Legal

Privacy Policy

Last updated: 23 May 2026

This policy explains what Chompanion collects, why we collect it, and what we do with it. We've tried to keep it short and concrete. If anything is unclear, email [email protected].

Short version. We store your account, the meals you log, and the recipes you save — that's it. We don't sell your data, we don't run ads, and we don't train public AI models on your food log. Photos you submit for AI analysis are sent to our AI provider for processing only and are not retained for training.

1. Who we are

"Chompanion", "we", "us" refers to the operator of the Chompanion app and chompanion.com. For privacy questions or requests, contact [email protected].

2. What we collect

2.1 Account data

Email and username — required to create and sign in to your account.
Password — stored as a salted hash by our authentication provider (Supabase Auth). We never see your plaintext password.
Account timestamps — when you created the account, when you last signed in.

2.2 App content you create

Meals you log — food name, portion, calories and macros, the date and time you logged it.
Custom foods and recipes — anything you create, save, or favourite.
Photos you upload — meal photos you submit for AI analysis or attach to a recipe.
Goals and preferences — daily calorie/macro targets and basic in-app settings.

2.3 Subscriptions and payments (closed beta)

Chompanion is in a free closed beta for friends and family testers. We do not sell subscriptions or accept payments in the app today, and we do not receive card or payment details. The app may show placeholder UI for a future paid tier; that is not active and cannot charge you. If we enable paid plans later, we will update this policy before any purchase goes live.

2.4 Technical data

API usage counters — number of AI photo analyses, recipe generations, and similar requests, used to enforce per-day limits.
Server logs — IP address, user agent, request path and timestamp. Kept for up to 30 days for security and debugging, then rotated.
Crash reports — basic diagnostic info from the app if it crashes, used to fix bugs.

2.5 What we don't collect

Advertising identifiers, ad-tracking SDKs, third-party analytics for ad targeting.
Health-data integrations beyond what you explicitly enable.
Contacts, location, microphone, or other device data unrelated to logging food.

2.6 Nutrition lookup & barcode data

When you use certain features, the app contacts third-party nutrition databases or our servers that host copies of public food-composition data:

Barcode scan — your device sends the scanned barcode to Open Food Facts to retrieve product name, nutrition, ingredients, and images. We do not route barcode lookups through our API. Open Food Facts may log the request under their own policy.
Food search & ingredient matching — queries go to our API (api.chompanion.com), which searches a database we maintain containing nutrient values derived from USDA FoodData Central (SR Legacy and Foundation Foods) and the German Bundeslebensmittelschlüssel (BLS). Your search terms are processed on our servers; we do not send every search to USDA or BLS in real time.
AI photo analysis — the photo (or derived text) is sent to Google Gemini as described below. When the AI returns ingredient names, we may match them against the same USDA/BLS-backed database on our servers to fill in nutrition numbers.

Product images shown after a barcode scan may come from Open Food Facts and are licensed under Creative Commons Attribution ShareAlike where applicable. See our Terms — Nutrition and product data for licences and attribution requirements.

3. Why we use it

Run the service. Authenticate you, store your meals, sync across your devices.
AI analysis. Send the photo or text you submit to our AI provider so it can return nutrition estimates.
Barcode & food lookup. Look up packaged products (Open Food Facts) and match foods to reference nutrition data (USDA FoodData Central and BLS copies on our servers).
Fair-use limits. Cap daily AI usage during the beta so the service stays stable for testers.
Security & abuse prevention. Rate limit, detect attacks, fix bugs.
Service emails. Account confirmation, password resets, security notices. We do not send marketing emails by default.

4. Where your data lives

Supabase — account and profile. Hosted in the EU.
MySQL (managed) — your food diary, recipes, custom foods, and per-day usage counters.
Object storage — meal photos you upload, scoped to your account.
AI provider (Google Gemini) — receives the meal photo or text you submit, returns the nutrition estimate. Per their API terms, submissions through their paid API are not used to train Google's models.
Open Food Facts — when you scan a barcode, the app queries their public API from your device. They receive the barcode (and standard request metadata). See their terms.
USDA FoodData Central & BLS — we host imported copies on our MySQL database; you interact with them through our API, not directly with USDA or the Max Rubner-Institut on each search.
Email provider — used to send confirmation and password-reset emails.

Some of these providers are based outside the EU/EEA. Where data leaves the EU, we rely on the providers' Standard Contractual Clauses or equivalent safeguards.

5. Sharing

We do not sell your data. We share it only with the providers listed above, only to operate the service. We will disclose data if compelled by a valid legal request, and we'll push back on requests that are overbroad.

6. Retention

Account & app content — kept while your account is active.
Server logs — up to 30 days.

7. Your rights

If you're in the EU/EEA or UK, you have the right to access, correct, restrict, or delete your personal data, and to object to certain processing. You can exercise these rights from inside the app or by emailing [email protected].

7.1 Deleting your account

You can delete your account from the app. Deleting removes your meal history, recipes, uploaded photos, and profile from our active systems. Some entries — security logs — may be retained where law requires; these are isolated from your account once deleted.

Note: Chompanion does not currently offer a self-service data export feature. If you need a copy of your data for a regulatory reason (e.g. GDPR access request), email [email protected] and we will respond within 30 days.

8. Security

Passwords are hashed by Supabase Auth — we cannot read them.
All traffic to our servers uses HTTPS.
Server-only credentials (database, AI keys, webhooks) live in the backend; the app does not see them.
Database access is restricted: clients can only read and write their own rows (Row Level Security).

9. Children

Chompanion is not directed to children under 13 (or under 16 in jurisdictions that require it). We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.

10. Changes

If we make material changes to this policy we'll update the date above and, where the change is significant, notify you in-app or by email. Continued use of Chompanion after a change means you accept the updated policy.

11. Contact

Privacy questions, deletion requests, or anything else: [email protected].