Privacy Policy · FoodFat

Section 01 · The short version

If you remember nothing else

FoodFat is built to be useful without watching you. The on-device scoring engine runs offline. Scan history lives on your phone, in a local SQLite file, not on a server. The only data that leaves the device is what you explicitly need to leave: a barcode lookup to Open Food Facts, an authentication token to Firebase, and — if you opt in to AI label reading — the photo of a pack to Anthropic.

No analytics, no ad networks, no SDK that tracks you across apps.
No selling, sharing, or renting of your data to anyone.
Your Anthropic API key is stored on your device only.
You can use the app without an account. Anonymous sign-in is the default.

Section 02 · Who we are

The publisher

FoodFat is published by Arju Singh ("we", "us"). The app is distributed under the bundle identifier com.arju.foodfat on iOS and com.foodfat.foodfat on Android. Questions or requests: connect@arjusingh.com.

Section 03 · The data we handle

What's collected, why, and where it goes

Data

Purpose

Lifetime

Where it lives

Firebase Auth UIDAnonymous by default, or email if you sign up.

Sign-in, syncing your admin status, attaching scans to your account.

Until you sign out or delete the account.

Google Firebase (US, EU regions).

Email + passwordOnly if you choose to upgrade from anonymous.

Recovering your scan history on a new device. Admin sign-in to the web console.

Until you delete the account.

Firebase Authentication.

User profile docUID, email if any, scan count, last login.

Showing the admin desk a list of recent users.

Until account deletion.

Firestore users/ collection.

Scan recordsBarcode, product name, score, verdict, timestamp.

Your personal scan history. Visible only to you and admins (for stats).

Until you delete it or your account.

Local SQLite + Firestore scans/.

Camera frames (barcode)Live preview only.

Decoding the barcode locally. Frames are never stored or uploaded.

Processed in memory, discarded immediately.

On-device only.

Photos of the packOnly if you tap "Photograph the label."

Sent to Anthropic's vision API to extract ingredients + nutrition table.

Held by Anthropic per their retention policy; not stored by us.

Your device → Anthropic API.

Anthropic API keyYou paste it in Settings.

Authenticating the vision call. Required only if you use AI label reading.

Until you clear it from Settings.

Encrypted local storage on your device only.

Barcode lookupsThe 13-digit number on the pack.

Fetching product data from Open Food Facts.

Per Open Food Facts' own logs (anonymous, no UID).

world.openfoodfacts.org.

Section 04 · What we deliberately don't do

The list of things we avoid

No analytics. Firebase Analytics is disabled in the iOS configuration (IS_ANALYTICS_ENABLED = false) and is not initialised in the Android build.
No advertising SDKs. The "ads" we serve are first-party promo cards from our own Firestore, authored by us, never personalised.
No third-party tracking. No Facebook Pixel, no Google Tag Manager, no Segment, no Mixpanel, no anything.
No cross-app identifiers. We do not read your Advertising ID (IDFA / GAID).
No location. We never request location permission. We don't need it.
No microphone. Camera is requested for scanning; mic is not.
No contacts, calendar, health-kit, photos library — unless you tap "Pick from gallery" in the label-reader, in which case you pick one image, we read it, that's it.

Section 05 · Third-party services

Who else sees a slice of the data

Google Firebase · Auth + Firestore

Stores your UID, optional email, user profile and scan records. Subject to Google's privacy policy and Data Processing Addendum. Region: US multi-region by default.

firebase.google.com/support/privacy ↗

Anthropic · Claude vision API

Only invoked when you tap "Photograph the label" and have pasted your own Anthropic API key. The photo + a fixed prompt go to Anthropic; the response (ingredients + nutrition JSON) comes back. Anthropic's enterprise terms apply to your account; please review them.

anthropic.com/legal/privacy ↗

Open Food Facts · product database

Public, community-curated database. We send the barcode you scanned and receive the product entry. Open Food Facts logs the lookup anonymously; no UID is sent.

world.openfoodfacts.org/privacy ↗

Google Fonts · magazine website only

The marketing site (this one) loads fonts from fonts.gstatic.com. The app itself ships fonts locally and does not call Google Fonts.

policies.google.com/privacy ↗

Section 06 · Your rights and controls

How to see, fix or delete your data

See it. Open the History tab to view every scan we've kept. Open Settings to view the Anthropic key state and your account email (if any).
Delete a scan. Swipe a row in History → delete. Removes the local copy and the Firestore copy.
Clear the API key. Settings → "Forget my Anthropic key."
Sign out / delete account. Settings → Sign out. To delete the account itself, email connect@arjusingh.com from the email on file; we remove your user doc and every scan attached to your UID within 7 days.
GDPR / CCPA. Residents of the EU, UK and California have the right to access, correct, port and delete their data. We honour these requests free of charge; email us.
Children. The app is not directed at children under 13 (under 16 in the EU). If you believe we've collected data from a child, email us and we'll delete it.

Section 07 · Permissions, on each platform

What the OS dialogs really mean

Camera

Used to scan a barcode or photograph a label. Frames stay on device. Granting camera permission does not grant anything else.

Photo library (optional)

Requested only when you choose "Pick from gallery" instead of the camera. We read the one image you select; we never browse your library.

Internet

Standard. Used to call Open Food Facts, Firebase, and (if you opt in) Anthropic.

Section 08 · Security

What protects the data

Firestore access is gated by the rules in firestore.rules: each user can only read/write their own documents; only members of the admins/ collection can read everyone's scans or edit promo cards. The Anthropic API key is stored using the OS's secure preference storage (Keychain on iOS, EncryptedSharedPreferences on Android). All network calls are over HTTPS / TLS 1.2+.

No system is perfectly secure. If you believe you've found a vulnerability, email connect@arjusingh.com.

Section 09 · International transfers

Where the data physically sits

Firebase data is stored in Google's US multi-region by default. If you are accessing the app from the EU / UK, your data is transferred to the US under the EU-US Data Privacy Framework and Google's Standard Contractual Clauses. Anthropic processes vision requests on their own infrastructure under their terms.

Section 10 · Changes to this policy

What happens when this page changes

If we change how the app handles data in any material way, we'll bump the "Last updated" date at the top and surface an in-app notice on next launch. We won't silently broaden what we collect.

Section 11 · Contact

Reach a human

Privacy questions, data requests, security issues, GDPR / CCPA invocations — the same inbox:
connect@arjusingh.com

We try to reply within 7 days. Please mention "FoodFat · Privacy" in the subject.