Privacy Policy

Last updated: 27 May 2026

1. Data Controller

NibbleCal ("we", "us", "our") operates the NibbleCal application and website at nibblecal.com. For any privacy-related inquiries, contact us at info@nibblecal.com.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address — required for authentication via magic link or Google OAuth
  • Display name — optional, set by you (or provided by Google if you sign in with Google)
  • Authentication provider — whether you signed in via magic link or Google OAuth
  • Language preference

2.2 Health & Biometric Data

If you choose to set nutrition goals, we collect and process the following special category data under GDPR Article 9(2)(a) (explicit consent):

  • Height, weight, age, and biological sex
  • Activity level and fitness goal (lose, maintain, gain)
  • Daily calorie and macronutrient targets
  • Food logs including meal names, quantities, and nutritional values

2.3 Fitness & Activity Data

If you choose to connect a third-party fitness service (such as Strava), we collect:

  • Exercise activities — activity type, name, duration, distance, and calories burned
  • Athlete profile — your athlete ID and display name from the connected service
  • OAuth tokens — encrypted access and refresh tokens for API communication (encrypted at rest with AES-256-GCM)

We only request read-only access to your activity data. We do not post, modify, or delete any data on your connected fitness accounts. You can disconnect your fitness account at any time in Settings, which immediately deletes all stored tokens and connection data.

When you connect a fitness service, that service (e.g., Strava) may collect and use data related to your access to their API, including usage data about your interactions with NibbleCal's fitness features. Please refer to their respective privacy policies for details.

2.4 Food & Kitchen Data

  • Photos — images of food, receipts, or fridge contents you capture or upload
  • Voice recordings — audio you record for voice-based food logging (transcripts are stored; raw audio is not retained)
  • Inventory items — ingredients detected or manually added
  • Barcode scans — product barcodes you scan for nutritional lookup
  • Shopping lists — items you add for grocery planning
  • Recipe data — AI-generated recipes based on your inventory

2.5 Dietary Preferences

  • Diet types (vegetarian, vegan, keto, halal, etc.)
  • Allergies and food intolerances
  • Household size
  • Default cooking time preference

2.6 Billing & Subscription Data

If you subscribe to NibbleCal Pro, we collect and store:

  • Subscription status — your current plan tier (free, trial, or paid) and subscription state
  • Polar customer ID — a unique identifier assigned by our payment processor to link your account
  • Subscription events — records of subscription lifecycle events (created, activated, cancelled, revoked) for billing integrity
  • Plan expiry dates — trial end dates and grace period timestamps

We do not store your payment card details, bank account information, or other financial credentials. All payment processing is handled entirely by Polar.

2.7 Usage Data

  • Feature usage events (e.g. recipe generated, food logged, photo captured)
  • Correction history when you amend AI-detected items
  • Timestamps of interactions

2.8 Technical Data

  • Session tokens (stored in an HTTP-only cookie)
  • Theme preference and onboarding status (stored in your browser's local storage)

3. Legal Basis for Processing (GDPR Article 6)

DataLegal Basis
Account data (email, name)Contract — necessary to provide the service (Art. 6(1)(b))
Health & biometric dataExplicit consent — you actively choose to enter this data (Art. 9(2)(a))
Food photos, voice, inventoryContract — core service functionality (Art. 6(1)(b))
Billing & subscription dataContract — necessary to provide paid features and manage your subscription (Art. 6(1)(b))
Fitness & activity data (Strava)Explicit consent — you actively connect your fitness account (Art. 9(2)(a))
Usage & analytics eventsLegitimate interest — improving the service (Art. 6(1)(f))
Session cookieContract — necessary for authentication (Art. 6(1)(b))

4. How We Use Your Data

  • Authentication — sending magic link emails to verify your identity
  • Nutrition tracking — calculating TDEE/BMR, logging meals, tracking macros
  • AI food analysis — identifying food items and estimating nutrition from photos
  • Recipe generation — creating recipes from your available ingredients and preferences
  • Voice input — transcribing spoken food descriptions for logging
  • Barcode lookup — retrieving product nutrition data from external databases
  • Analytics — generating your personal nutrition trends, consistency scores, and insights
  • Service improvement — understanding feature usage to improve NibbleCal

5. Third-Party Processors

We share data with the following third-party services to provide NibbleCal's features. Each processor is bound by their own privacy policies and data processing agreements.

ServicePurposeData SharedLocation
Google Gemini AIFood photo analysis, nutrition estimationFood images, text promptsUS
Anthropic ClaudeRecipe generationIngredient lists, dietary preferencesUS
ElevenLabsSpeech-to-text, text-to-speechAudio recordings, text for synthesisUS
DeepgramAlternative speech-to-textAudio recordingsUS
Mistral AIReceipt text extraction (OCR)Receipt imagesEU (France)
PolarPayment processing, subscription managementEmail address, Polar customer ID, subscription eventsEU/US
Cloudflare R2Image storageUploaded photosEU/US
TursoDatabase hostingAll application dataEU (Ireland)
ResendTransactional emailEmail addressUS
OpenFoodFactsBarcode product lookupBarcode numbersEU (France)
SpoonacularRecipe suggestionsIngredient names, dietary restrictionsUS
UPCitemdbBarcode product lookup (fallback)Barcode numbersUS
StravaFitness activity sync (exercise tracking)OAuth tokens (encrypted), activity data (type, duration, calories)US
Google OAuthOptional sign-in authenticationEmail address, display name (via Google consent screen)US

6. International Data Transfers

Some of our processors are located in the United States. Where data is transferred outside the European Economic Area (EEA), we rely on:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Processor-specific compliance measures

