Last updated: June 2026
We wrote this in plain English on purpose. If something is unclear, email us.
WSIET is a meal tracking and AI suggestion app. You log what you eat, set your preferences, and we use AI to suggest meals suited to your habits and the time of day.
Account data
Your email address and a unique ID from Firebase Authentication (our authentication provider, operated by Google). We do not store passwords — Firebase handles that.
Meal logs
Every meal you log: name, description, meal type, cuisine, and the time you ate it. This is the core data the app runs on.
Preferences and dietary restrictions
The cuisines you prefer and any dietary restrictions you set (vegan, gluten-free, nut allergy, halal, kosher, etc.).
Important: Dietary restrictions — especially food allergies and medically-motivated restrictions — may qualify as health data under GDPR (Article 9) and as sensitive personal information under CCPA. We treat all dietary restriction data as sensitive regardless of where you live.
Device and usage data
Standard server logs: IP address, browser type, pages visited, timestamps. We use this for security and debugging. We do not use it for advertising.
Signup provenance (anti-fraud)
The first time you create an account, we store on your user record: the IP address and User-Agent of the signup request, the sign-in method you used (Google, Apple, or email/password), and basic device information reported by the app — whether you signed up from a real device or an emulator, the platform (iOS / Android / web), and, on mobile, the device model name. From these we derive an internal quality classification (human / suspected automated test account / unknown). We use this only to detect and exclude automated and test-lab accounts from our real-user counts and to prevent abuse — never for advertising or profiling. It is captured only at first signup, never refreshed, and kept until you delete your account.
Region and timezone
We store your device's timezone (so meal slots, daily resets, and reminders use your local time) and a coarse country code derived from it (used only for aggregate measurement). Neither is precise location.
Location data (optional)
If you enable "Find restaurants near me," we request your device's GPS coordinates at that moment. Coordinates are sent to our API to query nearby restaurants. Precise coordinates are never stored in our database. For internal cost monitoring, each Google Places API call is logged with the coordinates rounded to 2 decimal places (approximately ±1.1 km accuracy), along with the type of request, page number, and result count. These rounded coordinates are not linked to your account or identity.
Food photos (optional)
If you use photo logging, your photo is sent to our API, processed by AI to identify the dish and estimate nutrition, and stored in Supabase Storage associated with your meal log. Photos are retained for as long as your meal log entry exists and are deleted when you delete the meal or your account.
Daily nutrition goals (premium, optional)
If you set daily nutrition targets, we store four numbers on your user record — a daily calorie target and daily protein, carbohydrate, and fat targets (grams) — plus the timestamp when you last set them. These are entered by you, are entirely optional and skippable, and any subset can be left blank. We use them only to shape your meal suggestions toward the headroom remaining for the day and to show approximate dashboard progress; they are AI-estimate-based guidance, not precise tracking. You can clear all of them at any time in Settings.
Important: Like dietary restrictions, daily nutrition goals are health-related information. They may qualify as health data under GDPR (Article 9), as sensitive personal information under CCPA, and as consumer health data under the Washington My Health My Data Act. We treat them as sensitive regardless of where you live, and we make no medical claims about them.
| Data | Why |
|---|---|
| Meal logs | Generate AI suggestions; build your eating history |
| Dietary restrictions | Filter suggestions; pass to AI as constraints |
| Cuisine preferences | Tailor suggestions to your taste |
| Location (on-demand) | Find nearby restaurants for your suggestion |
| Food photos (on-demand) | Identify the dish and estimate nutrition via AI; pre-fill your meal log |
| Nutrition data | Display daily calorie and macro totals; included in AI suggestion context |
| Daily nutrition goals (premium) | Shape suggestions toward the day's remaining headroom; show approximate dashboard progress |
| IP address / logs | Security, abuse prevention, debugging |
| Signup provenance (IP, User-Agent, sign-in method, device type / platform / model, derived classification) | Detect/exclude automated & test-lab accounts; anti-fraud |
| Timezone / coarse country code | Localize meal slots, daily resets, and reminders; aggregate measurement |
We do not use your data for advertising. We do not sell your data. Ever.
WSIET uses two AI providers.
