Korysnyk beta
Products Features Assistants Pricing FAQ Investors Download

The authentic version of this document is the Ukrainian one. Translations are provided for convenience.

Privacy Policy

Date of publication: 12 May 2026 · Effective date: 11 June 2026 · Version 2.0

This Privacy Policy explains how Korysnyk LTD processes your personal data when you use the Korysnyk mobile application, the korysnyk.care website and the dashboard.korysnyk.care web account (together, the "Service")

This document has been prepared taking into account the requirements of the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679, hereinafter "GDPR") and the UK Data Protection Act 2018 (UK Data Protection Act 2018, UK GDPR)

1. Data Controller

The controller of your personal data under the GDPR is

  • Name: Korysnyk LTD
  • Jurisdiction: England and Wales
  • Company registration number: 16942523
  • Registered address: 128 City Road, London, United Kingdom, EC1V 2NX
  • Contact email address for data protection matters: admin@korysnyk.care

If you have any questions about the processing of personal data or wish to exercise your rights, please contact us at the address indicated

2. Categories of personal data we process

2.1. Account identification data

  • Email address
  • First and last name, if you provide them
  • Hashed password (we store only the hash, not the password itself)
  • Profile photo, if you upload one
  • Technical session identifiers (access and refresh JWT tokens)

2.2. Special category data (health data)

The data in this section belongs to special categories of personal data under Article 9 of the GDPR and is processed only on the basis of your explicit consent (explicit consent, Art. 9(2)(a) GDPR). You provide it voluntarily, may choose not to specify it, and may also delete it at any time

  • Allergies and food intolerances
  • Chronic diseases and diagnoses (diabetes, hypertension, celiac disease, gout, kidney disease and others)
  • Dietary restrictions (veganism, keto, halal and others)
  • Skin type and characteristics for cosmetics analysis
  • Sex, age, height, weight, body mass index calculated by the system
  • Pregnancy or breastfeeding status, if you specify it

2.3. Service usage data

  • History of product barcode scans
  • History of text and voice searches
  • History of interaction with AI assistants (Savora, Medic, Cosmo) — texts of messages and responses
  • Likes, dislikes, comments on products and news
  • News bookmarks
  • Photos of product packaging that you submit for moderation

2.4. Technical data

  • IP address and technical information about the device (model, operating system, application version)
  • Timestamps of requests to the API
  • Error logs, which may contain user_id and request context
  • Anonymized in-app behavior analytics events

3. Legal bases for processing

Purpose of processing Category of data GDPR legal basis
Creation and maintenance of an account Section 2.1 Performance of a contract, Art. 6(1)(b)
Authentication and session security Section 2.1, 2.4 Performance of a contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f)
Personalization of product analysis (Swapr) Section 2.2 Explicit consent, Art. 9(2)(a)
General analysis of product composition (Lumi) Section 2.3 Performance of a contract, Art. 6(1)(b)
AI consultations in themed chats Section 2.3 Performance of a contract, Art. 6(1)(b)
Application usage analytics Section 2.4 Consent, Art. 6(1)(a) — you can disable analytics in the settings
Detection and correction of errors Section 2.4 Legitimate interests, Art. 6(1)(f)
Moderation of user content Section 2.3 Performance of a contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f)
Sending service notifications Section 2.1 Performance of a contract, Art. 6(1)(b)

Where processing is based on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing that took place before the withdrawal

4. How we obtain your data

  • Directly from you during registration, completion of your health profile, product scanning, communication with AI assistants and submission of products for moderation
  • Automatically during use of the application — technical data, request logs, analytics events
  • From your device — the camera for scanning barcodes and photographing packaging, the microphone for voice search, if you have granted the corresponding permissions

Access to the camera and microphone is granted only with your explicit consent in the operating system dialogs and is used solely for the scanner and search functions

5. Categories of data recipients

We transfer personal data to the following categories of processors (processors), each of which acts on the basis of a contract with us and is obliged to ensure a level of protection that complies with the GDPR

5.1. Processors with data processing in infrastructure outside the EEA

  • OpenRouter (provider: OpenRouter Inc., USA) — the single gateway to the LLM for analysis of product composition and AI chats. Through OpenRouter, data is routed to third-party models, in particular Google (the model google/gemini-2.5-flash-lite by default). The texts of requests and the product composition are transferred; direct user identifiers are not transferred
  • Mixpanel Inc. (USA) — in-app behavior analytics, events are sent with a pseudonymized identifier. You can opt out of analytics in the application settings

5.2. Providers that process data solely as infrastructure

  • Cloud hosting and providers of computing resources in the EU and United Kingdom regions
  • The self-hosted GlitchTip service at errors.korysnyk.care for collecting error logs (Sentry-compatible), located in the infrastructure of Korysnyk LTD
  • The self-hosted Meilisearch and Qdrant services for search, located in the infrastructure of Korysnyk LTD

5.3. Legal and regulatory recipients

We may transfer data to competent state authorities in the case of a justified legal requirement, a court decision or an obligation provided for by legislation

We do not sell your personal data. We do not use your data for third-party marketing

6. International data transfers

Some of our processors (OpenRouter, Mixpanel) are located in the USA. The transfer of personal data to third countries is carried out on the basis of

  • The European Commission's Standard Contractual Clauses (Standard Contractual Clauses) of 4 June 2021
  • Adequacy decisions, if such have been adopted in respect of a particular country or certification program (for example, the EU-US Data Privacy Framework, if the processor participates in it)

