PlateStack is built by StackForge Studios. This policy explains exactly what data we collect, why we collect it, who we share it with, and what rights you have over it. No buried surprises. If something changes materially, we'll tell you.
Short version: your health data is yours. We don't sell it. We don't share it with advertisers. We don't use it to profile you for anything outside PlateStack.
1. What we collect
1.1 What you give us directly
- Account: email address and display name.
- Apple / Google sign-in: you can sign in using Sign in with Apple or Google. When you do, we receive a stable user identifier and, on first sign-in, your name and email if you choose to share them. We use these only to create your PlateStack account. We never share your Apple Relay email or Google profile with anyone.
- Health and fitness data: food logs, calorie and macro entries, workout logs (exercises, sets, reps, weight), cardio logs, body weight, measurements, body fat %, sleep summaries, activity totals, and PR history.
- Apple Health / HealthKit: on iOS, PlateStack may request permission to read steps, active energy, workout history, body weight, body fat percentage, sleep, resting heart rate, heart-rate variability (HRV), blood oxygen / SpO2, respiratory rate, blood pressure, VO2 max, mindful minutes, and nutrition data from Apple Health. PlateStack may also request permission to write workout and nutrition records back to Apple Health. HealthKit access is optional, permission-based, and can be changed any time in iOS Settings. We use Apple Health data only to sync your activity, nutrition, recovery context, and body metrics inside PlateStack. We do not use Apple Health data for advertising, marketing, data mining, or sharing with advertisers.
- Android Health Connect: on Android, PlateStack may request permission to read steps, active calories burned, body weight, body fat percentage, and sleep data from Health Connect, and to write workouts, active calories, distance, body weight, and nutrition records where you explicitly enable those integrations. Health Connect access is optional and can be changed any time in Android settings. We use Health Connect data only to sync your activity, nutrition, and body metrics inside PlateStack.
- Profile: age, height, weight, fitness goals, and dietary preferences.
- Camera access: PlateStack may request camera access so you can scan barcodes, nutrition labels, or food images for faster meal logging. Camera access is used only when you choose to scan. PlateStack does not use the camera in the background.
- Microphone and voice logging: if you choose to log food by voice, PlateStack records the audio you provide, sends it for transcription, and uses the transcript to create a food log draft. We do not record in the background. The saved food log may include the text or nutrition result you choose to keep.
- Food photos: images you take for AI food scanning. The photo is sent to an AI vision model in real time, not stored on our servers. Only the resulting log entry (food name, calories, macros) is saved to your account.
- Progress photos: optional progress photos you take in PlateStack are stored privately in your account so you can review them over time. They are never used for AI scanning, never shared, and you can delete them at any time.
- Social and squad activity: if you use social features, we store friend requests, squad memberships, invitations, shared workouts, milestones, cheers, League activity, and related profile details needed to show those features. Information you choose to share may be visible to the friends, squad members, or recipients you select.
1.2 What we collect automatically
- Usage data: which features you use, screens viewed, session length, in-app events.
- Device info: device type, OS version, anonymous device identifier.
- Crash and performance data: anonymous error logs used to fix bugs. Never tied to your identity.
1.3 What we collect on our website
The platestackapp.com marketing website uses third-party analytics and advertising measurement tools. These tools may set cookies or use similar technologies to understand how people find and use the site:
- Google Analytics (GA4) / Google Tag Manager: anonymous page-view and event data used to understand site performance.
- Meta (Facebook) Pixel: conversion tracking so we know if ads are reaching the right people. Meta may use this data per Meta's Privacy Policy.
- TikTok Pixel: same as above for TikTok ad campaigns. Governed by TikTok's Privacy Policy.
- PostHog: optional product analytics for website page views and events, only when configured for the site.
- Cloudflare: CDN, DDoS protection, and edge performance. Cloudflare processes IP addresses and request metadata as part of serving the site.
We also record first-party website events such as download-button clicks, referral source, page path, session identifier, and broad device/browser details so we can understand which pages and campaigns are working. This website data is separate from your in-app health and fitness data.
If you prefer not to be tracked by these tools, you can opt out via the website cookie banner where available, your browser's "Do Not Track" setting, a browser extension like uBlock Origin, or by not visiting the website. The app itself has no advertising trackers.
1.4 What we never collect
- Location: PlateStack never requests or stores your GPS location.
- Contacts: we don't touch your address book.
- Biometrics: Face ID / Touch ID data never leaves your device. We call your OS's biometric API — we never see or store the underlying biometric data.
