Privacy Policy

Effective date: May 11, 2026 · Last updated: May 31, 2026

This Privacy Policy explains how BodyPal, operated by Vancko Systems LTD ("BodyPal", "we", "us", or "our"), collects, uses, shares, and protects information when you use our iOS application and related services (collectively, the "Service"). By using BodyPal, you agree to the practices described below.

1. Who we are

BodyPal is operated by Vancko Systems LTD, a company registered in Bulgaria (UIC: 208812009, VAT: BG208812009), with registered office at 72 Knyaginya Maria Luiza Blvd, Floor 2, Office 18, 4000 Plovdiv, Bulgaria. Vancko Systems LTD is the data controller responsible for the personal data described in this Policy. If you have privacy questions, contact us at support@bodypalapp.com.

2. Information we collect

2.1 Sign in with Apple

BodyPal uses Sign in with Apple at the end of onboarding to create your account and back up your data across devices and reinstalls. When you sign in, Apple shares with us:

A stable, unique Apple-provided user identifier (a long opaque string, not your real Apple ID).
Your name, only if you choose to share it on the Apple sign-in sheet.
An email address — either your real Apple ID email or Apple's privacy relay address (@privaterelay.appleid.com) — if you choose to share it.

You may decline to share your name and use a relay email. We do not receive any other Apple ID information.

2.2 Profile and onboarding data

During the onboarding flow you enter the following so BodyPal can calculate your personalized calorie and macro targets:

Age, sex, height, and current weight.
Target weight and weight goal (lose, maintain, or gain).
Weekly pace (e.g. 0.25, 0.40, or 0.50 kg per week).
Activity level.
Tracking style (e.g. casual, focused, detailed).
Eating rhythm and meal times.
Meals per day.
Nutrition preference (e.g. no preference, vegetarian, vegan, keto, low-carb, high-protein, balanced, paleo, DASH, Mediterranean).
Long-term motivation and goal context.
Reminder preferences (which reminders to send and at what time).

2.3 Daily food, water, and progress data

Meal logs: photos you take with the camera, AI-estimated foods, ingredients, portion sizes, calories, and macros.
Water logs: hydration entries you record.
Weight check-ins: weight values you enter over time.
Progress photos: optional body/progress photos you choose to attach to a weight check-in to track visual changes over time. These are stored only for your own review and sharing — they are never sent to any AI service and never used for advertising.
Gamification telemetry: streak counts, badges unlocked, and when each badge was earned — used to display your Achievements view.

2.4 Information collected automatically

Device information: device model, operating system version, app version, and language.
IP address: collected by our backend (Firebase) for spam prevention and rough geolocation (country/region). We do not store precise location.
Usage data and crash reports: screens viewed, features used, and crash diagnostic data via Firebase Crashlytics and Analytics — used to improve the app.
Subscription status: whether you have an active BodyPal Premium subscription (managed by Apple and RevenueCat).
Push notification token (only if you grant notification permission): used to deliver meal, water, and reminder pings.
Attribution & install measurement: via AppsFlyer (configured in SKAdNetwork-only mode), we measure where new BodyPal installs come from (e.g. App Store search, a paid campaign, a referral link) and a small set of post-install conversion events (e.g. "registered", "logged in", "started trial", "subscribed"). What AppsFlyer receives is limited to a per-app vendor identifier (Apple IDFV), basic device information, those events, and the aggregated, privacy-preserving postbacks that iOS itself generates through Apple's SKAdNetwork / AdAttributionKit. We do not collect Apple's device-level advertising identifier (IDFA), we do not ask you for App Tracking Transparency permission, and we do not link your data with data from other companies' apps or websites for advertising purposes.
Customer support correspondence: when you email support@bodypalapp.com, we retain the email thread (your message, attached screenshots, and our reply) so we can follow up and resolve your issue. Support correspondence is kept for up to 24 months after the case is closed, then deleted.

2.5 What we do not collect

We do not access your contacts, calendar, location precise to street level, or microphone.
The only Apple Health (HealthKit) data we read is your step count, and only if you connect it — see §2.6. We never read any other health data and never write to Apple Health.
We do not access your photo library to read existing photos — only photos you actively capture inside the meal scanner, or images you explicitly pick to import a meal.
We do not collect Apple's device-level advertising identifier (IDFA), we do not ask you for App Tracking Transparency permission, and we do not show in-app advertising.

