CarbCam – Privacy Policy

BETA Notice: CarbCam is under active development. Features, pricing, and technical details are subject to change. This document will be updated as needed – the current version is always available at ns.10be.de/en/carbcam-privacy.html.

This privacy policy supplements the general privacy policy of ns.10be.de and describes the processing of personal data in connection with the CarbCam app and its server backend. In the event of discrepancies between the documents, the provisions stated here shall take precedence for the CarbCam app.

1. Data Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

10BE Software UG (haftungsbeschränkt)
Managed Nightscout Hosting & CarbCam
Am Bergle 9
88662 Überlingen
Germany
Email: support@ns.10be.de
Web: https://ns.10be.de/

Managing Director: Martin Schiftan · Commercial Register: Amtsgericht Freiburg i. Br., HRB724192 · VAT ID: DE343662047

For data protection enquiries (access, deletion, rectification, objection) please use the contact details above or the contact form.

2. Overview of Data Processing

CarbCam is a smartphone app that allows users to take photos of meals. The app sends these photos for analysis to the ns.10be.de server backend, which forwards the image to an external AI interface selected by the user or server admin (currently supported: Anthropic Claude API, Google Gemini API, OpenAI API, Zhipu GLM API, Microsoft Azure OpenAI). The returned nutritional estimates (carbohydrates, fat, protein, FPU, glycaemic index) are delivered to and displayed in the app.

CarbCam does not require registration with a name or email address. To link the device to a quota/subscription, an anonymous Installation ID (24-character hex string) is generated locally on first app launch and sent with every request.

3. What Data We Process
3.1 Data collected automatically with every request
  • Installation ID: 24-character hex string, generated locally on first app launch. Not traceable to a natural person.
  • IP address: recorded by the web server in standard logs (max. 7 days, then anonymised).
  • User agent/app version: for compatibility checks and error analysis.
  • Timestamp and HTTP status code of the request.
3.2 Content generated through use of the app
  • Photo of the meal (temporary): sent to the server and from there to the AI interface. The original image is not permanently stored after analysis.
  • Photo hash & reduced thumbnail: an SHA-512 hash of the image and a heavily reduced thumbnail are stored in the analysis cache so that identical or similar photos can be answered more quickly and cost-effectively (perceptual hash matching).
  • Analysis result: the AI response (food names, portion sizes, nutritional values) is stored in the cache together with the hash.
  • Analysis events: for each request (food scan as well as BG trend analysis) a row containing the Installation ID, timestamp, provider, model, and cache hit type is stored in an event table. This table is used for quota counting (the number of analyses available per month depends on the chosen plan; scans and BG analyses both count towards the monthly limit) and fraud prevention.
  • Photo history (optional): reduced photos can, at the user’s request, be associated with a personal photo history via the Installation ID, so that the user can retrieve their history after reinstalling the app.
  • Feedback: ratings and comments submitted by the user for an analysis are linked to the Installation ID and the corresponding cache entry.
3.3 Data related to payment transactions
  • Stripe Customer ID and Subscription ID to link the installation to the subscription.
  • Plan, status, term, and billing periods of the subscription.
  • Payment-related personal data (name, address, payment method) is processed exclusively by Stripe and is not available to us.
  • Invoices are provided via the Stripe customer portal.
3.4 Optional: Bring Your Own Key (BYOK)
  • User’s own API key for Anthropic/Google is used on the server only for forwarding to the AI and is not permanently stored (held in RAM only for the duration of the request).
  • Optionally, a contact email address can be stored for BYOK support enquiries.
  • For BYOK requests (Bring Your Own Key), usage data is not counted against the quota of the selected package.
4. Purposes & Legal Bases
  • Provision of the core functionality (photo analysis, cache, feedback): Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
  • Caching and quality improvement (e.g. perceptual hash matching, admin corrections for recurring AI errors): Art. 6(1)(f) GDPR (legitimate interest in efficient and cost-effective provision of the service; the data subjects’ interest in a smaller image footprint is safeguarded by the use of heavily reduced thumbnails and automatic 30-day deletion).
  • Billing and payment processing: Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR (statutory retention obligations).
  • Fraud prevention and abuse mitigation (quota, rate limits): Art. 6(1)(f) GDPR.
  • Server logs and security: Art. 6(1)(f) GDPR.

No automated decision-making within the meaning of Art. 22 GDPR with legal effect on the data subjects takes place. The AI-based nutritional estimates are purely informational and do not constitute decisions in a legal sense.

5. Recipients & Third-Country Transfers

To provide the service, data is transferred to the following processors and third parties:

5.1 Anthropic PBC (Claude API)

Registered office: San Francisco, CA, USA. Photos and a textual prompt are transmitted to the Anthropic Claude API for analysis. Anthropic is contractually obligated not to use the transmitted data for training purposes (zero-retention policy for API customers). Basis for the transfer: EU Standard Contractual Clauses (SCC). Privacy policy: anthropic.com/privacy.

