Privacy Policy of Coti
Privacy Policy of Coti
Privacy Policy of Coti
© 2026 Coti. All rights reserved.
Subscribe to our newsletter
Coti
© 2026 Coti. All rights reserved.
Subscribe to our newsletter
Coti
© 2026 Coti. All rights reserved.
Subscribe to our newsletter
Coti
Coti
Coti
Coti – Privacy Policy
Last Updated: 2025-05-21
1. Data Controller and Contact Information
Kava Oy
Kovasintie 12
04220 Kerava, Finland
Email: info@coti-home.com
If you have any questions about this Privacy Policy or wish to exercise your rights, please
contact us using the information provided above.
2. Introduction
Welcome to the Privacy Policy for the Coti application. Coti provides services related to
lifestyle, health, and fitness, including smart scale integration, macro tracking, AI-based food
analysis, and personalised recipe management. By using Coti you confirm that you are at
least 13 years old and agree to the data processing practices described in this Policy.
3. Application Description
• Name: Coti
• Version: 1.2
• Categories: Lifestyle, Health & Fitness
• Age Recommendation: 13+
The Coti Food Scale is seamlessly integrated with the Coti app, enabling features such as
macro tracking and food analysis.
4. Legal Basis for Processing
We process personal data on the following legal bases under GDPR Article 6 and Article 9:
• Consent (Art. 6(1)(a) and Art. 9(2)(a)): Your voluntary permission to process your data
for marketing or additional features.
• Contractual Necessity (Art. 6(1)(b)): Processing that is essential for providing the core
functions of the app (e.g. login, macro tracking, smart scale connection).
• Legal Obligation (Art. 6(1)(c)): Processing required by applicable law.• Special Category Data — Health (Art. 9(2)(a)): Processing health data requires your
explicit consent. You may withdraw consent at any time; withdrawal does not affect the
lawfulness of prior processing.
5. Data We Collect
5.1 Data Collected via Third-Party Services
Firebase & Google (Authentication, Firestore, Analytics, Messaging)
• Login-related information: email address, approximate login location, authentication
tokens.
• App usage analytics: device model, OS version, session duration, feature interactions,
crash reports.
• Push notification tokens for delivering alerts and messages.
• Cloud storage of user-generated content (food diary entries, recipes, macro logs) in
Google Firestore.
Data is transmitted to Google servers, which may be located outside the EU/EEA. We
rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism. See
Google's Privacy Policy: https://policies.google.com/privacy
Facebook / Meta SDK (FBSDKCoreKit, FBSDKLoginKit, FBSDKShareKit)
• If you choose to log in via Facebook, we receive your public profile information (name,
email, profile picture) as authorised by you.
• The Facebook SDK may collect device identifiers, app events, and usage data and share
these with Meta for analytics and advertising purposes.
• If you use sharing features, content you choose to share is transmitted to Facebook's
servers.
Meta's data collection is governed by Meta's Privacy Policy:
https://www.facebook.com/policy. You may opt out of Facebook's data collection by not
using Facebook Login or sharing features.
AppsFlyer (Mobile Attribution & Analytics)
• AppsFlyer collects device identifiers (IDFA on iOS, subject to ATT consent), IP address,
app install source, and in-app events for the purpose of measuring advertising campaign
effectiveness.
• This data is used solely for attribution (understanding which marketing channels drive app
installs) and aggregated analytics.
AppsFlyer's Privacy Policy: https://www.appsflyer.com/legal/privacy-policy/
RevenueCat (Subscription & Purchase Management)
• Subscription status, purchase history, and transaction identifiers are shared with
RevenueCat to manage billing, restore purchases, and prevent fraud.• RevenueCat does not process payment card data; all payment transactions are handled
by Apple's App Store.
RevenueCat's Privacy Policy: https://www.revenuecat.com/privacy
Shopify Checkout (E-Commerce)
• If you make purchases through the in-app Shopify Checkout, order details, shipping
address, and contact information are processed by Shopify. Payment data is processed
by Shopify and its payment partners and does not pass through our servers.
Shopify's Privacy Policy: https://www.shopify.com/legal/privacy
Gemini AI (Food Image Analysis)
• Food images captured via the camera are sent to Google's Gemini AI service for
nutritional content identification.
• Images are processed in real time and are not permanently stored by Gemini AI or by us
after analysis is complete.
Google Sign-In
• If you use Google Sign-In, we access your Google account name, email address, and
profile picture as authorised by you.
• We do not access your Google Drive, Gmail, or any other Google services without explicit
permission.
Sign in with Apple
• If you choose Sign in with Apple, Apple provides us with a unique identifier and, optionally,
your name and email address. Apple's "Hide My Email" relay may be used at your
discretion.
5.2 Data Provided by the User
• Personal details: Age, gender, height, body weight — used to calculate nutritional targets
and improve app features.
• Eating habits: Dietary preferences, food diary entries, meal photographs, and macro
consumption logs.
• Fitness data: Body measurements and progress data (if entered manually).
5.3 Health Data (Apple HealthKit)
IMPORTANT: Coti may read from and write to Apple HealthKit. Health data is among the
most sensitive personal data categories. We handle it under strict rules.
• Body weight, body mass index (BMI), dietary energy (calories), dietary macronutrients
(protein, fat, carbohydrates), water intake, and other nutrition-related data types that you
explicitly authorise.
