Legal

Privacy Policy

Effective date: 28 April 2026 · Last updated: 28 April 2026 · Version 1.0

This Privacy Policy explains how didenko lab, an individual developer registered with the Apple Developer Program (Team ID NBP8PX45D7), established in Portugal ("didenko lab", "we", "us"), processes your personal data when you use the Uni Up iOS application ("App") and the related website at uniup.app. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Portuguese data-protection law (Lei n.° 58/2019), and applicable rules of the UK GDPR.

The short version

The App is a "privacy by design" personal assistant: most of your data lives in your iCloud account, never on our servers.
We do not use analytics SDKs, advertising IDs, or tracking. There are no third-party trackers.
We do not sell your data and we never will.
The App talks to a third-party AI provider (DeepSeek) only when you have entered your own API key and triggered an AI feature; the request is sent directly from your device under your account.
Barcode scans send only the barcode number to public product databases (Open Food Facts and similar).
You can delete all local data at any time from Settings → Reset Database → Hard Reset.

1. Who is the controller

The controller responsible for the processing of your personal data is:

didenko lab (sole-trader / individual developer)
Apple Developer Team ID: NBP8PX45D7
Place of establishment: Porto, Portugal
Email: hello@uniup.app

didenko lab is below the GDPR threshold for a mandatory Data Protection Officer; the contact above is the single point of contact for all privacy questions.

2. What personal data we process

The App is designed to keep data on your device or in your private iCloud container. The categories of personal data that may be processed are:

Category	Details
Apple ID identifier	The opaque user ID returned by Sign in with Apple. Used to link your subscription, your shared lists, and your iCloud records.
Name and email (optional)	Only the name and email address you choose to share with the App through the Sign in with Apple sheet. If you select "Hide my email", Apple gives us a private relay address; if you decline to share, no name or email is collected. Stored locally in `UserDefaults` on your device.
Receipts and shopping content	Receipt photos, OCR-extracted text and structured fields (merchant, items, quantities, prices, currency, totals, dates), shopping-list items, voice notes (transcripts and the structured AI response, if any), reminders, products and stores you save. Stored on your device and synchronised to your private iCloud container.
Images	Receipt and shopping-item photos you take or import. Stored as JPEG files on your device under `Documents/photos/` and synced to iCloud.
Microphone audio	Used in real time on the device for speech recognition (Apple's `SFSpeechRecognizer`). Audio is not retained or transmitted by us; only the resulting transcript is stored locally.
Subscription status	Verified transaction information from StoreKit (product identifier, validity), used to unlock Pro features. We do not see your payment-instrument details.
Shared-list metadata	For lists you share through Apple CloudKit Sharing: the title, items, who added or completed each item, timestamps, and a list of invited participants (their iCloud identifiers as exposed by Apple). Visible to all participants of that share.
App preferences	Locale, country, onboarding state, theme, voice locale — held in `UserDefaults`. Your DeepSeek API key (if you provide one) is stored in the iOS Keychain.
Device push token	The App registers for remote notifications so that Apple can deliver silent CloudKit sync notifications to keep your data up to date across devices. The token is held by Apple and is not transmitted to us.

The App does not request or process: your precise location, contacts, calendar events, health data, financial-account credentials, advertising identifiers, or browsing history.

3. Purposes and legal bases

We process the categories above for the following purposes and on the following legal bases (Article 6 GDPR):

Purpose	Legal basis
Providing the core features of the App on your device (capturing receipts, managing shopping lists and reminders, syncing to your iCloud, displaying your data).	Performance of a contract — Art. 6(1)(b) GDPR.
Authenticating you via Sign in with Apple and identifying your subscription.	Performance of a contract — Art. 6(1)(b).
Processing your subscription, including verifying StoreKit transactions and applying VAT-related rules.	Performance of a contract — Art. 6(1)(b); compliance with legal obligation — Art. 6(1)(c) (tax / consumer law).
Sending content to DeepSeek when you trigger an AI feature, using your own API key.	Performance of a contract — Art. 6(1)(b); your active request constitutes the act of triggering this transfer (see Section 5).
Looking up barcodes against public product databases.	Performance of a contract — Art. 6(1)(b); legitimate interest in providing accurate product information — Art. 6(1)(f).
Detecting and preventing abuse of shared-list features and protecting the security of the App.	Legitimate interest — Art. 6(1)(f).
Responding to your support requests, complaints, and exercises of your rights.	Performance of a contract — Art. 6(1)(b); compliance with legal obligation — Art. 6(1)(c).

