Privacy Policy

Last updated: March 27, 2026

1. Controller and Contact Information

The controller responsible for data processing through this Service is:

Dumke Ventures UG (haftungsbeschränkt)
Ebersprung
16321 Bernau bei Berlin
Germany

Email: [email protected]

If you have any concerns about how we handle your data, you have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany

2. Scope and Purpose

This Privacy Policy applies to the Truvi mobile application (iOS and Android), the website at truviapp.com, and any related services (collectively, the “Service”). It explains what personal data we collect, why we collect it, how we process it, and what rights you have.

We process personal data only to the extent necessary and always in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TDDDG).

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address
  • Display name (if provided)
  • Authentication credentials (hashed; we never store plaintext passwords)

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — necessary to provide you with a user account and the Service.

3.2 Scan and Product Data

When you scan a barcode, we process:

  • The barcode number (EAN/UPC) to look up product information
  • The product information returned (ingredients, nutritional data, NOVA classification)

Your scan history is stored locally on your device by default. If you enable cloud sync, your scan history is stored on our servers so you can access it across devices.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for processing barcode lookups; consent (Art. 6(1)(a) GDPR) for cloud sync of scan history.

3.3 Camera Access

The app requires access to your device’s camera solely to scan barcodes. Camera data is processed in real time on your device and is not transmitted to our servers, stored, or recorded. Camera access is governed by your device’s operating system permissions, and you can revoke it at any time in your device settings.

3.4 Device and Usage Data

We automatically collect:

  • Device type, model, and operating system version
  • App version
  • Language and region settings
  • General usage patterns (features used, session duration, scan frequency)
  • Crash logs and performance diagnostics

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — to maintain, improve, and ensure the stability of the Service. Our legitimate interest is in providing a reliable, high-quality product. You can object to this processing at any time (see Section 7).

3.5 Website Server Logs

When you visit our website, our hosting provider automatically collects:

  • IP address (anonymized after 7 days)
  • Date and time of access
  • Requested URL and referrer URL
  • Browser type and version

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — necessary for the technical operation and security of the website.

3.6 Communication Data

If you contact us by email or through in-app support, we collect the content of your message, your email address, and any attachments you send. We use this data solely to respond to and resolve your inquiry.

Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR); legitimate interest (Art. 6(1)(f) GDPR).

4. How We Use Your Data

We use your personal data to:

  • Provide, operate, and maintain the Service
  • Process barcode scans and return product information
  • Manage your user account and authenticate access
  • Sync your data across devices (if you opt in)
  • Send essential service communications (e.g., security alerts, account verification)
  • Analyze usage patterns to improve functionality and user experience
  • Diagnose technical issues and prevent fraud or abuse
  • Comply with legal obligations

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data.

We may share data with the following categories of recipients, only to the extent necessary:

5.1 Hosting and Infrastructure Providers

Our servers and databases are hosted within the European Union. Our hosting providers process data on our behalf under data processing agreements (Art. 28 GDPR).

5.2 App Store Platforms

Apple (App Store) and Google (Play Store) may collect data independently when you download or purchase through their platforms. Their processing is governed by their own privacy policies.

5.3 Analytics Providers

We may use privacy-focused analytics tools to understand how the Service is used. Where analytics tools process personal data, they do so under data processing agreements, and we ensure that data is anonymized or pseudonymized wherever possible.

5.4 Product Data Sources

Product information displayed in the app may be sourced from third-party databases (e.g., Open Food Facts). When you scan a barcode, the barcode number may be transmitted to these services to retrieve product data. No personal data beyond the barcode number is shared with these sources.

5.5 Legal Requirements

We may disclose your data if required to do so by law, court order, or in response to a lawful request by public authorities (e.g., to meet national security or law enforcement requirements).

6. International Data Transfers

We store and process your data within the European Economic Area (EEA). If any data transfer to a country outside the EEA becomes necessary (e.g., through a service provider), we will ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • An adequacy decision by the European Commission (Art. 45 GDPR)

You may request a copy of the applicable safeguards by contacting us.

7. Your Rights Under the GDPR

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR) — Obtain confirmation of whether we process your data and request a copy
  • Right to Rectification (Art. 16 GDPR) — Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17 GDPR) — Request deletion of your personal data (“right to be forgotten”)
  • Right to Restriction of Processing (Art. 18 GDPR) — Request that we limit how we use your data
  • Right to Data Portability (Art. 20 GDPR) — Receive your data in a structured, commonly used, machine-readable format
  • Right to Object (Art. 21 GDPR) — Object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to Withdraw Consent (Art. 7(3) GDPR) — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority (see Section 1).

8. Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected:

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion, unless legal retention obligations apply.
  • Cloud-synced scan history: Retained for the duration of your account. Deleted within 30 days of account deletion or upon withdrawal of sync consent.
  • Server logs: IP addresses anonymized after 7 days. Aggregated log data retained for up to 90 days.
  • Support correspondence: Retained for up to 3 years after resolution for quality assurance and legal purposes.
  • Legal retention: Where German commercial or tax law requires retention (e.g., §257 HGB, §147 AO), relevant data may be retained for up to 10 years.

Local scan history stored on your device is under your control and can be deleted at any time through the app settings.

9. Cookies and Tracking Technologies

Website: Our website may use cookies and similar technologies.

  • Strictly necessary cookies are required for the website to function and cannot be disabled.
  • Analytics cookies are only set with your explicit consent via our cookie consent banner.

You can manage or revoke your cookie preferences at any time through the cookie settings on our website or through your browser settings.

Mobile app: The Truvi app does not use cookies. Device identifiers may be used for analytics purposes as described in Section 3.4.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest
  • Regular security assessments
  • Access controls and authentication requirements for personnel
  • Secure development practices

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Children’s Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as soon as possible. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policies of any third-party service you access through the Service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the “Last updated” date at the top of this page and, where appropriate, by providing notice through the app or by email. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acknowledgment of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Dumke Ventures UG (haftungsbeschränkt)
Ebersprung
16321 Bernau bei Berlin
Germany

Email: [email protected]