
Privacy Policy

*Last updated: April 8, 2026*

Third-Party AI Disclosure

BiteSense uses OpenAI to power AI features (Food Classification, Quick Log photo analysis, Menu Scanner). We send food names, meal photos, menu photos, and in some cases your trigger food preferences to OpenAI for analysis. We obtain your explicit consent before sharing any of this data. Processing is required for core food classification features and includes a shared food trait cache (canonical food tokens and trait tags derived from AI with consent; not attributed to individuals in the shared cache—see Section 3) with security controls. OpenAI provides data protection commitments under their Privacy Policy. See Section 3 below for full details.

Complete Third-Party Data Disclosure Summary

The following table lists every third-party service we use and the specific data we send to each:

| Service | Purpose | Data Sent | Privacy Policy |
| --- | --- | --- | --- |
| OpenAI | AI analysis (food classification, photo analysis, menu scanning) | Food names (text), meal photos, menu photos, trigger food preferences, health condition label (AI processing is required for core app functionality; explicit consent required). Trait outputs may be stored in our shared food trait cache as described in this policy. | OpenAI |
| Supabase | Database, authentication, storage | All account data (email, password hash, name, profile), health data (meals, symptoms, eliminations), settings, AI-generated insights, per-user food trait mirrors for insights, and a shared food trait cache (canonical tokens + tags; shared rows are not linked to your user ID) | Supabase |
| PostHog | Product analytics | Hashed analytics ID, premium status, screen names, feature usage events, app version, environment (no health data, no email, no name; IP capture disabled) | PostHog |
| RevenueCat | Subscription management | Your Supabase user ID (appUserID), subscription status, product identifiers, platform (iOS/Android) | RevenueCat |
| Apple / Google | Payment processing | Purchase transactions, payment method (handled by Apple/Google; we do not receive card numbers) | Apple / Google |
| Sentry | Error tracking | Error messages, stack traces, device type, OS version, app version (we do not send user IDs or IP addresses by default) | Sentry |
| SendGrid | Transactional email | Your email address, template data (e.g., name for welcome emails) | SendGrid |
| Expo / EAS | App updates, build system | App version, runtime version, device info for OTA update delivery | Expo |

We do not sell your data. We share data only with the services above and as described in Section 5.

BiteSense (“BiteSense”, “we”, “us”, or “our”) provides a mobile app and related services that help people with food-related health conditions track what they eat and how they feel, and discover possible patterns between meals and symptoms.

This Privacy Policy explains how we collect, use, share, and protect your information when you use the BiteSense app, our website, and related services (collectively, the “Services”).

By using BiteSense, you agree to the collection and use of information in accordance with this Privacy Policy.

Important: BiteSense is not a medical device and does not provide medical diagnosis or treatment. The app is intended for informational and self-tracking purposes only and should not replace professional medical advice, diagnosis, or treatment.


1. Information We Collect

We collect several types of information to provide and improve BiteSense.

1.1 Account & Profile Information

When you create an account or update your profile, we may collect:

  • Email address
  • Password (stored as a secure hash via Supabase Auth)
  • Name
  • Gender
  • Birthdate or age range
  • Primary health condition(s) (e.g., EoE, IBS, celiac, etc.)
  • Condition frequency and severity context
  • Health goals and preferences
  • Known trigger foods
  • Suspected trigger foods
  • Flags for onboarding and tutorials (e.g., whether you completed app or premium tutorials)
  • Records of accepting our Terms of Service and Privacy Policy (timestamps and status)

1.2 Health & Usage Data You Log

Because BiteSense is a health-tracking app, we collect data that may be considered sensitive or health-related, including:

Meal Logs

  • Foods consumed (free-text food names)
  • Meal time and date
  • Location (as free text, not GPS)
  • Hunger level and/or fullness
  • Whether you ate with others
  • Meal grouping (e.g., breakfast, lunch, dinner, snack)
  • Nutritional information (calories, protein, carbs, fat) when available
  • Source of the log (e.g., quick log, full form, AI-assisted)

Symptom Records

  • Symptom descriptions
  • Severity (e.g., 1–5 scale)
  • Duration
  • Date and time of symptom
  • Optional link to a specific meal you believe may have caused the symptom

Elimination Diet & Goals

  • Foods or items you are eliminating (e.g., dairy, gluten, specific dishes)
  • Type of elimination (food, supplement, product)
  • Start and end dates
  • Duration and progress
  • Key symptoms you’re monitoring

