Skip to content
Back to home

Privacy Policy

Last updated: February 28, 2026 · zuppyhealth.com

A. Account Information (Required)

  • Email address
  • Full name
  • Password (hashed, never stored in plaintext)
  • Authentication method (email, Google, or Apple Sign-In)

B. Profile & Health Data (Required for app functionality)

  • Sex/gender
  • Date of birth
  • Country
  • Height and weight (current & target)
  • Body fat percentage, waist circumference (optional)
  • Fitness goal (lose/gain/maintain weight, recomposition)
  • Weekly weight goal (0.2–1 kg/week)
  • Activity level, training days, steps per day, sleep hours, job activity level
  • Diet type (omnivore, vegetarian, vegan, pescatarian, keto, paleo)
  • Allergies, intolerances, excluded foods, religious/cultural dietary restrictions
  • Computed nutrition targets (calories, protein, carbs, fat, fiber, water)

C. Daily Tracking Data

  • Meal entries — title, ingredients, calories, macros, meal tag (breakfast/snack/lunch/dinner), source (photo scan, manual, from plan), optional meal photo
  • Water intake — amount in ml, timestamps
  • Activity events — workout type, duration, distance, active calories (synced from Apple Health/Health Connect)
  • Daily summaries — computed totals for calories, macros, water, exercise

D. Meal Plan Data

  • AI-generated 7-day meal plans (titles, ingredients, macros, images)
  • Meal template feedback (like/dislike, optional comments)

E. Device & Usage Data

  • App version
  • Device locale/language preference
  • Unit preferences (kg/lbs, cm/ft, km/mi)
  • Timezone
  • App Tracking Transparency (ATT) status (iOS)
  • Notification permission status

F. Analytics & Diagnostics

  • Screen views, feature usage, navigation events (via PostHog)
  • Crash reports, error logs, breadcrumbs (via Sentry)
  • Push notification delivery and engagement metrics (via OneSignal)

G. Feedback Data

  • User feedback messages (text, app version)
  • Meal template ratings
  • Account deletion reasons

Account creation & authentication

Email, password, OAuth identity

Personalized nutrition calculations (BMR/TDEE)

Age, sex, height, weight, activity level, goal

AI meal plan generation

Diet type, allergies, calorie targets, macros, language

AI meal photo analysis

Camera photos (compressed, sent to OpenAI)

Daily nutrition & hydration tracking

Meal entries, water entries

Activity & exercise tracking

HealthKit/Health Connect workout data

Progress visualization

Daily summaries, weight history

Subscription management

User ID, purchase status

Push notifications

Device token, notification preferences

App improvement & bug fixing

Analytics events, crash reports

Customer support

Feedback messages, app version

Supabase

Purpose: Authentication, database, file storage

Data shared: All user data (encrypted in transit & at rest)

Privacy policy

OpenAI

Purpose: Meal photo analysis (GPT-4o Vision), meal plan generation (GPT-4o-mini), meal image generation (DALL-E 3)

Data shared: Compressed meal photos, dietary preferences, nutrition targets, user language

Privacy policy

RevenueCat

Purpose: Subscription & in-app purchase management

Data shared: User ID, purchase history, subscription status, device identifiers

Privacy policy

PostHog

Purpose: Product analytics

Data shared: User ID, feature usage events, session data

Privacy policy

Sentry

Purpose: Error tracking & crash reporting

Data shared: User ID, error logs, device metadata, screenshots (production only)

Privacy policy

OneSignal

Purpose: Push notifications

Data shared: Device token, user ID, notification engagement

Privacy policy

Google (OAuth)

Purpose: Sign-in authentication

Data shared: Email, name (user-authorized scope only)

Privacy policy

Apple (Sign-In)

Purpose: Sign-in authentication

Data shared: Email (optional), name (user-authorized)

Privacy policy

Apple HealthKit

Purpose: Activity & workout syncing (iOS)

Data shared: Workouts, step count, walking/running distance

Privacy policy

  • • All data transmitted via HTTPS/TLS encryption
  • • Database hosted on Supabase (PostgreSQL with encryption at rest)
  • • Row Level Security (RLS) on all user data tables — users can only access their own data
  • • Authentication tokens stored in device-level encrypted storage (iOS Keychain / Android Keystore)
  • • Meal images stored in a private storage bucket (signed URLs required)
  • • Passwords are hashed — never stored in plaintext
  • • API keys and secrets stored as server-side environment variables only

User profile & health data

Until account deletion

User request

Meal, water, & activity entries

Until account deletion

User can delete individual entries; full wipe on account deletion

Meal plan & images

Until account deletion

Account deletion

Feedback & ratings

Until account deletion

Account deletion

Analytics events (PostHog)

