Privacy Policy

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you use SupStaq. Personal data is any data that can be used to personally identify you.

Responsible Entity

Florian Gumpert Töpfergasse 41 74343 Sachsenheim Germany Email: datenschutz@supstaq.com

2. Hosting and Technical Infrastructure

Server Hosting

This website is hosted on a Virtual Private Server (VPS) by Hostinger International Ltd., Kaunas, Lithuania. The servers are located in the European Union.

When visiting the website, technical information is automatically stored in server log files that your browser transmits:

  • IP address (anonymized)
  • Browser type and version
  • Operating system used
  • Referrer URL
  • Time of server request

This data is not merged with other data sources. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the technical provision of the website).

Database and Authentication (Supabase)

For user management, authentication, and data storage, we use Supabase. Data is stored on servers in Frankfurt am Main (EU, aws-eu-central-1).

Supabase processes on our behalf:

  • Email address (for login and registration)
  • Password (stored encrypted, bcrypt hash)
  • Session tokens
  • Profile information you voluntarily provide

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).

Further information: Supabase Privacy Policy

SSL Encryption

This site uses SSL encryption (Let's Encrypt) for security reasons. You can recognize an encrypted connection when your browser's address bar changes from "http://" to "https://".

3. Data We Collect

3.1 Account Data (upon Registration)

When creating an account, we collect:

  • Email address (required, for login and communication)
  • Display name (optional, freely chosen)
  • Preferred language (German or English)
  • Unit preference (metric or imperial)

3.2 Profile Data (voluntary Information)

You can voluntarily store the following data in your profile:

  • Year of birth
  • Gender
  • Height and weight
  • Estimated body fat percentage
  • Skin type (Fitzpatrick scale)
  • Training experience
  • Health goals (e.g., muscle building, sleep optimization)
  • Dietary considerations
  • Pre-existing conditions and medications

Important note: Health data (pre-existing conditions, medications, blood values) constitutes special categories of personal data under Art. 9 GDPR. Processing is carried out exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR). You can revoke this consent at any time.

3.3 Blood Values

You can manually record laboratory values in your profile. This data is:

  • Stored exclusively in your personal account
  • Protected from access by other users through Row-Level Security (RLS)
  • Never shared with third parties
  • Not used for advertising purposes

Legal basis: Art. 9(2)(a) GDPR (explicit consent).

3.4 Stack Data

Your personal supplement compilation (stack) is stored in your account. This data is visible only to you.

3.5 Usage Data

We collect no usage data through tracking tools such as Google Analytics. We use no tracking cookies.

4. Use of Artificial Intelligence

SupStaq uses Artificial Intelligence (AI) in several areas. The following sections transparently explain which AI systems are used, what data is processed, and which legal bases apply.

4.1 AI-Powered Knowledge Base

The substance profiles in the knowledge base are partly created and maintained using AI systems:

  • AI systems used: Claude (Anthropic, USA), Gemini (Google, USA)
  • Purpose: Research, structuring, and summarization of scientific publications and community experience reports on supplements and peptides
  • Data processed: Exclusively publicly available scientific literature and community contributions. No personal user data is transmitted to AI systems for knowledge base creation.
  • Quality assurance: All AI-generated substance profiles undergo automated schema validation, source verification, and review pipeline. Results are reviewed by humans.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing high-quality information).

4.2 AI-Powered Recommendations and Analyses

SupStaq uses AI models to create personalized recommendations and analyses based on data you provide:

Currently available AI functions:

  • Goal-based blood value recommendations: Based on your health goals, the system recommends which laboratory values you should have tested. This recommendation is currently calculated deterministically (rule-based) and not transmitted to external AI services.
  • Interaction analysis: The check for interactions between substances in your stack is currently performed deterministically based on the knowledge base.

Planned AI functions (Premium):

  • AI stack analysis: Analysis of your stack for gaps, redundancies, and missing cofactors
  • AI blood value evaluation: Personalized substance recommendations based on your laboratory values
  • Personalized dose adjustment: Dosing recommendations considering your profile

Web research by AI (Premium / Premium+ / Admin):

For some AI functions, the AI system may perform a web search via Brave Search (Brave Software Inc., USA) when needed to supplement current scientific sources or public information. Only the search query formulated by the AI model is transmitted to Brave — no profile data, no blood values, no stack data, and no directly identifying information. The number of web searches per AI invocation is enforced server-side (3 for end-user features, 20 for the Admin Chat).

What data is processed for planned AI functions?

When activating Premium AI functions, the following data is transmitted to AI systems (Anthropic Claude):

  • Your health goals
  • Your blood values (if recorded)
  • Your stack composition and dosages
  • Your profile (age, gender, weight — anonymized, without email or name)

Expressly NOT transmitted:

  • Your name or email address
  • Your IP address
  • Other directly identifying characteristics

Transmission is encrypted (TLS) to Anthropic servers (USA). Anthropic processes API requests without permanent storage of content and does not use the data for training their models. Further information: Anthropic Privacy Policy

Legal basis: Art. 9(2)(a) GDPR (explicit consent for health data) in conjunction with Art. 6(1)(b) GDPR (contract fulfillment).