Settings & Preferences

  • Daily calorie and meal goals
  • Notification preferences (e.g., reminders, streak motivation)
  • Reminder times and whether reminders are enabled
  • Various in-app settings (e.g., whether certain tutorials or tooltips have been completed)

1.3 Data-Driven Insights & AI Analysis Data

To power features like Trigger Finder, Friendly Foods, Progress insights, and Doctor Reports, we collect and generate:

  • Aggregated meal and symptom history relevant to each analysis run
  • Insight run metadata (date/time run, type of insight, status)
  • Analysis results and summary texts (e.g., possible trigger foods, likely friendly foods, trends)
  • Embeddings and traits derived from your data (for example, vectors representing meals or symptoms, and trait labels such as “dairy”, “gluten”, “fried”, “ultra_processed”)
  • Shared food trait cache: When you use AI food classification with consent, we may store canonical food tokens (normalized text derived from food names) and food trait tags (for example, ingredient or preparation categories) in a shared, system-managed database table used to improve classification quality and consistency for all users. The shared cache does not store your user ID or link entries to you personally. Your own meal log and per-account copies used for insights remain tied to your account as described elsewhere in this policy.

Important Distinction:

  • Trigger Finder and Friendly Foods insights are generated using data-driven mathematical correlation analysis (statistical pattern detection), not artificial intelligence. These insights calculate patterns between your meals and symptoms based on your logged data.
  • AI-powered features (such as Menu Scanner, Food Classification, and Food Photo Analysis) use artificial intelligence to analyze images and classify foods.

This information is stored in our database to show you insights over time and avoid recomputing everything from scratch on each run.

1.4 Analytics and Product Analytics

BiteSense uses PostHog, a privacy-first product analytics service, to understand how users interact with the app and improve our services.

What PostHog Collects:

  • Feature usage events (e.g., which features are used, not the content you enter)
  • Screen navigation (screen names only)
  • App performance metrics (generic load times, error rates)
  • User properties (e.g., premium status, account age — not health information)
  • Aggregated metrics (e.g., total meals logged — not meal content)

What PostHog Does NOT Collect:

  • Health conditions, symptoms, or medical data
  • Meal details, food items, or ingredients
  • User names, emails, or personal identifiers
  • Photos or images
  • Any Protected Health Information (PHI)
  • IP addresses (disabled where supported)
  • Session recordings (disabled by default)

Privacy Safeguards:

  • User identifiers are hashed/anonymized before sending to analytics where supported
  • Event properties are sanitized to avoid sending health-related content
  • IP address capture is disabled where supported
  • Session replay is disabled by default

1.5 Images & Menu Scans

If you use camera or photo-based features, we may collect:

  • Photos of meals for food recognition and nutrition estimation
  • Photos of restaurant menus for menu analysis
  • AI-generated interpretations (e.g., identified foods, nutritional estimates, or safety flags)

Images may be sent to our AI provider (OpenAI) for analysis and, in some cases, temporarily stored or cached for performance or debugging. We do not use these images for marketing without your explicit consent.

1.6 Subscription & Billing Data

Paid/premium features are managed via Apple App Store / Google Play and RevenueCat. We do not store your full payment card information.

What we send to RevenueCat:

  • Your Supabase user ID (as appUserID when you are logged in) so we can link subscriptions to your account

What we receive from RevenueCat and the app stores:

  • Subscription status (active, trial, canceled, etc.)
  • Product identifiers and purchase history relevant to your subscription
  • Platform information (iOS/Android)

RevenueCat validates purchases with Apple/Google and relays entitlement status to us. Payment details are handled solely by Apple or Google. RevenueCat’s Privacy Policy: https://www.revenuecat.com/privacy/

1.7 Error Tracking (Sentry)

We use Sentry to capture errors and crashes so we can fix bugs and improve stability.

What Sentry Receives:

  • Error messages and stack traces
  • Device type, operating system, and app version
  • Breadcrumbs (technical event sequence leading to an error)

What We Do NOT Send to Sentry:

  • User IDs, email addresses, or personal identifiers (sendDefaultPii is disabled)
  • IP addresses
  • Health data, meal content, or symptom information

Sentry’s Privacy Policy: https://sentry.io/privacy/

1.8 Email Delivery (SendGrid)

We use SendGrid (Twilio) to send transactional emails such as welcome emails and password reset links.

