
Website — Privacy Policy

Last updated: June 17, 2026

1. Controller and contact

The controller for this website is the operator named in the Imprint / Legal Notice.

You can use the contact details listed there, or the Contact page, to reach us about this Privacy Policy or your data protection rights.

2. Scope of this Privacy Policy

This Privacy Policy describes the public Crmbls AI website. The website is a frontend-only public website with informational pages, legal pages, and a Contact form where the form is configured.

Use of the Crmbls AI mobile app is governed by the separate app Privacy Policy shown under the App area where applicable.

The current public website does not provide website user accounts, authentication, payments, subscriptions, a public Pricing page, analytics scripts, backend API routes, or app store download routes.

3. Website access and technical logs

When you access the website, technically necessary data may be processed so the website can be displayed, operated securely, and kept stable. This may include:

  • IP address
  • date and time of access
  • requested page or file
  • referrer URL
  • browser type and browser version
  • operating system
  • HTTP status code
  • amount of data transferred
  • technical error logs and security logs

This processing is necessary to provide the website, maintain technical security, analyze errors, and prevent misuse.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is the secure, stable, and functional operation of the website.

4. Contact form and contact requests

If you contact us through the Contact form or another contact route, we process the information needed to handle your request. The Contact form currently collects:

  • required email address
  • required topic
  • required message content
  • required Privacy Policy and Terms of Use consent for the contact request
  • Google reCAPTCHA verification and related technical interaction data for spam and abuse protection
  • technical data needed to transmit, secure, and document the request

When the Contact form is available, the browser submits the form data by fetch() to the configured public contact endpoint. If the required public endpoint URL or reCAPTCHA site key is missing, the Contact form shows an unavailable state instead of accepting input.

We use contact request data to respond to inquiries, handle support, privacy, legal, partnership, feedback, and similar communication, and protect the contact process against misuse.

The legal basis is Art. 6(1)(b) GDPR if your request relates to a contract, app use, support, or pre-contractual communication. In other cases, the legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is handling and responding to inquiries and protecting the contact process.

5. Google reCAPTCHA

The Contact form uses Google reCAPTCHA when the form is configured and available. reCAPTCHA helps protect the form against spam, automated submissions, and abuse.

For this purpose, the Contact page loads a reCAPTCHA script from Google and processes a reCAPTCHA verification token. Google may process technical interaction data as part of the verification.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is protecting the public form and the website from spam and abuse.

6. Local storage, cookies, and analytics

The current public website uses a small local browser storage entry to remember the cookie banner choice. This entry is stored under crmblsai.website.cookieConsent.v2 and contains the selected choice and the time it was saved.

The current public website does not use marketing cookies, tracking cookies, or external analytics scripts.

In the current public website, we do not intentionally use:

  • Google Analytics
  • Meta Pixel
  • TikTok Pixel
  • Hotjar
  • external advertising networks
  • newsletter tracking
  • embedded third-party videos with tracking

If analytics, marketing cookies, or similar services are added later, this Privacy Policy will be updated. Where legally required, consent will be obtained before such services are used.

7. External links

This website may contain links to external platforms, for example the Reddit community, social media pages, or other third-party websites.

If you click an external link, you leave this website. The data processing on external platforms is governed by the privacy information of the respective provider.

8. Information about Crmbls AI and no medical advice

The website provides general information about Crmbls AI, a nutrition and lifestyle app. Website content is for general information only and does not replace medical advice, diagnosis, or treatment.

Any app-related information on the website is descriptive product information. Use of the Crmbls AI mobile app is governed by the separate Crmbls AI app Privacy Policy and Terms of Use.

