Privacy Policy — SerahrUHU
1. Data Controller
Thorsten Ahrens
Zillestr. 75
51067 Köln
Germany
Phone: +49 174 6628053
Email: contact@serahr.de
VAT ID: DE363343172
Full provider details: Imprint
This privacy policy covers the free product SerahrUHU (weight-loss and nutrition helper).
1a. Data Protection Officer
We have not appointed a data protection officer. In our current assessment, there is no obligation to appoint one under Art. 37(1) GDPR: although processing health data is part of our activity, it is not carried out on a large scale within the meaning of Art. 37(1)(c) GDPR (cf. Recital 91) — SerahrUHU is a small, free tool without a large number of data subjects. The threshold of § 38 BDSG (at least 20 persons constantly engaged in automated processing) is likewise not met. Please send data protection enquiries to contact@serahr.de.
2. Health Data (Art. 9 GDPR)
SerahrUHU processes health data within the meaning of Art. 9 GDPR. Your weight, your body data (height, age, gender, activity level) and your nutrition and consumption entries are special categories of personal data and enjoy heightened protection.
The legal basis for processing this data is your explicit consent under Art. 9(2)(a) GDPR. We obtain this consent granularly when you create your account and store it in versioned form (with timestamp and accepted document version). Giving this consent is voluntary and based on your free decision to use the free service; the health data is an integral part of the function you request (weight and nutrition tracking). You may withdraw this consent at any time with effect for the future (Art. 7(3) GDPR), either by deleting your account or informally by email to contact@serahr.de. Since SerahrUHU cannot reasonably be provided without processing this health data, a withdrawal leads to the termination of use; your account and the associated health data will subsequently be deleted. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Note: SerahrUHU is not a medical device and does not replace professional medical or nutritional advice. The processed values serve solely your personal self-tracking; they do not constitute a diagnosis or a treatment recommendation.
3. What Data We Process
| Data | Purpose | Category |
|---|---|---|
| Email address | Account creation, authentication, registration confirmation (double-opt-in) | Master data (Art. 6) |
| Weight entries | Trend curve, deficit calculation | Health data (Art. 9) |
| Body data (height, age, gender, activity level) | Basal metabolic rate estimation | Health data (Art. 9) |
| Food ratings | Personalized suggestions | Health data (Art. 9) |
| Nutrition diary / consumption logs | Calorie and nutrient tracking | Health data (Art. 9) |
| Self-created foods | Expansion of your personal catalog | Health data (Art. 9) |
| Weekly plan | Meal planning | Health data (Art. 9) |
| Completed daily tasks | Gamification, progress | Usage data |
| Push notification endpoint (device-specific) | Delivery of the reminders you enabled | Technical / usage data |
| Reminder settings (enabled types, time window, time zone) | Controlling the reminders | Usage data |
| Payment data (only for voluntary support) | Processing of a voluntary support payment (tip) you initiate, via Stripe; entered directly with Stripe — we do not store full payment data. Only relevant if you choose to support voluntarily. | Contract/payment data (Art. 6(1)(b)) |
All processed data is provided exclusively by you yourself; we do not collect any data from third-party sources.
3a. Server Logs
- When the web application is accessed, our hosting provider (Vercel) stores standard HTTP access data by default (time, IP address, user-agent, referrer, requested URL).
- Legal basis: Art. 6(1)(f) GDPR (security, stability, abuse prevention).
- These server logs are stored only for as long as necessary for the stated purposes (security, stability, abuse prevention) and are then automatically deleted by the hosting provider; they are not systematically linked to your account data.
3b. Push Notifications (Reminders)
If you wish, SerahrUHU can send you reminders (to weigh in, to drink, and a note if you have been below your basal metabolic rate for several days) as push notifications to your device. This feature is off by defaultand only becomes active if you enable it in your account and grant your device's notification permission.
When you enable it, we store a device-specific push endpoint (a delivery address generated by your browser) and your reminder settings (selected types, time window, time zone). The notification content is generated only at send time and is end-to-end encrypted (Web Push encryption); your browser's push delivery service merely relays it and cannot read it.
The legal basis is your consent (Art. 6(1)(a) GDPR), which you give by enabling the feature. You can turn the reminders off again at any time with effect for the future, or revoke the notification permission in your device/browser settings; the stored push endpoint is then deleted. Push reminders process no health data — only the technical endpoint and your settings are stored.
3c. Barcode Product Lookup (Open Food Facts)
On the “Food” and “Diary” pages you can optionally scan a product barcode (using your device camera) or enter the barcode number manually to import nutritional values automatically. When you trigger such a lookup, the barcode number is sent to the open food database Open Food Facts (operated by the non-profit Association Open Food Facts, France) to retrieve the matching product record.
This request runs server-side via us as an intermediary: Open Food Facts receives only the barcode number and our server's IP address — not your IP address and no personal data. A barcode number is not personal data. The lookup happens only on your active request (on-demand) and is not stored or analysed by us. The retrieved values are approximate/estimated values from a community database; they only become part of your data once you save or log the respective food yourself.
3d. Buddy Linking (sharing weight trend)
You can voluntarily link up with another SerahrUHU user (a “buddy”) to motivate each other. To do so you create a single-use invitation link; the other person must be logged in or create an account and explicitly confirm the link. Only then is the connection active.