Per PostHog policy (typically 1–3 years)

Vendor policy

Error logs (Sentry)

~90 days

Sentry automatic purge

Push notification tokens (OneSignal)

Until account deletion

User action or opt-out

Account Deletion

  • Available in Profile > Delete Account
  • Two-step confirmation (reason selection + native OS alert)
  • On deletion, all user data is permanently removed: profile, health data, meal plans, meal entries, water entries, activity events, daily summaries, feedback, meal images (storage bucket)
  • Cascade delete across all database tables
  • Storage files removed from cloud

Data You Can Manage

  • Edit profile information (name, height, weight, goals, diet, allergies)
  • Delete individual meal entries and water entries
  • Toggle push notifications on/off
  • Revoke HealthKit permissions via iOS Settings
  • Sign out (clears local session tokens)

What We Don't Currently Offer (transparency)

  • Bulk data export (GDPR portability) — not yet available
  • Granular analytics opt-out — analytics are collected for all users
  • In-app privacy dashboard

Not requested: Location, contacts, microphone (for meal features), calendar, files.

Camera

iOS, Android · Scan meals via photo

Optional (for scan feature)

HealthKit

iOS · Sync workouts, steps, distance

Optional (user grants per data type)

Push Notifications

iOS, Android · Health reminders & updates

Optional (opt-in)

App Tracking Transparency

iOS · Analytics attribution

Optional (iOS prompt)

Advertising ID

Android · Analytics attribution

Declared in manifest

On iOS, Zuppy may request access to Apple HealthKit to sync workout activity, step count, and walking/running distance. If you grant this permission, the following strict rules apply to how we handle that data:

  • No advertising use. HealthKit data will never be used for advertising, marketing, or ad targeting of any kind.
  • No sale of data. HealthKit data will never be sold to third parties, data brokers, or any other entity.
  • No unauthorized sharing. HealthKit data will not be shared with third parties except as strictly necessary to provide the Services to you (e.g., securely storing your data in our database).
  • Purpose-limited use only. HealthKit data is used exclusively to display your activity and calorie burn within the Zuppy app.

You can revoke HealthKit access at any time via iOS Settings → Privacy & Security → Health → Zuppy. Revoking access will stop future syncing but will not delete previously synced data from our servers — you must delete your account to remove that data.

This section applies only to data received via the Apple HealthKit API and is required by Apple's App Store Review Guidelines.

  • • Zuppy is designed for users 16 years and older
  • • We do not knowingly collect data from children under 16
  • • If we discover data from a child under 16, we will delete the account
  • • Parents/guardians can contact us to request deletion

  • • Primary data infrastructure: United States (Supabase, PostHog, RevenueCat, Sentry, OneSignal)
  • • Users in the EU/EEA: data is transferred to the US under standard contractual clauses maintained by our service providers
  • • Google/Apple OAuth: processed on respective provider infrastructure

  • • The mobile app does not use cookies
  • • The zuppyhealth.com website may use: essential cookies (session management), analytics cookies (if web analytics added)
  • • No third-party advertising cookies

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights regarding your personal information.

Your California Rights

  • Right to Know. You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, and the purposes for which it is used.
  • Right to Delete. You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., data needed to complete a transaction or comply with law). You can delete your account directly in the app under Profile → Delete Account.
  • Right to Correct. You may request correction of inaccurate personal information we hold about you. Profile data can be edited directly in the app.
  • Right to Opt-Out of Sale or Sharing. We do not sell your personal information to third parties and we do not share your personal information for cross-context behavioral advertising. There is nothing to opt out of with respect to sale or sharing.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Limit Use of Sensitive Information. We use sensitive personal information (health data, dietary preferences) only to provide the Services to you. We do not use it for inferring characteristics or for advertising.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (email address, name, user ID)
  • Personal information categories listed in Cal. Civ. Code § 1798.80(e) (name)
  • Health and fitness information (weight, height, calorie data, activity data)
  • Internet or network activity (analytics events, crash logs)
  • Inferences drawn to create a user profile (nutrition targets, BMR)

How to Submit a Request

To exercise your California privacy rights, contact us at privacy@zuppyhealth.com with the subject line "California Privacy Request." We will respond within 45 days. We may need to verify your identity before processing your request.

  • • We may update this privacy policy periodically
  • • Material changes will be communicated via in-app notification or email
  • • Continued use after changes constitutes acceptance

This privacy policy is based on code analysis. Have a lawyer review before publishing.