Privacy Policy — SerahrUHU
1. Data Controller
Thorsten Ahrens
Zillestr. 75
51067 Köln
Germany
Phone: +49 174 6628053
Email: contact@serahr.de
VAT ID: DE363343172
Full provider details: Imprint
This privacy policy covers the free product SerahrUHU (weight-loss and nutrition helper).
1a. Data Protection Officer
We have not appointed a data protection officer. In our current assessment, there is no obligation to appoint one under Art. 37(1) GDPR: although processing health data is part of our activity, it is not carried out on a large scale within the meaning of Art. 37(1)(c) GDPR (cf. Recital 91) — SerahrUHU is a small, free tool without a large number of data subjects. The threshold of § 38 BDSG (at least 20 persons constantly engaged in automated processing) is likewise not met. Please send data protection enquiries to contact@serahr.de.
2. Health Data (Art. 9 GDPR)
SerahrUHU processes health data within the meaning of Art. 9 GDPR. Your weight, your body data (height, age, gender, activity level) and your nutrition and consumption entries are special categories of personal data and enjoy heightened protection.
The legal basis for processing this data is your explicit consent under Art. 9(2)(a) GDPR. We obtain this consent granularly when you create your account and store it in versioned form (with timestamp and accepted document version). Giving this consent is voluntary and follows from your own decision to use the service, which is provided free of charge; the health data is an integral part of the function you request (weight and nutrition tracking). You may withdraw this consent at any time with effect for the future (Art. 7(3) GDPR), either by deleting your account or informally by email to contact@serahr.de. Since SerahrUHU cannot reasonably be provided without processing this health data, a withdrawal leads to the termination of use; your account and the associated health data will subsequently be deleted. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Note: SerahrUHU is not a medical device and does not replace professional medical or nutritional advice. The processed values serve solely your personal self-tracking; they do not constitute a diagnosis or a treatment recommendation.
3. What Data We Process
| Data | Purpose | Category |
|---|---|---|
| Email address | Account creation, authentication, registration confirmation (double-opt-in) | Master data (Art. 6) |
| Weight entries | Trend curve, deficit calculation | Health data (Art. 9) |
| Body data (height, age, gender, activity level) | Basal metabolic rate estimation | Health data (Art. 9) |
| Food ratings | Personalized suggestions | Health data (Art. 9) |
| Nutrition diary / consumption logs | Calorie and nutrient tracking | Health data (Art. 9) |
| Self-created foods | Expansion of your personal catalog | Health data (Art. 9) |
| Weekly plan | Meal planning | Health data (Art. 9) |
| Completed daily tasks | Gamification, progress | Usage data |
All processed data is entered by you; we do not collect any data about you from third-party sources.
3a. Server Logs
- When the web application is accessed, our hosting provider (Vercel) stores standard HTTP access data by default (time, IP address, user-agent, referrer, requested URL).
- Legal basis: Art. 6(1)(f) GDPR (security, stability, abuse prevention).
- These server logs are stored only for as long as necessary for the stated purposes (security, stability, abuse prevention) and are then automatically deleted by the hosting provider; they are not systematically linked to your account data.
4. Legal Bases
- Art. 9(2)(a) GDPR — Explicit consent: processing of health data (weight, body data, nutrition and consumption entries).
- Art. 6(1)(b) GDPR — Contract performance: creation and management of your user account, authentication, provision of features.
- Art. 6(1)(f) GDPR — Legitimate interest: pseudonymous statistical reach measurement via Vercel Web Analytics (see section 7).
5. Retention and Deletion
Your data remains stored until you delete your account. Upon account deletion, your data is deleted from the production systems without undue delay — there is no 30-day grace period. Complete removal from technical backups occurs within the regular backup cycles of our processor. You can also export your data as a JSON file at any time (right to data portability, Art. 20 GDPR).
6. Processors and Sub-Processors
SerahrUHU is free of charge and uses neither a payment processor nor external AI services at runtime. The following processors are involved:
| Service Provider | Purpose | Location / Transfer |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage of health data | USA, data hosted in the EU region Ireland (eu-west-1); Standard Contractual Clauses (SCC) |
| Vercel, Inc. | Hosting of the web application | USA; SCC + EU-U.S. Data Privacy Framework (DPF) |
| Resend, Inc. | Transactional email; your email address is processed to send the registration / double-opt-in confirmation | USA; SCC + EU-U.S. Data Privacy Framework (DPF) |
SCC = Standard Contractual Clauses under Art. 46(2)(c) GDPR. DPF = EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023). Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.
7. Cookies and Tracking
SerahrUHU uses only the technically necessary session and authentication cookies (set by Supabase) that are required for login and session management. No consent is required for these (§ 25(2)(2) TDDDG).
Vercel Web Analytics (provider: Vercel Inc.) is active on our pages. It measures reach pseudonymously (including page views, referrer, approximate country of origin from the truncated IP, browser/device type). No cookies are set and no cross-device or cross-site tracking takes place; no access to terminal-device information within the meaning of § 25 TDDDG occurs. The legal basis is our legitimate interest in statistical reach measurement (Art. 6(1)(f) GDPR).
8. Your Rights
Under GDPR you have the following rights:
- Access (Art. 15) — what data is stored about you
- Rectification (Art. 16) — correction of inaccurate data
- Erasure (Art. 17) — deletion of your data
- Restriction (Art. 18) — restriction of processing
- Data portability (Art. 20) — release of your data in a machine-readable format (JSON export)
- Objection (Art. 21) — objection to processing
- Withdrawal of consent (Art. 7(3)) — withdrawal of consent to the processing of your health data with effect for the future
Please direct requests to contact@serahr.de.
8a. Automated Decision-Making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
9. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR. You may complain to any data protection supervisory authority; the authority competent for us is the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.
10. Changes
This privacy policy may be updated as needed. The current version is always available on this page.