While a connection is active, your buddy sees only your smoothed weight trend and your current weight — no individual measurements, no food diary and no body/profile data — and vice versa. As this is health data (Art. 9 GDPR), the sharing happens solely on the basis of your explicit consent, which you give when accepting the link. You can end the connection in your account at any time; afterwards neither side has access to the other's trend data.
4. Legal Bases
- Art. 9(2)(a) GDPR — Explicit consent: processing of health data (weight, body data, nutrition and consumption entries).
- Art. 6(1)(b) GDPR — Contract performance: creation and management of your user account, authentication, provision of features.
- Art. 6(1)(f) GDPR — Legitimate interest: pseudonymous statistical reach measurement via Vercel Web Analytics (see section 7).
- Art. 6(1)(a) GDPR — Consent: sending push reminders, if you enable them in your account (see section 3b).
- Art. 6(1)(b) / (f) GDPR — Provision of the barcode product lookup you actively trigger (see section 3c); no personal data is transmitted to Open Food Facts.
- Art. 9(2)(a) in conjunction with Art. 6(1)(a) GDPR — Explicit consent: sharing your smoothed weight trend with a buddy you confirmed (see section 3d), revocable at any time.
5. Retention and Deletion
Your data remains stored until you delete your account. Upon account deletion, your data is deleted from the production systems without undue delay — there is no 30-day grace period. Complete removal from technical backups occurs within the regular backup cycles of our processor. You can also export your data as a JSON file at any time (right to data portability, Art. 20 GDPR).
If you enabled push reminders, the associated push endpoint is deleted as soon as you turn the reminders off (or revoke the permission), at the latest upon account deletion.
6. Processors and Sub-Processors
SerahrUHU is free of charge and uses no external AI services at runtime; a payment processor (Stripe) is involved only when you voluntarily choose to support us (a tip). The following processors are involved:
| Service Provider | Purpose | Location / Transfer |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage of health data | USA, data hosted in the EU region Ireland (eu-west-1); Standard Contractual Clauses (SCC) |
| Vercel, Inc. | Hosting of the web application | USA; SCC + EU-U.S. Data Privacy Framework (DPF) |
| Resend, Inc. | Transactional email; your email address is processed to send the registration / double-opt-in confirmation | USA; SCC + EU-U.S. Data Privacy Framework (DPF) |
| Your browser's/device's push delivery service (e.g. Google LLC / Firebase Cloud Messaging on Chrome/Android, Mozilla on Firefox, Apple on Safari) | Delivery of the push reminders you enabled to your device; the message content is end-to-end encrypted and cannot be read by the service. Only relevant if you enable push reminders. | depending on the provider, possibly USA; SCC / DPF where applicable |
| Stripe Payments Europe, Ltd. | Payment processing solely for a voluntary support payment (tip) you initiate. You enter your payment details directly with Stripe; we only receive the payment confirmation and do not store full payment data. Only relevant if you choose to support voluntarily. | Ireland (EU); Standard Contractual Clauses (SCC) for any transfer to the USA |
SCC = Standard Contractual Clauses under Art. 46(2)(c) GDPR. DPF = EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023). Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.
7. Cookies and Tracking
SerahrUHU uses exclusively technically necessary session and authentication cookies (Supabase) required for login and session management. No consent is required for these (§ 25(2)(2) TDDDG).
Vercel Web Analytics (provider: Vercel Inc.) is active on our pages. It measures reach pseudonymously (including page views, referrer, approximate country of origin from the truncated IP, browser/device type). No cookies are set and no cross-device or cross-site tracking takes place; no access to terminal-device information within the meaning of § 25 TDDDG occurs. The legal basis is our legitimate interest in statistical reach measurement (Art. 6(1)(f) GDPR).
8. Your Rights
Under GDPR you have the following rights:
- Access (Art. 15) — what data is stored about you
- Rectification (Art. 16) — correction of inaccurate data
- Erasure (Art. 17) — deletion of your data
- Restriction (Art. 18) — restriction of processing
- Data portability (Art. 20) — release of your data in a machine-readable format (JSON export)
- Objection (Art. 21) — objection to processing
- Withdrawal of consent (Art. 7(3)) — withdrawal of consent to the processing of your health data with effect for the future
Please direct requests to contact@serahr.de.
8a. Automated Decision-Making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
9. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR. You may complain to any data protection supervisory authority; the authority competent for us is the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.
10. Changes
This privacy policy may be updated as needed. The current version is always available on this page.
Current version: Version 1.0.5, effective from 06/04/2026.
Previous Versions
- Version 1.0.0Valid: 05/30/2026 to 06/01/2026DE (PDF)EN (PDF)
- Version 1.0.1Valid: 06/01/2026 to 06/02/2026DE (PDF)EN (PDF)
- Version 1.0.2Valid: 06/02/2026 to 06/03/2026DE (PDF)EN (PDF)
- Version 1.0.3Valid: 06/03/2026 to 06/04/2026DE (PDF)EN (PDF)
- Version 1.0.4Valid: 06/04/2026 to 06/04/2026DE (PDF)EN (PDF)
- Version 1.0.5Valid: 06/04/2026 to todayDE (PDF)EN (PDF)