Privacy Policy

Last updated: February 24, 2026

1. Data Controller

Clara is operated by Nic Findlay, a sole trader based in London, England ("we", "us", "our"). We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact email: info@nicfindlay.com

2. Information We Collect

We aim to collect the minimum amount of data necessary to provide the Service. Clara does not require you to create an account or provide any personal details to use the free version of the app.

Data we collect:

  • Scan Data: When you scan a product barcode, the barcode number is sent to our server to look up product information. We do not permanently associate scans with individual users.
  • Subscription Data: If you purchase Clara Premium, your subscription is managed by RevenueCat. RevenueCat receives an anonymous app user ID and transaction data from the Apple App Store. We do not receive or store your payment card details.
  • Local Device Data: Clara stores your daily scan count and onboarding status locally on your device using standard device storage (UserDefaults on iOS). This data never leaves your device.

Data we do not collect:

  • We do not collect your name, email address, or any personal identifiers through the app.
  • We do not collect location data.
  • We do not use third-party analytics or advertising SDKs.
  • We do not sell or share your data with third parties for marketing purposes.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • To look up product information and provide ingredient analysis when you scan a barcode
  • To generate AI-powered product summaries (see Section 5 below)
  • To manage and validate your subscription status
  • To detect, prevent, and address technical issues with the Service

4. Legal Basis for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract performance: Processing scan data to provide the product analysis service you have requested.
  • Contract performance: Processing subscription data to fulfil your Premium purchase.
  • Legitimate interest: Basic server logging to maintain security and diagnose issues with the Service.

5. AI and Automated Processing

Clara may use a large language model (LLM) accessed via an external API to generate human-readable product summaries. When this feature is enabled, product information (product name, brand, ingredient list, and nutritional data) is sent to the LLM provider for processing. No personal data or device identifiers are included in these requests. The LLM output is informational only and does not constitute a decision that produces legal or similarly significant effects on you.

6. Third-Party Services

We use the following third-party services to operate Clara:

  • Open Food Facts — an open-source food product database. Barcode lookups are sent to their servers. See their privacy policy.
  • RevenueCat — subscription management. Receives an anonymous user ID and transaction details from the App Store. See their privacy policy.
  • Railway — cloud hosting for our backend API. See their privacy policy.
  • Apple App Store — handles payment processing for subscriptions. See Apple's privacy policy.

7. Data Retention

  • Scan requests: Barcode lookup data is processed in real time and may be cached on our server for up to 24 hours to improve performance. It is not stored permanently.
  • Server logs: Standard server logs (which may include IP addresses and request timestamps) are retained for up to 30 days for security and diagnostic purposes, then deleted.
  • Subscription data: Managed and retained by RevenueCat and Apple in accordance with their respective retention policies.
  • Local device data: Stored on your device until you delete the app or clear app data.

8. International Data Transfers

Our backend servers and some third-party services may process data outside the United Kingdom. Where data is transferred internationally, we ensure appropriate safeguards are in place, including reliance on adequacy decisions or standard contractual clauses as recognised by UK data protection law.

9. Data Security

We take reasonable technical and organisational measures to protect data processed by the Service, including the use of API key authentication and encrypted connections (HTTPS). However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • The right to access your personal data
  • The right to rectification of inaccurate data
  • The right to erasure ("right to be forgotten")
  • The right to restrict processing
  • The right to data portability
  • The right to object to processing based on legitimate interest

To exercise any of these rights, please contact us at info@nicfindlay.com. We will respond within one month of receiving your request.

11. Right to Complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

12. Children's Data

Clara is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. We encourage you to review this page periodically.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact:

Nic Findlay
Email: info@nicfindlay.com