Privacy Policy
Last Updated: February 11, 2026
1. Introduction & Contact Information
BoilerBites ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.
Contact Information
Email: ttvaroh@icloud.com
2. Information We Collect
2.1 Account Information
- Email Address: Collected during sign-up for account creation and authentication
- Full Name: Collected during registration or profile editing
- Password: Stored securely by Supabase (hashed, not in plain text)
- Authentication Tokens: Session tokens stored locally on device via AsyncStorage
2.2 Health & Nutrition Data
- Food Entries: What foods you consume, quantities, meal times, and dates
- Nutrition Goals: Daily calorie, protein, carbohydrate, and fat goals
- Nutrition Preferences: Allergen information (dairy, gluten, nuts, soy, eggs, shellfish, fish, peanuts)
- Daily Nutrition Tracking: Consumed calories and macronutrients per day
- Favorite Items: Food items you mark as favorites
2.3 Usage Data
- Search Queries: Food search terms sent to FatSecret API (via proxy)
- Barcode Scans: Product barcodes scanned for nutrition lookup (sent to FatSecret API)
- App Usage: Basic app functionality usage (handled by Expo platform)
2.4 Device Information
- Camera Access: Used only for barcode scanning (no images stored)
- Device Information: Basic device info for app functionality (via Expo)
2.5 Third-Party Authentication Data
If using Purdue.edu sign-in, Microsoft/Azure AD provides:
- Email address
- Profile information (name, email)
- Authentication tokens
2.6 Health App Connection & Sync Data (Optional)
If you choose to connect Apple Health or Fitbit, we collect and use the following only to sync your BoilerBites food logs to the health app:
- Connection status: Whether you have connected Apple Health or Fitbit, and whether auto-sync is enabled
- Fitbit: OAuth tokens (access and refresh) stored securely so we can send your logged foods to your Fitbit food log. We do not read your existing Fitbit activity or health data.
- Apple Health: We only write dietary data (calories, protein, carbs, fat, etc.) for foods you log in BoilerBites. We do not read your other Health app data. Permission is requested on-device and can be revoked in iOS Settings.
- Sync records: We store which BoilerBites food entry IDs were synced to which external log IDs (e.g., Fitbit log ID) so we can update or remove them when you edit or delete entries in BoilerBites.
Health app connection is optional. Disconnecting in the app or revoking permissions in your device or Fitbit account stops all sync and use of this data.
⚠️ Important Note: Camera access is used ONLY for barcode scanning. No photos or images are stored or transmitted.
3. How We Use Your Information
Account Management
- Create and manage your user account
- Authenticate your identity
- Provide password reset functionality
Core App Functionality
- Track your daily nutrition intake
- Store your food entries and favorites
- Calculate nutrition goals and progress
- Filter menu items based on your allergen preferences
- Provide personalized dining hall menu information
Search & Discovery
- Process food search queries through FatSecret API
- Look up nutrition information for scanned barcodes
- Display relevant food items and nutrition data
Health App Sync (Optional)
- Send your BoilerBites food entries (name, calories, macros, meal type, date) to Apple Health or Fitbit when you have connected and enabled sync
- Update or remove entries in the health app when you edit or delete them in BoilerBites
- Store connection and sync metadata only as needed to keep health app logs in sync with your BoilerBites diary
Service Improvement
- Improve app functionality and user experience
- Fix bugs and technical issues
4. Data Storage & Security
4.1 Where Data is Stored
- Supabase Database: All user data (profile, food entries, nutrition tracking, favorites), health app connection status, and sync metadata (e.g., Fitbit log IDs linked to your food entries) are stored in Supabase's secure PostgreSQL database
- Local Device Storage: Authentication tokens stored locally via AsyncStorage for session management
- Supabase Authentication: User credentials and authentication data managed by Supabase
- Fitbit: When connected, we send only the food log data you create in BoilerBites to Fitbit; we do not store your Fitbit health or activity data on our servers
- Apple Health: Dietary data we write is stored in the Health app on your device only; we do not receive or store your Health app data on our servers
4.2 Security Measures
- Encryption: Data transmitted using HTTPS/TLS encryption
- Authentication: Secure password hashing (handled by Supabase)
- Row Level Security (RLS): Database-level security ensuring users can only access their own data
- Secure Tokens: Authentication tokens stored securely on device
5. Third-Party Services & Data Sharing
5.1 Supabase
- Purpose: Backend services (authentication, database, hosting)
- Data Shared: All user account data, food entries, nutrition tracking, preferences
- Privacy Policy: https://supabase.com/privacy
5.2 Microsoft Azure AD
- Purpose: OAuth authentication for Purdue.edu email sign-in
- Data Shared: Email address, profile information (only during authentication)
- Privacy Policy: https://privacy.microsoft.com/privacystatement
- Note: Only used if user chooses "Sign in with Purdue.edu"
5.3 FatSecret API
- Purpose: Nutrition database for food search and barcode lookup
- Data Shared: Food search queries and product barcodes (GTIN-13 format)
- Privacy Policy: https://www.fatsecret.com/privacy
- Note: Search queries and barcodes are sent via Oracle Cloud proxy server
5.4 Oracle Cloud Infrastructure
- Purpose: Proxy server for FatSecret API calls (required for IP whitelisting)
- Data Shared: Food search queries and barcodes (passed through, not stored)
- Privacy Policy: https://www.oracle.com/legal/privacy/
- Note: Acts as a pass-through proxy; does not store user data
5.5 Expo
- Purpose: App development platform, updates, and basic analytics
- Data Shared: Basic usage metrics, crash reports (if enabled)
- Privacy Policy: https://expo.dev/privacy
5.6 Fitbit (Optional)
- Purpose: Sync your BoilerBites food log to your Fitbit food log so you can see your nutrition in the Fitbit app
- Data Shared: Food name, calories, macronutrients, meal type, and date for entries you add, edit, or delete in BoilerBites. OAuth tokens are stored so we can perform sync on your behalf.
