CafTrack Privacy Policy
Last updated: 23 June 2026
This Privacy Policy explains how FITN APP LTD ("we", "us", "our") collects, uses, stores and protects your personal data when you use the CafTrack mobile application and related services (the "Service").
CafTrack is owned and operated by FITN APP LTD. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
CafTrack is a 16+ product. If you are aged under 16 you must not use the app. We do not knowingly collect data from anyone under 16. If you believe a person under 16 has provided us with personal data, contact us immediately and we will delete it.
1. Data Controller
The Data Controller responsible for your personal data is:
FITN APP LTD
Company number: 15742758
24 Picton House, Hussar Court
Westside View, Waterlooville
PO7 7SQ, United Kingdom
Email: info@caftrackapp.com
2. Personal Data We Collect
2.1 Account & Profile Data
- Email address and password (encrypted)
- Display name (optional)
- Subscription tier (Free or Pro)
- App preferences (theme, daily target, cutoff time, notification settings)
2.2 Caffeine Intake Data
The core function of CafTrack is logging your caffeine consumption. We collect:
- Caffeine logs — drink or product, estimated caffeine content (mg), time of consumption, and input method used (barcode, AI vision, voice, type, or select)
- Your daily caffeine target (a personal performance goal you set yourself)
- Your cutoff time (a time of day you set yourself)
- Intake history, trends and streaks derived from your logs
Caffeine intake data relates to your lifestyle and consumption habits. We treat it with the same care as health data: encrypted in transit and at rest, and never sold or shared for marketing.
2.3 Health & Fitness Data (HealthKit / Health Connect)
With your explicit permission, CafTrack reads data from Apple HealthKit (iOS) or Google Health Connect (Android), which may include:
- Sleep duration and quality
- Resting heart rate and heart rate variability (HRV)
- Workout sessions (type, start time, duration) — used to deliver the workout gel prompt
This is special category data under UK GDPR. We process it only:
- with your explicit consent, given via the HealthKit / Health Connect permission flow;
- to personalise AI Strategist recommendations and time workout notifications;
- with encryption at rest and strict access controls.
You can revoke access at any time in your device's Health settings or in the CafTrack Profile tab. Revoking access stops future collection but does not affect processing carried out before withdrawal.
We never use HealthKit or Health Connect data for advertising, marketing, or data mining, and we never disclose it to advertisers or data brokers. This is also a strict requirement of Apple's and Google's platform policies, which we comply with fully.
2.4 AI Inputs (AI Strategist & AI Vision)
When you use the AI Strategist (Pro feature), we collect and process:
- Your chat messages to the AI Strategist
- Contextual data sent with each request — today's intake, your target, cutoff time, and (where permitted) recent sleep and heart rate data
- Images you submit through the AI Vision scan feature (processed to identify drinks and estimate caffeine content)
These inputs are processed in real time using third-party AI infrastructure (Anthropic). See Section 6.
2.5 Purchase & Subscription Data
- Subscription status, plan, trial status, and renewal dates (via RevenueCat)
- We never see or store your full payment card details — payment is handled entirely by Apple App Store or Google Play
2.6 Usage & Diagnostic Data
- Device information (model, operating system, app version)
- IP address (approximate location for security and aggregate analytics only)
- App interaction logs (features used, screens visited)
- Crash reports and diagnostic data
- Push notification tokens — an anonymous device token used solely to deliver the notifications you enable (such as cutoff warnings, gel prompts and daily reminders). It does not identify you personally and is processed via Expo. You can disable notifications at any time in the Profile tab or your device settings.
2.7 Advertising and Attribution Data
CafTrack does not display third-party advertisements inside the app. Promotional content shown in the app (such as CafTrack Pro upgrade cards) is our own and involves no third-party data processing.
We use the Meta (Facebook) software development kit (SDK) to measure the effectiveness of our own advertising — for example, to understand whether you installed or subscribed to CafTrack after seeing one of our adverts. This is known as attribution and measurement.
On iOS, this may involve the Identifier for Advertisers (IDFA) and is only enabled if you grant permission through Apple's App Tracking Transparency (ATT) prompt. If you decline, no advertising identifier is collected and no cross-app tracking takes place. You can change this choice at any time in your device's Settings → Privacy & Security → Tracking.
Where you consent, limited event data (such as app installs and subscription events) and the advertising identifier may be shared with Meta Platforms Ireland Limited for attribution and measurement only.
We never share your HealthKit / Health Connect data or your caffeine intake data with Meta or any other advertising provider.
3. How We Use Your Data
(a) To provide the Service — creating your account, authenticating logins, storing and displaying your caffeine logs, calculating intake vs target, applying your cutoff time, processing subscriptions and determining your access tier.
(b) To generate personalised AI Strategist recommendations — your intake data, targets, and (with consent) health data are processed by the AI Strategist to provide caffeine timing and performance recommendations. This is the primary purpose of the AI Strategist and is necessary to deliver that feature.
(c) To deliver notifications — cutoff warnings, gel prompts during detected workouts, and other service notifications you enable.
(d) For product analytics — we analyse aggregated, non-identifying data (feature usage, retention) to improve the Service.
(e) For advertising attribution — where you consent via App Tracking Transparency, to measure the effectiveness of our own advertising campaigns (see Section 2.7).
(f) For safety, security and legal compliance — to detect fraud, enforce our Terms & Conditions, respond to legal requests, and protect users.
(g) For service communications — transactional emails relating to your account (password resets, security alerts, subscription confirmations). These are not marketing.
We do not use your data to encourage excessive caffeine consumption. Your target is a goal you set yourself; CafTrack does not set or raise it for you.