7. Data Retention

Data TypeRetention Period
Account dataUntil you request deletion (30-day soft-delete grace period before permanent removal)
Health & nutrition dataUntil you request deletion
Uploaded photosUntil you request deletion
Food logsUntil you request deletion
Subscription & billing dataUntil account deletion (subscription events retained for 24 months for financial records)
Fitness connection tokensUntil you disconnect the fitness account or delete your account
Exercise activity logsUntil you disconnect the fitness account or delete your account
Session tokens90 days from last activity (sliding)
Magic link tokens20 minutes (auto-expire)
Barcode cache90 days (shared, non-personal)
Usage events12 months, then anonymised

8. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate data via Settings or by contacting us
  • Erasure ("right to be forgotten") — request deletion of your account and all associated data
  • Data portability — receive your data in a structured, machine-readable format
  • Restriction of processing — limit how we use your data in certain circumstances
  • Object — object to processing based on legitimate interest
  • Withdraw consent — withdraw consent for health data processing at any time (this does not affect prior processing)

To exercise any of these rights, email info@nibblecal.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local Data Protection Authority (DPA).

9. Cookies & Local Storage

9.1 Essential Cookie

We set a single HTTP-only session cookie (nibblecal_session) that is strictly necessary for authentication. It contains only an opaque session token and cannot be read by JavaScript. No consent is required for this cookie under GDPR Recital 30 and the ePrivacy Directive (strictly necessary exemption).

9.2 Local Storage

We store the following in your browser's local storage:

  • nibblecal-theme — your dark/light theme preference
  • nibblecal-streak-date / nibblecal-streak-count — visit streak tracking

We do not use any third-party tracking cookies, advertising pixels, or cross-site analytics.

10. Household Data Sharing

NibbleCal supports household groups. When you are a member of a household, all members can view:

  • Shared inventory items
  • Shopping lists
  • Generated recipes
  • Food capture events from any household member

Your personal nutrition goals, food logs, and biometric data are not shared with other household members.

11. Children's Privacy

NibbleCal is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly.

12. Security

We protect your data with:

  • TLS/HTTPS encryption for all data in transit
  • HTTP-only, Secure, SameSite cookies to prevent XSS and CSRF attacks
  • Encrypted database storage (Turso)
  • Encrypted object storage (Cloudflare R2)
  • Passwordless authentication (magic links) — no passwords to leak
  • Signed, time-limited URLs for image access

13. AI Assistants & MCP Connectors

NibbleCal exposes a Model Context Protocol (MCP) server that lets you use NibbleCal from third-party chat agents such as ChatGPT, Claude, VS Code, and Cursor. This section describes what data is processed when you connect a chat agent to your NibbleCal account. See also Section 14 of our Terms of Service.

13.1 What the Chat Agent Sees

When you ask a chat agent a question, the agent decides which NibbleCal tool to call and what arguments to pass. The response from NibbleCal — and only the response — is then visible to the chat agent's underlying model so it can answer you. Depending on the tool called, the response may include:

  • Recipes, ingredients, and meal-plan entries from your household
  • Pantry inventory items, expiry dates, and shopping list items
  • Food log entries (meal name, quantity, macros, meal slot, timestamp)
  • Daily nutrition totals and goal progress
  • Your dietary preferences (diet, allergies) and household size
  • Capture history (photo & voice submission metadata; image URLs are signed and time-limited)

NibbleCal does not send your email address, OAuth tokens for third-party services (such as Strava or Garmin), payment data, or full account credentials through any MCP tool response.

13.2 Authentication via Device Code

Connecting a chat agent to your account uses a short-lived device code that you approve at nibblecal.com/auth/mcp-approve. On approval, a bearer token is issued specifically for that chat-agent session (database column sessions.scope = 'mcp'). The token is held by the chat agent client; it authorises calls back to the NibbleCal API at the same scope as your web session.

13.3 Third-Party Model Providers

The chat agent itself (ChatGPT, Claude, etc.) is operated by a third party. Anything you type into the chat agent, and any tool response NibbleCal returns, is processed by that third party's underlying model provider (typically OpenAI, Anthropic, or similar) according to their own terms and privacy policy. NibbleCal has no control over and assumes no responsibility for those providers' handling of conversation data.

As of the "Last updated" date above, OpenAI and Anthropic both publicly commit to not training their models on API / business-tier data by default. We recommend you verify the current terms of any chat agent you connect.

13.4 NibbleCal Does Not Train on Your Logs

NibbleCal does not use your food logs, photos, voice transcripts, or pantry data to train AI models. We use third-party model APIs (Section 5) to compute nutrition estimates and generate recipes on demand. These calls are governed by the respective providers' no-training-by-default API terms.

13.5 Retention of MCP Session Data

MCP sessions are stored in the sessions table with a 90-day inactivity sliding window, matching the retention of standard web sessions. Daily quota counters for AI tools (table mcp_quota_counters) are retained for 30 days for fraud-prevention and rate-limiting purposes, then automatically purged. Device codes that are not approved within 10 minutes are immediately invalidated.

13.6 Anonymous (Unauthenticated) MCP Usage

A small subset of MCP tools may be used without a NibbleCal account (estimate_meal_text, estimate_meal_photo, browse_recipes_public, features, signup_start). For these calls we collect only the request itself plus an IP-based rate-limit identifier; no personal data is associated with the request.

13.7 Revoking MCP Access

You can revoke an MCP session at any time:

  • From Settings → Connected sessions inside NibbleCal
  • By removing the NibbleCal connector inside your chat agent
  • By deleting your NibbleCal account, which revokes all sessions of every scope

Revocation takes effect immediately — the next tool call from that chat agent will be rejected.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by displaying a notice within the application. The "Last updated" date at the top of this page indicates the most recent revision.

15. Contact

For privacy questions, data access requests, or complaints:

Email: info@nibblecal.com

Terms of ServiceDisclaimer