
Legal

Privacy Policy

How Bite Built AI handles the data you share with us.

Last updated April 25, 2026

Bite Built AI (“we,” “us,” or “our”) provides a mobile application and website (the “Service”) that help you log meals, track macros, and record workouts. This policy explains what data we collect, why, and the choices you have.

We designed the Service to collect as little as the feature you're using needs. When in doubt, we don't collect it.

1. Data we collect

Account data

When you create an account, we store your email, a hashed password, your display name (if provided), and optional profile details (age, sex, height, weight) used for BMR and macro calculations. If you sign in with Apple or Google, we receive the identifier the provider returns and, where you grant it, your email.

Health and fitness data

The core of the Service is health-related. We collect and store:

  • Foods you log (name, portion, macros, meal type, timestamp)
  • Workouts (exercise, sets, reps, weight, duration)
  • Body-metric entries you add (weight, body-fat %)
  • Optional data from Apple HealthKit or Google Health Connect when you explicitly grant permission — typically steps, active energy, workouts, and resting heart rate

Apple HealthKit specifics

When you authorise HealthKit access, Bite Built AI reads (and, where you enable it, writes) only the specific health data types you grant in the iOS permission prompt. We use this data to display your activity inside the app, surface progress charts, and inform macro suggestions. We do not use HealthKit data for advertising, do not transmit raw HealthKit data to advertising networks or data brokers, and do not sell it to anyone. Aggregated copies of selected health metrics are stored on our servers so the data is available across your devices and survives reinstall; you can request deletion at any time via Settings → Account or by emailing privacy@bitebuiltai.com. You can revoke HealthKit access at any time from iOS Settings → Privacy & Security → Health → Bite Built AI.

Health data is never used to train third-party AI models.

Photos you take for meal logging

When you use the in-app camera or attach a photo to a meal, the image is uploaded to our private object store (Cloudflare R2) and sent to OpenAI's vision API to identify the foods on the plate and estimate portions. We do not use your meal photos to train any model. OpenAI may retain submitted content briefly for abuse detection before deletion under their API terms (see Section 4).

Photos are retained inside your account so you can review past meals. When you delete your account, we delete every photo associated with it from our object store as part of the same deletion request.

Device and usage data

When you use the app or site we collect standard technical data: device type, operating system, app version, crash reports, and privacy-respecting analytics events (which screen you visited, which features you used). We do not track you across other apps or sites.

2. How we use your data

  • To provide the core tracking, photo-logging, and analytics features
  • To personalize macro targets and suggestions
  • To authenticate your account and keep it secure
  • To process subscription payments through Apple, Google, or RevenueCat
  • To diagnose crashes and fix bugs
  • To send transactional email (password resets, receipts, security alerts)

3. Service providers we use

We rely on a small set of trusted providers to run the Service. Each receives only the data it needs to do its job.

  • Neon — managed PostgreSQL database (hosts your account, diary, and workout records; US region).
  • Cloudflare R2 — private object storage for meal photos.
  • Render — application hosting for our API.
  • RevenueCat — subscription and in-app purchase management. Receives your in-app user ID and subscription status; no payment card data.
  • Apple App Store / Google Play — process all payment transactions under their respective privacy policies. We never see your card details.
  • Sentry — crash and error reporting. We configure Sentry to scrub personal identifiers from stack traces.
  • SendGrid — transactional email delivery.
  • OpenAI — AI provider for meal photo recognition and in-app coach text suggestions. See Section 4 for what is sent and our retention/training agreement.
  • Vercel — hosts this marketing website.

4. Third-party AI processing

Some Service features rely on OpenAI as our third-party AI provider:

  • Meal photo recognition. When you take or attach a photo to log a meal, the image is sent to OpenAI to estimate foods and portions. The request contains the image only — no name, email, account ID, or other personal identifiers are attached. Per our agreement with OpenAI under their API terms, submitted content is not used to train their models, and OpenAI retains the request only for the limited window needed to operate the API and detect abuse.
  • In-app coach and text suggestions. When you ask the in-app coach a question, the prompt and the relevant context you have explicitly entered (macro targets, recent meals, goals) are sent to OpenAI under the same API terms. We do not include payment data, Apple HealthKit data, or content from other users in these requests.

We never send Apple HealthKit data, raw photos other than the meal image you have just taken, or payment data to OpenAI or any other AI provider.

OpenAI's own privacy practices are governed by their privacy policy. If we ever switch or add an AI provider, we will update this policy and notify you in-app or by email before the change takes effect.

5. Data retention

  • Account and diary data persist while your account is active. Account deletion (Settings → Account → Delete account) is immediate and irreversible — we remove your account record, diary, workouts, body metrics, and stored photos in the same request. We retain only the limited records we must for tax or legal compliance.
  • Meal photos are stored alongside your meal entries for as long as your account exists, and are removed when you delete your account.
  • Crash and analytics events are retained for 90 days.

6. Your rights

Depending on your jurisdiction, you may have rights to access, export, correct, or delete your personal data, and to object to certain processing. You can exercise most of these directly in-app (Settings → Account). For anything you can't do in-app, email support@bitebuiltai.com.

California residents: under the CCPA/CPRA, you have rights to know, delete, correct, and opt out of “sharing” of personal information. We do not sell or share your personal information for cross-context behavioral advertising.

EU/UK residents: under GDPR, our legal bases for processing are contract performance (to deliver the Service), legitimate interests (security, debugging), and consent (for optional Health integrations and marketing email).

7. Children

Bite Built AI is not directed to children under 13, and we do not knowingly collect data from them. If you believe a child has provided data to us, contact support@bitebuiltai.com and we will delete it.

8. Security

We use TLS in transit, encryption at rest on our database and object store, hashed passwords, rotating refresh tokens with theft detection, and account lockout on repeated failed logins. No system is perfect, but we treat your data the way we'd want ours treated.

9. International transfers

Data is processed in the United States. By using the Service you acknowledge your data may be transferred to the US.

10. Changes

If we make material changes to this policy, we'll notify you in-app or by email before they take effect. The “Last updated” date above always reflects the current version.

11. Contact

Questions? Reach us at support@bitebuiltai.com.