TONGUE LENS – GLOBAL PRIVACY POLICY
Effective date: December 2024
This Privacy Policy explains in clear and transparent terms how Tongue Lens ("we", "our", "us") processes personal data when you use our mobile application. Tongue Lens is a wellness-oriented, non-medical app that provides lifestyle insights and daily self-care suggestions based on a visual tongue scan guided by traditional principles of Ayurveda and Traditional Chinese Medicine (TCM). Our app does not diagnose, treat, or prevent any medical condition and must not be used as a substitute for professional medical advice.
We are strongly committed to user privacy and have designed our system from the ground up according to strict principles of data minimization, local-only storage, zero cloud retention, and full transparency. Most of the personal data you generate within the app never leaves your device. Only one temporary image copy is sent to our external AI provider OpenAI for the purpose of generating your insights—and this copy is immediately deleted by OpenAI after the processing is completed. We do not receive, store, or access this image, nor any tongue images stored locally on your device.
This Privacy Policy applies globally, including the European Union (GDPR), the United States (including CCPA/CPRA), and all other regions in which the app is made available. If regional laws require different rights or disclosures, they are included within this document.
1. Data Controller and Contact Information
The data controller responsible for processing under this Privacy Policy is:
Mathias Gillitz (sole proprietor)
Bahnhofstraße 6b
84558 Kirchweidach
Germany
Email: support@tonguelens.com
Although the app is developed in collaboration with additional team members, only the sole proprietor listed above is legally the data controller according to the GDPR and other applicable privacy laws. None of the team members has technical access to your personal data, as the architecture is designed to ensure that all sensitive content remains stored locally on your device and is never uploaded to any servers under our control.
2. Overview of How the App Processes Data
Tongue Lens follows a privacy-first architecture. This means:
- Your tongue photos, insights history, score history, and onboarding answers are stored exclusively on your device.
- We cannot view, access, download, or process these images or data at any time.
- A single temporary base64-encoded copy of the selected image is sent to OpenAI solely for the purpose of generating your wellness insights. This copy is immediately deleted by OpenAI after processing (zero-retention).
- We use Supabase only to run a lightweight edge function hosted in us-east-1, which does not store or log personal data.
- We do not use Firebase, cloud databases, remote backups, or external storage for personal data.
- We do not sell, rent, or share personal data with advertisers, data brokers, or tracking companies.
- Analytics (PostHog) is optional and privacy-preserving; it is used only to understand general app usage patterns, never to track individuals or their tongue data.
This structure ensures that nearly all personal data processing happens locally on your phone, and only one isolated processing step happens temporarily through the OpenAI API.
3. Categories of Data We Process
3.1. Data stored entirely on your device (never sent to our servers)
All of the following categories are stored only on your device's secure app storage (iOS encrypted Documents folder or equivalent):
- Tongue photos taken for insights
- Your insights results (scores, interpretations, explanations)
- Onboarding information you choose to provide (e.g., age, gender, basic wellness indicators)
- Your scan history and past analyses
- Any daily recommendations linked to the insights
- Local app settings and preferences
We have no access to any of this data.
3.2. Temporary data sent to OpenAI (automated AI processing)
To generate your tongue insights, the app sends:
- One base64-encoded copy of the selected tongue photo
- A system prompt describing the insights format
- Optional non-identifiable context provided by you (e.g., age group or wellness categories, if relevant)
OpenAI receives this data only for the duration of the processing. According to OpenAI's published policies:
- Data is used only for generating the response
- Data is not stored for training
- Data is deleted immediately after processing (zero retention)
- They comply with GDPR and comparable data protection standards
We do not receive the temporary image sent to OpenAI. We only receive the generated text result that the AI returns to your device.
3.3. Non-personal technical data (minimal device data)
The following may be processed locally by your device or the OS:
- Device model and OS version
- App version
- Crash logs (if the OS provides them)
This data is not linked to your identity or tongue images and is not used for profiling.
