CALOBITE
Privacy Policy
Last updated: March 23, 2026
Calobite ("we", "our", "the app") is a calorie tracking mobile application developed by an independent developer. This policy explains what data we collect, how we use it, and your rights.
1. Data We Collect
Account Data
- Authentication: We use Supabase Auth for account management. You can sign in with Google or use anonymous authentication. We store your user ID and authentication tokens securely on your device via encrypted storage.
- Profile information: Name, date of birth, sex, height, weight, and activity level — provided by you during onboarding. This data is used solely to calculate your personalized nutrition targets.
Health & Nutrition Data
- Meal entries: Food names, calories, protein, carbs, fat, and optional meal photos.
- Weight entries: Body weight measurements and optional progress photos.
- Exercise entries: Activity descriptions, duration, and estimated calories burned.
- Goals: Weight goals, target dates, and daily calorie/macro targets.
This data is stored locally on your device and synced to our secure cloud database (Supabase, hosted on AWS) so you can access it across sessions.
Food Database Queries
- Open Food Facts: When you scan a barcode, we query the Open Food Facts public database. Your device sends the barcode number and a User-Agent header. No personal data is shared.
- FatSecret: If a barcode is not found in Open Food Facts, we query the FatSecret Platform API as a fallback. This query runs on our server — your barcode is sent to our server, which then queries FatSecret. No personal data is shared with FatSecret.
AI Meal Scanning
- Meal & label photos: When you use the AI scan feature, your photo is sent to our server (Supabase Edge Function), which forwards it to Google's Gemini AI for food identification. The photo is processed in real time and is not stored by Google beyond the API call. We do not store your scan photos on our servers.
- Scan history: We log scan metadata (timestamp, food count, scan type) for rate limiting and usage tracking. Photos are not stored server-side.
Analytics
- PostHog: We use PostHog for anonymous usage analytics (e.g., which features are used, onboarding completion rates). We track events like "meal_logged" and "barcode_scanned" with aggregate properties but never your actual food diary content.
- We do not track: GPS location, contacts, browsing history, or any data unrelated to calorie tracking.
Subscription Data
- RevenueCat: Subscription purchases are managed by RevenueCat. They process your payment through Google Play or the Apple App Store. We receive only your subscription status (active/expired) and plan type, not your payment details.
2. How We Use Your Data
- Personalized nutrition targets: Your profile data is used to calculate BMR, TDEE, and daily calorie/macro targets using the Mifflin-St Jeor equation.
- Food tracking: Your meal, weight, and exercise entries are displayed in the app and used to calculate daily progress.
- AI scanning: Photos are processed by Google Gemini solely to identify foods and estimate nutrition values. Photos are not used for training AI models.
- Product improvement: Anonymous analytics help us understand which features are useful and where users encounter friction.
3. Data Storage & Security
- Local storage: All your data is stored on your device using encrypted storage (MMKV).
- Cloud sync: Data is synced to Supabase (PostgreSQL database hosted on AWS) with Row Level Security (RLS) — each user can only access their own data.
- Authentication tokens: Stored in your device's secure storage (Keychain on iOS, EncryptedSharedPreferences on Android).
- Edge Functions: Our server-side functions run on Supabase Edge (Deno Deploy) and only process data in transit — no persistent storage of photos or scan content.
4. Third-Party Services
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Database, auth, edge functions | Profile, diary, weight, exercise data |
| Google Gemini AI | Meal/label photo analysis | Photos (transient, not stored) |
| Open Food Facts | Barcode product lookup | Barcode number only |
| FatSecret | Barcode fallback lookup | Barcode number only (server-side) |
| PostHog | Anonymous analytics | Usage events, no PII |
| RevenueCat | Subscription management | User ID, purchase status |
| Google Play | App distribution, payments | Per Google's policies |
5. Data Retention
- Account data: Retained while your account is active. Deleted upon request.
- Meal/weight/exercise entries: Retained while your account is active. You can delete individual entries at any time within the app.
- Scan logs: Retained for rate limiting purposes. Anonymized after 90 days.
- Analytics: PostHog retains anonymous events per their data retention policy.
6. Your Rights
- Access: You can view all your data within the app at any time.
- Deletion: You can delete individual entries within the app. To delete your entire account and all associated data, contact us at privacy@calobite.dev.
- Portability: Contact us to request an export of your data.
- Opt-out of analytics: Contact us to opt out of PostHog analytics tracking.
7. Children's Privacy
Calobite is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us.
8. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the app after changes constitutes acceptance.
9. Contact
For privacy questions or data requests: