Privacy Policy

Last updated: June 5, 2026

1. General Information

This Privacy Policy explains how personal data is collected and processed when you use the TrackerSuite ecosystem, including the website, the web application at trackersuite.app, and related mobile applications such as BodyTracker.

TrackerSuite is designed to give users control over their body metrics, fitness progress, nutrition-related logs, account data, and optional AI-assisted features. Some features can be used locally on your device, while other features require a TrackerSuite Cloud Account.

Data Controller under GDPR:

Noah Schweizer

c/o Impressumservice Dein-Impressum

Stettiner Straße 41, 35410 Hungen, Germany

Email: contact@noahschweizer.com

You may also use the email address above for privacy-related requests, including access, correction, deletion, restriction, portability, objection, and withdrawal of consent.

2. Categories of Data We Process

Depending on how you use TrackerSuite, we may process the following categories of data:

  • Account data: email address, user ID, authentication provider, login method, account creation date, subscription status, and account settings.
  • Health and body data: body weight, body fat percentage, body measurements, progress entries, fitness-related values, step count, active energy, and similar metrics entered by you or imported with your permission.
  • Nutrition-related data: food logs, nutrition estimates, calorie estimates, macro estimates, meal entries, and related user-generated content if such features are enabled.
  • AI input and output data: prompts, questions, uploaded or selected context, generated answers, model responses, metadata about the selected model, token usage, timestamps, and technical request information when you actively use optional AI-assisted features.
  • Payment data: subscription status, billing email, payment provider customer ID, invoices, and payment metadata. We do not store full credit card details.
  • Technical data: IP address, device type, browser, operating system, app version, timestamps, server logs, security logs, and error diagnostics.
  • Communication data: emails, support messages, transactional emails, and account-related notifications.
  • Analytics and telemetry data: privacy-friendly usage events, app performance events, and crash or error data. Health data is not sent to analytics providers.

3. Legal Bases for Processing

We process personal data only where a legal basis under the GDPR applies:

  • Contract performance, Art. 6(1)(b) GDPR: to provide accounts, app functionality, cloud sync, subscriptions, billing access, support, requested services, and optional AI-assisted features when you choose to use them.
  • Consent, Art. 6(1)(a) GDPR: for optional features such as HealthKit access, optional analytics where consent is required, optional cloud sync of sensitive data, and optional AI-assisted features where consent is required.
  • Explicit consent for health data, Art. 9(2)(a) GDPR: for processing health-related data in cloud features, AI-assisted features, or other features that involve special categories of personal data.
  • Legitimate interests, Art. 6(1)(f) GDPR: for security, fraud prevention, abuse prevention, service reliability, debugging, basic technical logs, and product improvement where your interests and rights do not override ours.
  • Legal obligations, Art. 6(1)(c) GDPR: for tax, accounting, consumer protection, and compliance obligations.

4. Health Data, Body Metrics, and Apple HealthKit

Body weight, body fat percentage, body measurements, fitness values, nutrition-related logs, and similar information may qualify as health data and therefore as special category data under Art. 9 GDPR. We treat this data as sensitive.

Local Mode and Apple Health

If you use the iOS app without creating a TrackerSuite Cloud Account, your health and body data remains on your device unless you explicitly choose otherwise. With your permission, the app may read from or write to Apple Health / HealthKit, for example weight, body fat, step count, active energy, or similar metrics.

HealthKit permissions are controlled by you through iOS. You can grant, deny, or revoke these permissions at any time in the iOS Health app or system settings. HealthKit data is not used for advertising, is not sold, and is not shared with data brokers.

Cloud Account and Sync

If you create a TrackerSuite Cloud Account and enable cloud-based features, your health, body, progress, and nutrition-related data may be transmitted to and stored in our cloud infrastructure so that you can access it across devices and through the web dashboard. This processing is based on contract performance under Art. 6(1)(b) GDPR and, where health data is involved, on your explicit consent under Art. 9(2)(a) GDPR.

5. Nutrition, Estimates, and Optional AI Features

TrackerSuite may include nutrition-related features, estimations, calculations, image-based food recognition, and AI-assisted functionality. These features are intended for logging, convenience, and estimation only.

