Privacy Policy
Last Updated: May 26, 2026
Enchanting Labs Pte Ltd ("we," "us," or "our") operates the Before I Bite mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not use the App.
1. Information We Collect
1.1 Account Information
When you create an account using Apple Sign-In or Google Sign-In, we collect:
- Your email address (or relay address, if you choose to hide it)
- Your name (if provided)
- A unique authentication identifier from the sign-in provider
1.2 Health Data
With your explicit permission, the App reads and writes data through Apple HealthKit.
Data the App reads from HealthKit:
- Date of Birth
- Biological Sex
- Height
- Weight
- Active Energy (calories burned)
- Resting Energy (basal metabolic rate)
- Workouts (completed exercise sessions and their active energy)
Data the App writes to HealthKit:
- Dietary Energy / Calories (from logged meals)
- Protein (from logged meals)
- Carbohydrates (from logged meals)
- Total Fat (from logged meals)
- Saturated Fat (from logged meals)
- Fiber (from logged meals)
- Sugar (from logged meals)
- Sodium (from logged meals)
During onboarding you also provide profile information we use to calculate your daily nutrition targets: your height, weight, activity level, birthday, biological sex, fitness goal, and target preferences. Your height, weight, and activity level are stored on our servers and associated with your account (see Section 4.1). Your fitness goal and the resulting daily targets are stored on your device (see Section 1.3).
1.3 Nutrition and Meal Data
When you use Before I Bite's tracking features, the following data is created and stored locally on your device (and synced via iCloud if enabled). This data is not uploaded to or stored on our servers:
- Photos of your meals (captured via camera or selected from your photo library), stored as thumbnails on-device
- Food item details including name, portion size, calories, protein, carbohydrates, and fat
- Meal timestamps and notes
- Daily nutrition goals you set
- Nutrient-tracking preferences (which nutrients you've chosen to display on your daily tracking screen — for example, sodium, fiber, or added sugar). Stored on your device and your account; used only to personalize the targets shown to you.
When you analyze a meal, the photo or text description is sent to Google's Gemini API for nutritional estimation (see Section 3.1), but it is not stored on our servers. Barcode scan queries are sent to third-party food databases (see Section 3.1) but are likewise not stored by us.
1.4 Usage Data
We collect data about how you use the App's API services, including daily request counts for photo analysis, barcode lookups, label scans, and text food queries. This is used to enforce usage limits and monitor service health.
When one of these API requests fails, we also record a diagnostic error log entry to help us detect and fix problems. Each entry contains a request identifier, the API route, an HTTP status and error code, a short technical error message, the request duration, and — if you are signed in — your user ID.
1.5 Crash and Performance Data
We use Firebase Crashlytics to collect crash reports, stack traces, and app performance metrics. This data helps us identify and fix bugs. Crashlytics may collect your device model, operating system version, and app state at the time of a crash.
1.6 Payment and Subscription Data
If you purchase a subscription or other paid access through the App Store, Apple processes the payment. We do not receive or store your full payment card details. We may receive subscription status information, transaction identifiers, product identifiers, renewal status, and related App Store purchase metadata needed to provide paid features, manage access, prevent fraud, and support customer service.
1.7 Feedback
When you submit feedback through the App, we collect the message you write, an optional 1–5 rating, and basic device metadata to help us reproduce issues (platform, app version and build, OS name and version, device model, locale). If you are signed in at the time, the feedback is associated with your user ID; otherwise it is stored without an account identifier. Please do not include sensitive personal information (such as health details, identifiers, or other people's information) in feedback messages.
1.8 Voice Dictation
The Quick Add feature lets you dictate food names instead of typing them. When you use voice dictation:
- The microphone captures audio only while you are actively holding or using the dictation control. Audio is not captured in the background.
- Audio is processed by Apple's Speech Recognition framework (SFSpeechRecognizer). Depending on your device and locale, Apple may route the audio to its servers for cloud-based recognition; this processing is governed by Apple's privacy policy.
- We do not receive, store, or process the raw audio. We receive only the transcribed text that Apple's framework returns, which is then treated as a food name you typed.
You can revoke microphone and speech recognition access at any time through your device's Settings.
