Privacy Policy

This Privacy Policy describes how PhotoMeal, Inc. (“PhotoMeal”, “we”, “our”, or “us”) collects, uses, discloses, and safeguards information about you when you download, install, register for, or use the PhotoMeal mobile application (the “App”), visit photomeal.app (the “Site”), or otherwise interact with us (collectively, the “Service”).

By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service.

1. Information we collect

We collect information in three ways: information you provide directly, information generated through your use of the Service, and information from third parties.

1.1 Information you provide

• Account information. Email address, password hash (we never store passwords in plain text), display name, and authentication identifiers when you sign in via Apple, Google, or email.
• Profile and goal data. Optional information you choose to provide such as date of birth, sex, height, weight, activity level, dietary preferences, allergies, and calorie or macronutrient targets.
• Meal content.Photographs you capture or upload, voice or text notes attached to a meal, manually entered foods and serving sizes, and tags you apply (e.g. “breakfast”, “post-workout”).
• Communications. Messages you send to support, survey responses, and feedback you submit through in-app prompts.
• Payment information. Subscription purchases are processed by Apple App Store or Google Play. We receive a transaction identifier and subscription status, but we do not receive or store your full card or bank details.

1.2 Information collected automatically

• Device and technical data. Device model, operating system version, App version, language, time zone, mobile carrier, screen dimensions, and a randomly generated installation identifier.
• Usage data. Pages or screens viewed, features used, session duration, taps and scroll events at an aggregated level, and referral source.
• Diagnostic data. Crash logs, error reports, and performance metrics. Crash logs may incidentally include parts of the screen state at the time of the crash.
• Approximate location. Derived from IP address (typically city-level) for fraud prevention and regional content. The App does not access your precise GPS location unless you explicitly enable it for a specific feature.
• Cookies and similar technologies. The Site uses strictly necessary cookies and, with your consent where required, analytics cookies. The App uses local storage and secure keychain entries equivalent in function to cookies.

1.3 Information from third parties

• Sign-in providers. If you sign in with Apple or Google, we receive a stable user identifier and the email you choose to share.
• Health integrations.If you connect Apple Health or Google Fit, we read and write only the data categories you authorize (e.g. dietary energy, water, weight). You can revoke access at any time from the platform’s settings.

2. How we use your information

We use personal data to:

• Provide, operate, and maintain the Service, including running our vision-recognition pipeline to estimate the foods, portions, and nutrition values shown for a meal.
• Personalize features such as goal tracking, streaks, and recommendations.
• Improve the accuracy of our recognition models. Photos used for model improvement are de-identified and stripped of account identifiers and EXIF metadata before being added to a training corpus. You can opt out at any time from Settings → Privacy → Improve recognition.
• Communicate with you about your account, security alerts, product updates, and (with your consent where required) marketing.
• Process transactions, manage subscriptions, prevent fraud, and enforce our Terms.
• Comply with legal obligations and respond to lawful requests from public authorities.

3. Legal bases (EEA, UK, and Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following legal bases of the GDPR and equivalent laws:

• Contract (Art. 6(1)(b)): to provide the Service you requested, including account creation, meal logging, and subscription management.
• Legitimate interests (Art. 6(1)(f)): to secure and improve the Service, prevent abuse, and conduct aggregated analytics.
• Consent (Art. 6(1)(a) and Art. 9(2)(a) for health-related data): for optional features such as health-app integrations, marketing emails, and inclusion of your photos in our training corpus. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to comply with applicable laws, court orders, and tax requirements.

4. How we share information

We do not sell your personal data, and we do not share it for cross-context behavioral advertising. We share information only as described below.

• Service providers (subprocessors). We use trusted vendors that process data on our behalf under written data-processing agreements:
  • Cloud hosting and storage: Amazon Web Services (us-east-1, eu-west-1).
  • Vision-model inference: a US-based AI provider that processes meal images to return food labels and portion estimates; images are not retained by the provider beyond the inference window.
  • Authentication: Apple Sign In, Google Sign-In, Firebase Auth.
  • Subscription management: RevenueCat.
  • Crash reporting and product analytics: Sentry, PostHog (EU host).
  • Customer support: Help Scout.
  • Transactional email: Postmark.
• Legal and safety. We may disclose information when we believe in good faith it is necessary to comply with law, valid legal process, or to protect the rights, property, or safety of PhotoMeal, our users, or the public.
• Business transfers. If PhotoMeal is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections and notice to you where required.
• With your direction.When you choose to export, share, or sync data (e.g. sending a meal summary to Apple Health).

5. International data transfers

PhotoMeal is headquartered in the United States. Personal data we collect may be transferred to, and processed in, countries other than the country in which you are resident. Where we transfer personal data out of the EEA, UK, or Switzerland to a country not deemed adequate, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) and implement supplementary measures such as encryption in transit and at rest.

6. Data retention

We keep personal data only as long as necessary for the purposes described in this Policy:

• Account data: for the life of your account. If you delete your account, this data is permanently removed within 30 days, except where retention is required for legal, tax, or fraud-prevention purposes (typically up to 7 years for billing records).
• Meal photos and logs: stored for the life of your account; you can delete any individual entry from the App at any time. Deleted entries are removed from primary systems immediately and from encrypted backups within 35 days.
• Diagnostic and crash logs: retained for up to 90 days.
• Support correspondence: retained for up to 24 months after the case is closed.

7. Security

We use industry-standard technical and organizational measures to protect your data, including TLS 1.2+ for data in transit, AES-256 encryption for data at rest, role-based access controls, single sign-on with mandatory two-factor authentication for staff, audit logging, and an annual third-party penetration test. No system is perfectly secure, and we cannot guarantee absolute security; please notify us immediately if you suspect your account has been compromised.

8. Your rights and choices

Depending on where you live, you may have some or all of the following rights:

• Access a copy of the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and associated personal data.
• Export your data in a machine-readable format (JSON or CSV).
• Restrict or object to certain processing.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local supervisory authority (for EEA/UK residents).

Most of these can be exercised directly in Settings → Account. You can also email us at privacy@photomeal.com. We respond to verified requests within 30 days. We will not discriminate against you for exercising any of these rights.

9. California privacy notice

Under the California Consumer Privacy Act, as amended by the CPRA, California residents have the rights described in Section 8, plus the right to know the categories of personal information we have collected, used, and disclosed in the preceding 12 months. In the past 12 months we have collected the categories listed in Section 1 for the business purposes described in Section 2, and disclosed them only to the categories of recipients listed in Section 4. We do not “sell” or “share” personal information as those terms are defined under the CCPA, and we do not knowingly collect personal information from consumers under 16.

10. Children’s privacy

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, please contact privacy@photomeal.com and we will take steps to delete it.

11. Health-related data

Information you log in PhotoMeal — including photos of food, body measurements, and dietary preferences — may reveal information about your health. We treat this information with heightened care and only process it with your consent or as otherwise permitted by law. PhotoMeal is not a medical device and is not intended to diagnose, treat, cure, or prevent any disease.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices or for legal reasons. If we make material changes, we will notify you in the App, by email, or by a prominent notice on the Site at least 14 days before the changes take effect. The “Last updated” date at the top tells you when this Policy was last revised.

13. Contact us

For privacy questions, requests, or complaints, contact our Data Protection Officer at:

For general support, email support@photomeal.com.