- Privacy Policy: https://www.fitbit.com/global/us/legal/privacy-policy
- Note: Only used if you connect Fitbit in the app. You can disconnect at any time in BoilerBites or in your Fitbit account.
5.7 Apple Health (Optional)
- Purpose: Write dietary nutrition data (calories, protein, carbs, fat, etc.) for foods you log in BoilerBites into the Health app on your iPhone
- Data Shared: Data is written to Health on your device only; we do not send your Health data to our servers. We only send the dietary entries you create in BoilerBites to the Health app.
- Privacy Policy: Apple Health data is governed by Apple's privacy practices. See https://www.apple.com/legal/privacy/
- Note: Only used if you enable Apple Health in the app. You can revoke access in iOS Settings → Privacy & Security → Health → BoilerBites.
⚠️ Important: We do NOT sell your personal data to third parties. Data is only shared with the services listed above to provide app functionality.
6. Data Retention
- Account Data: Retained while your account is active
- Food Entries: Retained until you delete them or your account is deleted
- Nutrition Tracking: Historical data retained for progress tracking
- Health App Connections: Connection and sync metadata retained until you disconnect the health app or delete your account
- Deletion: You can delete your account at any time, which will delete all associated data, including health app connection and sync records
7. Your Rights & Choices
7.1 Access & Control
- View Your Data: Access your profile, food entries, and nutrition data through the app
- Edit Your Data: Update your profile, nutrition goals, and preferences in-app
- Delete Data: Delete individual food entries or your entire account
7.2 Account Deletion
You can delete your account at any time. Account deletion will remove:
- Your profile information
- All food entries
- Nutrition tracking data
- Favorite items
- Nutrition preferences
7.3 Camera Permission
- Camera access is optional and only needed for barcode scanning
- You can revoke camera permission in device settings
- The app will continue to function without camera access (manual food entry still available)
7.4 Authentication Options
- You can choose between email/password or Azure AD (Purdue.edu) authentication
- You can switch authentication methods (contact support for assistance)
7.5 Health App Connections
- Disconnect anytime: In the app, go to Health Connections and disconnect Apple Health or Fitbit. This stops all syncing and we will no longer send data to that service.
- Fitbit: You can also revoke BoilerBites access in your Fitbit account settings
- Apple Health: You can revoke BoilerBites' access to Health in iOS Settings → Privacy & Security → Health → BoilerBites
- Disconnecting or revoking does not delete data already sent to the health app; you may need to remove those entries in the Fitbit or Health app if desired
8. Children's Privacy
- Age Requirement: BoilerBites is not intended for users under 13 years of age
- COPPA Compliance: We do not knowingly collect personal information from children under 13
- If you discover a child under 13 has provided information: Contact us immediately to have it removed
9. California Privacy Rights (CCPA)
If applicable, California residents have specific rights regarding their personal information:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we do not sell data)
10. International Users
- Data Location: Data is stored in Supabase's cloud infrastructure (location may vary)
- GDPR: If you are in the EU, you have additional rights under GDPR
- Data Transfer: Data may be transferred to and processed in countries outside your jurisdiction
11. Changes to Privacy Policy
- We may update this privacy policy from time to time
- We will notify you of material changes through the app or by email
- Continued use of the app after changes constitutes acceptance
12. Contact Us
For privacy concerns or questions about this Privacy Policy, please contact us:
Email: ttvaroh@icloud.com
Important Notes
- Camera Usage: Camera is ONLY used for barcode scanning, no images stored
- No Location Tracking: The app does NOT collect location data (only dining hall preferences)
- No Advertising: The app does NOT show ads or use advertising networks
- No Cross-App Tracking: We do NOT track users across other apps or websites
- Health Data: Apple Health and Fitbit integration is optional. We only send your BoilerBites food logs to the health app you connect; we do not read your existing health or activity data from those apps for any other purpose.
- Data Minimization: We only collect data necessary for app functionality
- User Control: Users can delete their data and disconnect health apps at any time