← Back

Privacy Policy

Last updated: March 28, 2026

BiteSignal ("we," "our," "us") is a personal food sensitivity tracking app. This policy explains what data we collect, why, and how we protect it.

1. What We Collect

We collect only what's needed to provide the service:

• Account information — your name, email address, and password (hashed, never stored in plaintext)
• Food logs — food descriptions you enter, along with AI-generated ingredient and compound breakdowns, timestamps, and optional alcohol flags
• Symptom logs — symptom type, severity (1-10), timestamps, and optional notes
• Health profile — meals per day and dietary restrictions (optional, provided by you)

We do not collect location data, contacts, browsing history, or device identifiers beyond standard HTTP headers.

2. How We Use Your Data

• Food decomposition — your food descriptions are sent to Google's Gemini API to break them into chemical compounds. Only the food text is sent, not your name, email, or any identifying information.
• Pattern analysis — your food and symptom data is analyzed by our deterministic statistics engine to identify potential compound-symptom correlations. This analysis runs on our servers and does not use AI.
• Plain-language insights — analytics results (not your raw data) are sent to Google's Gemini API to generate easy-to-read summaries.
• Clinical reports — if you choose to generate a PDF report, your data is processed server-side to create it. The report is delivered directly to you.

3. What We Do NOT Do

• We do not sell your data to anyone, ever.
• We do not share your data with advertisers or data brokers.
• We do not use your data to train AI models. Google Gemini API (paid tier) does not use API inputs for model training.
• We do not use third-party analytics or tracking tools.
• We do not show you ads.

4. Third-Party Services

We use the following services to operate BiteSignal:

• Supabase — authentication and database hosting. Your data is stored in Supabase-managed PostgreSQL with per-user row-level security. Supabase Privacy Policy
• Google Gemini API — food decomposition and insight generation. Only food descriptions and anonymized analytics summaries are sent. Gemini API Terms
• Vercel — application hosting (US servers). Processes requests transiently. Vercel Privacy Policy

5. Data Security

• All data is encrypted in transit (TLS/HTTPS)
• Database storage is encrypted at rest (managed by Supabase)
• Per-user row-level security ensures you can only access your own data
• Authentication uses industry-standard JWT tokens
• Passwords are hashed and never stored in plaintext

6. Your Rights

You have full control over your data:

• Access — request a copy of all your data by emailing fede@getbitesignal.com
• Correction — edit any food or symptom entry directly in the app
• Deletion — delete your account and all data from Settings in the app, or by emailing fede@getbitesignal.com
• Portability — we will provide your data in a standard JSON format upon request

7. Data Retention

We keep your data for as long as you have an account. If you delete your data through the app, it is removed from our database. If you request account deletion, all associated data is permanently removed.

8. Children

BiteSignal is not intended for use by anyone under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. Changes to This Policy

If we make significant changes to this policy, we will notify you via the app or by email. Continued use of BiteSignal after changes constitutes acceptance of the updated policy.

10. Contact

For privacy questions or data deletion requests, contact us at fede@getbitesignal.com.