9. Recipients of personal data

Recipients of personal data may include:

  • technical service providers where necessary for website operation, maintenance, or security
  • Google as provider of reCAPTCHA spam and abuse protection for the Contact form
  • the configured public contact endpoint provider used to receive Contact requests
  • email or communication service providers if you contact us by email or if we respond to your request
  • external platforms if you voluntarily follow an external link
  • service providers involved in handling support, privacy, or legal requests, where applicable

We do not sell personal data and do not disclose website visitor data for advertising purposes unless expressly described and, where required, consented to.

10. International transfers

Depending on the technical provider, endpoint provider, email provider, hosting configuration, Google reCAPTCHA, or external platform, data may be processed outside the European Union or the European Economic Area.

Where personal data is transferred to third countries, this is done only on the basis of legally recognized mechanisms, such as adequacy decisions, standard contractual clauses, or other safeguards permitted under the GDPR.

11. Retention

Personal data is stored only as long as necessary for the respective purposes or as required by law.

Technical access and log data is processed for website operation, security, error analysis, and misuse prevention, and then deleted or anonymized when no longer required for those purposes. The exact retention period may also depend on the technical settings and requirements of the relevant providers.

Contact, support, privacy, and legal communications are retained only as long as necessary to process the request and, where applicable, comply with legal, security, or documentation requirements.

12. Your rights

Subject to the requirements of the GDPR, you have the following rights:

  • right of access
  • right to rectification
  • right to erasure
  • right to restriction of processing
  • right to data portability
  • right to object to certain processing
  • right to withdraw consent with effect for the future, where processing is based on consent
  • right to lodge a complaint with a data protection supervisory authority

To exercise your rights, use the contact details in the Imprint / Legal Notice.

13. Requirement to provide data

You are not required to provide personal data through this website. However, visiting the website is technically not possible without the processing of certain technical access data.

If you contact us or use a protected form, we need the information required to process your request and verify the form submission.

14. Automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR takes place on this website.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time or at any time if the website, public form, technical services, legal requirements, or processing activities change.

The current version published on the website applies.

Crmbls AI Beta App — Privacy Policy

Last updated: 16 June 2026

1. Controller

The controller responsible for personal data processing in the Crmbls AI Beta App is:

C0LD3 UG (haftungsbeschränkt)
Speditionsstraße 15A
40221 Düsseldorf
Germany

Represented by:
Simon Chao
Managing Director

Email: support@crmblsai.com
Website: c0ld3.com

2. What Crmbls AI is

Crmbls AI is an informational nutrition and lifestyle tracking app in private Beta. The app helps users log, review, and understand food, drinks, supplements, wellbeing signals, goals, Crmbls, and related app activity.

Crmbls AI is not a medical app and does not provide diagnosis, treatment, medical advice, clinical validation, disease-risk scoring, disease prevention, or professional nutrition advice.

3. Beta status and Beta data reset

Crmbls AI is currently provided as a private Beta App. The Beta is used to test the app, understand reliability, improve product quality, prepare the final version, and find technical or product issues.

During the Beta phase, features, technical systems, data models, entitlements, pricing, Crmbls rules, reward rules, processing behavior, infrastructure, third-party providers, and legal documents may change.

When the Beta phase ends, or when Crmbls AI moves to final production infrastructure, Beta accounts and Beta app data may be deleted, reset, or not migrated into the final app. This may include, for example, meal logs, scan images, water and drink logs, supplement logs, goals, wellbeing entries, lifestyle data, favorites, reports, Crmbls wallet state, reward state, settings, and other Beta data.

Technical logs, security records, support communications, backups, ledger or anti-abuse records, or other limited records may be retained for a limited time where needed for security, debugging, abuse prevention, legal compliance, dispute handling, backup deletion cycles, or similar legitimate purposes.

During private Beta, in-app account deletion may be unavailable or disabled. This does not limit mandatory rights you may have under applicable data protection law. You may contact us at support@crmblsai.com regarding privacy requests.

4. Categories of personal data we may process

Depending on the features you use, Crmbls AI may process the following categories of personal data.