Copies of the applicable contractual mechanisms may be requested at admin@korysnyk.care

7. Automated decision-making and profiling

The Service contains automated analysis components

  • Lumi — an automated assessment of the safety of a product's composition, generates an overall score of 0–100, a Nutri-Score, a NOVA group and textual warnings
  • Swapr — automated personalization of recommendations based on your health profile

These results are of an informational nature, are not a medical diagnosis, medical advice or a prescription. We do not make any legally significant decisions about you on the basis of these results. The decision about consuming a product is made by you independently; in case of doubt, consult a doctor

You can delete your health profile data at any time, which will disable Swapr personalization. Lumi's general analysis will remain available

8. Retention periods

Category of data Retention period
Account data Until the account is deleted, after which soft-delete for 30 days, then complete destruction
Health profile data Until deleted by you or until the account is deleted
Scan and search history Until deleted by you via the history-clearing function or until the account is deleted
History of chats with AI assistants Until the chat is deleted by you or until the account is deleted
Error logs in GlitchTip 90 days, after which automatic deletion
Analytics events in Mixpanel Stored in accordance with the provider's data retention settings, but no longer than necessary for analytical purposes
Lumi cache by EAN13 Indefinitely, as it does not contain personal data
Photos submitted for moderation Stored after moderation as part of the product database, not linked to the account after acceptance

Some anonymized or aggregated data may be stored longer for statistical and research purposes in a form that does not allow you to be identified

9. Data security

We apply technical and organizational protection measures in accordance with Article 32 of the GDPR

  • Encryption of data transmission (TLS 1.2+)
  • Encryption of passwords via werkzeug with salted hashing
  • JWT authentication with separate access and refresh tokens, proactive refresh 5 minutes before expiration
  • Restriction of database access at the network level
  • Error logging to the self-hosted GlitchTip
  • Restriction of user actions (rate-limit) to prevent abuse
  • Regular updates of infrastructure components

No system is absolutely secure. In the event of an incident with personal data that may create a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours in accordance with Article 33 of the GDPR, and you — in the cases provided for by Article 34 of the GDPR

10. Your rights under the GDPR

You have the following rights in relation to your personal data

  • Right of access (Art. 15) — to obtain confirmation of processing and a copy of the data
  • Right to rectification (Art. 16) — to correct inaccurate or incomplete data
  • Right to erasure / right to be forgotten (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — to receive the data in a structured, machine-readable format
  • Right to object to processing (Art. 21), in particular to processing on the basis of legitimate interests
  • Right not to be subject to a decision based solely on automated processing (Art. 22) — given that we do not make decisions with legal consequences, this right is exercised through the ability to disable Swapr personalization
  • Right to withdraw consent at any time, where processing is based on consent
  • Right to lodge a complaint with a supervisory authority

To exercise these rights, write to admin@korysnyk.care. We respond within one month of receiving the request in accordance with Article 12(3) of the GDPR

11. Right to complain

If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with a supervisory authority at your place of residence, place of work or place of the alleged violation

  • Ukraine: Ukrainian Parliament Commissioner for Human Rights
  • United Kingdom: Information Commissioner's Office (ICO), ico.org.uk
  • Other EU countries: the relevant national data protection authority

12. Account deletion

You can delete your account

  • In the application: settings → delete account
  • Via the web page: korysnyk.care/delete-account
  • By submitting a request to admin@korysnyk.care

Upon receipt of the request, your account is placed in a soft-delete state with a recovery window of 30 days. After the end of this period, personal data is irreversibly deleted. Anonymized statistical data and the Lumi cache (not linked to you) may continue to be stored

13. Analytics

The Service uses Mixpanel to collect aggregated data about the use of the application. Analytics does not include the content of messages with AI assistants and the contents of your health profile. You can disable analytics in the application settings — after disabling, new events are not sent

14. Cookies

The korysnyk.care website uses solely technical (necessary) cookies required for the operation of the site. Analytical and marketing cookies are not set on the site. In the dashboard.korysnyk.care web account, technical cookies are used to maintain the session and authentication

15. Children

The Service is not intended for persons under 16 years of age. We do not knowingly collect the personal data of children. If you become aware that a child has provided us with data without the consent of a parent or legal guardian, please notify us at admin@korysnyk.care and we will delete this data

16. Changes to the Policy

We may update this Policy from time to time. The date of the last update is indicated at the beginning of the document. We will notify you of material changes through the application or by email at least 30 days before the changes take effect. Continued use of the Service after the changes take effect means your acceptance of the updated version

17. Contacts

For matters of data protection, the exercise of your rights, complaints and other inquiries

Email: admin@korysnyk.care

Website: korysnyk.care

Legal entity: Korysnyk LTD, England and Wales

Company registration number: 16942523

Registered address: 128 City Road, London, United Kingdom, EC1V 2NX

Korysnyk

AI scanner for food, cosmetics and household chemicals with personalized ingredient analysis tailored to your health profile.

Made in Ukraine · A product by Korysnyk LTD

Product

  • Products
  • Features
  • AI assistants
  • Pricing
  • How it works

Support

  • Download
  • FAQ
  • Support
  • Telegram
  • GitHub
  • Investors and sponsors

Legal

  • Privacy Policy
  • Terms of Use
  • Delete account
  • License

© 2026 Korysnyk LTD. All rights reserved.

Created by Yuriy Kachaniuk