Privacy Policy

Last updated: April 27, 2026

in/out ("we", "us", or "our") operates the in/out: Calorie Companion mobile application. This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our app.

1. Information We Collect

We collect the following types of information:

• Account information: Email address and display name when you create an account via email or Google Sign-In.
• Health & nutrition data: Food logs, calorie entries, exercise records, weight logs, sleep data, mood entries, and step counts that you manually enter or import.
• Profile data: Age, height, weight, sex, and activity level you provide to calculate calorie goals and BMR.
• Usage data: App interactions, feature usage, and anonymous analytics to improve the app.
• Device information: Device type, operating system version, and app version for crash reporting and support.

2. How We Use Your Information

• To provide and maintain the app's core features
• To calculate personalized calorie goals, BMR, and nutrition insights
• To sync your data across sessions via Supabase (our backend provider)
• To process AI food analysis requests via our secure Edge Function proxy
• To send optional email notifications (daily briefs, if enabled)
• To improve the app based on aggregated usage patterns

3. Data Storage & Security

Your data is stored securely in Supabase (supabase.com), which provides row-level security and encryption at rest and in transit. We use HTTPS for all network communication. API keys are never exposed to the client — all AI requests are proxied through our secure backend.

Local data is also stored on your device via localStorage and is not shared with third parties.

4. Third-Party Services

• Supabase — database and authentication (supabase.com/privacy)
• Anthropic Claude API — AI food analysis, accessed via our backend proxy only (anthropic.com/privacy)
• Google Sign-In — optional OAuth login (policies.google.com/privacy)
• RevenueCat — in-app purchase management (revenuecat.com/privacy)
• Open Food Facts — barcode food database (openfoodfacts.org/privacy)
• PostHog — anonymous usage analytics (posthog.com/privacy)
• Spoonacular — recipe data (spoonacular.com/food-api/terms)

5. Connected Fitness Services

In/out optionally connects to third-party fitness platforms to import health data directly into your dashboard. You must explicitly authorize each connection via that service's secure OAuth login. The following services may be connected:

• Fitbit (fitbit.com/legal/privacy-policy)
• Strava (strava.com/legal/privacy)
• Withings (withings.com)
• Oura Ring (ouraring.com/privacy-policy)
• WHOOP (whoop.com/privacy-policy)
• Garmin (garmin.com/privacy)
• Samsung Health (samsung.com/privacy)

For each connected service, we collect only the data you explicitly authorize and only the minimum scopes required to display information in your dashboard (steps, heart rate, sleep, weight, and activity summaries). Specifically:

• Data from Fitbit and other connected services is not sold to any third party.
• Data from Fitbit and other connected services is not used for advertising or marketing profiling.
• Data is stored securely in your personal Supabase account and is never shared with other users or external services.
• You may revoke access at any time from Settings → Connected Services → Unlink. Revoking access removes your stored token immediately.
• We comply with each connected platform's API terms of service and developer policies.

6. AI Features & Data

When you use voice logging, barcode scanning, or AI food analysis, your food description or query is sent to the Anthropic Claude API via our secure backend proxy. We do not store AI query content beyond what is necessary to return the response. No personal health data is sent to AI providers.

7. Health Data

If you connect a wearable device or grant health permissions, step count and sleep data may be read from Android Health Connect or connected third-party services. This data is used solely within the app to populate your fitness dashboard and is never sold or shared with advertisers.

8. Data Retention & Deletion

You may delete your account and all associated data at any time from Settings → Account → Delete Account. Upon deletion, all personal data is permanently removed from our servers within 30 days. Disconnecting a fitness service (Settings → Connected Services → Unlink) removes only the stored access token; any data already imported remains in your account until account deletion.

9. Children's Privacy

in/out is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe your child has provided us with personal data, please contact us to have it removed.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by updating the "Last updated" date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at: inoutsupport@proton.me