4.1 Account and authentication data

If you sign in or create a Beta account, we may process:

  • Google account ID or an authentication identifier derived from Google OAuth / Google Sign-In;
  • email address;
  • display name, if provided by Google or your account provider;
  • profile image, if provided and used by the app;
  • Supabase Auth user ID;
  • app-internal user ID;
  • login and session status;
  • authentication tokens or session metadata required to keep you signed in;
  • Beta onboarding completion status;
  • timezone selection and related onboarding state;
  • plan or entitlement status, such as Free, Basic, Pro, Admin-style internal access, or other Beta-specific access state.

Google OAuth / Google Sign-In may be processed through Supabase Auth to create or restore an authenticated app session and assign app data to the correct user.

4.2 Profile settings and app preferences

We may process app settings and preferences such as:

  • timezone;
  • app language and display preferences;
  • appearance settings;
  • onboarding state;
  • selected goals and goal settings;
  • app version and build context;
  • device and platform information needed to operate the app.

The current app is English-only. Any future localization support may require updates to app behavior and legal documents.

4.3 Meal logs, nutrition values, and food logging data

When you log food or meals, we may process:

  • meal names;
  • logged dates and times;
  • food items and ingredient names;
  • selected BLS food items;
  • BLS identifiers or internal food references;
  • estimated, confirmed, edited, or user-entered gram amounts;
  • BLS-based nutrition values;
  • AI Calculated values;
  • User Entered values;
  • Not Found item metadata;
  • manual Food Search entries;
  • direct Nutrition Entry values;
  • favorites and re-logged meals;
  • daily summaries, history, stats, and goal progress derived from logs.

4.4 Scan images, AI scan requests, and scan-result metadata

If you use scan features, we may process:

  • photos taken in the app or selected from your device;
  • compressed image data submitted for analysis;
  • image metadata needed for processing;
  • AI scan requests and AI scan responses;
  • scan type, such as EasyScan, ComplexScan, or MultiScan;
  • detected food or drink information;
  • ingredient trees;
  • estimated, confirmed, or edited gram amounts;
  • selected BLS-backed items;
  • AI Calculated fallback metadata;
  • scan draft, preview, save, guided retry, and recovery metadata;
  • Accuracy or reliability indicators;
  • raw scan payloads and scan diagnostics used for debugging, validation, or reports;
  • stored scan meal images, where the app saves them for meal history or review.

AI providers may receive scan images and related request context when you request scan analysis. This processing is separate from the use of BLS 4.0 data.

4.5 Drink, hydration, and supplement logs

If you use drink, hydration, or supplement features, we may process:

  • drink and water logs;
  • drink type data and custom drink types;
  • logged drink or water amounts;
  • drink minerals or nutrient metadata where supported;
  • supplement types;
  • supplement form, such as powder or tablet;
  • supplement amount, grams, tablet count, and nutrient profile;
  • custom supplement type data;
  • supplement logs;
  • amount presets;
  • daily summary effects and historical snapshots.

Custom drink types, custom supplement types, and amount presets may be plan-limited and may require rewarded-action unlocks depending on the current plan configuration.

4.6 Goals, stats, lifestyle, wellbeing, and mood data

If you use goals, stats, wellbeing, or lifestyle features, we may process:

  • nutrition and hydration goals;
  • goal sets and goal history;
  • daily summary data;
  • stats and period aggregations;
  • lifestyle focus modules;
  • lifestyle module settings;
  • lifestyle scores and module score rows;
  • mood entries;
  • energy level entries;
  • wellbeing notes;
  • timestamps and timezone-adjusted dates for wellbeing entries.

These data may reveal information about your routines, diet, wellbeing, lifestyle, or health-related preferences. They are used for app features and Beta improvement, not for medical diagnosis.