You are not legally required to provide any of the data described, but the App cannot work without the data needed to authenticate you and run the features you use. Where processing is based on legitimate interests, you may object as described in Section 8.

4. Where data is stored and processed

On your device. The primary storage of the App is local: SwiftData on your iPhone or iPad and JPEG files in the App's Documents directory.
In your iCloud account. If iCloud is enabled, your records are synchronised to Apple's private CloudKit database in the container iCloud.didenkolab.uniup. We have no administrative access to that container; it is yours.
In Apple's CloudKit Sharing zones. Lists you actively share are placed into a shared zone that is accessible only to invited participants.
In the iOS Keychain. Sensitive items, in particular your DeepSeek API key (if any), are stored in the system Keychain with the access policy kSecAttrAccessibleAfterFirstUnlock.

5. Third-party services and processors

The App relies on a small, deliberate set of third parties. Each of them is described below, including the data sent and the role.

5.1 Apple Inc. (and its EU subsidiaries) — processor / independent controller

Apple provides Sign in with Apple, iCloud / CloudKit storage and sharing, StoreKit (subscriptions), the App Store (distribution and payments), Vision (on-device OCR), SFSpeechRecognizer (speech), and the Apple Push Notification service. Apple acts as a processor for the data stored in your private CloudKit container, and as an independent controller for the App Store transaction. Apple's privacy policy is at apple.com/legal/privacy.

5.2 DeepSeek — AI parsing (only if you enable it)

If you enter a DeepSeek API key in Settings → DeepSeek API key, the App will send AI requests directly from your device to api.deepseek.com (operator: Hangzhou DeepSeek Artificial Intelligence Co., Ltd., People's Republic of China) when you trigger an AI feature. The content sent may include receipt OCR text, voice transcripts, product names, price-tag text, and the list of your open shopping items for context. Requests are billed against your DeepSeek account; we do not proxy or log them.

Important: when you use the DeepSeek integration, you act as the controller of the data you send and DeepSeek processes it under its own terms and privacy policy (DeepSeek Privacy Policy). Please review them. You can disable the integration at any time by removing the API key in Settings.

5.3 Open Food Facts, Open Beauty Facts, Open Products Facts — barcode lookup

When you scan or enter a barcode, the App may query world.openfoodfacts.org, world.openbeautyfacts.org and world.openproductsfacts.org. Only the barcode number and the search query (if you used the lookup field) are sent. These are public, non-profit databases run by the Open Food Facts association under French law; their privacy practices are described at openfoodfacts.org/privacy.

5.4 UPCitemDB — barcode-lookup fallback

If the open databases do not return a result, the App may fall back to api.upcitemdb.com's free trial endpoint. Only the barcode number is sent. UPCitemDB's privacy notice is at upcitemdb.com/privacy.

5.5 No other recipients

didenko lab does not run its own backend. There is no analytics provider, no error-reporting SDK, no advertising network, and no marketing-automation service receiving your data. We do not share data with any third party other than as described above, except where strictly required by law (for example, in response to a valid order from a competent authority).

6. International data transfers

Data stored in your iCloud container is processed by Apple in accordance with Apple's terms and may be transferred to data centres outside the European Economic Area; Apple relies on its own legal mechanisms for such transfers, described in Apple's privacy policy.

The DeepSeek integration involves a transfer to the People's Republic of China, a country for which the European Commission has not adopted an adequacy decision. You initiate this transfer yourself by configuring an API key and using the AI features. We do not undertake the transfer on your behalf and have not concluded Standard Contractual Clauses with DeepSeek. By enabling the integration, you give your explicit consent to this transfer for the purposes you have requested (Article 49(1)(a) GDPR, "explicit consent to the proposed transfer, after having been informed of the possible risks of such transfers"). You can withdraw that consent at any time by removing your DeepSeek API key from Settings.

