Carbly Privacy Policy
Effective date: 2026-05-28 Last updated: 2026-05-28 Version: 1.3
This Privacy Policy describes how Carbly ("we", "us", "our") collects, uses, stores, shares, and protects personal information when you use the Carbly iOS application ("the App"). By using the App you agree to the practices described below.
This policy is written to satisfy the requirements of Apple's App Store Review Guideline 5.1.1, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and the Children's Online Privacy Protection Act (COPPA).
1. Data controller
The data controller for personal information processed through the App is:
Carbly (operated by the developer registered on the Apple App Store as nahuelcpdev).
Contact: nahuelcp.dev@gmail.com
Data Protection contact (DPO): nahuelcp.dev@gmail.com
If you are in the European Economic Area or the United Kingdom and need a local representative, contact nahuelcp.dev@gmail.com and we will route your request to the appropriate channel.
2. Summary of what we collect
The sections below describe every category of data we collect. This summary mirrors the App Privacy Label published on the App Store listing. If you believe the two differ, please email nahuelcp.dev@gmail.com.
| Category | Linked to you? | Purpose |
|---|---|---|
| Anonymous user identifier | Yes | App functionality, analytics |
| Health data (body-metric inputs, net-carb target) | Yes | App functionality |
| Fitness data (food logs with macros, fasting logs) | Yes | App functionality |
| Other User Content (food names, voice transcripts) | Yes | App functionality |
| Purchase history (subscription state) | Yes | App functionality |
| Crash reports, performance traces, breadcrumbs | Yes | App functionality |
| Food photos (in-memory only, discarded after analysis) | No | App functionality |
| Product interaction events, usage data (bucketed) | No | Analytics |
We do not use data for cross-app tracking. We do not collect the Identifier for Advertisers (IDFA). We do not sell personal information under the CCPA definition.
3. Categories of data collected and why
3.1 Anonymous account identifier
On first launch, the App creates an anonymous account on our backend. The backend issues an anonymous user identifier and a session token. The identifier is linked to all data you create in the App (food logs, fasting logs, profile inputs, subscription state) so that the App can show you your own data.
This anonymous account counts as an "account" for the purposes of Apple App Store Review Guideline 5.1.1(v). You can delete it at any time from Settings → Account → Delete Account, which triggers the deletion flow described in section 10.
3.2 Keychain storage of session tokens
The session token that authenticates your anonymous account across app launches is stored in the iOS Keychain. The Keychain is encrypted at rest by iOS and scoped to the App. The token is sent over HTTPS when your device makes authenticated requests to our backend.
3.3 Profile and health inputs
During onboarding, we ask for inputs used to compute a daily net-carb target: approximate weight, age, height, activity level, and fasting interest. These inputs are summarized into nutritional targets stored on your profile. We classify this data under the App Store Privacy Label "Health" category because it consists of user-provided body-metric and nutrition-target information.
3.4 Food logs and fasting logs (fitness data)
Every food scan, manual entry, and barcode lookup creates a food log record containing: food name, estimated net carbs, estimated macros (fat, protein, fiber, calories), estimated electrolytes (sodium, potassium, magnesium), optional voice transcript, confidence level, and a timestamp. Every fast creates a fasting log record containing: start time, end time, duration, preset or custom type, and zone reached. Apple's App Privacy Label "Fitness" category covers movement plus nutrition and macro data.
3.5 Food photos
When you tap the scan button and capture or select a food photo, the App:
- Strips identifying metadata (such as GPS coordinates, device model, and capture date) from the image on-device.
- Sends the stripped image over HTTPS to our backend.
- The backend forwards the image bytes in memory to a third-party AI provider for analysis.
- Image bytes are discarded as soon as the AI response is received.
- Only the structured nutritional result (net carbs, macros, food name, confidence) is persisted to your account. The photo bytes themselves are never written to server-side storage.
Because the photo bytes are not retained against your identity, we declare "Photos or Videos" as unlinked on the App Privacy Label.
3.6 Voice transcripts
If you add a voice note during a scan, the App transcribes your speech entirely on-device using Apple's Speech framework. Audio bytes never leave your device and are not written to disk. Only the resulting text is sent alongside the photo to the AI provider for context, and only the text is saved with the corresponding food log entry.