4.7 Crmbls, wallets, rewards, and unlocks

If you use Crmbls, rewards, or unlock features, we may process:

  • daily Crmbl balance;
  • bonus Crmbl balance;
  • daily allowance and reset metadata;
  • Crmbl ledger entries;
  • paid action metadata;
  • refunds where supported;
  • idempotency keys;
  • request fingerprints or related wallet-safety metadata;
  • rewarded video claim state;
  • rewarded-action unlock state;
  • cooldowns or claim-cycle state;
  • plan and entitlement state.

Rewarded videos are currently Beta sandbox/test functionality. Production ad IDs, production monetization, production subscriptions, and production ad-provider verification are not part of the current Beta unless explicitly stated in a later update.

Daily reward or streak features may exist as compatibility or historical backend schema but are disabled in the current Beta UI and claim flow.

4.8 Scan result reports

If you report a scan result, we may process:

  • user ID;
  • meal log ID;
  • scan type;
  • report reason;
  • optional report comment;
  • report status;
  • meal snapshot;
  • raw scan payload snapshot;
  • image or evidence metadata;
  • Accuracy score or related reliability metadata.

Reports help review scan quality and improve future behavior. A report does not automatically delete a log, correct nutrition values, re-run a scan, create a refund, or guarantee a response.

4.9 Support and contact data

If you contact us, we may process:

  • email address;
  • name, if provided;
  • content of your message;
  • time of contact;
  • technical information needed to investigate your request;
  • related support history.

4.10 Minimal analytics with PostHog

If analytics is enabled in the Beta build, Crmbls AI may use PostHog for minimal Beta analytics. The current intended analytics scope is limited to the allowlisted event:

  • daily_app_used

This event may be used to understand whether an authenticated Beta account used the app on a given day. It may include a pseudonymous account identifier and limited global technical properties such as app version or platform context.

The current Beta analytics scope does not include food details, nutrients, scan images, ingredient lists, gram amounts, free-text notes, report comments, broad screen tracking, action streams, raw API failures, raw errors, Session Replay, heatmaps, experiments, surveys, feature flags, or broad behavioral profiling.

Analytics is disabled unless the app is configured with analytics enabled and a valid PostHog project key.

5. Purposes of processing

We process personal data for the following purposes:

  • providing the Beta App and account features;
  • authenticating users through Google OAuth / Supabase Auth;
  • assigning app data to the correct authenticated user;
  • completing Beta onboarding and timezone setup;
  • analyzing food or drink images when you request scans;
  • creating scan drafts, previews, guided retries, and saved meal logs;
  • calculating and saving nutrition values;
  • showing source labels such as BLS-based, AI Calculated, User Entered, and Not Found;
  • showing history, summaries, goals, stats, lifestyle views, and Accuracy indicators;
  • providing Food Search, Nutrition Entry, drinks, supplements, favorites, wellbeing, and goals;
  • managing Crmbls wallets, ledger entries, spend, refunds, reward claims, and rewarded-action unlocks;
  • improving reliability and investigating reported scan issues;
  • preventing abuse, duplicate charges, wallet manipulation, and unauthorized access;
  • debugging, support, security, and legal compliance;
  • limited Beta analytics if enabled;
  • preparing the final version of the app and planning the end-of-Beta reset.

6. BLS 4.0 / Bundeslebensmittelschlüssel and user data

Crmbls AI uses BLS 4.0 / Bundeslebensmittelschlüssel nutrient data as one foundation for BLS-based calculations.

BLS 4.0 itself is not personal user data. It is an external open data source used by Crmbls AI for app calculations.

User-specific meals, photos, quantities, logs, selected BLS items, calculated values, AI results, source labels, summaries, and reports are processed by Crmbls AI and its technical providers, not by the Max Rubner-Institut.

BLS attribution does not mean that user data is shared with the Max Rubner-Institut. Unless we state otherwise in this Privacy Policy or in a future update, Crmbls AI does not send user-specific app data, meal photos, user logs, scan results, or account data to the Max Rubner-Institut for BLS attribution or calculation purposes.