2.6 Apple Health (steps)

If you connect Apple Health — either on the Apple Health screen during onboarding or by turning on the Apple Health toggle in Settings — BodyPal reads your daily step count from the iOS Health app, with your explicit permission. Steps are used only to display your daily activity on the dashboard and to show an informational estimate of calories burned. This step data stays on your device: it is never transmitted to our servers, never stored in our backend, never sold or shared with third parties, and never used for advertising or marketing. BodyPal requests read-only access to step count and nothing else — it never writes any data to Apple Health, and we never use Apple Health data for any purpose other than the in-app activity display described here. You can revoke this access at any time in iOS Settings → Privacy & Security → Health → BodyPal, or by turning the Apple Health toggle off in the app.

3. How we use information

To calculate your daily calorie and macro targets from the profile data you provide.
To analyze meal photos with AI and return calorie and macro estimates.
To let you build and save your own recipes from our ingredient database, and to log them to your diary.
To save your food, water, weight, and achievement history so you can view it later and restore it across reinstalls.
To display your daily steps and an informational estimate of calories burned, if you connect Apple Health — this step data stays on your device (see §2.6).
To send the reminders you have opted into (meal pings, water reminders, evening summaries).
To diagnose crashes, detect abuse, and improve the app.
To verify subscription status and process purchases through Apple and RevenueCat.
To measure, in aggregate and without your device's advertising identifier, which marketing channel brought you to BodyPal, so we can evaluate the effectiveness of our marketing (see §2.4).

We do not sell your personal information. We do not show in-app advertising and we do not retarget you with ads elsewhere. We do not link your in-app data with data from other companies' apps or websites for advertising purposes. We do not share your health, food, water, weight, photo, or achievement data with any advertiser or ad network — the only thing shared for marketing measurement is the aggregated, privacy-preserving install attribution data described in §2.4.

3.1 Legal basis for processing (GDPR users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 GDPR:

Contract (Article 6(1)(b)): processing necessary to provide the Service you signed up for — calculating your calorie targets, saving your meals and recipes, and syncing your account.
Consent (Article 6(1)(a)): push notifications, camera access, photo selection, and processing of health-adjacent data (see §3.2). You can withdraw consent at any time by revoking the relevant iOS permission or by deleting your account.
Legitimate interests (Article 6(1)(f)): crash diagnostics, abuse prevention, basic analytics to improve the app, and product security. Our interest in operating a secure, working service is balanced against your privacy interests, and you can object via support@bodypalapp.com.
Legal obligation (Article 6(1)(c)): retaining purchase records to meet tax and consumer-protection requirements.

3.2 Health-adjacent data (GDPR Article 9)

Some of the data you enter (current weight, target weight, height, sex, age, food choices, and any progress photos you attach to weight check-ins) may qualify as "data concerning health" under Article 9 GDPR. We process this data only with your explicit consent, given when you complete the BodyPal onboarding and confirm your Apple sign-in, and — for sending meal photos to Google's AI — through the separate in-app AI-scan consent described in §4. This data is used solely to calculate your personalized calorie and macro targets — never for profiling outside the app or for marketing. If you connect Apple Health, your step count is also "data concerning health"; it is read only on your device to show your activity and estimated calories burned, is never transmitted to us, and is processed on the basis of the explicit permission you grant in the iOS Health prompt (see §2.6). You can withdraw this consent at any time by deleting your account (see §6) or, for Apple Health, by revoking access in iOS Settings.

3.3 Automated decision-making

BodyPal's AI estimates of calories and macros are automated and produced without human review. These are informational estimates only — they do not produce legal or similarly significant effects on you (Article 22 GDPR is not triggered). You can always edit any AI-generated value before saving it to your log.

4. AI processing of your meal photos

When you scan a meal, BodyPal sends the photo to Google's Gemini 2.5 Flash model (Generative Language API) through our secure backend (Google Cloud Functions) to identify the food and estimate calories and macros. The photo is processed transiently to produce a result; under Google's API data usage policy for the Generative Language API, prompts and responses are not used to train Google's general-purpose AI models. Before your first AI scan, BodyPal asks for your explicit consent to send photos to Google for this analysis. You can decline and still log food manually through the food database and barcode search, and you can withdraw your consent at any time in BodyPal → Settings → Preferences → AI photo scan; after withdrawing, you will be asked again the next time you start a scan.

A compressed JPEG copy of the meal photo (≈30–60 KB) is stored in our Firebase Storage bucket under your account so you can review or edit the scan later. Photos in this bucket are automatically deleted by our 35-day Google Cloud Storage lifecycle rule. Only the resulting nutrition data (calories, macros, ingredients) is kept in your long-term meal log.

Active BodyPal Premium subscribers may opt to keep individual meal photos longer by marking the corresponding food as a favorite. In that case the photo is copied to a separate favorites storage path and retained for the duration of the active subscription; when the subscription ends, the copy is deleted by our daily cleanup job. Non-favorited meal photos continue to follow the 35-day rule above for all users.

