Privacy Policy

Last Updated: April 2, 2026 · Effective Date: March 10, 2026

This Privacy Policy describes how Vijay Umapathy (“Developer”, “we”, “us”, “our”) handles information in connection with the BiteSmart mobile application (“App”). By using the App, you agree to the practices described in this policy.

1. Our Privacy Commitment

BiteSmart is designed with a privacy-first approach. We do not create user accounts, do not require login, and collect the minimum information necessary to provide the service. We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes.

2. Information We Collect

2a. Information You Provide Directly

Child’s age in months. You may optionally enter your child’s age to receive age-appropriate product assessments. This value is stored locally on your device and is transmitted to our server only as a numeric parameter in API requests. It is not linked to any name, account, or identifier.
Allergen selections. You may optionally select known allergens (e.g., milk, peanuts) from a predefined list. These selections are stored locally on your device and transmitted to our server only as part of API requests. They are not linked to any name, account, or identifier.

2b. Information Collected Automatically

When you scan a product and the App makes a request to our server, the following information is transmitted and may be logged:

Product barcode. The barcode number you scanned.
Child age and allergen parameters. As described above, sent as query parameters.
Request metadata. HTTP method, request path, response status code, and response time. This is standard server logging used for debugging and monitoring service health.

IP addresses: Your device’s IP address is received by our server as part of standard internet communication but is not logged or stored. IP addresses are processed in memory only for rate limiting (abuse prevention) and are discarded immediately after the request is completed.

2c. Information We Do NOT Collect

We do not collect your name, email address, phone number, or any contact information.
We do not create user accounts or profiles.
We do not log or store IP addresses.
We do not collect location data (GPS, Wi-Fi, or cell tower).
We do not access your contacts, photos, files, or any device data beyond the camera (used solely for barcode scanning).
We do not use advertising SDKs or third-party tracking tools for advertising or marketing purposes.
We do not use cookies.
We do not collect biometric data.
We do not collect payment information (the App is free and contains no in-app purchases).
We do not collect your name, email address, phone number, or any contact information.
We do not create user accounts or profiles.
We do not log or store IP addresses.

2d. Analytics and Session Replay (PostHog)

The App uses PostHog, a product analytics service, to help us understand how the App is used and improve it over time. PostHog collects the following data from your device:

Anonymous device identifier. A randomly generated UUID stored on your device (PostHog’s “distinct ID”). This ID is not linked to your name, email address, or any account. It persists across sessions so we can understand aggregate usage patterns, but cannot be used to identify you personally.
App lifecycle events. App opened, backgrounded, and foregrounded.
Screen views. Which screens you visit within the App and navigation paths between them.
Behavioral events. Actions such as scanning a product, viewing a result, adding or updating a child profile (age in months and allergen count only — no child names are ever sent), accepting terms, and similar in-app interactions.
Session replay. PostHog records session replays to help us diagnose usability issues. All text inputs are masked before recording — no text you type (including child names) is ever captured or transmitted. Images are not masked.
Device and app metadata. Device OS and version, app version, device type, and locale.

PostHog data does not include your name, email address, phone number, IP address, GPS location, or any directly identifying information. Child names are never sent to PostHog. Child ages are transmitted only as a numeric value in months (e.g., “8”), with no association to any name or identity.

PostHog is used solely for our own product analytics. PostHog does not use your data for advertising and does not sell it to third parties.

3. How We Use Information

We use the information described above solely for the following purposes:

Providing the service. Your barcode scan, child age, and allergen selections are sent to our server to look up product data and generate a scored assessment, which is returned to your device.
Abuse prevention. IP addresses are processed in memory for real-time rate limiting to prevent automated abuse of our service. They are not logged or stored.
Service monitoring. Server logs (including request paths and response codes, but not IP addresses) are used to monitor service health, debug errors, and understand aggregate usage patterns.
Product analytics. PostHog analytics data (described in Section 2d) is used to understand how users interact with the App, identify usability issues, and improve App features over time.

We do not use any information for advertising, marketing, or cross-context behavioral tracking.