7. How long we keep data

App data on your device and in your iCloud: kept for as long as you keep the App installed and your iCloud entries in place. You can delete it at any time using Settings → Reset Database (Soft Reset removes records; Hard Reset removes records, on-device images, and the SwiftData store and quits the App).
Shared lists: kept until the owner deletes the list or removes the share. If you are a participant, you can leave the share at any time in iCloud settings.
Subscription data: Apple retains transaction history under its own retention policy. We retain only the verified status needed to unlock Pro features.
Support correspondence: kept for up to 24 months after the matter is closed, then deleted, unless we are required to keep it longer for legal reasons (for example, evidence of contractual performance).
DeepSeek requests: retained by DeepSeek under its policy; not retained by us at all.

8. Your rights under the GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, which you can exercise at any time by writing to hello@uniup.app. We will respond within one month and, in any case, within the deadlines set by applicable law.

Right of access (Art. 15 GDPR) — obtain confirmation of whether we process data about you and a copy of it.
Right to rectification (Art. 16) — have inaccurate data corrected. Most data can be edited directly in the App.
Right to erasure ("right to be forgotten", Art. 17) — have your data deleted. Local and iCloud data can be deleted by you instantly via Hard Reset and by deleting the App from your iCloud settings.
Right to restriction (Art. 18) — ask us to limit processing in certain cases.
Right to data portability (Art. 20) — receive a copy of your structured data in a machine-readable format. The App offers an export of receipts and lists; for additional formats please contact us.
Right to object (Art. 21) — object to processing based on our legitimate interests.
Right to withdraw consent (Art. 7) — where processing is based on consent (in particular the DeepSeek transfer in Section 6), you may withdraw consent at any time, without affecting prior lawful processing.
Right to lodge a complaint (Art. 77) — with your local supervisory authority. The lead authority for didenko lab is the Portuguese Comissão Nacional de Proteção de Dados (CNPD): cnpd.pt.

You can also exercise your rights against Apple directly for data Apple holds (your iCloud account, your App Store purchases) at privacy.apple.com.

9. Children

The App is rated 4+ in the App Store and is suitable for general audiences, but it is not directed at children under 13. We do not knowingly collect personal data from children under 13 (or under the digital-consent age set by your country, where higher). If you believe a child has used the App without appropriate consent, please write to hello@uniup.app and we will delete the data.

10. Security

We rely on the security architecture provided by Apple's platform: TLS 1.2+ for all network calls, on-device encryption of the SwiftData store, the iOS Keychain for secrets, end-to-end encryption of supported CloudKit data classes, and Sign in with Apple for authentication. The DeepSeek API key never leaves your device except in the headers of the HTTPS calls you initiate to api.deepseek.com. No system is perfectly secure; if we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours and inform you without undue delay where required by Article 34 GDPR.

11. Tracking, cookies and analytics

The App does not include any third-party SDK for analytics, attribution, advertising, or crash reporting. The PrivacyInfo manifest declared with the binary sets NSPrivacyTracking = false and contains no tracking domains. The website uniup.app serves static pages without third-party cookies or analytics scripts.

12. Automated decisions and AI output

The AI features parse your input and return suggestions (categorised receipt items, structured shopping items, draft reminders, nutrition estimates, and similar). These outputs are suggestions only: they are presented to you for review, do not produce legal effects, and are not used to evaluate or score you. You are always free to edit, accept, or discard them. Within the meaning of Article 22 GDPR, the App does not subject you to a decision based solely on automated processing.

13. Changes to this policy

If we materially change how we handle your data, we will update this page, change the "Last updated" date at the top, and, where the change is material, give you notice in the App or on uniup.app/privacy.html before the change takes effect.

14. Contact and complaints

For any privacy-related question, request, or complaint, please contact us at:

didenko lab
Porto, Portugal
Email: hello@uniup.app

If you are not satisfied with our response, you may lodge a complaint with the supervisory authority in the EU country where you live, work, or where the alleged infringement took place. For Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD), cnpd.pt, +351 213 928 400, geral@cnpd.pt.