4.1 Food database queries (text search and barcode lookup)

When you search the food database by text, or scan a product barcode, BodyPal's backend queries two public nutrition data sources to return the result:

USDA FoodData Central (fdc.nal.usda.gov) — U.S. government nutrition reference database, public domain.
Open Food Facts (world.openfoodfacts.org) — community-maintained packaged-product database, made available under the Open Database License (ODbL).

Only the food name you typed or the barcode you scanned is forwarded to these sources. No personal identifiers, account IDs, device IDs, IP address, or other profile data is included — these databases simply return matching nutrition records, which BodyPal then displays to you.

5. Third-party services we use

BodyPal relies on the following processors to operate. Each handles only the data necessary for its function and is bound by its own privacy commitments.

Apple — handles Sign in with Apple, App Store distribution, in-app purchases, App Attest device verification, and push notification delivery. Apple Privacy.
Google Firebase (Authentication, Realtime Database, Storage, Cloud Functions, Crashlytics, Analytics) — stores your user account, profile, meal photos, and daily logs; processes callable function requests; and reports crashes. Firebase Privacy.
Google Generative Language API (Gemini 2.5 Flash) — receives meal photos and structured prompts via our backend to generate calorie and macro estimates. Prompts and responses are not used to train Google's general models per the Generative Language API data policy. Gemini API Terms.
fal.ai (ByteDance Seedream and Flux models) — used only on our server side and one-time, to pre-generate BodyPal's static food and ingredient image thumbnails during our internal image builds. This is never triggered by you and never happens during normal use of the app. The food images you see are served from our own storage; the food names you search are not sent to fal.ai (or to any image-generation AI), and no meal photos, account identifiers, location, weight, calorie history, or other personal data are ever sent to fal.ai. fal.ai Privacy.
RevenueCat — manages your BodyPal Premium subscription, trial state, and purchase entitlements. RevenueCat Privacy.
AppsFlyer (configured in SKAdNetwork-only mode) — mobile attribution and install-measurement provider. Receives a per-app vendor identifier (Apple IDFV), basic device information, the source of your install (e.g. App Store, paid campaign, referral link), and a small set of in-app conversion events (e.g. "registered", "logged in", "trial started", "subscription purchased") used to measure marketing performance. AppsFlyer does not receive Apple's device-level advertising identifier (IDFA) and does not link your data with data from other companies' apps or websites for advertising purposes. AppsFlyer does not receive your Firebase user ID, meal photos, health-adjacent profile data, or any food / water / weight / achievement log content. AppsFlyer Privacy.

6. Data retention

Account & profile: retained for as long as your Sign in with Apple account remains active.
Meal photos: automatically deleted after 35 days via Google Cloud Storage lifecycle.
Progress photos (attached to weight check-ins): kept while your account is active so you can review your journey. If you had a Premium subscription that later lapses, these photos are deleted after a 30-day grace period. They are removed immediately when you delete the corresponding check-in or your account.
Meal nutrition logs, water, weight, badges: retained as long as your account is active so you can view your history.
Crash logs and analytics: retained according to Firebase's standard retention windows.

You can permanently delete your account and all associated data at any time, directly from inside the app: open BodyPal → Settings → Delete Account and confirm. The in-app flow removes your Firebase profile, daily logs (meals, water, weight), meal photos, favorites, badge state, streak history, and authentication record on our servers. Some data may be retained for a limited period to comply with legal obligations (e.g. fraud prevention, payment records). If you cannot access the app (e.g. you no longer have the device), you can also email support@bodypalapp.com from the email tied to your Apple ID, or revoke Sign in with Apple in iPhone Settings → Apple ID → Sign in with Apple → BodyPal.

7. Your rights

Depending on your location, you may have the following rights:

Access (GDPR Art. 15): request a copy of the data we hold about you.
Correction (Art. 16): ask us to correct inaccurate data.
Deletion (Art. 17, "right to be forgotten"): ask us to delete your data.
Restriction (Art. 18): ask us to limit processing while a dispute or correction is resolved.
Portability (Art. 20): receive your data in a machine-readable format (JSON export available on request).
Object (Art. 21): object to processing based on our legitimate interests — for example, crash diagnostics, abuse prevention, or basic analytics described in §3.1. We will stop the objected processing unless we can show overriding legitimate grounds.
Opt-out of "sale" of personal information (we do not sell — but California residents may exercise this right under the CCPA).

