Your health data is personal. Here's how we handle it.
CoreTrak ("we", "our", "us") operates the CoreTrak application available at app.coretrak.fit and on the Google Play Store. This Privacy Policy explains what data we collect, why we collect it, how it is processed, and your rights regarding that data.
By using CoreTrak, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the application.
When you create an account, we collect your email address, display name, and date of birth. Your email and name are used for authentication and personalisation. Your date of birth is used for age-based health calculations including the Functional Age feature.
CoreTrak collects the following health data that you voluntarily enter:
This data is stored securely in Firebase (Google Cloud) and is associated with your authenticated user account.
When you use the nutrition label scanning feature, images captured by your device camera are sent to our backend server for processing via OpenAI's API. These images are used solely to extract nutritional information. Images are not stored on our servers after processing is complete. See Section 3 for details on OpenAI's data handling.
Subscription payments are processed by Stripe. CoreTrak does not directly collect, store, or have access to your full credit card number. Stripe provides us with limited information including your subscription status, payment method type, and billing history. See Section 3 for details on Stripe's data handling.
We automatically collect technical data to maintain application stability, including crash logs, error reports, and general usage analytics. This data does not include your health information.
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email, name | Authentication, account management, personalisation | Contract performance |
| Date of birth | Age-based health calculations (Functional Age) | Consent / Contract |
| Health & fitness data | Core app functionality: tracking, analysis, coaching | Consent / Contract |
| Camera images (OCR) | Extracting nutrition information from labels | Consent |
| Payment data | Subscription management and billing | Contract performance |
| Crash logs, usage data | App stability, bug fixing, performance improvement | Legitimate interest |
We do not sell your personal data. We do not use your health data for advertising. We do not share your data with third parties for their own marketing purposes.
We use the following third-party services to operate CoreTrak. These services process data on our behalf and are bound by their own privacy policies:
| Service | Provider | Data Processed | Purpose |
|---|---|---|---|
| Firebase Auth & Firestore | Google LLC | Account data, health & fitness data | Authentication, data storage |
| Stripe | Stripe Inc. | Payment and billing info | Subscription payments |
| OpenAI API | OpenAI LLC | Nutrition label images (transient) | OCR and AI parsing |
| Sentry | Functional Software Inc. | Crash logs, error reports | Error tracking, stability |
| Vercel | Vercel Inc. | HTTP request logs | App hosting |
| Railway | Railway Corp. | Server-side request data | Backend API hosting |
OpenAI data handling: Images sent to OpenAI's API for nutrition label processing are handled according to OpenAI's API data usage policy. Data submitted through OpenAI's API is not used to train their models. Images are not stored by CoreTrak after processing is complete.
All data is encrypted in transit using HTTPS/TLS. Your health and fitness data is stored in Firebase (Google Cloud infrastructure) which provides encryption at rest. We use Firebase Authentication for secure account management with industry-standard practices.
While we implement reasonable security measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
Your health and fitness data is retained for as long as your account is active. If you delete your account, all associated data will be permanently deleted from our systems within 30 days. Anonymised, aggregated data that cannot be linked back to you may be retained for analytical purposes.
Crash logs and error reports in Sentry are retained for 90 days. Stripe retains payment records as required by financial regulations.
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us using the details in Section 10 below. We will respond within 30 days.
CoreTrak is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that data promptly. The minimum age rating for CoreTrak on the Google Play Store is 13+.
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our third-party processors (Firebase/Google, Stripe, OpenAI, Sentry, Vercel, Railway) operate. These transfers are necessary to provide the service and are covered by the processors' own data protection agreements.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of CoreTrak after changes are posted constitutes acceptance of the updated policy. For material changes, we will provide notice within the application.