4. Legal Bases for Processing
- Performance of a contract — providing the Service you signed up for (account, logging, dashboard, subscriptions, AI Strategist recommendations for your personal use).
- Consent — for processing HealthKit / Health Connect data (special category data), for optional notifications, and for advertising attribution using the advertising identifier where you grant permission via App Tracking Transparency.
- Legitimate interests — analytics, fraud prevention, and Service improvement, where these do not override your rights.
- Legal obligation — where we are required by law to retain or disclose data.
5. Special Category Data (Health Information)
Health data read from HealthKit or Health Connect is special category data under UK GDPR. We process it only:
- with your explicit consent, given at the point of collection;
- for the sole purposes of personalising AI Strategist recommendations and timing workout gel prompts;
- with additional security measures including encryption at rest and access restrictions.
You can withdraw consent at any time via your device Health settings or the Profile tab. Withdrawal does not affect processing carried out before withdrawal.
6. Confidentiality of AI Inputs
We treat your interactions with the AI Strategist as confidential:
- Your inputs are stored encrypted and accessible only by you and authorised CafTrack systems.
- We do not sell, share, or disclose your AI Strategist conversation content to third parties for marketing or any commercial purpose.
- We use third-party AI infrastructure (Anthropic) to process inputs in real time. Anthropic does not use API inputs to train its models by default, and we do not authorise such use.
- AI Vision images are processed to identify the drink and estimate caffeine content, then handled in line with Section 9 retention periods.
7. Third-Party Service Providers
We do not sell your personal data. We do not share your personal data with third parties for marketing purposes.
To deliver the Service, we use the following processors under written agreements:
- Supabase — authentication and database hosting
- Anthropic — AI processing for the AI Strategist and AI Vision scan
- RevenueCat — subscription management and entitlements
- Expo (EAS) — app builds, updates, and push notification delivery
- Meta Platforms Ireland Limited — advertising attribution and measurement, only where you consent via App Tracking Transparency (see Section 2.7)
- Apple App Store / Google Play — subscription billing and payment processing
- IONOS — transactional email delivery
We do not use any in-app advertising network. If one is introduced, it will be named here before any ad-serving data processing begins.
Each provider is contractually bound to protect your data and use it only for the purposes we instruct.
8. International Data Transfers
Some processors (notably Anthropic) are based outside the UK. Where data is transferred outside the UK, we rely on:
- UK adequacy regulations under Article 45 of UK GDPR, where available;
- Standard Contractual Clauses approved by the UK Information Commissioner;
- equivalent safeguards required by UK data protection law.
9. How Long We Keep Your Data
- Account data — retained while your account is active.
- Caffeine logs — detailed individual logs are retained for 30 days, after which they are purged; aggregated trends may be retained while your account is active.
- Health data & AI Strategist conversations — retained while your account is active. Deleted within 30 days of account closure.
- Usage and diagnostic logs — retained for up to 12 months.
- Subscription and payment records — retained for 7 years after the end of the relevant tax year, as required by UK law.
- Backups — routine backups are retained for up to 90 days after deletion of the underlying record.
10. Your Rights Under UK GDPR
You have the right to:
- access your personal data and obtain a copy;
- request correction of inaccurate data;
- request deletion of your data ("right to be forgotten");
- restrict or object to our processing of your data;
- withdraw any consent you have given, at any time;
- receive your data in a portable format and have it transferred to another controller;
- not be subject to fully automated decisions that produce legal or similarly significant effects on you;
- lodge a complaint with the UK Information Commissioner's Office (ICO).
To exercise any of these rights, contact us at info@caftrackapp.com. We will respond within one month, free of charge.
You can contact the ICO at https://ico.org.uk/make-a-complaint or 0303 123 1113.
11. Marketing
We never sell or share your data with third parties for their own marketing purposes.
If you opt in to marketing emails from CafTrack, you can opt out at any time by:
- emailing info@caftrackapp.com;
- clicking the "unsubscribe" link in any marketing email.
12. Cookies and Tracking
The CafTrack mobile app does not use traditional browser cookies. We use device identifiers and analytics SDKs to operate the Service and understand aggregated usage, as described in Section 2.6.
With your permission (given via Apple's App Tracking Transparency prompt on iOS), we use the advertising identifier (IDFA) for advertising attribution and measurement, as described in Section 2.7. If you do not grant permission, no advertising identifier is used and no cross-app tracking takes place.
13. Security
We implement appropriate technical and organisational measures to protect your data, including:
- encryption in transit (HTTPS/TLS) and at rest;
- hashed and salted passwords;
- access controls limiting access to personal data on a need-to-know basis;
- regular security reviews of our infrastructure and providers.
If we become aware of a personal data breach affecting your data, we will notify you and the ICO where legally required to do so.
14. Automated Decision-Making and AI
The AI Strategist generates personalised caffeine timing recommendations using automated processing of your inputs. These do not produce legal or similarly significant effects on you — they are recommendations, not decisions about your rights or entitlements, and not medical advice.
You can choose not to use the AI Strategist. You can also request a human review of any AI-generated content by contacting us.
15. Children
CafTrack is designed for adults and is rated 16+. We do not knowingly collect personal data from anyone under 16. Caffeine consumption guidance for adolescents differs significantly from adults, and CafTrack is not designed or calibrated for users under 16. If we learn that we have collected data from a person under 16, we will delete it promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the latest revision. Where changes are material, we will notify you in the app and, where required, ask for fresh consent.
17. Contact Us
FITN APP LTD
Company number: 15742758
24 Picton House, Hussar Court
Westside View, Waterlooville
PO7 7SQ, United Kingdom
Email: info@caftrackapp.com