To exercise any of these rights, email support@bodypalapp.com from the email tied to your Apple ID, or include the Apple user identifier shown in BodyPal's Settings → About screen so we can locate the correct record.

7.1 Right to lodge a complaint

If you are in the EU/EEA, the UK, or Switzerland, you have the right to lodge a complaint with your local data-protection supervisory authority — for example, the Bulgarian Commission for Personal Data Protection (cpdp.bg), or the supervisory authority of your habitual residence. We would, however, appreciate the opportunity to address your concerns directly before you escalate — please reach out to support@bodypalapp.com.

8. Security

Data in transit between your device and our backend is encrypted using TLS. Data at rest in Firebase Realtime Database and Firebase Storage is protected by industry-standard encryption. Access to our paid AI endpoints is protected by Firebase Authentication and per-user rate limits to prevent abuse.

9. Minors

BodyPal is intended for adults aged 18 and older. BodyPal uses adult body-mass and energy-expenditure calculations that are not appropriate for minors, and our onboarding enforces this minimum age. We do not knowingly collect data from anyone under 18. If you believe someone under 18 has provided data to BodyPal, contact us and we will delete it promptly.

10. International transfers

Our backend (Apple, Firebase, Google Generative Language API, fal.ai, RevenueCat) is hosted primarily in the United States. If you use BodyPal from outside the US, your data will be transferred to and processed in the US under standard contractual clauses or equivalent safeguards.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you in the app. Continued use of BodyPal after a change constitutes acceptance of the revised policy.

12. Contact

Questions, requests, or complaints? Email support@bodypalapp.com.

13. California Privacy Notice (CCPA / CPRA)

This section applies to California residents and supplements the disclosures above. It describes the categories of personal information we have collected from California residents in the preceding 12 months, the purposes for which we use it, and your rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

13.1 Categories of personal information collected

Identifiers: Apple Sign in opaque user ID, Firebase user ID, optional email address.
Customer records (Cal. Civ. Code §1798.80): the profile data you enter during onboarding (age, height, weight, dietary preference, goal).
Commercial information: BodyPal Premium subscription status and transaction identifiers from Apple / RevenueCat.
Internet or other electronic activity: in-app screen views, feature usage events (e.g. paywall_viewed, meal_logged), crash reports.
Health-adjacent inferences: calorie and macronutrient estimates derived from the meal photos you scan. See §4.
Geolocation: approximate country derived from IP address only. No precise GPS data is collected.
Sensory data: meal photographs you choose to capture (deleted after 35 days per §6).

13.2 Sources of personal information

Directly from you (account creation, profile entry, meal scans), automatically from your device (crash logs, in-app events), and from our service providers (Apple subscription status, Firebase analytics).

13.3 Business or commercial purposes for processing

Account creation and authentication; delivering nutrition estimates; providing Premium features; preventing fraud and abuse of paid AI endpoints; debugging crashes; aggregate analytics to improve the app. See §3 for full detail.

13.4 Categories of third parties to whom information is disclosed

Service providers listed in §5 (Apple, Google Firebase, Google Generative Language API, fal.ai, RevenueCat) — strictly for the purposes set out in this Policy and under written agreements that prohibit further use.

13.5 "Sale" and "Sharing" of personal information

We do not sell your personal information for money or other valuable consideration, and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA. We have not done so in the preceding 12 months and do not plan to. We do not knowingly sell or share the personal information of minors under 16 years of age.

13.6 Your California privacy rights

Right to know: request the categories and specific pieces of personal information we have collected about you.
Right to delete: request that we delete personal information we have collected. You can also exercise this right yourself in-app via BodyPal → Settings → Delete Account.
Right to correct: request that we correct inaccurate personal information we maintain about you.
Right to opt out of sale/sharing: not applicable — we do not sell or share, as stated in §13.5.
Right to limit use of sensitive personal information: we use sensitive personal information (health-adjacent inferences) only for the purposes you reasonably expect — to provide the calorie tracking service. We do not use it to infer characteristics about you for advertising.
Right to non-discrimination: we will not deny service, charge a different price, or provide a different quality of service because you exercised any of these rights.

13.7 How to exercise your California rights

Email support@bodypalapp.com from the address tied to your Apple ID, or include the Apple opaque user identifier shown in BodyPal's Settings → About screen so we can locate the correct record. We will respond within 45 days as required by the CCPA. We may take reasonable steps to verify your identity before fulfilling the request — typically by asking you to confirm details associated with your account.

13.8 Authorized agents

You may designate an authorized agent to submit requests on your behalf. The agent must provide written, signed permission, and we may still ask you to verify your identity directly.

13.9 Notice of financial incentives

We do not offer financial incentives in exchange for personal information.