Privacy Policy
1. What this policy covers
This Privacy Policy describes what information MacroSquad ("we," "us," "our," operated by Karan Sharma (sole proprietor)) collects, how we use and disclose it, the third parties that process it on our behalf, and your rights over it.
It applies to the MacroSquad mobile application, the MacroSquad website at getmacrosquad.com, and related services (collectively, the "Service"). [CONFIRM FINAL DOMAIN — getmacrosquad.com is used across the live landing pages; macrosquad.app appeared in an earlier draft. Pick one and use it everywhere.]
This policy does not cover third-party services you reach through links, or the independent data practices of the app stores and platforms you use to access the Service (e.g., Apple).
2. The short version
- We collect only what we need to run the Service.
- We do not sell your personal information and we do not "share" it for cross-context behavioral advertising, as those terms are defined under California law.
- We use third-party processors (listed in Section 7) under contracts that restrict them to processing your data only on our instructions.
- We do not use your data to train our own AI models, and our image-processing provider does not train on your photos: FatSecret has confirmed in writing (2026-06-10) that customer-submitted images are processed for the requested output only and are not used to train or improve its Image Recognition models (license §2.4.3).
- You can export or delete your data at any time (Section 9).
- Your friend graph is mutual-only. No public profiles. No discoverability without your action.
- Importing your contacts to find friends is optional and opt-in, and we do not store your full address book (Section 3).
3. Information we collect
3.1 Information you provide
- Account info: email, username, password (stored only as a salted hash), optional display name and profile photo.
- Food / meal logs: food entries, macros, restaurant selections, free-text notes, timestamps.
- Photos: meal photos you upload for AI macro estimation; optional profile photo.
- Body metrics (health data): body weight, optional height, fitness goals (cut / recomp / bulk), and any other body metrics you choose to enter.
- Social content: friend connections, reactions, comments.
- Contacts (friend-finding — optional, opt-in): if and only if you tap to find friends from your contacts and grant the OS contacts permission, we process phone numbers and/or email addresses from your device address book solely to match against existing MacroSquad accounts. See Section 3.4 for exactly what we retain.
- Subscription info: managed by Apple via RevenueCat; we receive subscription status and entitlement, not payment card details.
- Support communications: emails or in-app messages you send.
3.2 Information collected automatically
- Device info: model, OS version, app version, language/region.
- Usage analytics: feature taps, sessions, and error logs. Analytics events are designed so they do not carry meal contents; individual food-log entries are not transmitted to analytics.
- Push notification tokens (only if you enable notifications).
- Diagnostics: crash stack traces and performance metrics, used to debug the app.
3.3 Information from third parties
- Apple In-App Purchase / RevenueCat: subscription status, entitlement, and transaction IDs (no card numbers).
- Sign in with Apple (if used): only the email (or Apple private-relay proxy) and name you choose to share.
3.4 Contacts-import (friend-finding): exactly what we do
This is the most sensitive optional feature, so we describe it precisely:
- The feature is off by default. It runs only after you tap "Find friends from contacts" and grant the iOS contacts permission.
- On your device, we read phone numbers and email addresses from your address book.
- We transmit one-way cryptographic hashes of those phone numbers/emails (normalized, then hashed; [CONFIRM HASH ALGORITHM + SALT STRATEGY]) to our server, where they are matched against hashes of registered MacroSquad accounts.
- We return only the matches that correspond to existing MacroSquad users.
- We do not store your raw address book, do not store contacts who are not MacroSquad users beyond the transient matching operation, and do not message or invite anyone on your behalf without a separate explicit action by you.
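The match-then-discard flow above, as an added example that is not MacroSquad's own code. Everything specific is an assumption, since the policy leaves the algorithm and salt strategy open: phones normalized to E.164 with a US default country code, emails lowercased, and an unkeyed SHA-256 over a `kind:value` string. The sample accounts and address book are constructed. The `brute_force_phone` function is the caveat behind the open salt-strategy item: an unkeyed hash of a phone number is cheap to enumerate, which is what a keyed or salted scheme is meant to address.

```python
"""Contacts-import matching: illustrative example, not MacroSquad's code.

Assumptions (not stated in the policy): E.164 phones with a US default
country code, lowercase emails, unkeyed SHA-256 over "kind:value".
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

DEFAULT_COUNTRY_CODE = "1"  # assumption: US-centric launch


def normalize_phone(raw: str) -> Optional[str]:
    """Reduce a free-form phone string to E.164 ("+1..."), or None if unusable."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") and 8 <= len(digits) <= 15:
        return "+" + digits
    if len(digits) == 10:  # national format, e.g. "(734) 555-0123"
        return "+" + DEFAULT_COUNTRY_CODE + digits
    if len(digits) == 11 and digits.startswith(DEFAULT_COUNTRY_CODE):
        return "+" + digits
    return None


def normalize_email(raw: str) -> Optional[str]:
    """Trim and lowercase; reject anything that is not roughly user@host.tld."""
    email = raw.strip().lower()
    return email if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email) else None


def identifier_hash(kind: str, normalized: str) -> str:
    """Assumed scheme: unkeyed SHA-256 over 'kind:value' (kind prefix keeps
    phone and email namespaces from colliding)."""
    return hashlib.sha256(f"{kind}:{normalized}".encode()).hexdigest()


def client_hashes(address_book: Iterable[dict]) -> List[str]:
    """On-device step: only these hashes leave the phone; raw entries do not."""
    hashes = set()
    for entry in address_book:
        for phone in entry.get("phones", []):
            n = normalize_phone(phone)
            if n:
                hashes.add(identifier_hash("phone", n))
        for email in entry.get("emails", []):
            n = normalize_email(email)
            if n:
                hashes.add(identifier_hash("email", n))
    return sorted(hashes)  # sorted so the upload reveals nothing about address-book order


def registered_index(users: Iterable[dict]) -> Dict[str, str]:
    """Server-side table: identifier hash -> user id, built from registered accounts."""
    index: Dict[str, str] = {}
    for u in users:
        n = normalize_phone(u["phone"]) if u.get("phone") else None
        if n:
            index[identifier_hash("phone", n)] = u["id"]
        n = normalize_email(u["email"]) if u.get("email") else None
        if n:
            index[identifier_hash("email", n)] = u["id"]
    return index


def server_match(submitted: Iterable[str], index: Dict[str, str]) -> List[str]:
    """Server-side step: return matching user ids only. Non-matching hashes are
    consumed here and written nowhere (the 'transient match')."""
    return sorted({index[h] for h in submitted if h in index})


def brute_force_phone(target_hash: str, known_prefix: str) -> Optional[str]:
    """Caveat: with an unkeyed hash the phone keyspace is tiny. Given a 6-digit
    prefix (area code + exchange), the last 4 digits are only 10,000 guesses."""
    for suffix in range(10_000):
        candidate = "+" + DEFAULT_COUNTRY_CODE + known_prefix + f"{suffix:04d}"
        if identifier_hash("phone", candidate) == target_hash:
            return candidate
    return None


# Constructed sample data (not real accounts or contacts).
REGISTERED_USERS = [
    {"id": "user_a", "phone": "+17345550123", "email": "Alice@Example.com"},
    {"id": "user_b", "phone": "+17345550199", "email": "bob@example.com"},
]
ADDRESS_BOOK = [
    {"phones": ["(734) 555-0123"], "emails": []},                   # user_a, by phone
    {"phones": [], "emails": ["BOB@example.com "]},                  # user_b, by email
    {"phones": ["734-555-0777"], "emails": ["carol@example.com"]},   # no account
]


def run_demo() -> List[str]:
    """Full round trip: device hashes -> server match -> matched user ids."""
    return server_match(client_hashes(ADDRESS_BOOK), registered_index(REGISTERED_USERS))


if __name__ == "__main__":
    print(run_demo())  # ['user_a', 'user_b']; carol's hash is dropped unmatched
    print(brute_force_phone(identifier_hash("phone", "+17345550777"), "734555"))
```

Two things the code makes concrete that the prose cannot: normalization has to be identical on device and server or real friends silently fail to match, and the non-matching hash for the third contact exists only inside `server_match`. The brute-force routine is the reason the salt-strategy placeholder is worth closing before launch rather than after.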
4. What we do with it
- Operate the Service: log meals, run AI macro inference, sync your friends-only feed, deliver notifications, and match contacts you opt to import.
- Improve the Service: aggregate, de-identified analytics; debug crashes; evaluate AI prompt changes using de-identified or synthetic samples.
- Communicate: account-related emails, support replies, and occasional product updates (you can unsubscribe from non-transactional messages).
- Safety & integrity: detect abuse, enforce our Terms, and protect users.
- Legal: comply with subpoenas, court orders, and regulatory requests.
We process the categories of data above on the legal bases described in Section 12 (for EU/UK users).
5. Photo handling and the SHA-256 content-addressed cache
When you upload a meal photo:
- It is transmitted over TLS to our infrastructure (Cloudflare Workers + Supabase storage).
- It is processed by FatSecret's Image Recognition API — our sole image-recognition provider — to identify the food and estimate macros.
- A result is cached by SHA-256 hash of the image bytes so identical photos are not re-processed. The cache is content-addressed (keyed on the image bytes), contains no user identifiers, and stores only the derived nutrition estimate.
Cache persistence and deletion: because cache rows are keyed on image bytes and contain no link to you, an individual cache row can persist after your photo is deleted from your meal log and after account deletion. The cached row is not personal data because it cannot be associated with you. Your stored photo itself (which is personal data) is deleted as described in Sections 6 and 10.
6. AI image recognition and model-training (READ CAREFULLY — accuracy-sensitive)
Your meal photos are sent to an AI image-recognition provider so the Service can identify foods and estimate macros. Specifically:
- FatSecret is our sole AI image-recognition provider. Meal photos you submit for macro estimation are sent to FatSecret's Image Recognition API and processed to return the food identification and macro estimate. No general-purpose large language model provider is in the runtime path.
- FatSecret does not train on your photos. FatSecret has confirmed in writing (2026-06-10) that customer-submitted images are processed for the requested output only and are not used to train or improve its Image Recognition models (FatSecret license agreement §2.4.3).
- We do not train our own models on your personal data. Any internal evaluation of our estimation pipeline uses de-identified, aggregated, or synthetic data. (FatSecret's §2.4.3 likewise prohibits us from using FatSecret API data to train external models — our practices comply.)
✅ RESOLVED 2026-06-10 (HUMAN-TASKS #4b closed)
FatSecret confirmed no-training in writing (James Recto / api-support email, 2026-06-10, Gmail thread "Premier Free → paid tier … — MacroSquad"): images are processed for the requested output only; license §2.4.3 cited. FatSecret offered to review our compliance language. Sections 2, 6, 7, and 8 reconciled to this position.
You can delete any photo at any time from the meal log. Deletion removes it from our storage and from your friends' feeds within reasonable engineering time.
7. Processors and disclosures (GDPR Art. 28 / CCPA service-provider framing)
We disclose personal information to the third parties below only as processors / service providers acting on our behalf. Each is engaged under a written contract (a Data Processing Addendum under GDPR Article 28, and "service provider" / "contractor" terms under the CCPA/CPRA) that: (a) limits the provider to processing data solely for the purposes we specify; (b) prohibits selling or sharing the data or using it for the provider's own purposes; (c) requires appropriate security; and (d) requires deletion or return of data on termination. Engaging any of these in a way that meets the CCPA "service provider" exemption means these disclosures are not a "sale" or "share."
| Processor | Data shared | Purpose | Contract status (verify before launch) |
|---|---|---|---|
| Apple / RevenueCat | Subscription status, entitlement, transaction IDs (no card numbers) | Subscription management & billing | DPA / service-provider terms — [CONFIRM EXECUTED] |
| FatSecret | Meal photos, food queries | Food database + AI image recognition (sole image-recognition provider) | DPA — [CONFIRM EXECUTED] (requested 2026-06-10); no-training confirmed in writing 2026-06-10 (§2.4.3) |
| Nutritionix | Restaurant/food queries | Restaurant & branded-food database | DPA / service-provider terms — [CONFIRM EXECUTED] |
| Supabase | All stored data (account, logs, photos, body metrics, social graph) | Backend hosting, database, object storage, auth | DPA — [CONFIRM EXECUTED] |
| Cloudflare | Request data, edge routing metadata | Edge compute (Workers), routing, CDN, security | DPA — [CONFIRM EXECUTED] |
| Expo Push (Expo Application Services) | Push notification tokens, notification payloads | Delivering push notifications (routes via Apple Push Notification service) | DPA / service-provider terms — [CONFIRM EXECUTED] |
| Crash/analytics provider ([CONFIRM VENDOR]) | De-identified crash & performance data | Stability & performance | DPA — [CONFIRM VENDOR + EXECUTED] |
We do not disclose personal information to advertising networks, data brokers, or analytics resellers.
8. What we don't do
- We don't sell your personal information, and we don't "share" it for cross-context behavioral advertising (as defined under California law).
- We don't share your friend graph with third parties.
- We don't share individual meal content with anyone other than the friends you've explicitly added — except that your meal photos are sent to the AI processor in Sections 5–7 (FatSecret) so the app can identify foods and estimate macros.
- We don't use your personal data to train our own AI models.
- FatSecret confirmed in writing (2026-06-10) that submitted images are processed for the requested output only and not used for model training — see Section 6.
- We don't show ads inside the logging flow. Free tier shows ads on home, paywall, and settings surfaces only; Premium has no ads at all.
- We don't store your full address book; contacts-import is opt-in and match-then-discard (Section 3.4).
9. Your rights and how to exercise them
Depending on where you live, you have some or all of the following rights:
- Access / know: request a copy of the personal information we hold about you.
- Portability / export: export your data (Settings → Account → Export My Data).
- Deletion: delete your account and associated data (Settings → Account → Delete Account).
- Correction / rectification: correct inaccurate data.
- Object / restrict / withdraw consent: object to or restrict certain processing, and withdraw consent where processing is consent-based (e.g., contacts-import).
- Non-discrimination: we will not discriminate against you for exercising your rights.
How to exercise: use the in-app controls above, or email privacy@getmacrosquad.com. We will verify your identity before fulfilling a request and respond within the timeframe required by applicable law (generally 30–45 days, extendable where the law allows). You may use an authorized agent where the law permits.
Appeals: if we decline a request, you may appeal by replying to our response or emailing privacy@getmacrosquad.com with "Appeal" in the subject line. [CONFIRM appeal workflow + statutory deadlines per state.]
10. Data retention and deletion
- Active accounts: data retained for the life of the account.
- Account deletion: when you trigger account deletion, your account record, meal logs, social content, and stored photos (including object-storage bytes, e.g., R2/Supabase storage) are deleted promptly (typically within minutes). Deletion is tracked verifiably in our `account_deletion_jobs` system.
- Cache: content-addressed AI-estimate rows (keyed on image SHA-256, no user identifiers) persist; these are not personal data (Section 5).
- Backups: nightly/transaction backups age out and are rotated within [30/90] days [CONFIRM single retention window; v1 stated both 30 and 90 days in different places — reconcile].
- Contacts-import: non-matching contact hashes are not retained beyond the transient match (Section 3.4); [CONFIRM retention of match results].
- Legal retention exceptions: transaction/tax records held for audit purposes (typically up to 7 years) are retained in de-identified form (no link to you) wherever feasible.
11. Security
We use industry-standard safeguards: TLS in transit, encryption at rest, restricted access controls, salted password hashing, dependency scanning, and incident response. Body weight and other health metrics are treated as sensitive and access-restricted.
No system is 100% secure. If you suspect unauthorized access to your account, contact security@getmacrosquad.com immediately. [CONFIRM breach-notification process and statutory timelines per jurisdiction.]
12. Legal bases for processing (EU/UK / GDPR)
Where GDPR or UK GDPR applies, we process personal data on these bases:
- Contract: to provide the Service you signed up for (account, logging, AI inference, social feed).
- Consent: for optional features such as contacts-import and push notifications; you may withdraw consent at any time.
- Legitimate interests: to secure the Service, prevent abuse, and improve the product using de-identified data, balanced against your rights.
- Legal obligation: to comply with law and respond to lawful requests.
We are the controller of your personal data; the providers in Section 7 act as processors under Article 28 contracts. [CONFIRM controller identity = Karan Sharma (sole proprietor).]
13. International data transfers
Data is processed in the United States and may be processed in other regions where our providers operate. For transfers of EU/UK/Swiss personal data to the US or other countries, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum / Swiss equivalents) and, where applicable, provider participation in the EU–US Data Privacy Framework. [CONFIRM transfer mechanism per processor.]
14. Children (COPPA and minimum-age policy)
The Service is intended for users 13 and older and is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. Because our minimum age is 13, the Service is not subject to COPPA's under-13 obligations. Users between 13 and 17 are subject to the additional terms in our Terms of Service (parental review and consent).
If we learn that we have collected personal information from someone under 13, we will delete it. If you believe a child under 13 has provided us information, contact privacy@getmacrosquad.com.
[CONFIRM App Store age rating is consistent with a 13+ minimum. A 13+ minimum requires parental-consent handling for 13–17 users in some US states and under GDPR (digital-consent age varies 13–16 by EU member state). The earlier draft used 17+ specifically to sidestep this; the product decision is now 13+. Counsel should confirm the consent flow for 13–17 users is adequate.]
15. US state privacy rights (California CCPA/CPRA and other states)
California (CCPA/CPRA). California residents have the rights in Section 9, plus the right to know the categories of personal information collected, the purposes, and the categories of third parties to whom it is disclosed (see Sections 3 and 7). We do not sell or "share" personal information for cross-context behavioral advertising. We collect the categories: identifiers; customer records; commercial information (subscriptions); internet/usage activity; sensitive personal information (health metrics such as body weight; account credentials). We use sensitive personal information only for permitted purposes and not to infer characteristics. We honor the Global Privacy Control (GPC) and other recognized opt-out preference signals where required. [CONFIRM GPC handling on web; the iOS app is the primary surface.]
Other US states (e.g., Virginia, Colorado, Connecticut, Utah, Texas, and others as enacted): residents have access, correction, deletion, portability, and opt-out rights as provided by their state laws; exercise them as described in Section 9.
16. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated in-app or via email at least 30 days before they take effect (or sooner where the law requires immediate notice).
17. Contact
- Privacy questions / data subject requests: privacy@getmacrosquad.com
- Security: security@getmacrosquad.com
- General contact: support@getmacrosquad.com
Karan Sharma (sole proprietor), Ann Arbor, Michigan, USA
- EU representative (if required, GDPR Art. 27): Not yet appointed — EU availability deferred until a rep is appointed
- UK representative (if required): Not yet appointed — UK availability deferred until a rep is appointed
- Data Protection Officer / privacy contact (if appointed): Karan Sharma — ksharm@umich.edu
Effective date: June 11, 2026
Last updated: June 11, 2026
Version: 2.1 (DRAFT — pending attorney review; see docs/legal-review-checklist.md)
App Privacy "nutrition label" mapping (App Store Connect questionnaire)
This table maps our data practices to Apple's App Privacy ("privacy nutrition label") questionnaire required during App Store submission. Linked = associated with the user's identity. Tracking = used to track across apps/websites owned by other companies (ATT scope). Update as the schema locks. Current design intent: no Tracking.
| Apple data type | Collected? | Linked to user? | Used for Tracking? | Purpose(s) |
|---|---|---|---|---|
| Contact Info — Email Address | Yes | Yes | No | App Functionality (account), Customer Support |
| Contact Info — Name | Yes (optional) | Yes | No | App Functionality (profile display) |
| Contacts (from address book, friend-finding) | Yes (optional, opt-in) | [CONFIRM Linked? — hashed match] | No | App Functionality (find friends) |
| User Content — Photos (meal + profile) | Yes | Yes | No | App Functionality (AI macro estimation, profile) |
| User Content — Other (comments, reactions) | Yes | Yes | No | App Functionality (social feed) |
| Health & Fitness (macros, body weight, height, goals) | Yes | Yes | No | App Functionality |
| Identifiers — User ID | Yes | Yes | No | App Functionality (account) |
| Purchases — Purchase History | Yes | Yes | No | App Functionality (subscriptions) |
| Diagnostics — Crash Data | Yes | No | No | App Functionality |
| Diagnostics — Performance Data | Yes | No | No | App Functionality |
| Usage Data — Product Interaction | Yes | No | No | Analytics (de-identified) |
| Identifiers — Device ID | No | — | — | — |
| Location | No | — | — | — |
| Financial Info — Payment Info | No (handled by Apple) | — | — | — |
| Browsing / Search History | No | — | — | — |
| Sensitive Info | No | — | — | — |
| Advertising Data | No | — | — | — |
Open items / pre-launch checklist (carried from this draft)
- [x] RESOLVED 2026-06-10 (HUMAN-TASKS #4b): FatSecret confirmed no-training in writing (§2.4.3); Sections 2, 6, 7, 8 reconciled.
- [x] RESOLVED 2026-06-11: Removed leftover dual-provider / "fallback image recognition" framing (Sections 5–7); FatSecret stated as the sole image-recognition provider — no general-purpose LLM provider is in the runtime path.
- [x] RESOLVED 2026-06-11: Minimum age set to 13+ across Privacy (Section 14) and Terms (Section 2). App Store age-rating consistency still needs confirmation (flagged in Section 14).
- [x] RESOLVED 2026-06-11: Contact emails normalized to @getmacrosquad.com; website domain set to getmacrosquad.com (final domain still needs the human decision below).
- [ ] HUMAN-GATED: Lock the final domain (getmacrosquad.com vs macrosquad.app) and use it identically across app, landing, App Store listing, and these docs.
- [ ] HUMAN-GATED: Confirm legal entity / controller identity. Currently "Karan Sharma (sole proprietor), Ann Arbor, Michigan, USA." If an LLC is formed before launch, update [ENTITY] and [STATE] everywhere.
- [ ] HUMAN-GATED: Confirm App Store age rating is consistent with a 13+ minimum and that the 13–17 parental-consent flow is adequate (US states + EU digital-consent age).
- [ ] HUMAN-GATED: Reconcile backup retention window (30 vs 90 days) to a single number.
- [ ] HUMAN-GATED: Confirm contacts-import hash algorithm, salt strategy, and non-user retention = zero, then remove the [CONFIRM HASH ALGORITHM + SALT STRATEGY] placeholder in Section 3.4.
- [ ] HUMAN-GATED: Confirm every DPA in Section 7 is executed (Supabase, FatSecret, RevenueCat, Nutritionix, Cloudflare, Expo Push) and the international-transfer mechanism per processor.
- [ ] HUMAN-GATED: Confirm the crash/analytics vendor (Section 7) and that neither it nor any provider introduces ATT "Tracking."
- [ ] HUMAN-GATED: Confirm GPC / opt-out-preference-signal handling on the web surface.
- [ ] HUMAN-GATED: Confirm EU/UK Art. 27 representative necessity and DPO necessity (currently deferred; EU/UK availability deferred until a rep is appointed).
- [ ] HUMAN-GATED: Publish this policy at the live URL referenced by the app and App Store Connect before submission.
- [ ] HUMAN-GATED — Final attorney review of the entire document. This draft is engineering-accurate but is not a substitute for legal counsel.
This Privacy Policy is an engineering-accurate working draft. It has not been reviewed by an attorney and is not legal advice. See docs/legal-review-checklist.md for the full sign-off list.