Privacy Policy
Last updated: May 23, 2026
This policy describes how we process your personal data when you use the crispl.io website, the Crispl app and related services, under Regulation (EU) 2016/679 (“GDPR”).
1. Data controller
The data controller is TeamLab S.r.l. (“we”, “Crispl”).
- Registered office: Via Roma 6, 23900 Lecco, Italy
- VAT / Tax ID: IT03992200133
- Email: privacy@crispl.io
2. What data we collect
Data you provide:
- Email, when you join the waitlist or create an account.
- Food profile: goals (e.g. cut sugar or salt), preferences, allergens and intolerances you choose to declare in order to receive a personalized score.
Data generated by using the service:
- Scan history and products viewed.
- Label photos you upload for analysis.
- Any content you save to the diary.
Purchase data: Pro purchases are made through the stores (App Store / Google Play). Payment data is processed by the stores and their processors; we do not store card numbers. We may retain the data needed for invoicing and tax compliance, where applicable.
Data collected automatically:
- Technical data (device type, logs, IP address) for security and operation.
- Analytics data only with your consent (see the Cookies section).
On the website (waitlist): email, language and campaign parameters (UTM) if present in the URL.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provide the service (scans, score, account) | Performance of a contract (Art. 6.1.b) |
| Waitlist signup and launch communications | Consent (Art. 6.1.a) |
| Analytics and measurement | Consent (Art. 6.1.a) |
| Security, abuse prevention | Legitimate interest (Art. 6.1.f) |
| Invoicing and legal obligations | Legal obligation (Art. 6.1.c) |
4. Data on allergens, intolerances and preferences
The information on allergens and intolerances you choose to enter may, depending on context, fall under the special categories of data (Art. 9 GDPR). We process it only on the basis of your explicit consent and solely to make the personalized score work. We do not use it for medical purposes, we do not sell it and we do not share it with third parties for marketing. You can remove it at any time.
5. How long we keep data
- Scan photos: automatically deleted after 30 days, unless you save them to the diary (in which case they remain until you delete them).
- Account and profile: while the account is active; deleted on your request.
- Waitlist email: until you withdraw consent or unsubscribe.
- Invoicing and accounting data: retained for 10 years, as required by Italian tax law (where applicable).
- Technical data/logs: for as long as needed for security and legal obligations.
6. Who we share data with
We use providers that process data on our behalf (data processors), selected for GDPR compliance and bound by appropriate data processing agreements:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Hosting / infrastructure | Servers and operation of the Service | Technical data, content | EU |
| Brevo | Transactional email and waitlist management | Email, language | EU |
| AWS (S3 / CloudFront) | Storage of scan images | Label photos | EU |
| Anthropic (Claude) | AI analysis of labels and chat | Content sent for analysis | US (SCCs) |
Anthropic (Claude): content is sent to the API to generate analysis and responses; under its commercial API terms, Anthropic does not use your data to train its models. We do not sell your personal data and we will notify you of material changes to our provider list.
7. Transfers outside the EU
Some providers, in particular Anthropic (Claude), may process data in the United States. In these cases, transfers rely on appropriate safeguards under the GDPR, in particular the European Commission’s Standard Contractual Clauses (SCCs).
8. Security
We implement appropriate technical and organizational measures to protect your data, including:
- encryption in transit (HTTPS/TLS);
- password hashing;
- access control and rate limiting on sensitive endpoints;
- storage of images on access-controlled infrastructure, with automatic deletion according to the periods indicated.
No system, however, is 100% secure: while we apply appropriate measures, we cannot guarantee absolute security.
9. Your rights
You have the right of access, rectification, erasure, restriction, objection and portability, and the right to withdraw consent at any time (without affecting processing already carried out).
To exercise your rights, write to privacy@crispl.io: we will respond within 30 days, as required by the GDPR. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it) or with the supervisory authority in your country of residence.
10. Children
Crispl is not directed at children under 16 and we do not knowingly collect personal data from children under 16. If you become aware that a minor has provided us with personal data, please contact us and we will delete it.
11. Cookies
By default, the site uses only essential technical cookies. Analytics tools are activated only with your consent, manageable via the cookie banner. The preference is stored locally on your device.
12. Changes to this policy
We may update this policy over time. The date at the top indicates the last update; material changes will be communicated by appropriate means.
13. Contact
For any question about how we handle your data: privacy@crispl.io.
See also our Terms of Service.