5.2 Google LLC (Gemini API, optional)

Registered office: Mountain View, CA, USA. Optionally, the admin can configure the server to process requests via the Google Gemini API. In this case, photos and the prompt are transmitted to Google. Basis: EU Standard Contractual Clauses. Privacy policy: policies.google.com/privacy.

5.3 OpenAI, L.L.C.

Registered office: San Francisco, CA, USA. Optionally, the user (via settings) or the admin can send requests to the OpenAI API. In this case, photos and the prompt are transmitted to OpenAI. Basis: EU Standard Contractual Clauses. Privacy policy: openai.com/policies.

5.4 Zhipu AI

Registered office: Beijing, People’s Republic of China. Optionally, the user can send requests to the Zhipu GLM API. Important: The People’s Republic of China is considered an unsafe third country under the GDPR without an adequacy decision. Use of this provider is at the user’s explicit choice and own risk; Standard Contractual Clauses have been concluded with the provider. Privacy policy: bigmodel.cn/dev/api/security/privacy.

5.5 Microsoft Azure (OpenAI Service)

Contracting entity: Microsoft Ireland Operations Ltd., Dublin, Ireland. Data processing in Azure EU regions. Basis: Microsoft contractual framework (DPA) and EU Standard Contractual Clauses where data is transferred to third countries. Privacy policy: privacy.microsoft.com.

5.6 Stripe Payments Europe, Ltd.

Registered office: Dublin, Ireland. Payment processing, subscription management, invoicing, customer portal. During payment transactions, name, address, payment method, and email address are transmitted directly to Stripe and are not shared with us. Privacy policy: stripe.com/privacy.

5.7 Open Food Facts & USDA FoodData Central

For an additional quality check (refine cross-check), the server can perform a text-based comparison against the public databases of Open Food Facts (France) and USDA FoodData Central (USA) after an AI analysis. No photos are transmitted; only food names are sent as a text query.

5.8 Hosting and Servers

The ns.10be.de servers are located in Germany, Finland, and France. CarbCam data is processed and stored on the servers in Germany.

6. Retention Periods
  • Analysis cache (hash, thumbnail, AI response): 30 days, then automatic deletion.
  • Perceptual hash index: 30 days (linked to the cache).
  • Analysis events (quota counting): at least for the current billing/quota period (30 days for Free), beyond that aggregated for statistical purposes.
  • Photo history (optional, linked to Installation ID): until deleted by the user or until the service is discontinued.
  • Feedback: until processed by the admin plus a reasonable follow-up period for quality control.
  • Subscription/payment data: for the duration of the contractual relationship and beyond that for the statutory retention periods (generally 10 years under commercial and tax law).
  • Web server logs: max. 7 days, then automatic anonymisation.
  • BYOK key: not persisted; held in RAM only for the duration of the individual request.
7. Your Rights as a Data Subject

Under the GDPR you have, in particular, the following rights:

  • Access (Art. 15 GDPR) to the data stored in relation to your Installation ID.
  • Rectification of inaccurate data (Art. 16 GDPR).
  • Erasure (Art. 17 GDPR), provided no statutory retention obligations apply.
  • Restriction of processing: CarbCam does not offer granular restriction of individual processing purposes. You can either accept the data processing in full or terminate it by deleting the app or resetting your installation ID.
  • Data portability (Art. 20 GDPR): Meal data (carbs, nutritional values, timestamps) is synced via Nightscout and available there as well as in the ns.10be.de backups. Photos are not archived on the server – enable “Save photos to gallery” in the app settings to keep local copies.
  • Objection to processing based on legitimate interests (Art. 21 GDPR).
  • Complaint to a supervisory authority (Art. 77 GDPR). The competent authority is, for example, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg.
Self-service via the app: In the app settings you can view your photo history and delete individual entries or the entire history. Under «Reset app» the local Installation ID is discarded and regenerated – the data linked to the old ID on the server side will then no longer be retrievable by you and will be automatically deleted when the respective retention period expires.

To exercise your rights or if you have questions about data protection, you can contact us at any time at support@ns.10be.de or via the contact form. For a deletion request without login, please provide the 24-character Installation ID so that the relevant data records can be identified.

8. Data Security
  • Data transmission between the app and the server is carried out exclusively via HTTPS (TLS).
  • Access to the servers is restricted to the provider and is secured via SSH with public-key authentication.
  • Databases are not directly accessible from outside.
  • Backups are created in encrypted form and overwritten after a maximum of three days, unless the core database is affected.
  • BYOK keys are held exclusively in memory for the duration of a request and are never persisted to disk or logged.
9. Changes to This Privacy Policy

As CarbCam is under active BETA development, this privacy policy may be updated when new features are added, processors change, or legal requirements make it necessary. The current version is always available at ns.10be.de/en/carbcam-privacy.html. Material changes will be communicated in the app or via the newsletter.

Last updated: 11 April 2026