Privacy Policy
Effective Date: March 15, 2026 · Last Updated: March 15, 2026
California Residents
You have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). See Section 10 for details, including how to exercise your rights.
1. Introduction
Websites by Dano (“we,” “us,” or “our”) operates NutriTracker (the “Service”) at https://nutritrackerdemo.vercel.app. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service, and describes the rights available to you.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Email address, full name, and password (stored as a one-way cryptographic hash using bcrypt; we never store your plaintext password).
- Health & Biometric Profile: Age, sex, height, weight, BMI, activity level, and fitness goal (e.g., weight loss, maintenance, muscle gain). This is sensitive personal information under CCPA.
- Nutrition Goals: Calorie targets, macro targets (protein, carbs, fat, fiber, sodium), target weight, and target date.
- Food Logs: Foods you log, meal type, serving size, date and time, and the full nutritional breakdown for each logged item — including macronutrients, micronutrients (vitamins and minerals), cholesterol, sodium, and other nutritional data. This is sensitive personal information under CCPA.
- Body Measurement Logs: Periodic body measurements (e.g., waist, hips, arms) and weight log entries. This is sensitive personal information under CCPA.
- Workout & Activity Data: Workout sessions, exercise sets, cardio logs, and related fitness data. This may be sensitive personal information under CCPA.
- Water Intake Logs: Daily water consumption entries.
- Custom Foods & Recipes: Foods and recipes you create within the Service.
- Grocery Lists: Items you add to your in-app shopping list.
- Saved Favorites: Foods and recipes you mark as favorites.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, timestamps of interactions, and referral URLs. Collected via our error monitoring service (Sentry).
- Error & Diagnostic Data: Crash reports, error logs, browser type, device operating system, and error stack traces — collected via Sentry to help us diagnose and fix issues.
- IP Address: Logged by our server infrastructure (Vercel) and used for rate limiting, security monitoring, and fraud prevention.
- Session Data: Session tokens stored in encrypted cookies for authentication purposes. These expire automatically.
2.3 Information from Third-Party Food Databases
When you search for foods, we may transmit your search query to the USDA FoodData Central API and/or the Spoonacular API to retrieve nutritional data. These queries may include the food name you searched for. We cache responses to minimize repeated API calls.
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account;
- Provide, operate, and improve the Service;
- Calculate and display personalized nutrition targets and progress;
- Process and store your food logs, workout data, and health metrics;
- Send transactional emails (account verification, password reset) via Resend;
- Monitor service performance and diagnose errors via Sentry;
- Enforce our Terms of Service and protect against fraud or abuse;
- Comply with legal obligations;
- Respond to your requests, questions, or support inquiries.
We do not use your information for targeted advertising, and we do not sell your personal information or sensitive personal information to any third party.
4. How We Share Your Information
We share your information only with the following categories of service providers, and only to the extent necessary to operate the Service:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Neon (Neon Inc.) | PostgreSQL database hosting | All user data (encrypted in transit and at rest) |
| Vercel, Inc. | Application hosting & CDN | Request logs including IP addresses |
| Resend | Transactional email delivery | Email address, email content (verification/reset links) |
| Sentry (Functional Software, Inc.) | Error monitoring & diagnostics | Error logs, browser/device info, anonymized user IDs |
| USDA FoodData Central | Food nutritional data lookup | Food search queries only |
| Spoonacular | Recipe & food data | Food/recipe search queries only |
All service providers are contractually obligated to use your data only as necessary to provide services to us and to maintain appropriate security measures.
We may also disclose your information: (a) if required by law, regulation, or legal process; (b) to protect the rights, property, or safety of Websites by Dano, our users, or the public; (c) in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case you will be notified via email and/or a prominent notice on the Service.
5. Sensitive Personal Information
The following categories of information we collect are considered “sensitive personal information” under the California Privacy Rights Act (CPRA):
- Health and medical information (food logs, nutrition data, body measurements, weight logs, workout data);
- Physical characteristics and biometric-adjacent data (height, weight, BMI, age, sex).
We use sensitive personal information only to provide the Service — specifically, to display your nutrition data to you, calculate your personalized targets, and enable the core tracking functionality. We do not:
- Sell sensitive personal information;
- Share sensitive personal information for cross-context behavioral advertising;
- Use sensitive personal information for purposes beyond what is necessary to provide the Service.
You have the right to direct us to limit our use and disclosure of your sensitive personal information. To exercise this right, see Section 10 below or email legal@nutritracker.app.
6. Cookies & Tracking Technologies
We use the following types of cookies and storage mechanisms:
- Session Cookies (Essential): Encrypted cookies to maintain your authenticated session. Required for the Service to function. Cannot be disabled.
- Local/Session Storage: Used to store UI preferences (e.g., dark mode), not linked to personal information.
- IndexedDB (Offline Queue): Used by the service worker to queue offline food log submissions. Data is synced and cleared upon upload.
We do not use third-party advertising cookies, social media tracking pixels, or behavioral profiling cookies.
