Protein Cam

1. Who we are (data controller)

AllBlazing BV (trading as Protein Cam) is the data controller under the EU General Data Protection Regulation (GDPR) and the Dutch GDPR implementation (Algemene verordening gegevensbescherming, AVG).

Registered address: Buitenwatersloot 81, 2613 TB Delft, The Netherlands
KvK: 83648941 · VAT: NL862946670B01
Email: support@proteincam.com

We have not appointed a Data Protection Officer. For privacy questions or to exercise your rights, contact us at the email above.

2. Scope

This policy applies to visitors and registered users of Protein Cam, including free scans, Pro subscriptions, account features (history, friends leaderboard), and support communications.

By using the service you acknowledge this policy. Where we rely on consent (e.g. analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

3. Personal data we process

  • Account data (if you register): email address, display name, Auth0 user identifier, password (held by our identity provider, not stored by us in plain text).
  • Meal photos you upload for analysis: processed in memory on our servers for inference; not stored on our servers by default after the request completes.
  • Analysis results: food classification, estimated portion, protein grams, confidence, and related metadata generated by our systems.
  • Usage & device data: IP address (for rate limiting and abuse prevention), browser type, request timestamps, coarse usage counters (e.g. daily scan quotas).
  • Payment data (Pro): processed by Stripe; we receive subscription status, customer email, and Stripe identifiers — not full card numbers.
  • Local/browser data: preferences (goals, meal history, consent choices) stored in your browser unless you use synced account features backed by our infrastructure.
  • Communications: emails you send us, newsletter sign-ups, and transactional emails (welcome, password reset, fraud alerts).

4. Purposes and legal bases (GDPR Art. 6)

  • Provide the service (contract / pre-contractual steps): meal analysis, accounts, Pro features, customer support.
  • Security & abuse prevention (legitimate interests): rate limits, fraud monitoring, protecting our infrastructure and users.
  • Payments & billing (contract / legal obligation): Pro subscriptions, tax and accounting records.
  • Analytics (consent, where required): Google Analytics 4 only if you accept analytics cookies via our banner.
  • Marketing (consent): newsletter emails only where you have opted in.
  • Legal compliance (legal obligation): responding to lawful requests, dispute records.

Where we rely on legitimate interests, you may object (see section 11). We balance our interests against your rights and implement data minimisation by default (e.g. ephemeral photo processing).

5. AI processing (EU AI Act transparency)

Protein Cam uses automated systems, including third-party vision models, to estimate food type and portion size. A deterministic nutrition layer converts those estimates into protein grams. Outputs include a confidence indicator where available.

Nature of the system: This is a consumer wellness/information tool. It is not medical advice, is not a high-risk AI system under the EU AI Act, and is not used for decisions with legal or similarly significant effects on you.

Limitations: Estimates may be wrong. Do not rely on outputs for medical, dietary, or allergy-critical decisions without independent verification.

Human oversight: You remain in control — you can correct portions, add sides, and override results. Contact us if you believe an output is systematically biased or harmful.

Photos sent for analysis are transmitted to our AI subprocessors solely to perform the requested inference for the duration of processing.

6. Cookies and similar technologies

Strictly necessary cookies/session tokens are used for authentication and security. Analytics cookies (GA4) are set only after you consent via our cookie banner. You can change preferences anytime via “Cookie settings” in the footer.

See also our Terms of Service for service rules.

7. Recipients and subprocessors

We use trusted providers who process data on our instructions:

  • Auth0 (Okta) — authentication, password reset (EU/US; SCCs where applicable)
  • OpenAI — vision inference for meal photos (may involve transfers outside the EEA; safeguards per provider terms)
  • Stripe — payments (PCI-DSS; may process outside EEA with appropriate safeguards)
  • Upstash — Redis storage for Pro status, quotas, friends features (cloud region per configuration)
  • Netlify — hosting and serverless execution
  • Email provider (SMTP) — transactional email delivery
  • Google — Analytics 4 (only with consent)

We do not sell your personal data. We do not permit subprocessors to use your data for their own marketing.

8. International transfers

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms offered by our providers. Copies of relevant safeguards may be requested by email.

9. Retention

  • Meal photos: not retained on our servers after processing (ephemeral).
  • Account data: until you delete your account or ask us to delete it, plus a short backup window.
  • Pro/subscription records: for the subscription term and as required for tax/accounting (typically up to 7 years).
  • Security logs: limited retention (e.g. 30–90 days) unless needed for incident investigation.
  • Local browser data: controlled by you via browser settings.

10. Security

We use HTTPS, access controls, environment-isolated secrets, rate limiting, and least-privilege practices. No method of transmission or storage is 100% secure; you use the service at your own risk within these limitations.

11. Your rights

Under GDPR/AVG you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data (“right to be forgotten”) where applicable
  • Restrict or object to certain processing
  • Data portability (structured, commonly used format)
  • Withdraw consent (analytics/marketing)
  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local EU supervisory authority

To exercise your rights, email support@proteincam.com. We may need to verify your identity. We respond within one month unless an extension is permitted by law.

12. Children

Protein Cam is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.

13. Automated decision-making

We do not make solely automated decisions with legal or similarly significant effects. AI outputs are informational estimates you may accept, adjust, or ignore.

14. Changes

We may update this policy. Material changes will be posted on this page with a new effective date. Continued use after changes constitutes acceptance where permitted by law.

Effective 26 May 2026 · Previous version: 7 October 2025