The Max Rubner-Institut publishes the BLS 4.0 data source. It does not calculate individual Crmbls AI user meals, app results, daily summaries, or Accuracy indicators.

7. AI-assisted processing

When you request scan analysis or certain AI-assisted features, Crmbls AI may send images, text, and technical request context to AI providers to analyze the requested content.

The AI provider may process the submitted image and request data to return structured scan information. Crmbls AI then validates, maps, transforms, and calculates app values through its backend logic, source data, and server-controlled validation paths.

Normal scan outputs do not rely on user-controlled client nutrition totals. AI-generated or AI-assisted outputs are subject to backend validation and may still be incomplete, inaccurate, or unsuitable for your individual needs.

8. Legal bases

Where the GDPR applies, we rely on the following legal bases depending on the processing context:

  • Article 6(1)(b) GDPR where processing is necessary to provide the app, account, requested features, Beta access, or related services;
  • Article 6(1)(f) GDPR where we have a legitimate interest in secure operation, debugging, abuse prevention, product reliability, support, Beta improvement, and preparation of the final app;
  • Article 6(1)(a) GDPR where consent is required, for example for optional analytics or other optional features where applicable;
  • Article 9(2)(a) GDPR where special-category data may be involved and explicit consent is required.

Because nutrition, wellbeing, lifestyle, or notes may reveal sensitive information, you should use the Beta App only if you are comfortable with the processing described here. If a specific feature requires consent, you may be asked to provide it through the app or another appropriate process.

9. Hosting, backend, and infrastructure

The Beta App communicates with backend and API infrastructure. The website, Beta API subdomains, backend services, and later production API subdomains may be hosted through Hostinger.

The backend may process technical API requests, IP addresses, device and connection information, authentication data, app data, server logs, and security logs to provide the app, protect the service, and troubleshoot issues.

Backend secrets are not stored in the frontend. Hosted Beta environments require a valid authenticated session for user-owned app routes.

10. Database, authentication, and storage providers

Crmbls AI may use Supabase or comparable providers for authentication, database, and storage functions. This can include:

  • account and authentication data;
  • user profiles and app settings;
  • meal logs;
  • scan images;
  • water and drink logs;
  • supplement logs;
  • goals;
  • wellbeing logs;
  • favorites;
  • lifestyle data;
  • scan reports;
  • Crmbls wallet and ledger data;
  • reward state;
  • server-side security or audit data.

11. Google services

Depending on the feature and platform, Google services may be involved, including:

  • Google OAuth / Google Sign-In for authentication;
  • Google AI / Gemini or related AI services for scan analysis;
  • Google AdMob for rewarded ads in test, sandbox, Beta, or future production contexts;
  • Google Play and Google Play testing infrastructure if you install or test the app through Google Play.

Google's own privacy notices and terms may apply to those services.

12. PostHog analytics

If analytics is enabled in the Beta build, Crmbls AI may use PostHog for the limited daily_app_used analytics event described above.

The current Beta configuration is intended to be EU-region and privacy-minimized. Analytics is disabled unless the app is configured with analytics enabled and a PostHog project key.

We do not use PostHog in the current Beta scope for scan content, nutrition content, image content, screen-by-screen tracking, raw error tracking, Session Replay, heatmaps, experiments, surveys, feature flags, or broad user profiling.

13. App permissions

The app may request device permissions, including:

  • camera access, to take food or drink photos;
  • photo or media access, to select images for scan or meal history features;
  • internet access, to communicate with backend, authentication, AI, storage, analytics, reward, and support services.

The app should request permissions only when needed for the relevant feature.

14. Local storage and secure device storage

The app may store some data locally on your device, such as:

  • session information in secure storage;
  • onboarding state;
  • app preferences;
  • cached UI state;
  • temporary scan or form state;
  • local identifiers used for safe app operation.

Local data may be lost if you delete the app, clear app data, change devices, or reset your device.

