Privacy Policy

Last updated: June 2026

1. Data Controller

The controller responsible for data processing in the Cravewatch app and on this website is:

Mert Agil (sole proprietor)
In der Tiefschley 2
41517 Grevenbroich
Germany

Email: support@cravewatch.de

2. Data We Process

When you use Cravewatch, we process the following data:

  • Account data: email address (provided by your Apple or Google account; with Apple optionally an anonymized relay address), username (freely chosen)
  • Usage data: your streak, saved craving moments, joker usage, emergency sessions
  • Social data: your friends list and your support circle (only if you use this feature)
  • Device data: push token (only if you allow notifications)
  • Technical data: anonymized crash reports on app errors (stack traces, device model, OS version)

3. Purpose of Processing

We process your data solely to provide the app's functionality — streak tracking, the joker system, emergency features, and the support circle. We do not sell data and we do not use it for advertising or profiling.

4. Legal Basis

Processing of your data is based on the following legal grounds:

  • Art. 6(1)(b) GDPR (performance of a contract): for providing the app's functionality, account management, and processing your Pro subscription.
  • Art. 6(1)(a) GDPR (consent): for push notifications and optional features you actively consent to.
  • Art. 6(1)(f) GDPR (legitimate interest): for processing technical error data via Sentry, to ensure the stability and security of the app.

5. Content with Potential Health Relevance

You can record content in Cravewatch that may allow inferences about your eating habits or personal well-being — such as craving moments, mood tags, or notes.

This data is processed solely to provide the features you use, stored in the EU region, and never used for advertising, profiling, or analytics purposes, nor sold to third parties. Content is only visible to you; we do not evaluate it automatically.

6. Storage Location & Data Processors

We use the following data processors:

  • Supabase (Supabase Inc., USA / EU region): backend for storing your account and usage data. A data processing agreement (DPA) under Art. 28 GDPR is in place. Data is stored in the EU region.
  • Apple (Apple Inc., USA) — "Sign in with Apple": when you sign in with your Apple ID, Apple handles authentication and provides us with a user ID and an email address. A transfer to the USA takes place on the basis of the EU Standard Contractual Clauses or other appropriate safeguards under Art. 46 GDPR. See Apple's Privacy Policy.
  • Google (Google LLC, USA) — "Continue with Google": when you sign in with your Google account, Google handles authentication and provides us with a user ID, your name, and your email address. A transfer to the USA takes place on the basis of the EU Standard Contractual Clauses or other appropriate safeguards under Art. 46 GDPR. See Google's Privacy Policy.
  • RevenueCat (RevenueCat Inc., USA): manages your Pro subscription. RevenueCat receives a pseudonymous user ID and processes purchase data. A DPA under Art. 28 GDPR is in place. Data transfer to the USA is based on the EU Standard Contractual Clauses.
  • Sentry (Functional Software, Inc., EU region Frankfurt): technical error logging. We use the EU region, so error data is processed exclusively in Germany. Only technical data is transmitted (stack traces, device model, OS version, anonymous user ID). No email addresses, names, or content are transmitted. See Sentry's Privacy Policy.
  • Expo Push Notification Service (Expo, USA): only when you allow push notifications. Only the push token and the notification text are transmitted. Data transfer to the USA is based on the EU Standard Contractual Clauses. See Expo's Privacy Policy.
  • Apple or Google (App Store / Play Store): process your payment data directly when you purchase a subscription — we do not receive your payment data.

7. Data Security

We take appropriate technical and organizational measures to protect personal data against loss, misuse, or unauthorized access. These include in particular transport encryption (TLS/HTTPS), access controls to the backend, regular security updates, and processing exclusively in the EU region where technically possible.

8. Retention Period

We store your data for as long as your account exists. After deletion of your account, personal data will be erased within 30 days, unless statutory retention obligations apply.

9. Your Rights

Under GDPR you have the right to:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)

To exercise these rights, simply write to us at support@cravewatch.de. We will respond to requests without undue delay and at the latest within one month of receipt.

10. Account Deletion

You can delete your account at any time — either directly in the app via "Profile → Delete account" or by emailing support@cravewatch.de.

11. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates GDPR. The competent authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (ldi.nrw.de).

12. Minors

Persons under 16 years of age require the consent of their legal guardians for the processing of their personal data in Cravewatch. We assume that this consent is in place when the account is set up.

13. Website

This website uses no tracking or analytics tools, no advertising cookies, and no non-essential cookies. Fonts are loaded locally from our own domain — there is no data transfer to third parties (e.g. Google Fonts). When the site is accessed, only the standard, technically necessary server log information (IP address, date/time, requested URL) is stored by our host to ensure operation of the website.

14. Changes to This Privacy Policy

We reserve the right to amend this privacy policy if the app's functionality or legal requirements change. The current version is always available at cravewatch.de/en/privacy.