Last updated: June 16, 2026
This privacy policy describes which data nope (the iOS app for logging meals and weight) processes, for what purpose and on what legal basis. It complements the general privacy policy for davedinapoli.de.
Dave Di Napoli
(Address: see imprint)
Email: info@davedinapoli.de
nope is a calorie and weight tracker. You set a goal weight; nope logs your meals — by voice or photo — and shows you whether you’re on track for your goal. The core data is created by your own input.
nope collects no advertising IDs, no analytics, no crash reporters and bundles no tracking SDKs. Your data is stored owner-isolated (Row Level Security) in an EU data center.
Sign-in uses Sign in with Apple. Apple provides an anonymized identifier; a real email address or name is only passed if you explicitly consent at login.
Core to the app are your start and goal weight, your weight history and your logged meals with estimated nutrition values (calories, protein, fat, carbohydrates) and timestamps. Some of this is health data within the meaning of Art. 9 GDPR; it is processed solely to calculate your budget and progress. All rows are strictly tied to your account via Row Level Security — nobody but you can read or write them.
With your permission, nope reads your body weight and active energy from Apple Health to calculate history and daily budget, and can write logged weight back. This data is not used for advertising and not shared with third parties, in line with Apple’s Health guidelines. You can revoke access at any time in iOS settings.
If you use voice input, your speech is converted to text on the device (Apple’s on-device speech recognition). No audio is transmitted to third parties; only the finished text is processed for meal recognition. On older iPhones without on-device AI this text (never audio) is transmitted to the AI service for analysis (see section 5). This cloud recognition is optional and happens only with your consent.
If you photograph a meal, the image is sent for recognition to an edge function operated by me, which calls an AI model for image recognition (see section 5). The photo is processed solely to recognize the food, is not used for advertising and is not stored permanently.
The paid cloud features (photo recognition and cloud recognition on devices without on-device AI) are bundled in the optional nope Plus subscription. The purchase is handled by Apple via in-app purchase; nope never sees payment data (e.g. card details) — it stays solely with Apple. To unlock the features, nope stores your entitlement status (active/expired, product, expiry date and an Apple-issued transaction identifier), linked to your account, in the Supabase instance named in section 5 (EU). Without this record it is not possible to verify whether a subscription is active.
Sign in with Apple is used for sign-in; HealthKit data comes from Apple Health. Apple is an independent controller in that respect. The optional nope Plus subscription is handled via Apple’s in-app purchase; Apple acts as the seller (merchant of record), remits VAT in particular, and processes payment data on its own responsibility.
Account, meals, weights and history are synced to a Supabase instance operated by me. Supabase is a processor within the meaning of Art. 28 GDPR; the data resides in an EU data center.
For photo recognition the captured image is transmitted to an AI service from OpenAI, which recognizes the food and estimates the nutrition values. On older iPhones without on-device AI, the text of your input (e.g. from voice input) is also transmitted to the same service for recognition. Each case may involve a transfer to the USA; OpenAI is a processor in that respect. Only the photo or text and the context needed for recognition are transmitted — no account data and no direct identifiers. This cloud recognition is optional and happens only after your explicit consent (Art. 49(1)(a) GDPR), which you can withdraw at any time; without it neither image nor text leaves your device for recognition.
Beyond that, no transfer to other third parties takes place — no ad networks, no analytics providers.
You have the following rights under GDPR:
Requests please to info@davedinapoli.de.
This policy may be updated when functionality changes or the legal situation evolves. The current version is always available at this URL; the date above shows its state.