3.7 Purchase history
If you subscribe to Carbly Premium, our subscription management provider records the purchase, plan, trial state, and renewal timestamps. This data is linked to your anonymous user identifier so entitlement syncs across reinstalls and devices.
3.8 Crash reports and performance traces
Our crash-reporting provider collects crash stack traces, sampled performance traces, and breadcrumbs describing recent in-app actions (for example, scan started, fast started, paywall viewed). Screenshot attachment is disabled, so no screen contents are ever captured. User-interaction tracing is gated to debug builds only.
3.9 Product analytics
Our analytics provider records product interaction events: screens viewed, paywall shown and dismissed, scan started and completed, fast started and ended, settings changed. We deliberately do not ship user-entered text (food names, voice transcripts, product names) as event properties. Instead we send bucketed categorical values (for example, low / medium / high net-carb buckets; scan / manual / barcode log source). These events are identified by your anonymous user identifier for retention and funnel analysis, but the payloads themselves contain no personal text.
3.10 Feature flags
The same analytics provider evaluates feature flags based on your anonymous user identifier (or, in pre-identify sessions, a pseudonymous install identifier generated once and persisted on-device). Feature flag decisions control which copy variants and gradual rollouts you see. No new data category is collected for this purpose; the identifier used to evaluate the flag is the same one already covered in section 3.1.
3.11 Coach chat messages
If you use the in-app Coach (chat), the messages you send and the Coach's replies are stored against your anonymous user identifier, and your messages plus the context needed to answer them are sent to a third-party AI provider (see section 4.2). We classify chat content under the App Store Privacy Label "Other User Content" category.
4. How data is processed and who receives it
Carbly engages a small number of third-party sub-processors to deliver the App's functionality. Each sub-processor receives only the data needed for its specific role and is bound by data-processing terms consistent with this Policy.
4.1 Backend infrastructure (transit and storage)
Authenticated requests from the App go to our backend. The backend authenticates your session, forwards AI requests to the AI provider, and persists your account data (profile, food logs, fasting logs, daily streaks). Backend operational logs containing request metadata (anonymous user identifier, timestamp, response code) are retained for a limited duration and then automatically deleted. No image bytes, no voice transcripts, and no scan results are written to these logs.
4.2 AI providers
Carbly uses two third-party AI services as data sub-processors, selected per feature. All AI requests are mediated by our backend; your device never calls an AI provider directly. Neither provider uses your inputs or outputs to train its models, and each retains API inputs and outputs for up to 30 days (for trust, safety, and abuse-monitoring purposes only), after which they are automatically deleted.
Scan analysis — Anthropic (Claude Haiku 4.5). When you scan a food photo, the metadata-stripped image and any accompanying voice transcript text are sent to Anthropic's Claude Haiku 4.5 model for analysis. Anthropic acts as a data sub-processor under its Commercial Terms.
Coach chat — xAI (Grok 4.3). When you send a message to the in-app Coach, your message and the context needed to answer it — which may include your profile inputs, recent food and fasting logs, and, if you have chosen to provide it, your GLP-1 medication status — are sent to xAI's Grok 4.3 model to generate the reply. Your messages and the Coach's replies are stored against your anonymous user identifier. xAI acts as a data sub-processor under its Enterprise Terms.
Weekly Intelligence digest — xAI (Grok 4.3). If you are a Carbly Premium subscriber and have enabled Weekly Insights in Settings, the App sends a structured summary of your aggregated weekly data (net-carb averages, fasting session counts, activity totals, streak counts, electrolyte log summaries — no raw food photos, no voice audio, no food names) to xAI's Grok 4.3 model once per week. The AI-generated weekly insight prose is returned and stored against your account. Weekly Insights can be disabled at any time in Settings → Intelligence.
We maintain data-processing terms with both Anthropic and xAI that require each provider to protect your data at a level consistent with this Policy.
4.3 Subscription management provider
Subscription purchase state, renewal status, and trial eligibility are synchronized with our subscription management provider. The provider receives your anonymous user identifier, your Apple-issued original transaction identifier, and the product identifier you purchased. The provider does not receive any food log, fasting log, or profile data.
4.4 Product analytics provider
The analytics provider receives bucketed event payloads identified by your anonymous user identifier. See section 3.9 for the hygiene rules we apply to these payloads.
4.5 Crash and performance reporting provider
The crash-reporting provider receives crash stack traces, performance traces, breadcrumbs, and the anonymous user identifier. No screenshots, no food photos, no voice audio, no free-text food log content.
