Privacy Policy
Last updated: May 23, 2026
The German-language version of this privacy policy is the legally binding one.
Controller
Data Protection Officer
We are not legally required to appoint a Data Protection Officer. For any privacy matter please reach us at info@celsios.io.
Scope
This privacy policy informs you about the nature, scope and purposes of the processing of personal data ("data") in the context of using our application "CartWise" (website and web app, the "Service"). Terms used follow the EU General Data Protection Regulation (GDPR).
Categories of personal data processed
We process only the following categories of data:
- Account and authentication data: Email address, hashed password, session tokens. When signing in via third parties (Google, Apple): the profile information provided by them (typically email and unique user ID).
- Household data: Household name, invite code, a user's membership in a household and the date they joined.
- Shopping data: Recorded trips with start/end times and optional budget, plus line items (product name, price, category, short context, timestamp).
- Images for AI analysis: Photos of price tags that you take are sent to our AI service for analysis. We do not retain these images.
- Technical data: IP address, user agent and access timestamps, processed by our backend and hosting providers for security purposes.
- Local browser storage: Language preference and the backend authentication session. This data stays in your browser and is not shared with third parties.
Purposes and legal bases
We process your data for the following purposes:
- Providing and operating the Service, including account, household, trips, budget alerts and statistics — Art. 6(1)(b) GDPR (performance of a contract).
- Analysing price-tag photos via our AI service to detect product, price and category — Art. 6(1)(b) GDPR.
- Security, abuse prevention and platform operations (server logs, rate limits) — Art. 6(1)(f) GDPR (legitimate interest in secure operation).
- Compliance with legal obligations (e.g. commercial and tax retention) — Art. 6(1)(c) GDPR.
Recipients and processors
To deliver the Service we use the following processors and services. We have data processing agreements under Art. 28 GDPR with our processors.
- Backend & Hosting: Database, authentication and server-side logic (Lovable Cloud).
- AI service: Analysis of your price-tag photos using a model from Google's Gemini family.
- Login providers: Google and Apple — only when you actively choose this sign-in option.
Beyond this we do not share personal data with third parties. There is no advertising use, no third-party tracking and no profiling for advertising purposes.
International data transfers
Some of the providers listed (in particular Google and Apple) also process data in third countries outside the EU/EEA. Transfers take place on the basis of appropriate safeguards under Art. 46 GDPR, in particular the EU Commission's Standard Contractual Clauses and — where applicable — the EU-US Data Privacy Framework.
Retention period
We retain your data only as long as necessary for the purposes above, at most until your account is deleted. Shopping and household data are removed when the account is deleted. Images sent for AI analysis are not persistently stored by us. Statutory retention obligations (in particular § 257 HGB, § 147 AO) remain unaffected.
Cookies and local storage
We do not use cookies or storage mechanisms for tracking, advertising or audience measurement. Only strictly necessary information is stored in your browser (language preference and authentication session). It is essential to operating the Service (§ 25(2)(2) TDDDG) and does not require consent.
AI-based image analysis
When you photograph a price tag, the image is sent to an AI service (a Gemini model from Google) for analysis. The result of the analysis is the product name, price, category and a short context text. Please only photograph price tags and avoid capturing people or other identifying content.
There is no automated individual decision-making, including profiling within the meaning of Art. 22 GDPR, that produces legal effects concerning you or similarly significantly affects you.
Your rights as a data subject
Under the GDPR you have in particular the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority — for us the Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany.
An informal email to info@celsios.io is sufficient to exercise your rights.
Account deletion
You can have your account and the associated personal data deleted at any time. Please send a short email to info@celsios.io. We will confirm deletion within a reasonable period.
Changes to this privacy policy
We reserve the right to adapt this privacy policy to reflect changes in the law or in the Service. The current version is always available on this page. Last updated: May 23, 2026.