1.9 Product Analytics
We collect product-usage analytics through Firebase Analytics to understand how features are used and to improve the App. Specifically, we log:
- Feature-interaction events — for example, sign-in, onboarding step views, meal capture started or completed, Quick Add usage, and screen views
- Aggregate user properties such as the month you joined, your chosen unit system (metric or imperial), and any survey cohort you belong to
- Our namespaced user ID (beforeibite:<sub>) as the Firebase Analytics user identifier, so we can measure per-user engagement without linking analytics to your email or real name
We do not log food names, user-entered text, meal photo content, email addresses, or HealthKit values to analytics. We use the FirebaseAnalyticsWithoutAdIdSupport SDK variant, which means we never read or transmit the Identifier for Advertisers (IDFA). Analytics data is processed by Google LLC and governed by the Firebase privacy policy.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain the App's core features, including calorie tracking and health data integration
- Authenticate your identity and secure your account
- Analyze meal photos and nutrition labels using AI to estimate nutritional content
- Look up food items by barcode or text search
- Sync your data across your Apple devices via iCloud
- Enforce daily API usage limits
- Process subscription status and provide paid features
- Monitor app stability and fix crashes
- Improve and optimize the App
3. How We Share Your Information
3.1 Third-Party Service Providers
We share specific data with the following third-party services to provide App functionality:
- Google Gemini API — When you photograph or describe a meal, or capture a nutrition label, we send the image (as encoded data) or text description to Google's Gemini API for nutritional analysis. Google's privacy policy governs their handling of this data.
- Open Food Facts — When you scan a barcode, we query the Open Food Facts database. Our request includes the barcode number and a user-agent string.
- USDA FoodData Central — As a fallback for barcode lookups, we query the USDA FoodData Central API with the barcode number.
- Firebase Crashlytics (Google) — Crash reports and performance data are sent to Firebase Crashlytics. Google's privacy policy governs this data.
- Apple CloudKit / iCloud — Your App data (profile, meal logs, nutrition goals) is synced through Apple's CloudKit service if iCloud is enabled on your device. Apple's privacy policy governs their handling of this data.
3.2 Authentication Providers
When you sign in with Apple or Google, those providers process your authentication data according to their own privacy policies. We receive only the information listed in Section 1.1.
3.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, such as a court order or government request.
3.4 No Sale of Personal Data
We do not sell your personal information to third parties.
3.5 Sub-processors
We rely on the following sub-processors to operate the App. Each is bound by its own privacy terms; the data we share is limited to what is necessary for the listed purpose.
- Cloudflare, Inc. — hosts our backend (Cloudflare Pages) and database (Cloudflare D1). Receives all account data and API request metadata. Privacy policy.
- Google LLC (Gemini API) — receives meal photos, nutrition label photos, and free-text food queries for AI nutritional analysis. Privacy policy.
- Google LLC (Firebase Crashlytics) — receives crash reports and performance metrics. Privacy policy.
- Open Food Facts — receives barcode numbers when you scan a product. Terms and privacy.
- U.S. Department of Agriculture (FoodData Central) — receives barcode numbers as a fallback lookup. API terms.
- Apple Inc. — provides Sign in with Apple, App Store payments, and CloudKit/iCloud sync of your local App data when iCloud is enabled. Privacy policy.
- Google LLC (Sign in with Google) — handles authentication when you sign in with a Google account. Privacy policy.
- Apple Inc. (Speech Recognition) — receives audio captured by the microphone during voice dictation in Quick Add. Audio is processed by Apple and is not stored by us; we receive only the resulting transcribed text. Privacy policy.
- Google LLC (Firebase Analytics) — receives product-usage analytics events and our namespaced user ID as described in Section 1.9. Privacy policy.
- Google LLC (Google Analytics 4 — beforeibite.com) — receives website analytics events from the marketing site. Subject to Consent Mode v2; operates in cookieless/anonymized mode unless the visitor has accepted analytics cookies. Privacy policy.
4. Data Storage and Security
4.1 Where Your Data Is Stored
- On your device: Health data, meal logs, nutrition goals, and meal photo thumbnails are stored locally using Apple's SwiftData framework within the App's sandboxed storage.
- iCloud: If iCloud is enabled, local data is synced across your devices through Apple CloudKit.
- Our servers: Your account and profile information — your email, height, weight, and activity level — together with API usage logs and diagnostic error logs, are stored on Cloudflare's infrastructure (Cloudflare D1). Your authentication token is signed and verified server-side.
- iOS Keychain: Your authentication token is stored securely in the iOS Keychain.
4.2 Security Measures
We use the following measures to protect your data:
- All network communication uses HTTPS/TLS encryption, enforced by iOS App Transport Security
- Authentication tokens are signed using HMAC-SHA256 and stored securely in the iOS Keychain
- Server-side data is hosted on Cloudflare's edge infrastructure with their platform-level security protections
- Each user can only access their own data through authenticated API requests with per-user database isolation
- API endpoints enforce per-user daily rate limits and validate all input (file type, size, and query length)
- The App runs within iOS's application sandbox, preventing other apps from accessing your data
4.3 Data Retention
- Account data is retained on our servers for as long as your account is active. When you delete your account in the App (Settings > Profile > Delete account), the following records are permanently deleted from our database: your account record, profile, API usage logs, feedback, subscription entitlement records, and Apple refresh tokens (which are also revoked with Apple to terminate your Sign in with Apple session). Diagnostic error logs are handled differently: rather than being deleted, any error log entries linked to your account are de-identified by removing your user ID, so the remaining records can no longer be traced to you.
