1. Data Controller
NibbleCal ("we", "us", "our") operates the NibbleCal application and website at nibblecal.com. For any privacy-related inquiries, contact us at info@nibblecal.com.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — required for authentication via magic link or Google OAuth
- Display name — optional, set by you (or provided by Google if you sign in with Google)
- Authentication provider — whether you signed in via magic link or Google OAuth
- Language preference
2.2 Health & Biometric Data
If you choose to set nutrition goals, we collect and process the following special category data under GDPR Article 9(2)(a) (explicit consent):
- Height, weight, age, and biological sex
- Activity level and fitness goal (lose, maintain, gain)
- Daily calorie and macronutrient targets
- Food logs including meal names, quantities, and nutritional values
2.3 Fitness & Activity Data
If you choose to connect a third-party fitness service (such as Strava), we collect:
- Exercise activities — activity type, name, duration, distance, and calories burned
- Athlete profile — your athlete ID and display name from the connected service
- OAuth tokens — encrypted access and refresh tokens for API communication (encrypted at rest with AES-256-GCM)
We only request read-only access to your activity data. We do not post, modify, or delete any data on your connected fitness accounts. You can disconnect your fitness account at any time in Settings, which immediately deletes all stored tokens and connection data.
When you connect a fitness service, that service (e.g., Strava) may collect and use data related to your access to their API, including usage data about your interactions with NibbleCal's fitness features. Please refer to their respective privacy policies for details.
2.4 Food & Kitchen Data
- Photos — images of food, receipts, or fridge contents you capture or upload
- Voice recordings — audio you record for voice-based food logging (transcripts are stored; raw audio is not retained)
- Inventory items — ingredients detected or manually added
- Barcode scans — product barcodes you scan for nutritional lookup
- Shopping lists — items you add for grocery planning
- Recipe data — AI-generated recipes based on your inventory
2.5 Dietary Preferences
- Diet types (vegetarian, vegan, keto, halal, etc.)
- Allergies and food intolerances
- Household size
- Default cooking time preference
2.6 Billing & Subscription Data
If you subscribe to NibbleCal Pro, we collect and store:
- Subscription status — your current plan tier (free, trial, or paid) and subscription state
- Polar customer ID — a unique identifier assigned by our payment processor to link your account
- Subscription events — records of subscription lifecycle events (created, activated, cancelled, revoked) for billing integrity
- Plan expiry dates — trial end dates and grace period timestamps
We do not store your payment card details, bank account information, or other financial credentials. All payment processing is handled entirely by Polar.
2.7 Usage Data
- Feature usage events (e.g. recipe generated, food logged, photo captured)
- Correction history when you amend AI-detected items
- Timestamps of interactions
2.8 Technical Data
- Session tokens (stored in an HTTP-only cookie)
- Theme preference and onboarding status (stored in your browser's local storage)
3. Legal Basis for Processing (GDPR Article 6)
| Data | Legal Basis |
|---|---|
| Account data (email, name) | Contract — necessary to provide the service (Art. 6(1)(b)) |
| Health & biometric data | Explicit consent — you actively choose to enter this data (Art. 9(2)(a)) |
| Food photos, voice, inventory | Contract — core service functionality (Art. 6(1)(b)) |
| Billing & subscription data | Contract — necessary to provide paid features and manage your subscription (Art. 6(1)(b)) |
| Fitness & activity data (Strava) | Explicit consent — you actively connect your fitness account (Art. 9(2)(a)) |
| Usage & analytics events | Legitimate interest — improving the service (Art. 6(1)(f)) |
| Session cookie | Contract — necessary for authentication (Art. 6(1)(b)) |
4. How We Use Your Data
- Authentication — sending magic link emails to verify your identity
- Nutrition tracking — calculating TDEE/BMR, logging meals, tracking macros
- AI food analysis — identifying food items and estimating nutrition from photos
- Recipe generation — creating recipes from your available ingredients and preferences
- Voice input — transcribing spoken food descriptions for logging
- Barcode lookup — retrieving product nutrition data from external databases
- Analytics — generating your personal nutrition trends, consistency scores, and insights
- Service improvement — understanding feature usage to improve NibbleCal
5. Third-Party Processors
We share data with the following third-party services to provide NibbleCal's features. Each processor is bound by their own privacy policies and data processing agreements.