What SendGrid Receives:

  • Your email address (as the recipient)
  • Template data (e.g., your name for personalized welcome emails)

SendGrid’s Privacy Policy: https://sendgrid.com/legal/privacy/

1.9 Device & Technical Information

Through our app infrastructure and third-party services (such as Supabase, Sentry, Expo, and EAS Updates), we may collect:

  • Device type and model
  • Operating system and version
  • App version and build number
  • IP address and general network information
  • Error logs and crash data (stack traces, performance metrics)
  • Update/OTA check data

This information is primarily used for security, debugging, and ensuring compatibility.

Expo / EAS Updates: Our app uses Expo’s update service to deliver over-the-air (OTA) updates. Expo may receive app version, runtime version, and device information to determine which updates to deliver. Expo Privacy Policy: https://expo.dev/privacy

1.10 Website Cookies & Web Tracking

On our website, we use cookies and similar technologies to:

  • Remember your preferences (e.g., cookie consent, language)
  • Understand how visitors use our site
  • Improve performance and user experience

Where required by law, we present a cookie banner and allow you to accept or manage non-essential cookies before they are used.

2. How We Use Your Information

We use your information to provide, maintain, and improve BiteSense. Specifically, we use it to:

Provide core app functionality

  • Create and manage your account
  • Log meals, symptoms, eliminations, and health context
  • Synchronize your data across sessions and devices

Generate data-driven insights and AI-powered features

  • Analyze correlations between meals and symptoms using mathematical analysis (Trigger Finder, Friendly Foods)
  • Suggest possible trigger foods or patterns (e.g., “fried foods”, “French fries”, “dairy”) through statistical correlation
  • Identify likely friendly foods that appear well tolerated using data-driven analysis
  • Track elimination diet progress and effectiveness
  • Generate summary text for insights and doctor-friendly reports
  • Use AI for menu scanning, food classification, and photo analysis features

Enable premium features

  • Validate subscription status via RevenueCat and app stores
  • Unlock premium logging, AI features, menu scanner, and doctor reports
  • Allow export or generation of summarized reports for your healthcare provider (for paying/premium users)

Improve and secure the Services

  • Monitor app performance and fix bugs
  • Detect, investigate, and prevent fraudulent or abusive behavior
  • Conduct analytics to understand feature usage and improve the user experience

Communicate with you

  • Send app notifications and reminders (if enabled)
  • Send important service updates or policy changes
  • Respond to your support requests and feedback

Comply with legal obligations

  • Maintain appropriate records
  • Respond to lawful requests by public authorities

3. AI and Data Processing

BiteSense uses a combination of data-driven mathematical analysis and artificial intelligence (“AI”) to provide certain features. Trigger Finder and Friendly Foods insights are generated through statistical correlation analysis of your logged patterns—no AI is used for those features. AI is used for: Food Classification (when you log foods, with consent), Quick Log photo analysis (where available under your plan), and Menu Scanner (premium). Classification outputs may update the shared food trait cache described in Section 1.3 and below.

3.1 Who Receives Your Data

We use OpenAI (OpenAI, L.L.C. / OpenAI, Inc.) as our third-party AI provider. OpenAI processes data on our behalf to power the AI features listed above. OpenAI’s Privacy Policy: https://openai.com/policies/privacy-policy.

3.2 What Data We Send to OpenAI (By Feature)

We send data to OpenAI only when you use an AI-powered feature:

  • Food Classification (when you log meals): Food names only as text. No images, no health data.
  • Quick Log photo analysis (when you photograph a meal): Your meal photo(s) to OpenAI’s vision API.
  • Menu Scanner (when you photograph a menu): Your menu photo(s) plus your trigger food preferences and health condition label so the AI can flag items that may be triggers for you.

We do not send your email address, password, name, or account identifiers to OpenAI. We send only the minimum data required for the requested analysis.

3.3 How We Collect This Data

Data is collected when you actively use each feature: you type food names when logging meals; you take or select photos for Quick Log; you take or select menu photos for Menu Scanner. We do not automatically send data to OpenAI without your action.

3.4 When We Obtain Your Permission

We obtain your explicit consent before sharing personal data with OpenAI. AI-powered food classification is required for core BiteSense functionality. If you decline when consent is mandatory, you cannot continue core app usage. After you consent, we do not automatically re-process or bulk-upload your entire historical meal history for classification; new and ongoing logging flows apply AI classification going forward. Trait-related insights use classified foods in your account within the app’s lookback windows (see feature descriptions in the app).