Nutrition values, calorie estimates, macro estimates, body fat estimates, AI-generated responses, and similar outputs may be inaccurate or incomplete. They are not medical advice, nutritional advice, diagnosis, treatment, or a substitute for professional guidance.

AI-assisted features are optional and are only available when you create and use a TrackerSuite Cloud Account. If you do not use AI-assisted features, your prompts or AI requests are not sent to an AI provider.

6. Optional LLM / AI Processing via OpenRouter

TrackerSuite uses OpenRouter as a technical provider for optional LLM / AI-assisted features. OpenRouter provides access to different AI models through a unified API and may route requests to selected third-party model providers.

When you actively use an AI-assisted feature, the content necessary to process your request may be transmitted to OpenRouter and, depending on the selected model or routing configuration, to the relevant model provider. This may include your prompt, selected context, generated response, model name, token usage, timestamps, and technical request metadata.

We do not automatically send your entire TrackerSuite account, full health history, full nutrition history, payment details, or unrelated personal data to OpenRouter. Only the data necessary for the specific AI request is sent.

Because TrackerSuite involves health, body, and nutrition-related data, you should avoid entering information into AI features that you do not want to be processed by an external AI provider. If an AI request includes health-related or nutrition-related information, that information may qualify as sensitive data under Art. 9 GDPR.

The legal basis for optional AI processing is contract performance under Art. 6(1)(b) GDPR, because the AI feature is provided at your request. Where AI requests include health-related data or other special category data, processing is based on your explicit consent under Art. 9(2)(a) GDPR.

OpenRouter and downstream model providers may have their own logging, abuse prevention, security, and retention rules. Where technically and commercially reasonable, we may configure AI requests to reduce retention, restrict provider routing, or use providers with stronger privacy settings. However, no AI provider should be treated as a private medical professional or confidential health advisor.

7. Hosting, Infrastructure, and Service Providers

We use carefully selected service providers to operate TrackerSuite. These providers process data only as necessary to provide their services to us and, where required, under data processing agreements.

  • Vercel Inc.: hosting, content delivery, deployment, and technical operation of the website and web application. Technical data such as IP addresses, browser data, and request logs may be processed to deliver the service securely and efficiently.
  • Supabase: database, authentication, cloud storage, account management, and sync infrastructure for TrackerSuite Cloud Accounts.
  • Resend: transactional emails such as login emails, verification emails, account notifications, security messages, and product-related service emails.
  • OpenRouter: optional AI / LLM request processing for users with a TrackerSuite Cloud Account who actively use AI-assisted features. OpenRouter may route requests to selected third-party model providers.
  • Apple: iOS distribution, in-app purchases, Sign in with Apple, StoreKit, and Apple HealthKit where you grant permission.
  • Google: Google login / OAuth authentication if you choose to sign in with Google.
  • Stripe Payments Europe, Ltd.: payment processing, subscriptions, invoices, taxes, fraud prevention, and billing portal access for web subscriptions.

8. Authentication and Social Login

You may be able to sign in using email authentication, Sign in with Apple, or Google login. When you use a third-party login provider, that provider may process your data according to its own privacy policy and terms.

We receive only the information necessary to create and maintain your TrackerSuite account, such as your email address, provider user ID, and authentication status.

9. Payments and Subscriptions

Depending on where you purchase a subscription, payment processing is handled either by Apple or by Stripe.

  • iOS In-App Purchases: purchases made inside the iOS app are processed by Apple through the App Store and StoreKit. We do not receive your full payment details from Apple.
  • Web Subscriptions: web-based subscriptions are processed by Stripe. Stripe may process your billing email, payment method information, billing address, tax information, invoices, transaction metadata, and fraud prevention data. We do not store full credit card details on our own servers.

Payment and invoice data may be retained as long as required for tax, accounting, chargeback, and legal compliance purposes.