4.6 Aggregated sub-processors
| Role | Data received | Retention |
|---|---|---|
| Backend infrastructure | Auth token, request metadata, scan payloads in memory; persistent user data | Operational logs retained for a limited duration; persistent user data retained until account deletion |
| AI inference — scan (Anthropic, Claude Haiku 4.5) | Stripped scan image, voice transcript text, structured scan prompt | Up to 30 days abuse-monitoring retention then auto-deleted; not used for model training |
| AI inference — Coach chat + Weekly Intelligence (xAI, Grok 4.3) | Chat messages + context (profile, recent logs, GLP-1 status if provided); aggregated weekly data summary (premium only) | Up to 30 days abuse-monitoring retention then auto-deleted; not used for model training |
| Subscription management | Anonymous user identifier, purchase records | Until account deletion |
| Product analytics | Bucketed event payloads, anonymous user identifier | Per provider's standard retention |
| Crash and performance reporting | Stack traces, breadcrumbs, performance traces, anonymous user identifier | Per provider's standard retention |
| Apple | Standard StoreKit purchase data | Per Apple policies |
For the identity of any specific current sub-processor, or a copy of the data-processing terms we have in place with a sub-processor, email nahuelcp.dev@gmail.com.
5. Legal bases for processing (GDPR Art. 6 and Art. 13)
For users in the European Economic Area, the United Kingdom, or Switzerland, the lawful bases on which we process personal information are:
- Performance of a contract (Art. 6(1)(b)) — processing food logs, fasting logs, profile inputs, subscription state, and Keychain session tokens is necessary to deliver the App's core functionality that you requested by installing and using it.
- Legitimate interests (Art. 6(1)(f)) — crash reports, performance traces, and bucketed analytics events are processed to keep the App stable and to understand which features work. We balance our interest in operational reliability and product improvement against your reasonable expectations. You may object to processing on this basis at any time by emailing
nahuelcp.dev@gmail.com. - Consent (Art. 6(1)(a)) — where applicable (for example, in EU analytics-consent jurisdictions), we obtain opt-in consent before enabling non-essential analytics.
- Compliance with a legal obligation (Art. 6(1)(c)) — for example, responding to valid law enforcement requests.
6. International transfers
Your data may be processed in the following jurisdictions:
- European Union — backend infrastructure for persistent user data.
- United States — AI inference, content delivery, analytics, crash reporting, subscription management, and Apple.
Transfers from the EEA, UK, or Switzerland to the United States or any other jurisdiction outside the UK and EEA rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards where available. Where a sub-processor is enrolled in the EU–US Data Privacy Framework, we rely on that framework.
If you would like a copy of the specific safeguard that applies to a given transfer, email nahuelcp.dev@gmail.com.
7. Retention
| Data category | Retention |
|---|---|
| Anonymous account | Until you delete your account |
| Food logs | Until you delete your account |
| Fasting logs | Until you delete your account |
| Daily streaks | Until you delete your account |
| User profile | Until you delete your account |
| Voice transcripts (text only) | Until you delete your account |
| Session tokens (iOS Keychain) | Until sign-out or account deletion |
| Backend operational logs | Limited duration, then auto-deleted |
| Scan image bytes on backend | Discarded immediately after AI response |
| Voice audio on device | Discarded immediately after transcription |
| Crash and performance reports | Per provider's standard retention |
| Product analytics events | Per provider's standard retention |
| Subscription purchase records | For the life of the anonymous user identifier |
Deleting your account removes your profile, food logs, fasting history, streak data, and any related records from our backend. Sub-processor retention runs on the clocks listed above; we pass the deletion request through to our subscription management provider and can submit erasure requests to other sub-processors on your behalf when you email nahuelcp.dev@gmail.com.
8. Your rights
8.1 EEA, UK, and Switzerland (GDPR Art. 15–22)
You have the right to:
- Access (Art. 15) — obtain confirmation of whether we process your data and a copy of it.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your data (see section 10 for the in-app path).
- Restrict processing (Art. 18) — pause processing while we investigate an objection or inaccuracy claim.
- Data portability (Art. 20) — receive a machine-readable export of the data you provided (JSON format).
- Object to processing (Art. 21) — including a specific right to object to any legitimate-interest processing described in section 5.