4. Data Retention

On-device data. Child age and allergen selections are stored locally on your device using standard device storage. You can clear this data at any time by clearing the App’s data in your device settings or uninstalling the App. The App does not persist scan history.
Server logs. Server request logs (which include request paths, response codes, and response times, but not IP addresses or other user-identifying information) are retained on our hosting infrastructure (Railway) for up to 7 days for operational purposes, after which they are automatically deleted per the hosting provider’s log retention policy.
Cached results. Scored product results may be cached on our server for up to 7 days to improve performance. Cached results are keyed by barcode, child age, and an anonymized hash of allergen selections — they are not linked to any individual user or device.
Analytics data. PostHog analytics events and session replays are retained in PostHog’s cloud infrastructure for up to 1 year, after which they are automatically deleted. PostHog is a US-based company; their privacy policy is available at posthog.com/privacy.

5. Data Sharing and Third Parties

5a. Third-Party Data Sources

To generate product assessments, our server retrieves product data from the following third-party sources:

Open Food Facts (openfoodfacts.org) — open-source food product database
U.S. Food and Drug Administration (FDA) — public recall and enforcement data
California OEHHA — Proposition 65 chemical listings

When our server queries these sources, it transmits the barcode number. Our server makes these requests — your device does not communicate with these third parties directly. These third parties receive no information about you, your child, or your device.

5b. Hosting and Infrastructure

Our server is hosted on Railway (railway.app). Cached data is stored using Redis, hosted by Railway. These infrastructure providers may process server logs and network data in accordance with their own privacy policies. We do not share user-specific data with these providers beyond what is inherent in hosting the service.

Analytics data is processed by PostHog, Inc. (posthog.com), a US-based product analytics service. PostHog acts as a data processor on our behalf. They do not sell your data or use it for advertising. PostHog’s privacy policy is available at posthog.com/privacy.

5c. We Do Not Sell Your Data

We do not sell, rent, license, or otherwise provide your personal information to third parties for their own commercial purposes. We do not participate in data brokerages or advertising networks.

5d. Legal Requirements

We may disclose information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Children’s Privacy

BiteSmart is a tool used by parents and caregivers. It is not directed at children and is not intended to be used by children.

We do not knowingly collect personal information from children under 13 years of age, as defined by the Children’s Online Privacy Protection Act (COPPA).

The child age value entered by a parent or caregiver is a general numeric parameter (e.g., “8 months”) that cannot identify any specific child. It is not linked to a name, device, account, or any other identifying information.

If you believe that we have inadvertently collected personal information from a child under 13, please contact us immediately at the address below and we will take steps to delete such information.

7. California Residents — CCPA/CPRA Notice

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of personal information collected:

Internet or other electronic network activity information. App usage events, screen views, and behavioral interactions collected via PostHog analytics (Section 2d), as well as server-side request logs (request paths and response codes, Section 2b).
Device information. Device OS, app version, device type, and locale, collected via PostHog (Section 2d).

We do not log IP addresses or collect names, contact information, or any directly identifying information.

We do not:

Sell your personal information.
Share your personal information for cross-context behavioral advertising.
Use sensitive personal information for purposes beyond providing the service.
Collect personal information beyond what is disclosed in this policy.

Your rights: You have the right to know what personal information we collect, to request deletion of your personal information, to opt out of the sale or sharing of personal information (we do not sell or share), and to not be discriminated against for exercising these rights.

To exercise any of these rights, please contact us at the email address below. We will respond within 45 days.

8. International Users

Our server is located in the United States. If you access the App from outside the United States, your request data (including barcode, child age, and allergen parameters) will be transmitted to and processed in the United States. By using the App, you consent to this transfer. We do not log IP addresses or other information that could identify your location.

We do not currently target or market the App to users in the European Economic Area (EEA) or United Kingdom. If this changes, we will update this policy to address GDPR requirements.

9. Camera Permission

The App requests access to your device’s camera solely for the purpose of scanning product barcodes. Camera data is processed on-device in real time by the barcode scanning library. We do not capture, store, or transmit photos or video from your camera. No images leave your device.

10. Security

We use commercially reasonable measures to protect information transmitted to and stored on our server, including encrypted HTTPS connections for all API communication and access-controlled hosting infrastructure. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Links to External Sources

The App may display links to third-party websites (e.g., FDA recall notices, scientific publications, Open Food Facts pages) as source citations for product findings. These links are provided for informational purposes. We do not control the content or privacy practices of these external sites, and this Privacy Policy does not apply to them.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last Updated” date at the top of this page and, where practicable, provide notice through the App. Your continued use of the App after changes are posted constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or believe we have collected information from a child under 13, please contact:

Vijay Umapathy
Email: contact.bitesmart@gmail.com

By using BiteSmart, you acknowledge that you have read and understood this Privacy Policy.