10. Analytics, Telemetry, and Error Diagnostics

We use privacy-conscious analytics and diagnostics to understand product usage, detect bugs, improve reliability, and maintain security. We do not send your health data, body metrics, nutrition logs, personal notes, private progress entries, or AI prompt content to analytics providers.

  • Vercel Analytics: used for basic website and web app analytics. This may include page views, referrers, device and browser information, and aggregated usage statistics.
  • TelemetryDeck: used for anonymous or pseudonymous iOS app telemetry, such as app version, screen usage, performance events, and crash-related diagnostics.
  • Server logs: our infrastructure providers may process technical logs such as IP address, request timestamp, endpoint, user agent, and security events.

Analytics and telemetry are used to improve the service and are not used to create advertising profiles based on health data.

11. International Data Transfers

Some of our service providers or their sub-processors may be located outside the European Economic Area, including in the United States. This may include providers involved in hosting, authentication, payments, email delivery, analytics, and optional AI / LLM processing.

Where personal data is transferred to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses, data processing agreements, technical security measures, encryption, and transfer risk assessments where required.

Despite these safeguards, data processing in third countries may involve different legal protections than within the European Union.

12. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

  • Account data: retained while your account exists.
  • Health, body, progress, and nutrition data: retained while your account exists or until you delete the data or your account.
  • AI request data: prompts, responses, AI request metadata, token usage, and related technical logs may be retained for a limited period where necessary to provide the feature, monitor abuse, debug errors, ensure security, control costs, and comply with legal obligations. OpenRouter and downstream model providers may apply their own retention rules depending on the selected model and routing configuration.
  • Local app data: stored on your device and controlled by you. Deleting the app or app data may remove local records from your device, subject to iOS backup behavior.
  • Payment and invoice data: retained as required for tax, accounting, fraud prevention, dispute, and legal compliance obligations.
  • Support emails and communication: retained as long as necessary to handle your request and for reasonable documentation periods.
  • Server logs and security logs: retained for a limited period necessary for security, debugging, abuse prevention, and service reliability, unless longer retention is required for investigation or legal reasons.
  • Backups: deleted data may remain in encrypted backups for a limited period until those backups are rotated or overwritten.

13. Account Deletion and Data Deletion

You can delete your TrackerSuite Cloud Account from the app or web dashboard. Account deletion is intended to permanently delete your account and associated cloud data, including synced health data, body metrics, progress logs, nutrition logs, AI-related data stored in your TrackerSuite account, and user-generated content, unless retention is legally required.

Deleting your cloud account does not automatically cancel subscriptions managed by Apple or Stripe if they are handled separately by those providers. You may need to cancel active subscriptions through the App Store subscription settings or the Stripe billing portal.

Some residual data may remain temporarily in backups, logs, fraud prevention records, invoices, AI provider logs, abuse prevention records, or legal records where deletion is technically delayed or legally restricted.

14. Your GDPR Rights

Subject to the conditions of the GDPR, you have the following rights:

  • Right of access under Art. 15 GDPR
  • Right to rectification under Art. 16 GDPR
  • Right to erasure under Art. 17 GDPR
  • Right to restriction of processing under Art. 18 GDPR
  • Right to data portability under Art. 20 GDPR
  • Right to object under Art. 21 GDPR
  • Right to withdraw consent at any time under Art. 7(3) GDPR
  • Right to lodge a complaint with a supervisory authority under Art. 77 GDPR

To exercise your rights, contact us at contact@noahschweizer.com.

If you withdraw consent for processing health-related data in optional AI-assisted features, you may no longer be able to use those AI features with health, body, or nutrition-related context.

15. Children and Minimum Age

TrackerSuite is intended for users aged 16 or older. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us so that we can take appropriate action.

16. Security

We use appropriate technical and organizational measures to protect your data, including access controls, encrypted transmission, provider-level security measures, and separation of sensitive data where reasonably possible. No system can be guaranteed to be completely secure, but we work to reduce risks and protect your data responsibly.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example when we add new features, change service providers, change AI model providers, introduce or modify AI-based functionality, or adapt to legal requirements. The latest version will always be available on this page. If changes are material, we may notify you through the app, website, or email where appropriate.