15. Recipients and processors

Depending on the features used, recipients or processors may include:

  • Hostinger as hosting provider for website, API, backend, or related subdomains;
  • Supabase or comparable database, storage, and authentication providers;
  • Google for OAuth, Google AI/Gemini, Google Play, or AdMob, where applicable;
  • PostHog for limited analytics if enabled;
  • app store or beta testing platforms;
  • email and support providers;
  • technical providers needed for security, infrastructure, debugging, or maintenance;
  • professional advisers or authorities where legally required.

We do not share user-specific data with the Max Rubner-Institut merely because we use or attribute BLS 4.0 data.

We do not sell personal data.

16. International transfers

Some providers may process data outside the European Union or European Economic Area. Where required, we rely on legally recognized safeguards, such as adequacy decisions, standard contractual clauses, or other mechanisms permitted under applicable data protection law.

17. Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy, unless longer retention is required or permitted by law.

During the Beta phase, data may be reset, deleted, or migrated for testing, infrastructure, reliability, or preparation of the final app. At the end of the Beta phase, Beta accounts and Beta app data are expected to be deleted, reset, or not migrated into the final app.

Some limited records may be retained for security, abuse prevention, debugging, audit, legal compliance, backup deletion cycles, or dispute handling. Crmbls ledger or anti-abuse records may be retained in minimized or neutralized form where needed to protect wallet integrity, prevent manipulation, investigate abuse, or comply with legal requirements.

Support messages are retained only as long as needed to handle the request or meet legal requirements.

18. Account deletion and privacy requests

During private Beta, the in-app account deletion action may be disabled. If you have privacy requests, including requests for access, correction, deletion, restriction, or objection, contact us at:

support@crmblsai.com

When the Beta phase ends, Beta accounts and Beta app data are expected to be deleted, reset, or not migrated into the final app. This automatic Beta reset is separate from individual privacy requests.

If a public account-deletion page or process is required for app store compliance, it must match the implemented Beta behavior and this Privacy Policy.

19. Your rights

Where applicable law grants you rights, you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate data;
  • request deletion of personal data;
  • request restriction of processing;
  • request data portability;
  • object to certain processing;
  • withdraw consent with effect for the future;
  • lodge a complaint with a data protection supervisory authority.

To exercise your rights, contact us at:

support@crmblsai.com

These rights may be subject to legal conditions, exceptions, identity verification, security restrictions, technical constraints, and retention obligations.

20. No automated decisions with legal effect

The app may display automated calculations, source labels, scan outputs, Accuracy indicators, recommendations, or lifestyle views. These are app features and informational orientation tools.

The Beta App does not make automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.

21. Security

We use appropriate technical and organizational measures to protect personal data. These may include encrypted transmission, secure session storage, backend validation, access controls, user ownership checks, idempotency safeguards, and separation of Beta and production environments where applicable.

No digital system can guarantee absolute security.

22. Children

The Beta App is not intended for children. If you are under the age required by applicable law to use the app or provide consent, you may use the app only if legally permitted and, where required, with consent from a parent or legal guardian.

23. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Updates may be necessary when the app, Beta scope, features, infrastructure, data sources, third-party services, analytics scope, rewards, account handling, law, or business model changes.

We will make the current version available in the app or through the official legal pages. For material changes, we will inform you through appropriate means, such as an in-app notice, website notice, email, app store release notes, or another suitable communication channel.

Where a change requires consent under applicable law, we will ask for consent before applying that processing where required. If you do not agree with the updated Privacy Policy or any required processing, you should stop using the Beta App or the affected feature. Continued use of the Beta App after an updated Privacy Policy becomes available means that you acknowledge the updated Privacy Policy, to the extent permitted by applicable law.

24. Contact

For privacy questions or requests, contact:

C0LD3 UG (haftungsbeschränkt)
Email: support@crmblsai.com