3.4. Optional analytics (PostHog)
If activated, PostHog may collect:
- Screen visits
- Feature usage counts
- Anonymized events
We configure PostHog in a privacy-first mode:
- No tongue images
- No sensitive wellness data
- No exact IP addresses (IP anonymization enforced)
- No cross-app or cross-site tracking
- No advertising or remarketing
Users can opt out of analytics at any time.
4. Purpose and Legal Basis of Processing
4.1. Purpose of processing personal data
We process your data exclusively for:
- Generating your wellness-oriented tongue insights
- Displaying your score results
- Saving your insights history locally on your device
- Providing personalized daily suggestions based on your scan
- Enabling core app functionality (e.g., saving scans, viewing past results)
- Improving app performance and reliability (non-personal analytics only)
We do not use your data for:
- Medical diagnosis
- Medical treatment
- Advertising
- Profiling
- Automated decisions with legal effect
4.2. Legal basis under the GDPR
Because we operate globally, we rely on the following legal grounds:
Art. 6(1)(a) GDPR – Consent
Your explicit consent is required for:
- sending a temporary image copy to OpenAI
- optional analytics (PostHog)
Art. 6(1)(b) GDPR – Contractual necessity
Storing your scan history locally and running the core functionality of the app is necessary to provide the service.
Art. 6(1)(f) GDPR – Legitimate interests
Anonymous analytics to improve usability relies on our legitimate interest in maintaining and optimizing the app.
Art. 9(2)(a) GDPR – Explicit consent for sensitive data
Because your tongue image may reveal health-related information, your explicit consent is obtained before processing.
5. No Medical Purpose – Important Clarification
Tongue Lens is not a medical device and does not provide medical diagnoses, medical opinions, or treatments. All outputs are non-medical, wellness-oriented insights that relate to general well-being and traditional self-care philosophies.
The app:
- does not assess or detect diseases
- does not provide medical decision support
- cannot replace professional healthcare
- is intended solely for self-reflection and general lifestyle support
This section is essential for compliance with global medical-device laws, especially FDA (USA), MDR (EU), and related frameworks.
6. Data Storage and Retention
6.1. Local storage on your device
All personal data (images, onboarding answers, insights text, history) is stored only on your device in the private app Documents folder. iOS automatically encrypts this folder when the device is locked ("Data Protection – Complete Protection").
We do not—and technically cannot—access, transfer, store, or retrieve this data.
6.2. Temporary transfer to OpenAI
The temporary base64 copy sent to OpenAI exists only for the duration of the request and is deleted by OpenAI immediately after processing.
6.3. Your retention control
Because all data is stored locally:
- You can delete photos or insights history at any time
- You can reinstall the app to erase all data
- "Delete My Data" removes all local content instantly
7. Data Sharing
We do not sell, rent, trade, or share any personal data with:
- advertisers
- social media networks
- data brokers
- third-party marketers
- analytics companies (beyond optional anonymized PostHog events)
The only third party involved in processing is OpenAI, and only for the temporary purpose of generating your insights.
8. International Data Transfers
The only remote transfer is from your device to OpenAI's servers, which may be located in the United States or other jurisdictions. Because OpenAI operates under a zero-retention policy and complies with GDPR-level processing principles, this transfer is considered a standard processing operation with safeguarding measures.
Our Supabase edge function is hosted in us-east-1, but does not store or process any personal data.
9. Your Rights Under the GDPR (EU/EEA Users)
If you are located in the European Union or the European Economic Area, you have the following rights regarding your personal data:
Right of Access
You may request information about the personal data we process about you. Since nearly all data is stored locally on your device, we will instruct you how to access it directly on your phone.
Right to Rectification
You may correct inaccurate or incomplete data stored in the app. Most data can be edited directly inside the app.
Right to Erasure ("Right to be Forgotten")
Because all personal data is stored only on your device, the fastest and most complete erasure is performed by:
- using the "Delete My Data" function in the app, or
- deleting and reinstalling the app.
We do not possess any copies of your personal data.
Right to Restrict Processing
You may disable app features or analytics at any time. You may also choose not to perform any scans.
