Privacy Policy
Last updated: March 2026
1. Controller
Ante Kristo
Franz-Albert-Str. 64
80999 Munich, Germany
Email: hello@smartace.app
2. Overview
ACE is a fitness and health app for iOS and Apple Watch. Your privacy is our top priority. This policy describes what data we collect, why, and how we protect it.
3. Data We Process
3.1 Health Data (Apple HealthKit)
With your explicit consent, ACE reads the following data from Apple HealthKit:
- Sleep (duration, stages, efficiency, bed/wake times)
- Heart Rate Variability (HRV/RMSSD)
- Resting Heart Rate
- Heart rate samples
- Steps, active calories, exercise minutes
- Workouts (type, duration, distance, heart rate zones)
This data is processed locally on your device and additionally transmitted in aggregated form to our backend server (see Section 4).
3.2 Nutrition Data
- Meal entries (text and/or photo)
- Macronutrients (calories, protein, carbohydrates, fat)
- Custom foods
3.3 Usage Data
- Habits and their completion status
- Workout plans and templates
- Chat messages with the AI coach
- Boost actions and their status
3.4 Photos
When using photo-based nutrition recognition, meal photos are transmitted to an external AI service (OpenAI) for analysis (see Section 5.1). Photos are not permanently stored on our servers.
3.5 Authentication
ACE uses anonymous authentication. We do not collect your email address, name, or password. Your account is identified by a randomly generated, anonymous user ID.
4. Backend and Data Storage
Supabase
We use Supabase (Supabase Inc.) as our backend service. The following data is stored:
- Aggregated daily metrics (sleep scores, recovery scores, HRV, resting heart rate, step count)
- Daily scores and readiness levels
- Nutrition entries
- Workout plans and workout data
- Habits
- Custom foods
Data is associated with your anonymous user ID. Supabase servers are located in the EU (Frankfurt, Germany).
Legal basis: Art. 6(1)(b) GDPR (performance of contract) for usage data; Art. 9(2)(a) GDPR (explicit consent) for health data.
5. Third-Party Services
5.1 OpenAI (Chat and Analysis)
ACE uses the OpenAI API for the AI coach chat and photo-based nutrition recognition. The following data is transmitted to OpenAI (OpenAI LLC, USA):
- Aggregated health metrics as context (scores, trends)
- Your chat messages
- For photo analysis: your meal photo
OpenAI processes this data according to their API usage policies. API data is not used by OpenAI to train their models.
Legal basis: Art. 6(1)(a) GDPR (consent), Art. 9(2)(a) GDPR (explicit consent) for health data.
5.2 Open Food Facts
For nutrition lookup from text input, ACE uses the Open Food Facts database (a non-profit project). Only the search term is transmitted; no personal data is sent.
5.3 Apple Push Notification Service (APNs)
ACE sends push notifications via Apple's APNs. A device-specific push token is transmitted to Apple for this purpose; it contains no personal data and is not linked to your identity by us.
6. Data Transfer to Third Countries
OpenAI is based in the USA. Data transfer is based on Art. 49(1)(a) GDPR (explicit consent). You are informed about this when first using the AI coach.
Supabase data remains in the EU (Frankfurt region).
7. Data Retention
- Health metrics: As long as your account exists
- Chat messages: Stored locally on your device, deleted when the app is uninstalled
- Photo analysis: Only for the duration of processing, no permanent storage
- Account deletion: All server-side data is completely removed
8. Your Rights (GDPR)
You have the following rights at any time:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent at any time with future effect
To exercise your rights, contact us at: hello@smartace.app
You also have the right to lodge a complaint with a data protection supervisory authority.
9. No Advertising, No Tracking
ACE uses:
- No advertising networks
- No analytics SDKs (no Google Analytics, no Firebase Analytics)
- No cross-device tracking
10. Data Security
- All data transfers between the app and our backend or third-party services are encrypted in transit (TLS/HTTPS)
- Our Supabase database enforces Row Level Security (RLS) policies: each user can only read and write rows associated with their own anonymous user ID
- Anonymous authentication minimizes the personal data we hold (no email address, name, or password)
- HealthKit data is primarily processed locally; only aggregated daily metrics leave your device (see Section 4)
11. Changes
We reserve the right to update this privacy policy. The current version is always available on this page. We will notify you of significant changes within the app.
12. Contact
For privacy-related questions:
Ante Kristo
Email: hello@smartace.app