- Payment info: payment processing is handled by Apple (App Store), Google (Play Store), or Stripe (web checkout) and RevenueCat. We never receive or store your card or banking details.
2. How we use your information
- Run the app: store your logs, calculate progress, and power your dashboards.
- AI features: send food photos, voice transcripts, and coach queries to OpenAI and Anthropic APIs to generate nutrition estimates, coaching responses, and meal plans. See Section 5.
- Gamification: calculate XP, levels, streaks, achievements, and quests.
- Social features: show the friends, squads, shared workouts, milestones, cheers, League activity, and invitations you choose to use.
- Push notifications: send streak reminders and milestone alerts — only if you grant permission.
- Subscriptions: verify your membership status via RevenueCat (mobile) and Stripe (web).
- Improve the app: analyze anonymous usage patterns to fix bugs and build new features.
- Legal: meet our legal obligations, resolve disputes, and enforce our Terms of Service.
3. Storage and security
- Database: your account, food logs, and workout logs are stored in Supabase (PostgreSQL) on AWS infrastructure in the United States.
- On-device: an encrypted session cache is stored locally via Expo SecureStore.
- In transit: all data in transit is encrypted via TLS 1.3.
- At rest: data at rest is encrypted with AES-256.
- Access controls: row-level security (RLS) policies mean only your account can read or write your records.
- Retention: your data stays as long as your account is active. Delete your account and everything is permanently purged within 30 days. See /delete-account.
4. Advertising and tracking
We do not use your personal data to serve ads inside PlateStack. We do not sell your data. We do not share it with data brokers or advertising networks. We never use Apple Health / HealthKit or Android Health Connect data for advertising, marketing, data mining, or profiling. The marketing pixels on the website (Meta, TikTok) are used only to measure whether our own ads are working — not to build profiles for resale.
5. Third-party processors
We work with the following processors to run the service. We share only what each one needs, nothing more:
- Supabase: primary database, authentication, edge functions.
- AWS: hosting infrastructure under Supabase.
- Cloudflare: CDN, DDoS protection, and Workers for web API routes.
- OpenAI: food photo scanning, nutrition estimation, and voice transcription through OpenAI APIs.
- Anthropic: AI Coach chat and meal plan generation via the Claude API.
- RevenueCat: mobile subscription management for App Store and Play Store purchases.
- Stripe: web checkout and payment processing for subscriptions.
- Apple App Store / Google Play: app distribution and mobile payment processing.
- Expo: push notification delivery (only if you enable notifications).
- Google Analytics / Meta / TikTok / PostHog: website analytics and ad measurement (website only, as described in Section 1.3).
AI model providers (OpenAI, Anthropic) do not train on your data under our commercial agreements.
6. Your rights
- Access: view your data inside the app at any time.
- Correction: edit your profile, logs, and settings inside the app.
- Export: request a data export by emailing [email protected].
- Deletion: you can initiate account deletion in the app or at /delete-account. We purge everything within 30 days unless we are legally required to keep limited records.
- Opt-out of website tracking: use a browser extension, "Do Not Track," or contact us to opt out of website analytics. Does not affect in-app data.
6.1 California residents (CCPA / CPRA)
If you're a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know: request disclosure of the categories and specific pieces of personal information we've collected about you.
- Right to delete: request deletion of your personal information (subject to legal exceptions).
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell personal information. We do not share personal information for cross-context behavioral advertising for any purpose beyond what is described in Section 1.3.
- Right to non-discrimination: we won't discriminate against you for exercising these rights.
To exercise any California right, email [email protected] with the subject "CCPA Request." We respond within 45 days.
7. Children's Privacy
PlateStack is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has created an account or provided personal information, we will take reasonable steps to delete that information as soon as possible.
If you believe a child under 13 has provided us with personal information, please contact us at [email protected].
8. Health disclaimer
PlateStack is a fitness tracker, not a medical device. Nothing in the app is medical advice or a substitute for professional care. AI calorie estimates are best-effort and may be inaccurate — always review before logging. Talk to a doctor, dietitian, or trainer before starting any program.
9. International users
PlateStack is hosted in the United States. If you're outside the US, your data is transferred to and processed in the US. By using PlateStack, you consent to that transfer.
10. Changes to this policy
We update this policy when we need to. "Last updated" at the top tells you when. We'll notify you in-app if something material changes.
11. Contact
Questions? Email [email protected].
StackForge Studios
United States