3.5 How AI Outputs Are Used

AI outputs may be:

  • Used to interpret menu images or meal photos (e.g., identified foods, nutritional estimates, safety flags)
  • Stored as classifications or trait labels in your account (for example, per-user trait mirrors tied to your logs) and, where applicable, in a shared food trait cache that holds canonical food tokens and trait tags derived from consented classification—without storing your user ID on those shared cache rows
  • Subject to validation, quarantine for unsafe or invalid input, and audit logging as part of our backend controls
  • Used transiently to generate short narrative explanations (e.g., AI-generated text displayed in certain tools or reports)

These outputs are used to power AI-based features and improve the quality and consistency of classification for the service. We process food names and images via OpenAI only for consented users. Shared cache entries are system-managed; you cannot directly edit shared global cache rows.

3.5a Shared food trait cache (summary)

The shared cache helps the app reuse reliable trait labels for the same or similar food names across users without attaching your identity to those shared records. Inputs that appear to contain sensitive identifiers may be rejected or quarantined rather than stored. Your personal meal history and account data remain separate user-specific records as described in Sections 1 and 5.

3.6 Third-Party AI Provider Data Protection

OpenAI is contractually obligated to protect data processed through their API. As of this policy’s date, OpenAI states that data sent via the API is not used to train their models by default. OpenAI provides the same or equal protection for data we send as required by applicable privacy laws. We recommend reviewing OpenAI’s current Privacy Policy and Terms of Use for full details.

4. Legal Basis for Processing (Where Applicable)

Where privacy laws such as the GDPR apply, we rely on one or more of the following legal bases:

  • Consent: When you provide health information and enable certain features, you consent to our processing of that data to provide services and analyses.
  • Contract: We process data necessary to provide the Services under our agreement with you (e.g., basic account, logging, and subscription features).
  • Legitimate Interests: We process certain data (e.g., aggregated analytics, app performance logs) to improve BiteSense, maintain security, and understand usage, in ways that do not override your rights and freedoms.
  • Legal Obligations: We may process or retain some information as required by law.

You can withdraw your consent for specific processing (e.g., AI-powered features) at any time by contacting us at info@bitesense.app (subject to technical limitations).

5. Data Sharing and Third Parties

We do not sell, trade, or rent your personal information. We share your data only in the following circumstances:

5.1 Service Providers

We use trusted third-party providers to operate BiteSense. The table at the top of this policy summarizes what data we send to each. Full details:

  • Supabase – Database, authentication, edge functions, and storage. Receives all account and health data you enter, plus shared food trait cache data as described in Section 3.
  • OpenAI – AI analysis (see Section 3). Receives food names, meal photos, menu photos, and trigger preferences only when you use AI features and consent.
  • RevenueCat – Subscription management. Receives your user ID, subscription status, and product identifiers. RevenueCat connects to Apple/Google for purchase validation.
  • PostHog – Product analytics (see Section 1.4). Receives hashed IDs, screen names, and usage events—no health data.
  • Sentry – Error tracking (see Section 1.7). Receives error logs and device info—no user IDs or health data.
  • SendGrid – Transactional email (see Section 1.8). Receives your email address and template data for welcome/password-reset emails.
  • Expo / EAS – App framework, OTA updates, and distribution. Receives app/device info for update delivery.
  • Apple / Google – Payment processing. Handles purchase transactions; we do not receive payment card details.

These providers process data on our behalf and are contractually obligated to protect your data and use it only for the services we request.

5.2 Aggregated & Anonymized Data

We may use your information in an aggregated and anonymized form (that does not identify you personally) to:

  • Analyze how people use BiteSense
  • Improve our features, algorithms, and user experience
  • Support research on food-related conditions and symptom patterns

In some cases, we may share such aggregated and anonymized information with trusted research partners (for example, universities or medical research institutions). This information does not include your name, email, or other direct identifiers and is not intended to identify any individual user.

If we ever wish to share information that could reasonably identify you, or involve you directly in a research study, we will ask for your explicit consent at that time.

5.3 With Your Explicit Consent

We may share your data with third parties when you explicitly ask us to do so, for example:

  • Generating and sending a doctor report that you choose to share with a health professional.
  • Exporting your data in a format that you then share.

We do not share your data with healthcare providers or anyone else unless you choose to do so.