• HealthKit data is used solely to populate your in-app nutrition diary and provide
personalised recommendations.
• We do NOT share HealthKit data with third parties, including advertisers, analytics
providers, or data brokers.
• We do NOT use HealthKit data for advertising or marketing profiling.• HealthKit data is stored locally on your device and, if you enable iCloud sync, within your
personal iCloud account. We do not upload HealthKit data to our servers.
This policy complies with Apple's HealthKit Guidelines. Any future changes to HealthKit
data usage will require an explicit update to this Policy and renewed user consent.
5.4 Device & Technical Data
• Device model, operating system version, unique device identifiers, and app version
(collected by Firebase Analytics and AppsFlyer).
• Crash logs and performance diagnostics (Firebase Crashlytics / Analytics).
• Local database: certain data (e.g., food diary entries, cached recipes) is stored in an on-
device SQLite database for offline functionality. This data remains on your device.
• Keychain: authentication tokens and credentials are stored in the iOS Keychain, which is
encrypted and accessible only by Coti.
5.5 Sensor & Hardware Data
• Bluetooth Low Energy (BLE) is used to communicate with the Coti Food Scale in real time.
Weight readings are transferred to the app and are not stored on the scale or transmitted
to our servers beyond what is necessary to display and log your measurement.
• The camera is used solely for scanning food items for AI-based nutritional analysis and for
scanning barcodes. We do not record video or store images without your explicit action.
• The photo library may be accessed if you choose to upload an existing image for food
analysis. We access only the specific image you select.
6. Advertising Tracking & App Tracking
Transparency (ATT)
Coti uses AppsFlyer for mobile attribution. On iOS, we present Apple's App Tracking
Transparency (ATT) prompt before accessing your device's Advertising Identifier (IDFA). The
purposes of tracking are:
• Measuring which advertising campaigns resulted in app installs.
• Aggregated analysis of user acquisition channels.
If you decline the ATT prompt, AppsFlyer will use privacy-preserving, aggregated
measurement methods instead. Declining tracking does not affect the functionality of the app.
We do NOT use tracking data to build individual advertising profiles or to re-target you on
other platforms.
7. Purposes of Processing
• Core App Functions: Login, macro tracking, smart scale integration, and recipe
management.• Health & Nutrition Tracking: Processing HealthKit and user-entered data to deliver
personalised nutrition insights.
• AI-Based Food Analysis: Transmitting food images to Gemini AI for nutritional
identification.
• Account Management & Support: Ensuring account security and providing customer
support.
• Subscription & Payment Processing: Managing subscriptions and transactions via
RevenueCat and Apple App Store.
• Push Notifications: Delivering reminders, updates, and relevant alerts via Firebase
Messaging.
• Marketing & Attribution: Measuring the effectiveness of advertising campaigns via
AppsFlyer (with ATT consent where required).
• App Analytics & Improvement: Understanding how users interact with the app to
improve features and fix bugs (Firebase Analytics).
• Security & Fraud Prevention: Detecting and preventing unauthorised access and
fraudulent activity.
• E-Commerce: Processing product purchases via Shopify Checkout.
8. Third-Party Services and Data Sharing
We share data with the following third parties only to the extent necessary for the purposes
described above:
Third Party
Purpose
Privacy Policy
Google Firebase
Auth, database, analytics,
messaging
policies.google.com/privacy
Meta / Facebook
Login, share features, SDK
analytics
facebook.com/policy
AppsFlyer
Mobile attribution & install
tracking
appsflyer.com/legal/privacy-
policy/
RevenueCat
Subscription management
revenuecat.com/privacy
Shopify
E-commerce checkout &
payments
shopify.com/legal/privacy
Google Gemini AI
AI food image analysis
policies.google.com/privacy
Apple HealthKit
On-device health data (not
uploaded)
apple.com/legal/privacy/
Apple App Store
In-app purchases
apple.com/legal/privacy/
We do not sell your personal data to any third party.
9. Data Retention
• Account data is retained as long as your account is active.
• Analytics data (Firebase) is retained for 14 months by default, per Google's standard
configuration.• AppsFlyer attribution data is retained for 24 months.
• HealthKit data is stored locally on your device; we do not retain copies on our servers.
• Food images sent for AI analysis are not stored after the analysis response is received.
• Upon account deletion, your personal data will be deleted or anonymised within 30 days,
except where retention is required by law.
10. Underage Users
• The minimum age to use Coti is 13 years.
• For users aged 13–15 (or up to 16, subject to local law), verifiable parental or guardian
consent is required for data processing, in accordance with Finnish law and GDPR Article
8.
• Parents and guardians may contact us at info@coti-home.com to review, correct, or delete
data relating to their child.
• We do not knowingly collect personal data from children under 13. If we discover that data
has been collected from a child under 13 without consent, we will delete it promptly.
11. International Data Transfers
Third-party services including Google (Firebase, Gemini AI), Meta (Facebook), AppsFlyer,
RevenueCat, and Shopify may store and process data on servers located outside the
EU/EEA, including in the United States. We ensure that such transfers are protected by one or
more of the following mechanisms:
• EU Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Binding Corporate Rules or other approved transfer mechanisms.
For details of the transfer safeguards applied by each provider, please refer to their respective
privacy policies (listed in Section 8).
12. Your Rights Under GDPR
• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request corrections to inaccurate data.
