Privacy Policy
TraciaAI — Operated by Hubster S.M.N LTD
Effective Date: April 11, 2026
1. Introduction
Hubster S.M.N LTD ("we", "us", "our") operates the TraciaAI mobile application. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR — EU 2016/679), the Cyprus Processing of Personal Data (Protection of the Individual) Law, and other applicable data protection laws.
We are committed to protecting your privacy and ensuring transparency about our data practices.
2. Data Controller
The data controller responsible for your personal data is:
Hubster S.M.N LTD
Registered in: Cyprus
Email: hey@hubst3r.com
For data protection inquiries, contact our Data Protection Officer at: hey@hubst3r.com
3. Data We Collect
3.1 Data You Provide Directly
- Account Data: Email address, first name, last name, password (encrypted)
- Profile Data: Gender, date of birth, height, weight, activity level
- Profile Picture: Optional profile photo stored encrypted on Cloudflare R2
- Health and Fitness Data: Meal descriptions, workout logs, body composition analysis results (text only), daily goals, weight history
- Chat Data: Messages sent to the AI coach
- Photos: Meal photos (stored temporarily on Cloudflare R2), body analysis photos (NEVER stored — processed and immediately discarded)
- Subscription Data: Subscription tier, payment status (payment details handled by Apple/Google)
- Preferences: Language preference, notification settings, timezone, city and country (for localized food suggestions)
- Referral Data: Referral codes applied to your account, partner association
3.2 Data Collected Automatically
- Device Data: Device type, operating system, app version
- Health Platform Data: Steps, active calories, resting heart rate (only with your explicit permission via HealthKit/Health Connect)
- Push Notification Tokens: For delivering notifications (Expo Push)
- Usage Data: Feature usage patterns, session duration (anonymized)
3.3 Data We Do NOT Collect
- Body photos (immediately discarded after AI analysis)
- Precise GPS location
- Contacts, call logs, or SMS
- Browsing history outside the App
- Financial/payment card details (handled by Apple/Google)
4. Legal Basis for Processing (GDPR Art. 6)
We process your data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the App's services (account management, AI coaching, tracking features)
- Consent (Art. 6(1)(a)): Health data processing, push notifications, health platform integration, marketing communications
- Legitimate Interest (Art. 6(1)(f)): App improvement, fraud prevention, security
- Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations
5. How We Use Your Data
- Provide and maintain the App's services
- Process your meals, workouts, and goals through AI
- Generate personalized AI coaching responses
- Calculate nutritional targets and energy expenditure
- Send push notifications (nudges, weekly summaries, milestones)
- Process subscription payments (via Apple/Google)
- Improve our AI models and App features (using anonymized, aggregated data only)
- Prevent fraud and ensure security
- Comply with legal obligations
AI Processing — What is sent to AI providers: When you use the AI coach, request meal/workout analysis, or trigger personalized insights, the following information is sent to Anthropic (Claude API): your first name, age, height, weight, gender, activity level, city and country, daily nutrition logs, today's meals and workouts, active fitness goals, and recent chat history. When you upload meal photos or body progress photos, the image data is sent to Google (Gemini API) for analysis. These third-party AI providers process your data only to generate the requested response and do not retain it beyond the API call.
6. Data Sharing and Third Parties
We share your data with the following categories of third parties (subprocessors):
- AI Service Providers: Anthropic (Claude API) for AI coaching, weekly summaries, and personalized insights — receives profile data, daily nutrition logs, fitness goals, and chat history. Google (Gemini API) for food and body image analysis — receives photo data. Neither provider retains your data beyond the API call.
- Cloud Storage: Cloudflare R2 for encrypted meal photo storage and profile pictures
- Push Notifications: Expo Push Service for delivering notifications
- Advertising: Google AdMob for free-tier users (Pro/Elite users see no ads). AdMob may collect device identifiers (IDFA/AAID) for ad targeting.
- Subscription Management: RevenueCat for managing subscription state. RevenueCat receives your anonymous user ID and subscription transaction data, but does not access your personal information (name, email, health data).
- Payment Processing: Apple App Store and Google Play Store handle all payment processing
- Email Delivery: SendGrid for transactional emails (verification, password reset) and optional promotional communications
- Hosting: Railway (backend hosting), PostgreSQL database
- Referral Partners: If you apply a referral code, the partner who owns that code can see your first name, the date you applied the code, and your current subscription tier (free/pro/elite) through their partner dashboard. No other personal data (email, last name, health data, etc.) is shared with partners.
We never sell your personal data to any third party. We never share your health data with advertisers.
7. Automated Decision-Making and Profiling
TraciaAI uses AI to generate nutritional estimates, workout suggestions, and coaching guidance. These constitute automated processing but do not produce legal effects or similarly significant effects on you. All AI outputs are advisory in nature and you are free to disregard them. You have the right to request human review of any AI-generated recommendation by contacting us at hey@hubst3r.com.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where Anthropic, Google, Cloudflare, RevenueCat, SendGrid, and Expo operate). We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we verify that recipients maintain adequate data protection standards.
9. Data Retention
- Account Data: Retained until you delete your account
- Profile Picture: Retained until you delete it or your account
- Chat History: Retained until you delete your account
- Meal Photos: 30 days (free), 1 year (Pro/Elite), then automatically deleted
- Body Analysis Photos: NEVER stored — processed and immediately discarded
- Body Analysis Text Results: Retained until you delete your account
- Weight History: Retained until you delete your account
- Push Notification Tokens: Retained until you uninstall the App or revoke permissions
- Email Verification Codes: Automatically expire after 10 minutes
When you delete your account, all your personal data is permanently removed from our systems within 30 days, except where retention is required by law.
10. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Correct inaccurate personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right to Lodge a Complaint: File a complaint with the Commissioner for Personal Data Protection of Cyprus or your local supervisory authority
To exercise any of these rights, contact us at hey@hubst3r.com. We will respond within 30 days as required by GDPR.
11. California Residents — CCPA/CPRA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the personal information we have collected about you in the past 12 months
- Right to Delete: You may request deletion of your personal information
- Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at hey@hubst3r.com or use the account deletion feature in the App.
12. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using industry-standard algorithms (never stored in plain text)
- API communication encrypted via HTTPS/TLS
- JWT authentication with token rotation and blacklisting
- Cloud storage (Cloudflare R2) with encryption at rest
- Database access restricted to authenticated services only
- Regular security reviews and updates
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
14. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. As TraciaAI is a mobile application and does not track users across third-party websites, we do not currently respond to DNT signals. However, you can control advertising identifiers through your device settings.
15. Children's Privacy
TraciaAI is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If we discover that we have collected data from a child under 18, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at hey@hubst3r.com.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App or via email at least 30 days before the changes take effect. The "Effective Date" at the top indicates the latest revision. Continued use after changes constitutes acceptance.
17. Contact and Supervisory Authority
Data Controller:
Hubster S.M.N LTD
Email: hey@hubst3r.com
Country: Cyprus
Supervisory Authority:
Commissioner for Personal Data Protection
Republic of Cyprus
Website: www.dataprotection.gov.cy