Do Not Track: The Service recognizes and respects browser “Do Not Track” (DNT) signals where technically feasible. Because we do not engage in cross-site tracking or behavioral advertising, your privacy experience does not meaningfully differ whether or not DNT is enabled.
7. Data Retention
We retain your data as follows:
- Account & Profile Data: Retained until you delete your account or request deletion, plus up to 30 days for backup purge cycles.
- Food Logs, Workout Data, Measurements: Retained for the life of your account. Upon account deletion, all logs are permanently deleted within 30 days.
- Email Verification Tokens: Automatically expire after 24 hours.
- Password Reset Tokens: Automatically expire after 1 hour.
- Session Tokens: Expire upon logout or after a period of inactivity.
- Error Logs (Sentry): Retained per Sentry's default retention policy (90 days) and do not contain sensitive health data.
8. Data Security
We implement industry-standard security measures to protect your information, including:
- TLS/HTTPS encryption for all data in transit;
- Encrypted database connections and encrypted data at rest (Neon managed PostgreSQL);
- Passwords hashed with bcrypt (12 rounds) — we never store plaintext passwords;
- Single-use, time-limited tokens for email verification and password resets;
- Authenticated session management with HTTP-only, secure cookies;
- Rate limiting on sensitive endpoints to prevent brute-force attacks;
- Automated error monitoring via Sentry to detect anomalies.
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify you as required by applicable law.
9. Children's Privacy (COPPA)
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at legal@nutritracker.app. We will promptly delete such information.
Users between 13 and 17 must use the Service only with verifiable parental consent. A parent or legal guardian who discovers that a minor has created an account without their consent may contact us to request deletion.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), effective January 1, 2023:
Right to Know
You have the right to request that we disclose: (a) the categories and specific pieces of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) our business purpose for collecting it; and (d) the categories of third parties with whom we share it.
Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., where we are required to retain it by law or to complete a transaction you requested).
Right to Correct
You have the right to request correction of inaccurate personal information we maintain about you. You can update most of your information directly in your account settings.
Right to Opt-Out of Sale or Sharing
We do not sell your personal information or sensitive personal information, and we do not share it for cross-context behavioral advertising. No opt-out action is required. If this practice ever changes, we will update this Policy and provide a “Do Not Sell or Share My Personal Information” link as required by law.
Right to Limit Use of Sensitive Personal Information
You may direct us to limit our use and disclosure of your sensitive personal information (health data, biometric data) to only what is necessary to provide the Service. Contact us at legal@nutritracker.app to exercise this right.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide you a different level of service solely because you exercised your privacy rights.
How to Submit a Request
To exercise any of the rights above, submit a verifiable consumer request by:
- Emailing us at legal@nutritracker.app with subject line “CCPA Privacy Request”;
- Including your full name, email address associated with your account, and the specific right you wish to exercise.
We will respond within 45 days. If reasonably necessary, we may extend this period by an additional 45 days and notify you of the extension.
You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide written authorization and verify your identity directly.
You may submit up to two verifiable consumer requests in a 12-month period without charge. For excessive or repetitive requests, we reserve the right to charge a reasonable fee or refuse, with explanation.
11. California Online Privacy Protection Act (CalOPPA)
Pursuant to CalOPPA, please note the following:
- This Privacy Policy is conspicuously posted and linked from our homepage footer;
- Users can visit our Service anonymously except for features requiring account creation;
- We will notify users of Privacy Policy changes by updating the “Last Updated” date and, for material changes, by email notice;
- Users can change their personal information by logging into their account or contacting us;
- Our Do Not Track policy is described in Section 6.
12. Nevada Residents
Nevada SB 220 grants Nevada residents the right to opt out of the sale of certain covered information. We do not sell your covered information. If you have questions, contact us at legal@nutritracker.app.
13. International Users
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We apply the same privacy protections regardless of where you are located.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or equivalent laws. Our lawful bases for processing your personal data include: (a) performance of a contract (to operate your account); (b) your consent (for optional data); and (c) our legitimate interests in securing and improving the Service. To exercise GDPR rights (access, rectification, erasure, portability, objection), contact us at legal@nutritracker.app.
14. Account Deletion & Data Portability
Deletion: You may request deletion of your account and all associated data at any time by emailing legal@nutritracker.app. We will permanently delete your account and all personal data within 30 days, except where retention is required by law. Deletion is irreversible.
Data Export: You may request a copy of your personal data in a machine-readable format (JSON) by contacting us at the email above. We will fulfill this request within 45 days.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last Updated” date at the top of this page and by sending an email to the address associated with your account at least 14 days before the change takes effect.
We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
- Email: legal@nutritracker.app
- Subject line for privacy requests: “Privacy Request — NutriTracker”
- Website: https://nutritrackerdemo.vercel.app
- Business: Websites by Dano
We are committed to resolving complaints about our collection or use of your personal information. California residents who cannot resolve a complaint with us directly may contact the California Attorney General's office or the California Privacy Protection Agency (CPPA) at cppa.ca.gov.