• Right to Erasure: Request deletion of your data (subject to legal retention obligations).
• Right to Restrict: Request that we limit how we process your data.
• Right to Object: Object to processing based on legitimate interests.
• Right to Data Portability: Request a copy of your data in machine-readable format.
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful
processing.• Right Not to Be Profiled: Object to automated decision-making that produces significant
effects.
Data Deletion Instructions
To delete your account and personal data, email info@coti-home.com with:
• Your CotiUID (visible in the app settings).
• A brief description of the data you want removed.
We will delete or anonymise your data within 30 days and confirm completion. Certain data
may be retained longer if required by law.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer
Privacy Act (CCPA), including the right to know what personal information is collected, the
right to request deletion, and the right to opt out of the sale of personal information. We do not
sell personal information. To exercise CCPA rights, contact us at info@coti-home.com.
Right to Lodge a Complaint
If you believe your data has been processed unlawfully, you have the right to file a complaint
with your national data protection authority. In Finland, this is the Office of the Data Protection
Ombudsman (tietosuoja.fi).
13. App Permissions
Coti requests the following system permissions. Each permission is requested only when
needed and you may deny or revoke permissions in your device settings:
• Camera: Required for scanning food items and barcodes for AI nutritional analysis.
• Photo Library: Optional — allows you to upload an existing photo for food analysis.
• Bluetooth: Required to connect and communicate with the Coti Food Scale via BLE.
• Health (HealthKit): Optional — allows Coti to read/write nutrition data to Apple Health.
• Notifications: Optional — allows Coti to send reminders and alerts via push notifications.
• Tracking (ATT): Optional — allows AppsFlyer to use your IDFA for advertising attribution.
• Motion & Fitness: Optional — used if fitness activity data is integrated.
• Files & Documents: Optional — allows import of documents (e.g., recipes) via the
document picker.
14. Automated Decision Making and AI
The app uses Gemini AI for food image analysis. This process does not produce legal or
similarly significant effects on users — it simply estimates the nutritional content of a
photographed meal. You remain free to adjust or disregard any AI-generated nutritional
estimates.We do not use your data for automated profiling that would affect your access to services,
credit, insurance, or similar consequential decisions.
15. Cookies and Tracking Technologies
The Coti app may use device identifiers and equivalent tracking technologies (rather than
browser cookies) to:
• Maintain your login session.
• Improve app performance and user experience.
• Attribute app installs and measure marketing effectiveness (via AppsFlyer, subject to ATT
consent).
You can manage tracking preferences through your device's Privacy settings (Settings >
Privacy & Security > Tracking on iOS).
16. Data Security
• All data transmissions between the app and our servers are encrypted using TLS 1.2 or
higher.
• Authentication credentials are stored in the iOS Keychain, which is hardware-encrypted.
• Firebase Firestore applies access rules to ensure each user can only access their own
data.
• We conduct periodic security reviews and apply security patches promptly.
Despite these measures, no data transmission or storage system is completely secure. If you
become aware of a security issue, please contact us at info@coti-home.com.
17. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our app functionality, third-party
services, or legal requirements. When we make material changes, we will notify you through
the app and/or by email at least 14 days before the changes take effect. Your continued use of
Coti after the effective date constitutes acceptance of the updated Policy.
18. Data Protection Officer
We have not currently appointed a dedicated Data Protection Officer, as our data processing
activities do not require one under Article 37 GDPR. If our processing activities change, we will
appoint a DPO as required. For all data protection enquiries, contact: info@coti-home.com19. Governing Law
This Privacy Policy is governed by Finnish law and the General Data Protection Regulation
(EU) 2016/679 (GDPR). Any disputes shall be resolved in the competent courts of Finland,
without prejudice to your right to lodge a complaint with a supervisory authority.
Kava Oy · Kovasintie 12, 04220 Kerava, Finland · info@coti-home.com
Coti – Privacy Policy
Last Updated: 2025-05-21
1. Data Controller and Contact Information
Kava Oy
Kovasintie 12
04220 Kerava, Finland
Email: info@coti-home.com
If you have any questions about this Privacy Policy or wish to exercise your rights, please
contact us using the information provided above.
2. Introduction
Welcome to the Privacy Policy for the Coti application. Coti provides services related to
lifestyle, health, and fitness, including smart scale integration, macro tracking, AI-based food
analysis, and personalised recipe management. By using Coti you confirm that you are at
least 13 years old and agree to the data processing practices described in this Policy.
3. Application Description
• Name: Coti
• Version: 1.2
• Categories: Lifestyle, Health & Fitness
• Age Recommendation: 13+
The Coti Food Scale is seamlessly integrated with the Coti app, enabling features such as
macro tracking and food analysis.
4. Legal Basis for Processing
We process personal data on the following legal bases under GDPR Article 6 and Article 9:
• Consent (Art. 6(1)(a) and Art. 9(2)(a)): Your voluntary permission to process your data
for marketing or additional features.
• Contractual Necessity (Art. 6(1)(b)): Processing that is essential for providing the core
functions of the app (e.g. login, macro tracking, smart scale connection).
• Legal Obligation (Art. 6(1)(c)): Processing required by applicable law.• Special Category Data — Health (Art. 9(2)(a)): Processing health data requires your
explicit consent. You may withdraw consent at any time; withdrawal does not affect the
lawfulness of prior processing.