- Local App data (meal logs, nutrition goals) is retained on your device and in iCloud until you delete it.
- API usage logs are retained for service monitoring and rate-limiting purposes for up to 12 months from the date of the call, then deleted.
- Diagnostic error logs are retained to help us monitor service health, debug failures, and protect against abuse. If you delete your account, your user ID is removed from any error log entries that referenced it, as described above.
- Feedback messages are retained for up to 24 months from the date submitted, then deleted, unless we need to retain them longer to resolve a specific issue you reported.
- Waitlist emails are retained until the App launches and you receive the download link, or until you ask us to remove your email at [email protected] — whichever comes first.
- Crash reports are retained according to Firebase Crashlytics' retention policies.
5. Your Rights and Choices
5.1 General Rights
You have the right to:
- Access the personal data we hold about you
- Delete your account and all associated server data using the "Delete account" option under Settings > Profile in the App. The same action also erases your local profile, daily targets, and meal logs from the device.
- Control HealthKit access through your device's Settings > Health > Before I Bite
- Disable iCloud sync through your device's iCloud settings
- Manage subscriptions through your Apple ID account settings or the App Store
5.2 Rights for European Economic Area (EEA) Residents
If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR), including:
- The right to request rectification of inaccurate personal data
- The right to request erasure of your personal data ("right to be forgotten")
- The right to restrict or object to processing of your personal data
- The right to data portability
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
Our legal basis for processing your data is: (a) your consent (e.g., granting HealthKit or camera access), (b) performance of a contract (providing the App's services), and (c) our legitimate interests (improving the App, preventing abuse).
5.3 Rights for California Residents
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including:
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to opt out of the sale of your personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
5.4 Exercising Your Rights
To exercise any of these rights, please contact us at the email address listed in Section 10. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).
6. Apple HealthKit Data
We treat HealthKit data with special care in accordance with Apple's requirements:
- HealthKit data is used solely to provide the App's nutrition tracking features.
- We do not use HealthKit data for advertising or marketing purposes.
- We do not share HealthKit data with third parties for advertising or marketing.
- We do not sell HealthKit data.
- We do not directly send raw HealthKit data to our servers. During onboarding, your height and weight may be pre-filled from HealthKit so you don't have to type them manually. You can review and edit these values before saving — and when you tap Save, the values you confirmed (whether HealthKit-prefilled or manually entered) are stored on our servers as part of your profile (see Section 1.2). All other HealthKit reads — active energy, resting energy, workouts, date of birth, biological sex — stay on your device and are never sent to our servers. We never use any HealthKit-derived data for advertising or sell it to anyone.
- You can revoke HealthKit access at any time through your device's Health settings.
7. Camera and Photo Library
The App requests access to your camera and photo library solely for the purpose of photographing or selecting images of your meals and nutrition labels for analysis. Meal photos are:
- Processed locally to create thumbnail images
- Sent to Google's Gemini API in encoded form for nutritional analysis
- Stored locally as thumbnails within the App's data
- Never shared publicly or with other users
You can revoke camera or photo library access at any time through your device's Settings.
8. Website Analytics & Cookies
When you visit our marketing website at beforeibite.com, we use Google Analytics 4 (GA4) to measure page views and basic engagement. Here is what that means in practice:
- Consent Mode v2 — GA4 is loaded with Google Consent Mode v2 configured with denied defaults. Until you explicitly accept analytics, GA4 operates in cookieless and anonymized mode, meaning no advertising cookies are set and measurement is based on aggregate modeling rather than individual tracking.
- Accept / Decline banner — on your first visit, a consent banner asks whether you accept or decline analytics. Your choice is saved to your browser's localStorage under the key bib-consent-v1. Declining keeps the website fully functional; no features are gated on accepting analytics.
- Local storage — the marketing site writes two localStorage values: your analytics consent preference (bib-consent-v1) and, after a successful waitlist signup, a signup-complete flag (beforeibite_waitlist) so the page can remember that you already joined. If you accept analytics, GA4 may also set its own first-party cookies in accordance with Google's policies.
- No App data — website analytics are entirely separate from the Before I Bite iOS app. Your in-app nutrition data, health data, and account information are never shared with or influenced by website analytics.
Google's handling of website analytics data is governed by the Google Privacy Policy. You can also opt out globally using the Google Analytics Opt-out Browser Add-on.
9. Children's Privacy
The App is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete such information.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Enchanting Labs Pte Ltd
Email: [email protected]
For data protection inquiries from the EEA, you may also contact your local data protection authority.