Anthropic (Claude) generates meal suggestions and nutrition estimates for each suggestion. We send:
Google DeepMind (Gemini) is used for three separate tasks:
We do not send your name, email, or account ID to either provider. Both act as data processors under Data Processing Agreements. Neither Anthropic nor Google uses API inputs to train their models under standard API terms.
Current AI models in use: meal suggestions + nutrition — claude-haiku-4-5-20251001 (Anthropic); restaurant scoring — gemini-2.5-flash-lite, food photo identification — gemini-2.5-flash, and suggestion image generation — gemini-2.5-flash-image (Google DeepMind)
When you tap "Find near me":
When you submit a photo:
We do not use food photos to train AI models. Google does not use Gemini API inputs for training under standard API terms.
| Data | Retention |
|---|---|
| Meal logs | Until you delete your account, then purged within 30 days |
| Dietary restrictions and preferences | Until you change or delete them, or delete your account |
| Daily nutrition goals (premium) | Until you change or clear them (via "Clear goals" / DELETE /goals), or delete your account; then purged within 30 days |
| Account data (email, Firebase UID) | Until account deletion, then purged within 30 days |
| Location coordinates (precise) | Not retained — discarded after each request |
| Location coordinates (rounded, API log) | Internal places_api_log table; rounded to ~1.1 km, no user identifier, not linked to you; retained for internal cost monitoring |
| Food photos | Retained with meal log until you delete the meal or your account, then purged within 30 days |
| AI-generated suggestion images | Retained with the cached suggestion / meal log; cache key is the meal slug, no user identifier in the cache |
| Push notification tokens | Until you sign out, disable notifications, or delete your account |
| Push notification log | Used for de-duplication only; pruned automatically as new entries land |
| Share links + referrals | Until you delete your account; then purged within 30 days |
| Subscription / billing records | Until you delete your account; then purged within 30 days (RevenueCat retains its own copy under its DPA) |
| Server logs (IP, access logs) | 90 days, then deleted |
| Signup provenance (signup IP, User-Agent, sign-in method, device type / platform / model, derived classification) | Stored on your user record from first signup until account deletion, then purged within 30 days |
These companies process data on our behalf under Data Processing Agreements:
| Processor | What they handle |
|---|---|
| Firebase Authentication (Google) | Authentication, session management, user identity |
| Resend | Sends transactional auth emails (email verification, password reset). Receives the recipient email address and a one-time Firebase action link. |
| Supabase | File storage (food photos and AI suggestion images) |
| RevenueCat | Subscription entitlement management; receives Stripe / App Store / Play Store billing events |
| Stripe | Web payment processing (via RevenueCat Web Billing) |
| Anthropic | AI meal suggestions and nutrition estimates |
| Google DeepMind (Gemini API) | Food photo identification + nutrition; suggestion image generation; restaurant scoring |
| Google (Places API) | Restaurant location queries (location data only) |
| Railway | API server infrastructure |
| Vercel | Web frontend hosting |
| Sentry | Error monitoring and diagnostics; may receive request metadata and, for suspected automated test-account signups, an internal warning event including external ID, email, IP, sign-in method, and device type / platform / model |
We do not use advertising networks, tracking pixels, or analytics SDKs that share data with third parties.
You can:
For EU residents (GDPR): you have the right to lodge a complaint with your national supervisory authority.
For California residents (CCPA/CPRA): you have the right to limit the use of sensitive personal information (dietary restrictions and nutrition goals) to what's necessary to provide the service. We already do this — we don't use it for anything else.
For Washington state residents (My Health My Data Act): dietary data, nutrition goals, and location data qualify as consumer health data. You have the right to access, delete, and withdraw consent at any time.
WSIET suggests meals. It is not a medical device, a dietitian, or a healthcare provider. Nothing in the app constitutes medical or nutritional advice. If you have a medical condition that affects your diet, consult a qualified healthcare professional.
WSIET is not intended for users under 13. We do not knowingly collect data from children.
If we make material changes (new data types, new processors, new uses), we'll update the "Last updated" date at the top and notify you by email if the change affects how we use sensitive data.
Questions about your data: privacy@wsiet.org