5. Data We Collect
5.1 Data Collected via Third-Party Services
Firebase & Google (Authentication, Firestore, Analytics, Messaging)
• Login-related information: email address, approximate login location, authentication
tokens.
• App usage analytics: device model, OS version, session duration, feature interactions,
crash reports.
• Push notification tokens for delivering alerts and messages.
• Cloud storage of user-generated content (food diary entries, recipes, macro logs) in
Google Firestore.
Data is transmitted to Google servers, which may be located outside the EU/EEA. We
rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism. See
Google's Privacy Policy: https://policies.google.com/privacy
Facebook / Meta SDK (FBSDKCoreKit, FBSDKLoginKit, FBSDKShareKit)
• If you choose to log in via Facebook, we receive your public profile information (name,
email, profile picture) as authorised by you.
• The Facebook SDK may collect device identifiers, app events, and usage data and share
these with Meta for analytics and advertising purposes.
• If you use sharing features, content you choose to share is transmitted to Facebook's
servers.
Meta's data collection is governed by Meta's Privacy Policy:
https://www.facebook.com/policy. You may opt out of Facebook's data collection by not
using Facebook Login or sharing features.
AppsFlyer (Mobile Attribution & Analytics)
• AppsFlyer collects device identifiers (IDFA on iOS, subject to ATT consent), IP address,
app install source, and in-app events for the purpose of measuring advertising campaign
effectiveness.
• This data is used solely for attribution (understanding which marketing channels drive app
installs) and aggregated analytics.
AppsFlyer's Privacy Policy: https://www.appsflyer.com/legal/privacy-policy/
RevenueCat (Subscription & Purchase Management)
• Subscription status, purchase history, and transaction identifiers are shared with
RevenueCat to manage billing, restore purchases, and prevent fraud.• RevenueCat does not process payment card data; all payment transactions are handled
by Apple's App Store.
RevenueCat's Privacy Policy: https://www.revenuecat.com/privacy
Shopify Checkout (E-Commerce)
• If you make purchases through the in-app Shopify Checkout, order details, shipping
address, and contact information are processed by Shopify. Payment data is processed
by Shopify and its payment partners and does not pass through our servers.
Shopify's Privacy Policy: https://www.shopify.com/legal/privacy
Gemini AI (Food Image Analysis)
• Food images captured via the camera are sent to Google's Gemini AI service for
nutritional content identification.
• Images are processed in real time and are not permanently stored by Gemini AI or by us
after analysis is complete.
Google Sign-In
• If you use Google Sign-In, we access your Google account name, email address, and
profile picture as authorised by you.
• We do not access your Google Drive, Gmail, or any other Google services without explicit
permission.
Sign in with Apple
• If you choose Sign in with Apple, Apple provides us with a unique identifier and, optionally,
your name and email address. Apple's "Hide My Email" relay may be used at your
discretion.
5.2 Data Provided by the User
• Personal details: Age, gender, height, body weight — used to calculate nutritional targets
and improve app features.
• Eating habits: Dietary preferences, food diary entries, meal photographs, and macro
consumption logs.
• Fitness data: Body measurements and progress data (if entered manually).
5.3 Health Data (Apple HealthKit)
IMPORTANT: Coti may read from and write to Apple HealthKit. Health data is among the
most sensitive personal data categories. We handle it under strict rules.
• Body weight, body mass index (BMI), dietary energy (calories), dietary macronutrients
(protein, fat, carbohydrates), water intake, and other nutrition-related data types that you
explicitly authorise.
• HealthKit data is used solely to populate your in-app nutrition diary and provide
personalised recommendations.
• We do NOT share HealthKit data with third parties, including advertisers, analytics
providers, or data brokers.
• We do NOT use HealthKit data for advertising or marketing profiling.• HealthKit data is stored locally on your device and, if you enable iCloud sync, within your
personal iCloud account. We do not upload HealthKit data to our servers.
This policy complies with Apple's HealthKit Guidelines. Any future changes to HealthKit
data usage will require an explicit update to this Policy and renewed user consent.
5.4 Device & Technical Data
• Device model, operating system version, unique device identifiers, and app version
(collected by Firebase Analytics and AppsFlyer).
• Crash logs and performance diagnostics (Firebase Crashlytics / Analytics).
• Local database: certain data (e.g., food diary entries, cached recipes) is stored in an on-
device SQLite database for offline functionality. This data remains on your device.
• Keychain: authentication tokens and credentials are stored in the iOS Keychain, which is
encrypted and accessible only by Coti.
5.5 Sensor & Hardware Data
• Bluetooth Low Energy (BLE) is used to communicate with the Coti Food Scale in real time.
Weight readings are transferred to the app and are not stored on the scale or transmitted
to our servers beyond what is necessary to display and log your measurement.
• The camera is used solely for scanning food items for AI-based nutritional analysis and for
scanning barcodes. We do not record video or store images without your explicit action.
• The photo library may be accessed if you choose to upload an existing image for food
analysis. We access only the specific image you select.
6. Advertising Tracking & App Tracking
Transparency (ATT)
Coti uses AppsFlyer for mobile attribution. On iOS, we present Apple's App Tracking
Transparency (ATT) prompt before accessing your device's Advertising Identifier (IDFA). The
purposes of tracking are:
• Measuring which advertising campaigns resulted in app installs.
• Aggregated analysis of user acquisition channels.
