# Quoko — Privacy Policy (English summary)

_Last updated: 2026-07-14. The authoritative German version, including the legally required details, is at [quoko.app/legal.html](https://quoko.app/legal.html#datenschutz)._

Quoko is a personal nutrition journal. It is **local-first**: your journal lives on your device. This policy explains exactly what data exists, where it goes, and why.

## What stays on your device
Your meals & photo thumbnails, weight log, water, goals, profile, learning corrections, settings, and any AI API key you add are stored in your browser's local storage. Without an AI analysis or sign-in, none of it leaves your device. There are **no analytics, no ads, no trackers, no marketing emails** — which is also why there is no cookie banner: we only use storage that is strictly necessary to run the app.

## AI analysis (health-related data — your explicit consent)
When you analyze a photo or describe a meal, the photo/text is sent **through our server (api.quoko.app, a Cloudflare Worker) to Anthropic (USA)** to estimate nutrition. Optional AI features (weekly report, food chat) send aggregated journal data the same way. Because food and weight data can indicate health, Quoko asks for your **explicit consent before the first AI analysis**; you can withdraw it anytime in Settings, which stops all AI features.
- Photos are passed through for the single analysis and are **not stored by us**.
- Anthropic processes requests under its Commercial Terms; API inputs are not used to train models. Anthropic is certified under the **EU-U.S. Data Privacy Framework**.
- If you use your own Google Gemini key instead, requests go directly from your device to Google under Google's terms.
- Tip: photograph your food, not people.

## Our server's protective bookkeeping
To prevent abuse and cap AI costs, api.quoko.app keeps in Cloudflare KV: per-IP daily counters (deleted after ~25 h), a used-free-analysis flag per user id, premium entitlements (until expiry), and promo-code redemption records (90 days). Legal basis: legitimate interest (abuse prevention). Hosting by Cloudflare (DPF-certified) produces ordinary connection logs.

## Sign-in (optional)
You can use Quoko without an account. If you sign in with Google/Apple, **Firebase Authentication** processes your email, name and profile photo. Our server only ever sees your anonymous user id via a signed token — never your email. Google's scripts load **only when you start signing in** (or are already signed in), not for anonymous visitors. Cloud sync, once active, stores your journal in your private record readable only by you; API keys are never synced.

## Barcode & food search
Barcode numbers or typed search terms (never photos) go to **Open Food Facts** to look up nutrition.

## Payments
Premium subscriptions are processed by **Stripe** (DPF-certified). We receive your subscription status tied to your user id, not your payment details. Cancel anytime: Settings → Legal → "Verträge hier kündigen" / manage subscription.

## Your rights & controls
GDPR gives you access, rectification, erasure, restriction, portability, objection, consent withdrawal, and the right to complain to a supervisory authority. In-app: **Settings → Data** offers full export (JSON) and full erase; signed-in users can delete their account and all synced data permanently.

## Children
Quoko is not directed at anyone under 16.

## Contact
**support@quoko.app** — controller identity and postal address: see the Impressum at [quoko.app/legal.html](https://quoko.app/legal.html#impressum).
