Privacy Policy

Last updated 2026-07-05

This is a plain-language description of our actual data practices, written by the team. It is not a substitute for legal advice, and a qualified privacy lawyer should review it — particularly the regulatory framing in docs/COMPLIANCE.md — before it's treated as a final, lawyer-approved policy for every market Food & Fit is sold in.

The short version

Food & Fit is local-first. Your food log, weight, exercise, and cycle/symptom/glucose/supplement notes are stored on your device, in your device's protected storage, using Apple's SwiftData framework. There is no Food & Fit account, no sign-in, and no server-side database of your personal logs. The only things that ever leave your device are described below — everything else stays on your phone until you delete it or delete the app.

What stays on your device, always

  • Your food, exercise, and weight logs.
  • Your cycle, symptom, glucose, and supplement notes ("Well-being" features). This data is written to your device's local database and is never sent to our servers — we verified this directly in the app's networking code, which has no code path that transmits cycle/symptom/glucose/supplement data anywhere.
  • Your on-device AI reflections (weekly Trends summary, Well-being pattern insights). These run using Apple's on-device Foundation Models framework, entirely on your phone. Nothing about your logs is sent to us or to Apple's servers to generate these.
  • Your targets, profile, and settings (goals, life stage, units).

You can delete all of this at any time from Settings → Delete Everything, which permanently erases every record above from your device. Deleting the app does the same.

What is sent to our servers, and why

Food & Fit uses a backend (a Cloudflare Worker we operate) for one job: to turn a food description, photo, or barcode into a calorie/macro estimate, using AI. When you describe a meal, snap a photo, or scan a barcode:

  • The text, photo, or barcode you provide is sent to our backend for processing.
  • Photos are processed and discarded — we do not store them. The backend returns an estimate and does not keep a copy.
  • An anonymous, per-install device identifier (not your name, email, or Apple ID) is sent with each request. It's used only to (a) apply the free daily AI-estimate allowance and (b) rate-limit/abuse-prevent at the network level (a short-lived counter, not a profile). It is not linked to any account, because there is no account, and it is not used to track you across other apps or websites.
  • Barcode lookups and food search go through the same backend to fetch nutrition data; they carry no health/cycle information, only the barcode or search text you typed.

We do not have a customer database, a login system, or a marketing/ads pipeline that this data feeds into.

Analytics

Food & Fit does not currently integrate any third-party analytics, advertising, or attribution SDK (no PostHog, Firebase, Mixpanel, etc.) — we checked the current app and backend source and confirmed none is wired in. Apple's own App Store Connect Analytics (aggregate install/engagement stats Apple provides to every developer) may apply, but that is Apple's product, not ours, and it does not give us access to your individual logs. If this changes (e.g. a future release adds product analytics), we will update this policy and the App Store "Privacy Nutrition Label" before that release ships — see docs/COMPLIANCE.md for the open item tracking this.

Apple Health (optional, off by default)

If you choose to connect Apple Health, Food & Fit can read and write specific Health data types (dietary energy, protein, body weight, active energy, and, for menstrual-cycle tracking, menstrual-flow/cycle-start samples and basal body temperature) so your rings/trends match what you track elsewhere and so other Health apps can see what you log here. This is:

  • Off until you explicitly grant it, permission-by-permission, through Apple's own Health permission screen (not ours).
  • Local to your device's Health store. We don't receive a copy of your Health data on our servers — it's a direct read/write between the app and Apple's HealthKit framework on your phone. Whether that data syncs to iCloud is controlled by your own iCloud/Health settings, not by us.
  • Revocable any time in iOS Settings → Health → Data Access & Devices.

Payments

Subscriptions and the lifetime purchase are handled entirely by Apple's StoreKit / App Store billing. We never see or store your card number, billing address, or Apple ID.

Who can see what

  • Us (the developer): transient access to the food/photo/barcode text you send for parsing (processed and discarded), plus anonymized rate-limit counters. We never receive your cycle, symptom, glucose, or supplement entries, your weight history, or your food log history in bulk — those stay on-device.
  • Apple: standard App Store operator data (purchases, crash logs if you opt in to sharing them with developers, App Store Connect Analytics), and whatever Health data you choose to sync, governed by Apple's own privacy policy.
  • No one else. We don't sell data, run ads, or share data with data brokers. There is nothing to share — most of what you'd expect us to have, we simply don't collect.

Data export and deletion

  • Export: Settings → Export lets you generate a file of your own data to keep or move elsewhere.
  • Delete: Settings → Delete Everything wipes all local records immediately. Deleting the app has the same effect (SwiftData's on-device store is removed with it), except for any data you separately chose to sync to Apple Health, which Apple's Health app controls independently.

Children

Food & Fit is not directed at children and is not intended for use by anyone under 13 (or the relevant minimum age in your country). We do not knowingly collect data from children.

Sensitive health data (cycle, symptom, glucose, supplement notes)

We know this category of data — reproductive/cycle health in particular — is sensitive, including under frameworks like the EU/UK GDPR's "special category data" (Article 9) and post-Dobbs U.S. state health-data laws. Our answer to that sensitivity is architectural, not just a policy promise: this data never leaves your device, so there is no server-side collection, sharing, or sale of it for us to misuse, subpoena-comply with, or breach. If you delete the app or use Delete Everything, it is gone. See docs/COMPLIANCE.md for the market-by-market regulatory posture and open items a lawyer should confirm.

Changes to this policy

If what leaves your device changes (e.g., analytics is added, a new synced feature ships), we'll update this document and the version date above before that feature reaches users, and reflect it in the App Store's Privacy Nutrition Label.

Contact

Questions about this policy: see the support contact at foodandfit.app/support.