If you decline the ATT prompt, AppsFlyer will use privacy-preserving, aggregated
measurement methods instead. Declining tracking does not affect the functionality of the app.
We do NOT use tracking data to build individual advertising profiles or to re-target you on
other platforms.
7. Purposes of Processing
• Core App Functions: Login, macro tracking, smart scale integration, and recipe
management.• Health & Nutrition Tracking: Processing HealthKit and user-entered data to deliver
personalised nutrition insights.
• AI-Based Food Analysis: Transmitting food images to Gemini AI for nutritional
identification.
• Account Management & Support: Ensuring account security and providing customer
support.
• Subscription & Payment Processing: Managing subscriptions and transactions via
RevenueCat and Apple App Store.
• Push Notifications: Delivering reminders, updates, and relevant alerts via Firebase
Messaging.
• Marketing & Attribution: Measuring the effectiveness of advertising campaigns via
AppsFlyer (with ATT consent where required).
• App Analytics & Improvement: Understanding how users interact with the app to
improve features and fix bugs (Firebase Analytics).
• Security & Fraud Prevention: Detecting and preventing unauthorised access and
fraudulent activity.
• E-Commerce: Processing product purchases via Shopify Checkout.
8. Third-Party Services and Data Sharing
We share data with the following third parties only to the extent necessary for the purposes
described above:
Third Party
Purpose
Privacy Policy
Google Firebase
Auth, database, analytics,
messaging
policies.google.com/privacy
Meta / Facebook
Login, share features, SDK
analytics
facebook.com/policy
AppsFlyer
Mobile attribution & install
tracking
appsflyer.com/legal/privacy-
policy/
RevenueCat
Subscription management
revenuecat.com/privacy
Shopify
E-commerce checkout &
payments
shopify.com/legal/privacy
Google Gemini AI
AI food image analysis
policies.google.com/privacy
Apple HealthKit
On-device health data (not
uploaded)
apple.com/legal/privacy/
Apple App Store
In-app purchases
apple.com/legal/privacy/
We do not sell your personal data to any third party.
9. Data Retention
• Account data is retained as long as your account is active.
• Analytics data (Firebase) is retained for 14 months by default, per Google's standard
configuration.• AppsFlyer attribution data is retained for 24 months.
• HealthKit data is stored locally on your device; we do not retain copies on our servers.
• Food images sent for AI analysis are not stored after the analysis response is received.
• Upon account deletion, your personal data will be deleted or anonymised within 30 days,
except where retention is required by law.
10. Underage Users
• The minimum age to use Coti is 13 years.
• For users aged 13–15 (or up to 16, subject to local law), verifiable parental or guardian
consent is required for data processing, in accordance with Finnish law and GDPR Article
8.
• Parents and guardians may contact us at info@coti-home.com to review, correct, or delete
data relating to their child.
• We do not knowingly collect personal data from children under 13. If we discover that data
has been collected from a child under 13 without consent, we will delete it promptly.
11. International Data Transfers
Third-party services including Google (Firebase, Gemini AI), Meta (Facebook), AppsFlyer,
RevenueCat, and Shopify may store and process data on servers located outside the
EU/EEA, including in the United States. We ensure that such transfers are protected by one or
more of the following mechanisms:
• EU Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Binding Corporate Rules or other approved transfer mechanisms.
For details of the transfer safeguards applied by each provider, please refer to their respective
privacy policies (listed in Section 8).
12. Your Rights Under GDPR
• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request corrections to inaccurate data.
• Right to Erasure: Request deletion of your data (subject to legal retention obligations).
• Right to Restrict: Request that we limit how we process your data.
• Right to Object: Object to processing based on legitimate interests.
• Right to Data Portability: Request a copy of your data in machine-readable format.
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful
processing.• Right Not to Be Profiled: Object to automated decision-making that produces significant
effects.
Data Deletion Instructions
To delete your account and personal data, email info@coti-home.com with:
• Your CotiUID (visible in the app settings).
• A brief description of the data you want removed.
We will delete or anonymise your data within 30 days and confirm completion. Certain data
may be retained longer if required by law.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer
Privacy Act (CCPA), including the right to know what personal information is collected, the
right to request deletion, and the right to opt out of the sale of personal information. We do not
sell personal information. To exercise CCPA rights, contact us at info@coti-home.com.
Right to Lodge a Complaint
If you believe your data has been processed unlawfully, you have the right to file a complaint
with your national data protection authority. In Finland, this is the Office of the Data Protection
Ombudsman (tietosuoja.fi).
13. App Permissions
Coti requests the following system permissions. Each permission is requested only when
needed and you may deny or revoke permissions in your device settings:
• Camera: Required for scanning food items and barcodes for AI nutritional analysis.
• Photo Library: Optional — allows you to upload an existing photo for food analysis.
• Bluetooth: Required to connect and communicate with the Coti Food Scale via BLE.
• Health (HealthKit): Optional — allows Coti to read/write nutrition data to Apple Health.
• Notifications: Optional — allows Coti to send reminders and alerts via push notifications.
• Tracking (ATT): Optional — allows AppsFlyer to use your IDFA for advertising attribution.
• Motion & Fitness: Optional — used if fitness activity data is integrated.
• Files & Documents: Optional — allows import of documents (e.g., recipes) via the
document picker.