5.4 Legal and Safety Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

  • Comply with a legal obligation or valid legal process
  • Protect and defend our rights or property
  • Protect the personal safety of BiteSense users or the public
  • Protect against legal liability or prevent fraud/abuse

6. Data Security

We take data security seriously and implement reasonable technical and organizational measures to protect your information, including:

  • Encryption of data in transit and at rest where supported by our providers (e.g., Supabase)
  • Secure authentication and session management via Supabase Auth
  • Limited access to personal data by authorized team members only
  • Use of reputable third-party infrastructure providers with strong security practices
  • Regular updates and monitoring to mitigate security vulnerabilities

No method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security, but we aim to follow industry best practices.

7. Data Retention and Deletion

7.1 Retention

We retain your personal and health data for as long as your account is active and as necessary to provide the Services.

We may retain certain information for a limited period after account deletion:

  • To comply with legal, tax, or regulatory requirements
  • To investigate or resolve disputes
  • In backup or archived copies that are difficult to remove immediately

Where possible, we will either delete or anonymize your data when it is no longer needed.

7.2 Account Deletion

You can request deletion of your account and associated data via the app or by contacting us.

When we delete your account:

  • Your authentication record (email and login credentials) is removed from our auth provider.
  • Core health and usage data tied to your user ID (meals, symptoms, eliminations, profile, and related embeddings/traits) are scheduled for deletion from our primary database.
  • Shared food trait cache: Entries in the shared cache are not stored with your user ID. After account deletion, those shared canonical token and trait records may remain as part of the service’s aggregate classification data, in the same way that non-identifying derived data may be retained; they are not used to identify you.
  • Some technical logs, backups, or anonymized/aggregated data may remain for a limited time but are no longer linked to your identity.

We are continually improving our data deletion processes to ensure that personal data is removed comprehensively and safely.

8. Your Rights and Choices

Depending on your location and applicable laws, you may have the following rights:

  • Access – Request a copy of the personal data we hold about you.
  • Correction – Ask us to correct inaccurate or incomplete information.
  • Deletion – Request deletion of your personal data (subject to our legal obligations).
  • Restriction – Ask us to restrict processing of your data in certain circumstances.
  • Portability – Request your data in a structured, commonly used, and machine-readable format.
  • Objection – Object to certain types of processing (e.g., direct marketing or some forms of analytics).
  • Withdraw Consent – If processing is based on your consent, you can withdraw that consent at any time.

You can exercise many of these rights directly in the app (for example, by editing your profile, updating settings, or requesting account deletion). For other requests, please contact us at info@bitesense.app.

We may need to verify your identity before responding to certain requests.

9. Children’s Privacy

BiteSense is not intended for anyone under 18 years of age. We do not knowingly collect personal information from anyone under 18.

If you believe that someone under 18 has provided us with personal information, please contact us at info@bitesense.app, and we will take steps to delete such information.

10. International Data Transfers

We are based in Ontario, Canada, but we may store and process your information in other countries where our service providers operate.

These countries may have different data protection laws than your country of residence. Where required, we take steps to ensure that appropriate safeguards are in place for such transfers (for example, contractual commitments).

By using BiteSense, you understand that your information may be transferred to and processed in countries outside of your own.

11. Permissions on Your Device

The BiteSense app may request certain permissions from your device, including:

  • Camera – To take photos of meals and menus for AI analysis.
  • Photo Library / Media – To select existing images for meal or menu analysis.
  • Notifications – To send reminders, streak motivation, and important updates.

You can control these permissions in your device settings at any time. Denying permissions may limit the functionality of certain features (for example, camera-based menu scanning).

We do not request or use GPS location, contacts, or microphone access for core app functionality.

12. Not a Medical Device / No Medical Advice

BiteSense is designed to help you log data and observe potential patterns between foods and symptoms. However:

  • BiteSense is not a medical device.
  • BiteSense does not provide medical diagnosis, treatment, or cure.
  • Data-driven insights and AI-powered outputs suggested by the app may be incomplete, approximate, or incorrect.

You should always consult a qualified healthcare provider before making any medical decisions, changing your treatment, or starting/stopping medications or elimination diets based on information from the app.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make changes:

  • We will update the “Last updated” date at the top of this page.
  • In some cases, we may notify you in the app or by email.

Your continued use of BiteSense after any changes to this Privacy Policy constitutes your acceptance of the revised Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: info@bitesense.app

Jurisdiction: This Privacy Policy is governed by the laws of the Province of Ontario, Canada.
