Privacy policy

Last updated: April 2026. Suppr helps you log recipes, nutrition, and discover meals. This policy describes what we process, who we share it with, and your choices.

What we collect

  • Account: email and profile fields you provide (e.g. display name, goals, measurements) when you create an account and sign in.
  • App usage data: nutrition logs, saved recipes, and preferences you store in the application or synced to our database.
  • Technical: standard server logs (e.g. IP address for rate limiting and abuse prevention), device type, and optional analytics or error reporting if you do not opt out.

How we use data

To provide the service (logging, meal planning, barcode and recipe features), improve reliability, and comply with law. We do not sell your personal data.

AI, voice, and images

If you use optional features, we send the minimum content needed to operate them to our servers and, where described below, to model providers:

  • Photo meal logging: images you upload are processed to suggest food items and nutrition estimates. This processing uses third-party AI (OpenAI vision models).
  • Voice / text meal logging: text you submit (typed or transcribed) is processed to parse foods and estimates and uses third-party AI (OpenAI). On the web, browser-based speech recognition (Web Speech API) may run on your device or via your browser/OS vendor before text reaches us; review your browser and OS privacy settings if you use that path.
  • Recipe and social import: URLs or shared links you provide may be fetched or parsed to extract recipe content. Images from imports are treated like other uploads when you choose image-based flows.

Sub-processors

We use the following third-party service providers to operate Suppr. Each is bound by a data-processing agreement and processes your data only on our instructions.

| Provider | Purpose | Data received | Region |
|---|---|---|---|
| Supabase | Database, auth, storage | Account, app data, uploads | EU (Frankfurt) |
| Vercel | Hosting, edge network | HTTP requests, IP | Global edge, US primary |
| Upstash | Rate-limit state | IP, request counters | US / EU |
| Stripe | Web billing | Email, payment card (collected by Stripe directly) | US / Ireland |
| Apple (App Store, HealthKit, Sign in with Apple) | iOS purchases, sign-in relay, HealthKit sync | IAP receipt, private relay email, Health permission grants | Global |
| RevenueCat | iOS IAP receipt verification | IAP receipt, user id | US |
| Expo / EAS | Mobile OTA updates, push tokens, crash logs | Device id, push token | US |
| OpenAI | AI features (photo / text meal logging, recipe parsing) | Uploaded image, caption / URL text (no account data) | US |
| Edamam | Food database lookups | Ingredient text query (no account data) | US |
| FatSecret | Food database lookups | Ingredient text query (no account data) | US |
| USDA FoodData Central | Public-domain food database | Ingredient text query (no account data) | US (public sector) |
| Open Food Facts | Product / barcode lookups | Barcode or product name (no account data) | EU (France) |
| PostHog | Product analytics (if not opted out) | Event names, device id, page views | EU (Frankfurt) |
| Sentry | Error reporting (if not opted out) | Stack traces, device type, user id | EU (Frankfurt) |
| Google Play | Android purchases (future) | Purchase token, account email | Global |

International transfers

Several sub-processors listed above are located in the United States (OpenAI, Stripe, Upstash, RevenueCat, Expo, Edamam, FatSecret, USDA). Where we transfer personal data of EU or UK users to a country not covered by an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum or the UK IDTA, together with supplementary technical and organisational measures (encryption in transit, access controls). A copy of the relevant transfer safeguards for any specific sub-processor is available on request by emailing the address at the foot of this page.

Legal basis (EU/UK)

  • Providing the service (account, logging, planning): performance of a contract.
  • AI features, analytics, error reporting: our legitimate interests in improving and securing the service (you can opt out of analytics and error reporting; AI features are opt-in per action).
  • Marketing email (if any): your consent.
  • Legal and safety: compliance with legal obligations.

Automated processing

AI-derived nutrition matches, meal photo identification and ingredient parsing are automated but are estimates — a human (you) reviews and edits every saved entry before it enters your tracker. These features do not make decisions that produce legal or similarly significant effects about you.

Apple Health (iOS)

If you enable the Apple Health integration on iOS, Suppr reads the following data to keep your tracker in sync: steps, active energy, basal energy, workouts, weight, body fat percentage, and any dietary entries already in Apple Health (for example logs you created in other apps). Suppr writes the calories, protein, carbohydrates, fat, and fibre of the meals you log back to Apple Health so other apps on your phone can read them. Data shared with Apple Health is governed by Apple’s privacy policy and stored on your device; Suppr does not send your Health data to our servers unless you explicitly log a meal. You can revoke Suppr’s Health access at any time in iOS Settings → Privacy & Security → Health → Suppr.

Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. billing records may be retained for up to 7 years for tax compliance). Anonymised, aggregated analytics data from which you cannot reasonably be re-identified may be retained indefinitely.

Your rights and choices

  • Export your data: You can export locally stored data from Settings (Download your data).
  • Delete your account: You can permanently delete your account and all associated data from Settings on web or mobile. Deletion is processed immediately for app data; billing records may be retained for up to 7 years as required by law.
  • Withdraw consent: You can sign out at any time and disable optional analytics or error reporting via your cookie preferences.
  • Access and correction: You can view and update your personal data in your profile at any time, or request a copy by contacting support.
  • EU/UK residents: Under GDPR / UK GDPR you have the right to access, rectify, erase, restrict processing, data portability, and to object to processing. You also have the right to complain to your national data-protection authority (in the UK, the Information Commissioner’s Office at ico.org.uk). To exercise these rights, contact the support channel below.

Contact

For questions about this policy, data requests, or to exercise your rights, email us at privacy@suppr-club.com. We aim to respond within 14 days.