14. Automated Decision Making and AI
The app uses Gemini AI for food image analysis. This process does not produce legal or
similarly significant effects on users — it simply estimates the nutritional content of a
photographed meal. You remain free to adjust or disregard any AI-generated nutritional
estimates.We do not use your data for automated profiling that would affect your access to services,
credit, insurance, or similar consequential decisions.
15. Cookies and Tracking Technologies
The Coti app may use device identifiers and equivalent tracking technologies (rather than
browser cookies) to:
• Maintain your login session.
• Improve app performance and user experience.
• Attribute app installs and measure marketing effectiveness (via AppsFlyer, subject to ATT
consent).
You can manage tracking preferences through your device's Privacy settings (Settings >
Privacy & Security > Tracking on iOS).
16. Data Security
• All data transmissions between the app and our servers are encrypted using TLS 1.2 or
higher.
• Authentication credentials are stored in the iOS Keychain, which is hardware-encrypted.
• Firebase Firestore applies access rules to ensure each user can only access their own
data.
• We conduct periodic security reviews and apply security patches promptly.
Despite these measures, no data transmission or storage system is completely secure. If you
become aware of a security issue, please contact us at info@coti-home.com.
17. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our app functionality, third-party
services, or legal requirements. When we make material changes, we will notify you through
the app and/or by email at least 14 days before the changes take effect. Your continued use of
Coti after the effective date constitutes acceptance of the updated Policy.
18. Data Protection Officer
We have not currently appointed a dedicated Data Protection Officer, as our data processing
activities do not require one under Article 37 GDPR. If our processing activities change, we will
appoint a DPO as required. For all data protection enquiries, contact: info@coti-home.com19. Governing Law
This Privacy Policy is governed by Finnish law and the General Data Protection Regulation
(EU) 2016/679 (GDPR). Any disputes shall be resolved in the competent courts of Finland,
without prejudice to your right to lodge a complaint with a supervisory authority.
Kava Oy · Kovasintie 12, 04220 Kerava, Finland · info@coti-home.com
Coti – Privacy Policy
Last Updated: 2025-05-21
1. Data Controller and Contact Information
Kava Oy
Kovasintie 12
04220 Kerava, Finland
Email: info@coti-home.com
If you have any questions about this Privacy Policy or wish to exercise your rights, please
contact us using the information provided above.
2. Introduction
Welcome to the Privacy Policy for the Coti application. Coti provides services related to
lifestyle, health, and fitness, including smart scale integration, macro tracking, AI-based food
analysis, and personalised recipe management. By using Coti you confirm that you are at
least 13 years old and agree to the data processing practices described in this Policy.
3. Application Description
• Name: Coti
• Version: 1.2
• Categories: Lifestyle, Health & Fitness
• Age Recommendation: 13+
The Coti Food Scale is seamlessly integrated with the Coti app, enabling features such as
macro tracking and food analysis.
4. Legal Basis for Processing
We process personal data on the following legal bases under GDPR Article 6 and Article 9:
• Consent (Art. 6(1)(a) and Art. 9(2)(a)): Your voluntary permission to process your data
for marketing or additional features.
• Contractual Necessity (Art. 6(1)(b)): Processing that is essential for providing the core
functions of the app (e.g. login, macro tracking, smart scale connection).
• Legal Obligation (Art. 6(1)(c)): Processing required by applicable law.• Special Category Data — Health (Art. 9(2)(a)): Processing health data requires your
explicit consent. You may withdraw consent at any time; withdrawal does not affect the
lawfulness of prior processing.
5. Data We Collect
5.1 Data Collected via Third-Party Services
Firebase & Google (Authentication, Firestore, Analytics, Messaging)
• Login-related information: email address, approximate login location, authentication
tokens.
• App usage analytics: device model, OS version, session duration, feature interactions,
crash reports.
• Push notification tokens for delivering alerts and messages.
• Cloud storage of user-generated content (food diary entries, recipes, macro logs) in
Google Firestore.
Data is transmitted to Google servers, which may be located outside the EU/EEA. We
rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism. See
Google's Privacy Policy: https://policies.google.com/privacy
Facebook / Meta SDK (FBSDKCoreKit, FBSDKLoginKit, FBSDKShareKit)
• If you choose to log in via Facebook, we receive your public profile information (name,
email, profile picture) as authorised by you.
• The Facebook SDK may collect device identifiers, app events, and usage data and share
these with Meta for analytics and advertising purposes.
• If you use sharing features, content you choose to share is transmitted to Facebook's
servers.
Meta's data collection is governed by Meta's Privacy Policy:
https://www.facebook.com/policy. You may opt out of Facebook's data collection by not
using Facebook Login or sharing features.
AppsFlyer (Mobile Attribution & Analytics)
• AppsFlyer collects device identifiers (IDFA on iOS, subject to ATT consent), IP address,
app install source, and in-app events for the purpose of measuring advertising campaign
effectiveness.
• This data is used solely for attribution (understanding which marketing channels drive app
installs) and aggregated analytics.
AppsFlyer's Privacy Policy: https://www.appsflyer.com/legal/privacy-policy/
RevenueCat (Subscription & Purchase Management)
• Subscription status, purchase history, and transaction identifiers are shared with
RevenueCat to manage billing, restore purchases, and prevent fraud.• RevenueCat does not process payment card data; all payment transactions are handled
by Apple's App Store.