4.3 Third Country Transfer (USA)

The AI systems from Anthropic and Google are based in the USA. The web-research provider Brave Search (Brave Software Inc.) is also based in the USA. Data transfer is based on the EU-US Data Privacy Framework (Art. 45 GDPR), which the named companies have joined, as well as supplementary Standard Contractual Clauses (Art. 46(2)(c) GDPR).

4.4 Automated Decision-Making

AI-generated recommendations do not constitute an automated individual decision within the meaning of Art. 22 GDPR. All recommendations are non-binding information offers. The user makes all decisions (e.g., regarding substance intake) independently and at their own responsibility.

4.5 Right to Object to AI Processing

You can object to the processing of your data by AI systems at any time:

  • Premium AI functions can be deactivated at any time
  • Without Premium, no personal data is transmitted to AI services
  • The deterministic blood value recommendation and interaction check works without external AI

5. Cookies

Technically Necessary Cookies

SupStaq uses exclusively technically necessary cookies:

CookiePurposeDuration
supstaq.locale-prefStores your language preference (de/en)1 year
sb-* (Supabase)Authentication sessionSession duration

These cookies are required for the operation of the website. You can configure your browser to inform you about the setting of cookies. Disabling technically necessary cookies may limit website functionality.

We do not use marketing, analytics, or advertising cookies.

6. Email Communication

Transactional Emails

We send exclusively transactional emails (registration, password reset, magic link). Sending is handled through Supabase's integrated email service.

Marketing Emails

Marketing emails are only sent if you have explicitly consented in your profile. You can revoke this consent at any time in your profile settings.

7. Data Sharing with Third Parties

We do not share your personal data with third parties unless:

  • You have expressly consented (Art. 6(1)(a) GDPR)
  • Sharing is necessary for contract fulfillment (Art. 6(1)(b) GDPR)
  • There is a legal obligation (Art. 6(1)(c) GDPR)

Data Processors

The following service providers process data on our behalf:

Service ProviderPurposeLocationData Protection Framework
Supabase Inc.Database, AuthenticationEU (Frankfurt)GDPR, DPA
Hostinger International Ltd.Server HostingEU (Lithuania)GDPR
Anthropic PBCAI Analysis & Recommendations (Premium)USAEU-US DPF, SCCs
Google LLCAI Research (Knowledge Base)USAEU-US DPF, SCCs
Brave Software Inc.Web-search tool for AI modelsUSAEU-US DPF, SCCs

Data processing agreements pursuant to Art. 28 GDPR exist with all processors.

Affiliate / Advertising Links

If you enable product recommendations in your profile (disabled by default), SupStaq shows editorially selected product suggestions for individual substances. Some of these links are affiliate/advertising links (e.g. the Amazon Associates programme): if you click them and buy from the respective provider, we may receive a commission. This does not cost you anything extra – the price stays the same. Recommendations are made on quality alone, independently of this.

Clicks on such links are counted only anonymously and in aggregate (just the product's ID and the timestamp) to assess how useful the recommendations are. No personal data is stored and no cookies are set. The legal basis is our legitimate interest in reach measurement (Art. 6(1)(f) GDPR).

After clicking, you are forwarded to the respective provider's website, where their own privacy policy applies; the provider may set its own cookies and process data. We accept no responsibility for these external sites.

8. Data Security

We implement technical and organizational security measures:

  • SSL/TLS encryption of all data transmissions
  • Encrypted password storage (bcrypt)
  • Row-Level Security (RLS) at database level
  • Anonymization of personal data before AI processing
  • No permanent storage of user data by AI providers
  • Regular security updates
  • Access control at server level

9. Your Rights (GDPR)

You have the following rights regarding your personal data:

9.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation of whether personal data is being processed and to receive information about this data. This includes information about whether and which of your data is processed by AI systems.

9.2 Right to Rectification (Art. 16 GDPR)

You can request rectification of inaccurate data. You can edit your profile data at any time in your profile settings.

9.3 Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data. In SupStaq you can:

  • Delete your account yourself (Dashboard → Security → Delete Account)
  • This irreversibly deletes all your data (profile, blood values, stack)
  • No permanent user data is stored with AI providers, so separate deletion is not required

9.4 Right to Data Portability (Art. 20 GDPR)

You can export your data in a machine-readable format (JSON). This function is available under Dashboard → Security → Data Export.

9.5 Right to Restriction of Processing (Art. 18 GDPR)

You can request restriction of processing of your data, including processing by AI systems.

9.6 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your data insofar as processing is based on legitimate interest. This includes processing by AI systems.

9.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You can withdraw given consent at any time. The lawfulness of processing carried out before the withdrawal is not affected.

9.8 Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is the supervisory authority of your federal state or that of our company's registered office.

10. Storage Duration

Personal data is deleted once the purpose of storage ceases:

  • Account data: until account deletion by the user
  • Profile data: until modification or deletion by the user
  • Blood values: until deletion by the user or account deletion
  • AI processing data: no permanent storage by AI providers (only for the duration of request processing)
  • Server logs: maximum 30 days
  • Session data: until logout or session expiry

11. Minors

SupStaq is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors.

12. Changes to this Privacy Policy

We reserve the right to update this privacy policy to adapt it to changed legal situations or changes to the service. In case of significant changes, particularly regarding AI processing, registered users will be informed by email. The current version can always be found on this page.


Last updated: May 2026