- Not be subject to automated decision-making (Art. 22) — the App's AI scan output is informational and does not produce a legal or similarly significant effect on you.
To exercise any of these rights, email nahuelcp.dev@gmail.com with your anonymous user identifier (found in Settings → Account). We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
8.2 California (CCPA / CPRA)
California residents have the right to:
- Know what personal information we have collected about them in the past 12 months.
- Delete their personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell or share personal information under the CCPA definition.
- Limit the use of sensitive personal information.
- Non-discrimination for exercising these rights.
To submit a verifiable consumer request, email nahuelcp.dev@gmail.com with your anonymous user identifier. We respond within 45 days (with up to a 45-day extension where permitted). Because accounts are anonymous, we verify a request by matching the anonymous user identifier the requester supplies against the account record and by sending a confirmation challenge to the requester's email of record.
8.3 Other jurisdictions
Residents of other jurisdictions (for example, Brazil under the LGPD, Canada under PIPEDA, Australia under the Privacy Act 1988) may have analogous rights. Email nahuelcp.dev@gmail.com and we will route your request.
9. Children
The App is rated 13+ on the App Store. We do not knowingly collect personal information from children under the age of 13. If you believe a child under 13 has provided personal information, email nahuelcp.dev@gmail.com and we will delete the associated data. The onboarding flow includes a hard age gate that blocks under-18 users from the fasting feature entirely; the fasting timer and preset selector are unreachable for that age bracket.
10. Data deletion
You can delete your account at any time from inside the App:
- Open Settings.
- Tap Account.
- Tap Delete Account.
- Confirm the deletion in the prompt.
This initiates an account deletion request on our backend, which permanently removes your profile, food logs, fasting history, streak data, and any related records. The confirmation screen states explicitly: "This will delete your food logs, fasting history, streak data, and preferences permanently. This cannot be undone." (See the Carbly Terms of Service section on account termination for additional information.)
If the in-app path is unavailable (for example, you have lost access to the device), you can submit a Data Subject Access Request by emailing nahuelcp.dev@gmail.com with the anonymous user identifier that appears in your prior App session. We will process the deletion within 30 days.
11. Cookies and local storage
The App itself is not a web browser and does not set cookies. Inside the App we use the following on-device storage mechanisms:
- iOS Keychain — your authentication session token.
- iOS standard preferences storage — first-launch flag, appearance preference, fasting-safety acknowledgment timestamp, install identifier for feature flags, and similar low-sensitivity preferences.
- Local file system (app container) — authentication session file.
- On-device cache — cached food logs and fasting logs for offline viewing.
If you reach the Carbly marketing website (carbly.pro) through an in-App link, that website may set its own cookies. Its cookie notice, served by the website, governs that behavior.
12. Security
We protect your data through:
- HTTPS / TLS in transit for all network calls between the App, our backend, and our sub-processors.
- Encryption at rest for the iOS Keychain and for our backend database at the provider level.
- Access controls on our backend that restrict every record to its owning anonymous user identifier.
- Server-side-only storage of administrative credentials used by sensitive operations such as account deletion.
- No direct device-side access to AI provider API keys; all AI requests are mediated by our backend.
No transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
13. Changes to this policy
We may update this Privacy Policy to reflect changes to our practices, our sub-processor list, the legal environment, or the App's feature set. When we do:
- The "Last updated" date at the top of this document will change.
- Material changes (new data categories, new sub-processors in a different jurisdiction, changes to lawful basis) will be announced in the App on the first launch after the change and, where we have your email of record, by email, at least 14 days before the change takes effect.
- We will keep prior versions of this policy available on request at
nahuelcp.dev@gmail.com.
Continuing to use the App after a change becomes effective indicates acceptance of the updated policy.
14. Contact
- General privacy questions:
nahuelcp.dev@gmail.com - Data Protection contact (EU / UK):
nahuelcp.dev@gmail.com - DSAR and erasure requests:
nahuelcp.dev@gmail.com(include your anonymous user identifier; 30-day SLA under GDPR, 45-day SLA under CCPA) - Security reports:
nahuelcp.dev@gmail.com
If you prefer to write us, include "Carbly Privacy" in the subject line so your request is routed correctly.
This document is published at https://carbly.pro/privacy and is referenced from the in-App paywall in compliance with App Store Review Guideline 3.1.2.