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Gemini AI | Food photo analysis, nutrition estimation | Food images, text prompts | US |
| Anthropic Claude | Recipe generation | Ingredient lists, dietary preferences | US |
| ElevenLabs | Speech-to-text, text-to-speech | Audio recordings, text for synthesis | US |
| Deepgram | Alternative speech-to-text | Audio recordings | US |
| Mistral AI | Receipt text extraction (OCR) | Receipt images | EU (France) |
| Polar | Payment processing, subscription management | Email address, Polar customer ID, subscription events | EU/US |
| Cloudflare R2 | Image storage | Uploaded photos | EU/US |
| Turso | Database hosting | All application data | EU (Ireland) |
| Resend | Transactional email | Email address | US |
| OpenFoodFacts | Barcode product lookup | Barcode numbers | EU (France) |
| Spoonacular | Recipe suggestions | Ingredient names, dietary restrictions | US |
| UPCitemdb | Barcode product lookup (fallback) | Barcode numbers | US |
| Strava | Fitness activity sync (exercise tracking) | OAuth tokens (encrypted), activity data (type, duration, calories) | US |
| Google OAuth | Optional sign-in authentication | Email address, display name (via Google consent screen) | US |
6. International Data Transfers
Some of our processors are located in the United States. Where data is transferred outside the European Economic Area (EEA), we rely on:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Processor-specific compliance measures
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you request deletion (30-day soft-delete grace period before permanent removal) |
| Health & nutrition data | Until you request deletion |
| Uploaded photos | Until you request deletion |
| Food logs | Until you request deletion |
| Subscription & billing data | Until account deletion (subscription events retained for 24 months for financial records) |
| Fitness connection tokens | Until you disconnect the fitness account or delete your account |
| Exercise activity logs | Until you disconnect the fitness account or delete your account |
| Session tokens | 90 days from last activity (sliding) |
| Magic link tokens | 20 minutes (auto-expire) |
| Barcode cache | 90 days (shared, non-personal) |
| Usage events | 12 months, then anonymised |
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate data via Settings or by contacting us
- Erasure ("right to be forgotten") — request deletion of your account and all associated data
- Data portability — receive your data in a structured, machine-readable format
- Restriction of processing — limit how we use your data in certain circumstances
- Object — object to processing based on legitimate interest
- Withdraw consent — withdraw consent for health data processing at any time (this does not affect prior processing)
To exercise any of these rights, email info@nibblecal.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local Data Protection Authority (DPA).
9. Cookies & Local Storage
9.1 Essential Cookie
We set a single HTTP-only session cookie (nibblecal_session) that is strictly necessary for authentication. It contains only an opaque session token and cannot be read by JavaScript. No consent is required for this cookie under GDPR Recital 30 and the ePrivacy Directive (strictly necessary exemption).
9.2 Local Storage
We store the following in your browser's local storage:
nibblecal-theme— your dark/light theme preferencenibblecal-streak-date/nibblecal-streak-count— visit streak tracking
We do not use any third-party tracking cookies, advertising pixels, or cross-site analytics.
10. Household Data Sharing
NibbleCal supports household groups. When you are a member of a household, all members can view:
- Shared inventory items
- Shopping lists
- Generated recipes
- Food capture events from any household member
Your personal nutrition goals, food logs, and biometric data are not shared with other household members.
11. Children's Privacy
NibbleCal is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly.
12. Security
We protect your data with:
- TLS/HTTPS encryption for all data in transit
- HTTP-only, Secure, SameSite cookies to prevent XSS and CSRF attacks
- Encrypted database storage (Turso)
- Encrypted object storage (Cloudflare R2)
- Passwordless authentication (magic links) — no passwords to leak
- Signed, time-limited URLs for image access
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by displaying a notice within the application. The "Last updated" date at the top of this page indicates the most recent revision.
14. Contact
For privacy questions, data access requests, or complaints:
Email: info@nibblecal.com