RevenueCat's Privacy Policy: https://www.revenuecat.com/privacy
Shopify Checkout (E-Commerce)
• If you make purchases through the in-app Shopify Checkout, order details, shipping
address, and contact information are processed by Shopify. Payment data is processed
by Shopify and its payment partners and does not pass through our servers.
Shopify's Privacy Policy: https://www.shopify.com/legal/privacy
Gemini AI (Food Image Analysis)
• Food images captured via the camera are sent to Google's Gemini AI service for
nutritional content identification.
• Images are processed in real time and are not permanently stored by Gemini AI or by us
after analysis is complete.
Google Sign-In
• If you use Google Sign-In, we access your Google account name, email address, and
profile picture as authorised by you.
• We do not access your Google Drive, Gmail, or any other Google services without explicit
permission.
Sign in with Apple
• If you choose Sign in with Apple, Apple provides us with a unique identifier and, optionally,
your name and email address. Apple's "Hide My Email" relay may be used at your
discretion.
5.2 Data Provided by the User
• Personal details: Age, gender, height, body weight — used to calculate nutritional targets
and improve app features.
• Eating habits: Dietary preferences, food diary entries, meal photographs, and macro
consumption logs.
• Fitness data: Body measurements and progress data (if entered manually).
5.3 Health Data (Apple HealthKit)
IMPORTANT: Coti may read from and write to Apple HealthKit. Health data is among the
most sensitive personal data categories. We handle it under strict rules.
• Body weight, body mass index (BMI), dietary energy (calories), dietary macronutrients
(protein, fat, carbohydrates), water intake, and other nutrition-related data types that you
explicitly authorise.
• HealthKit data is used solely to populate your in-app nutrition diary and provide
personalised recommendations.
• We do NOT share HealthKit data with third parties, including advertisers, analytics
providers, or data brokers.
• We do NOT use HealthKit data for advertising or marketing profiling.• HealthKit data is stored locally on your device and, if you enable iCloud sync, within your
personal iCloud account. We do not upload HealthKit data to our servers.
This policy complies with Apple's HealthKit Guidelines. Any future changes to HealthKit
data usage will require an explicit update to this Policy and renewed user consent.
5.4 Device & Technical Data
• Device model, operating system version, unique device identifiers, and app version
(collected by Firebase Analytics and AppsFlyer).
• Crash logs and performance diagnostics (Firebase Crashlytics / Analytics).
• Local database: certain data (e.g., food diary entries, cached recipes) is stored in an on-
device SQLite database for offline functionality. This data remains on your device.
• Keychain: authentication tokens and credentials are stored in the iOS Keychain, which is
encrypted and accessible only by Coti.
5.5 Sensor & Hardware Data
• Bluetooth Low Energy (BLE) is used to communicate with the Coti Food Scale in real time.
Weight readings are transferred to the app and are not stored on the scale or transmitted
to our servers beyond what is necessary to display and log your measurement.
• The camera is used solely for scanning food items for AI-based nutritional analysis and for
scanning barcodes. We do not record video or store images without your explicit action.
• The photo library may be accessed if you choose to upload an existing image for food
analysis. We access only the specific image you select.
6. Advertising Tracking & App Tracking
Transparency (ATT)
Coti uses AppsFlyer for mobile attribution. On iOS, we present Apple's App Tracking
Transparency (ATT) prompt before accessing your device's Advertising Identifier (IDFA). The
purposes of tracking are:
• Measuring which advertising campaigns resulted in app installs.
• Aggregated analysis of user acquisition channels.
If you decline the ATT prompt, AppsFlyer will use privacy-preserving, aggregated
measurement methods instead. Declining tracking does not affect the functionality of the app.
We do NOT use tracking data to build individual advertising profiles or to re-target you on
other platforms.
7. Purposes of Processing
• Core App Functions: Login, macro tracking, smart scale integration, and recipe
management.• Health & Nutrition Tracking: Processing HealthKit and user-entered data to deliver
personalised nutrition insights.
• AI-Based Food Analysis: Transmitting food images to Gemini AI for nutritional
identification.
• Account Management & Support: Ensuring account security and providing customer
support.
• Subscription & Payment Processing: Managing subscriptions and transactions via
RevenueCat and Apple App Store.
• Push Notifications: Delivering reminders, updates, and relevant alerts via Firebase
Messaging.
• Marketing & Attribution: Measuring the effectiveness of advertising campaigns via
AppsFlyer (with ATT consent where required).
• App Analytics & Improvement: Understanding how users interact with the app to
improve features and fix bugs (Firebase Analytics).
• Security & Fraud Prevention: Detecting and preventing unauthorised access and
fraudulent activity.
• E-Commerce: Processing product purchases via Shopify Checkout.
8. Third-Party Services and Data Sharing
We share data with the following third parties only to the extent necessary for the purposes
described above:
Third Party
Purpose
Privacy Policy
Google Firebase
Auth, database, analytics,
messaging
policies.google.com/privacy
Meta / Facebook
Login, share features, SDK
analytics
facebook.com/policy
AppsFlyer
Mobile attribution & install
tracking
appsflyer.com/legal/privacy-
policy/
RevenueCat
Subscription management
revenuecat.com/privacy
Shopify
E-commerce checkout &
payments
shopify.com/legal/privacy
Google Gemini AI
AI food image analysis
policies.google.com/privacy
Apple HealthKit
On-device health data (not
uploaded)
apple.com/legal/privacy/
Apple App Store
In-app purchases
apple.com/legal/privacy/
We do not sell your personal data to any third party.
