Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you use SupStaq. Personal data is any data that can be used to personally identify you.
Responsible Entity
KIkeriKI UG (haftungsbeschränkt) Töpfergasse 41 74343 Sachsenheim Germany Email: datenschutz@supstaq.com
2. Hosting and Technical Infrastructure
Server Hosting
This website is hosted on a Virtual Private Server (VPS) by Hostinger International Ltd., Kaunas, Lithuania. The servers are located in the European Union.
When visiting the website, technical information is automatically stored in server log files that your browser transmits:
- IP address (anonymized)
- Browser type and version
- Operating system used
- Referrer URL
- Time of server request
This data is not merged with other data sources. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the technical provision of the website).
Database and Authentication (Supabase)
For user management, authentication, and data storage, we use Supabase. Data is stored on servers in Frankfurt am Main (EU, aws-eu-central-1).
Supabase processes on our behalf:
- Email address (for login and registration)
- Password (stored only as a salted bcrypt hash; the plaintext password is never stored)
- Session tokens
- Profile information you voluntarily provide
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).
Further information: Supabase Privacy Policy
TLS Encryption
This site uses TLS encryption (HTTPS, with certificates issued by Let's Encrypt) for all connections. You can recognize an encrypted connection by the "https://" prefix and the lock symbol in your browser's address bar.
3. Data We Collect
3.1 Account Data (upon Registration)
When creating an account, we collect:
- Email address (required, for login and communication)
- Display name (optional, freely chosen)
- Preferred language (German or English)
- Unit preference (metric or imperial)
3.2 Profile Data (voluntary Information)
You can voluntarily store the following data in your profile:
- Year of birth
- Gender
- Height and weight
- Estimated body fat percentage
- Skin type (Fitzpatrick scale)
- Training experience
- Health goals (e.g., muscle building, sleep optimization)
- Dietary considerations
- Pre-existing conditions and medications
Important note: Health data (pre-existing conditions, medications, blood values) constitutes special categories of personal data under Art. 9 GDPR. Processing is carried out exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR). You can revoke this consent at any time.
3.3 Blood Values
You can manually record laboratory values in your profile. This data is:
- Stored exclusively in your personal account
- Protected from access by other users through Row-Level Security (RLS)
- Never shared with third parties
- Not used for advertising purposes
Legal basis: Art. 9(2)(a) GDPR (explicit consent).
3.4 Stack Data
Your personal supplement compilation (stack) is stored in your account. This data is visible only to you.
3.5 Usage Data
We collect no usage data through tracking tools such as Google Analytics. We use no tracking cookies.
4. Use of Artificial Intelligence
SupStaq uses Artificial Intelligence (AI) in several areas. The following sections transparently explain which AI systems are used, what data is processed, and which legal bases apply.
4.1 AI-Powered Knowledge Base
The substance profiles in the knowledge base are partly created and maintained using AI systems:
- AI systems used: Claude (Anthropic, USA), Gemini (Google, USA)
- Purpose: Research, structuring, and summarization of scientific publications and community experience reports on supplements and peptides
- Data processed: Exclusively publicly available scientific literature and community contributions. No personal user data is transmitted to AI systems for knowledge base creation.
- Quality assurance: All AI-generated substance profiles pass through automated schema validation, source verification, and a review pipeline. Results are reviewed by humans before publication.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing high-quality information).
4.2 AI-Powered Recommendations and Analyses
SupStaq uses AI models to create personalized recommendations and analyses based on data you provide:
Currently available AI functions:
- Goal-based blood value recommendations: Based on your health goals, the system recommends which laboratory values you should have tested. This recommendation is currently calculated deterministically (rule-based) and not transmitted to external AI services.
- Interaction analysis: The check for interactions between substances in your stack is currently performed deterministically based on the knowledge base.
Planned AI functions (Premium):
- AI stack analysis: Analysis of your stack for gaps, redundancies, and missing cofactors
- AI blood value evaluation: Personalized substance recommendations based on your laboratory values
- Personalized dose adjustment: Dosing recommendations considering your profile
What data is processed for planned AI functions?
When activating Premium AI functions, the following data is transmitted to AI systems (Anthropic Claude):
- Your health goals
- Your blood values (if recorded)
- Your stack composition and dosages
- Your profile (age, gender, weight), without your email address or name
Expressly NOT transmitted:
- Your name or email address
- Your IP address
- Other directly identifying characteristics
Transmission is encrypted (TLS) to Anthropic servers (USA). Anthropic processes API requests without permanent storage of content and does not use the data for training their models. Further information: Anthropic Privacy Policy
Legal basis: Art. 9(2)(a) GDPR (explicit consent for health data) in conjunction with Art. 6(1)(b) GDPR (contract fulfillment).
4.3 Third Country Transfer (USA)
The AI systems from Anthropic and Google are based in the USA. Data transfer is based on the EU-US Data Privacy Framework (Art. 45 GDPR), which both companies have joined, as well as supplementary Standard Contractual Clauses (Art. 46(2)(c) GDPR).
4.4 Automated Decision-Making
AI-generated recommendations do not constitute an automated individual decision within the meaning of Art. 22 GDPR. All recommendations are non-binding information offers. The user makes all decisions (e.g., regarding substance intake) independently and at their own responsibility.
4.5 Right to Object to AI Processing
You can object to the processing of your data by AI systems at any time:
- Premium AI functions can be deactivated at any time
- Without Premium, no personal data is transmitted to AI services
- The deterministic blood value recommendation and interaction check work without external AI
5. Cookies
Technically Necessary Cookies
SupStaq uses exclusively technically necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| supstaq.locale-pref | Stores your language preference (de/en) | 1 year |
| sb-* (Supabase) | Authentication session | Session duration |
These cookies are required for the operation of the website. You can configure your browser to notify you when cookies are set. Disabling technically necessary cookies may limit website functionality.
We do not use marketing, analytics, or advertising cookies.
6. Email Communication
Transactional Emails
We send exclusively transactional emails (registration, password reset, magic link). Sending is handled through Supabase's integrated email service.
Marketing Emails
Marketing emails are only sent if you have explicitly consented in your profile. You can revoke this consent at any time in your profile settings.
7. Data Sharing with Third Parties
We do not share your personal data with third parties unless:
- You have expressly consented (Art. 6(1)(a) GDPR)
- Sharing is necessary for contract fulfillment (Art. 6(1)(b) GDPR)
- There is a legal obligation (Art. 6(1)(c) GDPR)
Data Processors
The following service providers process data on our behalf:
| Service Provider | Purpose | Location | Data Protection Framework |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Frankfurt) | GDPR, DPA |
| Hostinger International Ltd. | Server Hosting | EU (Lithuania) | GDPR |
| Anthropic PBC | AI Analysis & Recommendations (Premium) | USA | EU-US DPF, SCCs |
| Google LLC | AI Research (Knowledge Base) | USA | EU-US DPF, SCCs |
Data processing agreements pursuant to Art. 28 GDPR exist with all processors.
8. Data Security
We implement technical and organizational security measures:
- TLS encryption of all data transmissions
- Password storage as salted bcrypt hashes (no plaintext passwords)
- Row-Level Security (RLS) at database level
- Removal of directly identifying data (name, email address, IP address) before AI processing
- No permanent storage of user data by AI providers
- Regular security updates
- Access control at server level
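Sections 3.3 and 8 state that blood values are isolated per user through Row-Level Security. The following is an added illustrative example of what such a setup looks like in Postgres as used by Supabase; it is not SupStaq's actual schema, and the table name `blood_values`, its columns and the policy names are assumptions. `auth.uid()` and the `authenticated` role are Supabase's built-in helper and role.

```sql
-- Illustrative Postgres/Supabase row-level security setup for a per-user
-- "blood_values" table. Added example for this page, not SupStaq's code;
-- table and column names are assumptions.

create table if not exists public.blood_values (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  marker      text not null,          -- e.g. 'ferritin'
  value       numeric not null,
  unit        text not null,
  measured_at date not null,
  created_at  timestamptz not null default now()
);

-- 1. Without this statement no policy is evaluated and every row is
--    readable through the API with the public (anon) key.
alter table public.blood_values enable row level security;

-- 2. One policy per operation; each binds the row to the calling user.
--    auth.uid() returns the subject of the caller's Supabase JWT.
create policy "blood_values_select_own"
  on public.blood_values for select
  to authenticated
  using (user_id = auth.uid());

create policy "blood_values_insert_own"
  on public.blood_values for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "blood_values_update_own"
  on public.blood_values for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "blood_values_delete_own"
  on public.blood_values for delete
  to authenticated
  using (user_id = auth.uid());

-- 3. Review check: list tables in the public schema that still have RLS
--    disabled. For a correctly configured project this returns no rows.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

Two caveats a reviewer would check: the `service_role` key bypasses RLS entirely, so it must only be used in server-side code that scopes its own queries, never in the browser; and `on delete cascade` from `auth.users` is what makes "deleting the account deletes the blood values" hold at the database level rather than relying on application code.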
9. Your Rights (GDPR)
You have the following rights regarding your personal data:
9.1 Right of Access (Art. 15 GDPR)
You have the right to request confirmation of whether personal data is being processed and to receive information about this data. This includes information about whether and which of your data is processed by AI systems.
9.2 Right to Rectification (Art. 16 GDPR)
You can request rectification of inaccurate data. You can edit your profile data at any time in your profile settings.
9.3 Right to Erasure (Art. 17 GDPR)
You can request deletion of your personal data. In SupStaq you can:
- Delete your account yourself (Dashboard → Security → Delete Account)
- This irreversibly deletes all your data (profile, blood values, stack)
- No permanent user data is stored with AI providers, so separate deletion is not required
9.4 Right to Data Portability (Art. 20 GDPR)
You can export your data in a machine-readable format (JSON). This function is available under Dashboard → Security → Data Export.
9.5 Right to Restriction of Processing (Art. 18 GDPR)
You can request restriction of processing of your data, including processing by AI systems.
9.6 Right to Object (Art. 21 GDPR)
You have the right to object to the processing of your data insofar as processing is based on legitimate interest. This includes processing by AI systems.
9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
You can withdraw given consent at any time. The lawfulness of processing carried out before the withdrawal is not affected.
9.8 Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is the supervisory authority of your federal state or that of our company's registered office.
10. Storage Duration
Personal data is deleted once the purpose of storage ceases:
- Account data: until account deletion by the user
- Profile data: until modification or deletion by the user
- Blood values: until deletion by the user or account deletion
- AI processing data: no permanent storage by AI providers (only for the duration of request processing)
- Server logs: maximum 30 days
- Session data: until logout or session expiry
11. Minors
SupStaq is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors.
12. Changes to this Privacy Policy
We reserve the right to update this privacy policy to adapt it to changed legal situations or changes to the service. In case of significant changes, particularly regarding AI processing, registered users will be informed by email. The current version can always be found on this page.
Last updated: May 2026