google's Gemini API (operated by Google LLC) on the Paid Services tier. With your explicit consent (see Section 4), the following information is sent to Gemini when you use AI features:
- AI coach, meal/workout text parsing, personalized insights, weekly summaries: your age, height, weight, gender, activity level, city and country, preferred language, subscription tier, daily nutrition goals and progress, today's meals and workouts, active fitness goal, and recent chat history (for multi-turn coach conversations).
- Meal photos and body progress photos: the image data, plus your gender, height, and weight (used to calibrate the analysis).
The data sent to Gemini does not include directly-identifying information such as your first name, email address, last name, account ID, or precise GPS location.
Under the Gemini API Paid Services terms of service, Google does not use your prompts or responses to improve its products or train its models. Google does log prompts and responses for a limited period solely for detecting violations of Google's Prohibited Use Policy and for compliance with legal disclosure obligations. We do not currently use Gemini's Zero Data Retention configuration.
Withdrawing your consent to AI processing (see Section 10) results in the immediate and permanent deletion of your TraciaAI account and all associated personal data, because AI is essential to the App's core service.
6. Data Sharing and Third Parties
We share your data with the following categories of third parties (subprocessors):
- AI Service Provider: Google LLC (Gemini API, Paid Services tier) processes all AI functionality including coaching responses, meal and workout text parsing, personalized insights, weekly summaries, meal photo analysis, and body progress photo analysis. The data categories sent are listed in Section 5. Per Google's Paid Services terms, Google does not use this data to improve its products or train its models. Google retains prompts and responses for a limited period for abuse-monitoring purposes only.
- Cloud Storage: Cloudflare R2 for encrypted meal photo storage and profile pictures
- Push Notifications: Expo Push Service for delivering notifications
- Advertising: Google AdMob shows ads to free-plan users only (Pro/Elite users see no ads). Where permitted we show personalized ads; in the EEA, UK, and Switzerland we obtain your consent through Google's certified consent tool (Google UMP) before personalized ads are shown, and AdMob serves only non-personalized ads if you decline. On Apple devices we also request permission through App Tracking Transparency, and you can review or change your ad-consent choice in the App's Settings. AdMob may process device and advertising identifiers (IDFA/AAID) to serve and measure ads; we do not send your health, nutrition, weight, body, or AI chat data to AdMob, and that data is not used to target or measure ads. See our Cookie Policy for full details.
- Subscription Management: RevenueCat for managing subscription state. RevenueCat receives your anonymous user ID and subscription transaction data, but does not access your personal information (name, email, health data).
- Product Analytics: PostHog (EU Cloud, hosted in Frankfurt, Germany) provides first-party product analytics. It receives usage and event data such as screens viewed, features used, session activity, and app lifecycle events (app opened, installed, became active), together with device type, operating system, and app version, plus a pseudonymous analytics identifier (for signed-in users, your account ID). IP addresses are discarded on ingestion and are not stored. We use this data solely to understand feature usage and improve the App, based on our legitimate interest (GDPR Art. 6(1)(f)); it is never used for advertising, and we do not send your meal or body photos, AI chat content, or health and nutrition values to PostHog. You may object to this processing at any time (see Section 10).
- Payment Processing: Apple App Store and Google Play Store handle all payment processing
- Email Delivery: Resend (EU region, eu-west-1 / Ireland) for transactional emails (verification, password reset) and optional promotional communications
- Hosting: Railway (backend hosting), PostgreSQL database
- Referral Partners: If you apply a referral code, the partner who owns that code can see your first name, the date you applied the code, and your current subscription tier (free/pro/elite) through their partner dashboard. No other personal data (email, last name, health data, etc.) is shared with partners.
We never sell your personal data to any third party. We never share your health data with advertisers.
7. Automated Decision-Making and Profiling
TraciaAI uses AI to generate nutritional estimates, workout suggestions, and coaching guidance. These constitute automated processing but do not produce legal effects or similarly significant effects on you. All AI outputs are advisory in nature and you are free to disregard them. You have the right to request human review of any AI-generated recommendation by contacting us at hey@hubst3r.com.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where Google, Cloudflare, RevenueCat, and Expo operate). We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we verify that recipients maintain adequate data protection standards.
9. Data Retention
- Account Data: Retained until you delete your account
- Profile Picture: Retained until you delete it or your account
- Chat History: Retained until you delete your account
- Meal Photos: 30 days (free), 1 year (Pro/Elite), then automatically deleted
- Body Analysis Photos: Not stored by TraciaAI; sent to Google Gemini for analysis, then immediately discarded
- Body Analysis Text Results: Retained until you delete your account
- Weight History: Retained until you delete your account
- Push Notification Tokens: Retained until you uninstall the App or revoke permissions
- Email Verification Codes: Automatically expire after 10 minutes
- AI Consent Record: Retained for the lifetime of your account as legal proof under GDPR Art. 7(1). Withdrawing AI consent triggers account deletion (see Section 10) and removes this record along with all other personal data within 30 days.
When you delete your account, we permanently erase your account and the personal data associated with it, and we delete your profile picture and meal photos from our image storage. Personal data is fully removed within 30 days, except for a limited set of records that may persist briefly or in specific circumstances:
- Diagnostic and error logs, with the identifier that links them to your account removed;
- Residual copies contained in our routine encrypted backups, which are overwritten on our normal backup-rotation cycle;
- Short-lived authentication tokens used to keep you signed in, which remain only until they reach their built-in expiry and are then removed automatically;
- Information we are required to retain to meet legal, tax, or accounting obligations.
10. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Correct inaccurate personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent (Art. 7(3)): Withdraw your consent to AI processing at any time from Profile → AI Data Sharing inside the App, or by declining consent at first launch. Because AI is the core of TraciaAI's coaching, nutrition analysis, and image analysis features, withdrawing or declining AI consent results in the immediate and permanent deletion of your account and all associated personal data. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to Lodge a Complaint: File a complaint with the Commissioner for Personal Data Protection of Cyprus or your local supervisory authority
To exercise any of these rights, contact us at hey@hubst3r.com. We will respond within 30 days as required by GDPR.
11. California Residents — CCPA/CPRA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the personal information we have collected about you in the past 12 months
- Right to Delete: You may request deletion of your personal information
- Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at hey@hubst3r.com or use the account deletion feature in the App.
12. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using industry-standard algorithms (never stored in plain text)
- API communication encrypted via HTTPS/TLS
- JWT authentication with token rotation and blacklisting
- Cloud storage (Cloudflare R2) with encryption at rest
- Database access restricted to authenticated services only
- Regular security reviews and updates
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
14. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. As TraciaAI is a mobile application and does not track users across third-party websites, we do not currently respond to DNT signals. However, you can control advertising identifiers through your device settings.
15. Children's Privacy
TraciaAI is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If we discover that we have collected data from a child under 18, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at hey@hubst3r.com.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App or via email at least 30 days before the changes take effect. The "Effective Date" at the top indicates the latest revision. Continued use after changes constitutes acceptance.
17. Contact and Supervisory Authority
Data Controller:
Hubster S.M.N LTD
Email: hey@hubst3r.com
Country: Cyprus
Supervisory Authority:
Commissioner for Personal Data Protection
Republic of Cyprus
Website: www.dataprotection.gov.cy