Right to Withdraw Consent
You may withdraw consent for processing or analytics at any time in the settings. This does not affect the lawfulness of processing prior to withdrawal.
Right to Data Portability
You may export your scan text results or history from your device if such a feature is available. Because the data is only stored locally, portability takes place directly on your phone.
Right to Lodge a Complaint
You may lodge a complaint with your local supervisory authority. A list of EU authorities can be found here:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
10. Rights of California and U.S. Users (CCPA/CPRA)
If you reside in California or other U.S. states with privacy legislation, you have the following rights:
Right to Know
You may request to know what categories of personal information are collected. This Privacy Policy openly states all categories.
Right to Delete
Because all data is stored on your device, deletion takes place instantly using the in-app "Delete My Data" feature.
Right to Opt-Out of Data Selling/Sharing
We do not sell or share personal data with third parties.
We do not use personal data for advertising.
No opt-out link is required because no selling/sharing occurs.
Right to Non-Discrimination
You will never be penalized or face reduced functionality for exercising privacy rights.
Right to Correct Data
Because your data is stored locally, corrections happen directly on your device.
Right to Limit Use of Sensitive Personal Information
We do not use sensitive personal information for secondary purposes.
Tongue images and wellness indicators are used only for direct processing inside the app.
11. Data Security and Technical Safeguards
We apply a multi-layer security approach designed to minimize risk and maximize user privacy.
11.1. On-Device Protection
- All personal data is stored in the app's private "Documents" folder.
- On iOS devices, this folder is automatically encrypted at rest using the device's hardware encryption.
- Data is only accessible when the device is unlocked.
11.2. Minimal Data Exposure
- No personal data is stored on our servers.
- Only one temporary image copy is sent to OpenAI for processing and immediately deleted by them.
- No raw photos or insights history leave the device.
11.3. Network Security
- Communication with OpenAI uses encrypted HTTPS/TLS connections.
- Supabase edge functions do not store or log personal data.
11.4. Internal Access Control
- We cannot access your tongue images.
- We cannot access your insights history.
- We cannot access onboarding answers.
The system architecture is designed so that we technically have zero access.
11.5. Analytics Safety
If PostHog is activated:
- IP addresses are anonymized
- No personal identifiers are stored
- No images or wellness data are collected
- Data is aggregated and used only to improve user experience
12. Children's Privacy
Tongue Lens is not intended for children under the age of 16.
We do not knowingly collect, store, or process personal data from children.
If we learn that a child under 16 has used the app without parental consent, we advise uninstalling the app to delete all locally stored data.
We do not have access to these data and cannot delete them remotely.
13. Third-Party Services
13.1. OpenAI (Insights Provider)
Used solely for automatic image processing.
- Zero retention (no training use)
- No saving, no profiling
- Immediate deletion of temporary copies
13.2. Supabase (Edge Function)
Used only to execute a stateless function.
- Hosted in us-east-1
- No storage, no logs containing personal data
- No tracking
13.3. PostHog (Optional Analytics)
Used only to see how users interact with non-sensitive parts of the app.
- No sensitive data
- No images
- No health or wellness indicators
- Can be disabled anytime
We do not use any third-party advertising, tracking networks, data brokers, or marketing SDKs.
14. Data Transfers Outside the EU
The only international transfer occurs when a temporary base64 copy of your tongue photo is sent to OpenAI for the sole purpose of generating your insights.
This transfer is protected by:
- encrypted HTTPS/TLS transport
- zero retention on the processor side
- explicit user consent
- GDPR-standard contractual arrangements provided by OpenAI
Because no other personal data leaves the device, no other data transfers occur.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted on our website and reflected by an updated "Effective Date."
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
If material changes occur, we will notify users within the app.
16. Contact
For any questions about this Privacy Policy or data protection at Tongue Lens, you may contact:
Data Controller:
Mathias Gillitz
Bahnhofstraße 6b
84558 Kirchweidach
Germany
Email: support@tonguelens.com