9. Data Retention
• Account data is retained as long as your account is active.
• Analytics data (Firebase) is retained for 14 months by default, per Google's standard
configuration.• AppsFlyer attribution data is retained for 24 months.
• HealthKit data is stored locally on your device; we do not retain copies on our servers.
• Food images sent for AI analysis are not stored after the analysis response is received.
• Upon account deletion, your personal data will be deleted or anonymised within 30 days,
except where retention is required by law.
10. Underage Users
• The minimum age to use Coti is 13 years.
• For users aged 13–15 (or up to 16, subject to local law), verifiable parental or guardian
consent is required for data processing, in accordance with Finnish law and GDPR Article
8.
• Parents and guardians may contact us at info@coti-home.com to review, correct, or delete
data relating to their child.
• We do not knowingly collect personal data from children under 13. If we discover that data
has been collected from a child under 13 without consent, we will delete it promptly.
11. International Data Transfers
Third-party services including Google (Firebase, Gemini AI), Meta (Facebook), AppsFlyer,
RevenueCat, and Shopify may store and process data on servers located outside the
EU/EEA, including in the United States. We ensure that such transfers are protected by one or
more of the following mechanisms:
• EU Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Binding Corporate Rules or other approved transfer mechanisms.
For details of the transfer safeguards applied by each provider, please refer to their respective
privacy policies (listed in Section 8).
12. Your Rights Under GDPR
• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request corrections to inaccurate data.
• Right to Erasure: Request deletion of your data (subject to legal retention obligations).
• Right to Restrict: Request that we limit how we process your data.
• Right to Object: Object to processing based on legitimate interests.
• Right to Data Portability: Request a copy of your data in machine-readable format.
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful
processing.• Right Not to Be Profiled: Object to automated decision-making that produces significant
effects.
Data Deletion Instructions
To delete your account and personal data, email info@coti-home.com with:
• Your CotiUID (visible in the app settings).
• A brief description of the data you want removed.
We will delete or anonymise your data within 30 days and confirm completion. Certain data
may be retained longer if required by law.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer
Privacy Act (CCPA), including the right to know what personal information is collected, the
right to request deletion, and the right to opt out of the sale of personal information. We do not
sell personal information. To exercise CCPA rights, contact us at info@coti-home.com.
Right to Lodge a Complaint
If you believe your data has been processed unlawfully, you have the right to file a complaint
with your national data protection authority. In Finland, this is the Office of the Data Protection
Ombudsman (tietosuoja.fi).
13. App Permissions
Coti requests the following system permissions. Each permission is requested only when
needed and you may deny or revoke permissions in your device settings:
• Camera: Required for scanning food items and barcodes for AI nutritional analysis.
• Photo Library: Optional — allows you to upload an existing photo for food analysis.
• Bluetooth: Required to connect and communicate with the Coti Food Scale via BLE.
• Health (HealthKit): Optional — allows Coti to read/write nutrition data to Apple Health.
• Notifications: Optional — allows Coti to send reminders and alerts via push notifications.
• Tracking (ATT): Optional — allows AppsFlyer to use your IDFA for advertising attribution.
• Motion & Fitness: Optional — used if fitness activity data is integrated.
• Files & Documents: Optional — allows import of documents (e.g., recipes) via the
document picker.
14. Automated Decision Making and AI
The app uses Gemini AI for food image analysis. This process does not produce legal or
similarly significant effects on users — it simply estimates the nutritional content of a
photographed meal. You remain free to adjust or disregard any AI-generated nutritional
estimates.We do not use your data for automated profiling that would affect your access to services,
credit, insurance, or similar consequential decisions.
15. Cookies and Tracking Technologies
The Coti app may use device identifiers and equivalent tracking technologies (rather than
browser cookies) to:
• Maintain your login session.
• Improve app performance and user experience.
• Attribute app installs and measure marketing effectiveness (via AppsFlyer, subject to ATT
consent).
You can manage tracking preferences through your device's Privacy settings (Settings >
Privacy & Security > Tracking on iOS).
16. Data Security
• All data transmissions between the app and our servers are encrypted using TLS 1.2 or
higher.
• Authentication credentials are stored in the iOS Keychain, which is hardware-encrypted.
• Firebase Firestore applies access rules to ensure each user can only access their own
data.
• We conduct periodic security reviews and apply security patches promptly.
Despite these measures, no data transmission or storage system is completely secure. If you
become aware of a security issue, please contact us at info@coti-home.com.
17. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our app functionality, third-party
services, or legal requirements. When we make material changes, we will notify you through
the app and/or by email at least 14 days before the changes take effect. Your continued use of
Coti after the effective date constitutes acceptance of the updated Policy.
18. Data Protection Officer
We have not currently appointed a dedicated Data Protection Officer, as our data processing
activities do not require one under Article 37 GDPR. If our processing activities change, we will
appoint a DPO as required. For all data protection enquiries, contact: info@coti-home.com
19. Governing Law
This Privacy Policy is governed by Finnish law and the General Data Protection Regulation
(EU) 2016/679 (GDPR). Any disputes shall be resolved in the competent courts of Finland,
without prejudice to your right to lodge a complaint with a supervisory authority.
Kava Oy · Kovasintie 12, 04220 Kerava, Finland · info@coti-home.com