Privacy Policy
Effective Date: May 15, 2026
1. Introduction
StatsKey ("StatsKey," "we," "us," or "our") operates a nutrition, fitness, and biometric tracking application. This Privacy Policy describes the information we collect, how we use and share it, and your choices. By using StatsKey you agree to the practices described here. If you do not agree, do not use the application.
2. Information We Collect
Account Information. Name (optional), email address, password (stored as a salted hash by Firebase Authentication when you sign up with email and password), federated sign-in identifiers (Apple ID or Google), and an internal user ID.
Health & Fitness Data. Meals and nutrition entries, food photographs and text descriptions, exercise activities, durations, caloric estimates, weight and body metrics, custom goals, current and historical continuous glucose monitor (CGM) and glucose records, wellness logs, and — if you grant permission — Apple HealthKit data (including but not limited to energy, macronutrients, weight, heart rate, glucose, and workout data).
Location Data. If you enable location services, we collect GPS data during active workout recording to track route, distance, pace, and elevation. Background location access occurs only while a workout session is in progress and ceases when the session ends or is paused. We do not collect location data outside of workout recording.
Subscription & Transaction Data. Purchase history, subscription status, billing channel (App Store or Stripe), Apple receipt tokens (for App Store subscriptions), Stripe customer and subscription identifiers (for web subscriptions), and limited device and application identifiers used for receipt validation, billing reconciliation, and fraud prevention. We do not store full payment card details; card data is processed and stored by Apple or Stripe.
Device & Usage Data. Device model, operating system version, application version, feature usage patterns, and performance event data.
Diagnostics. Crash logs, error reports, and performance diagnostics.
Support Communications. Messages and attachments you send to our support channels.
3. How We Use Your Information
- Service delivery: Account creation, authentication, data synchronization, and core application functionality.
- AI-powered analysis: Processing food photographs, text descriptions, chat messages, and relevant historical health records, including glucose records, through third-party AI services to generate nutritional estimates, summaries, and conversational responses. These outputs are approximations only and should not be relied upon for medical, dietary, or clinical decisions.
- Personalization: Tailoring recommendations and goals based on your profile and historical data.
- Health integrations: Reading and/or writing HealthKit data strictly to power health and fitness features you explicitly enable, including using Apple Health as an optional source for glucose and other historical records.
- Analytics and quality: Understanding feature usage, diagnosing errors, and improving application performance.
- Security and fraud prevention: Validating purchases, preventing abuse, and protecting user accounts.
- Communications: Sending service-related notices (e.g., subscription status changes, material changes to terms).
4. Apple HealthKit Disclosure
- HealthKit data is used exclusively to provide or improve health and fitness features within the application, including importing historical glucose records when you grant the relevant Apple Health permission.
- HealthKit data is never used for marketing, advertising, or data brokering and is never sold to any party.
- HealthKit data is not shared with third parties except as necessary to process it on your behalf to provide the service, and never for independent use by those parties.
- Glucose and other HealthKit records that you choose to sync may be backed up to your StatsKey account using Firebase / Google Cloud Platform so they are available across devices and to enabled StatsKey features, including AI conversation features.
- You may revoke Health permissions at any time through Apple Health settings. Revocation stops new data flows but does not automatically delete previously stored data — see Section 10 ("Your Rights").
5. AI Processing
When you use an AI-powered feature in the app (Flow chat, food photo analysis, nutrition-label scanning, AI-generated training plans, AI-generated nutrition insights), we transmit the content the active feature needs to one or more third-party AI processors so they can compute a response. The current set of AI processors is:
- Google LLC — Gemini, accessed through Firebase AI Logic and the Google Generative AI API. Google Privacy Policy.
- Anthropic, PBC — Claude, accessed through Anthropic's API. Anthropic Privacy Policy.
- OpenAI OpCo, LLC — ChatGPT models, accessed through the OpenAI API (including the Responses API for image-based food analysis fallback). OpenAI Privacy Policy.
- xAI Corp. — Grok, accessed through the xAI API. xAI Privacy Policy.
Categories of personal content we may transmit to the providers above include: messages and prompts you type into the AI chat; photos you capture or pick for food / nutrition-label analysis; summaries of your nutrition, weight, hydration, supplement, and glucose logs; historical glucose records and related trends when relevant to your request; summaries of your workouts, pace, heart-rate, and training plan; and basic profile fields you provided in onboarding (name, biological sex, weight, height, goals).
Before we transmit any content to these processors for the first time, the iOS app presents an in-app disclosure that names the processors and the categories of content above and asks you to grant permission. You can review or revoke this permission at any time from Settings → AI & Privacy → AI Features. Revoking permission disables every AI-powered feature in the app while leaving the rest of the app fully functional.
- We do not send account identifiers, contact details, or other personal identifiers with the content the AI processors receive.
- AI-generated outputs are estimates and approximations. They may be inaccurate, incomplete, or incorrect. You should not rely on them for medical, clinical, or critical dietary decisions.
- We do not opt in to having your data used to train third-party AI models. Providers may temporarily retain data for abuse prevention and diagnostics in accordance with their respective policies.
- The set of AI providers, the specific models used, and the routing between them may change. Material changes to this list will trigger a new in-app disclosure prompt before the new provider receives any of your content.
6. Third-Party Service Providers
We use the following categories of service providers to operate the application:
- Firebase / Google Cloud Platform: Authentication, secure data storage (including synced historical glucose records), analytics, and crash reporting.
- Apple App Store: Subscription billing for users who subscribe through the iOS app.
- Stripe: Subscription billing and payment processing for users who subscribe through the website. Stripe receives card details, billing address, and an opaque user identifier; we receive only customer and subscription IDs and high-level status.
- AI Providers (Google Gemini, Anthropic Claude, OpenAI ChatGPT, xAI Grok): AI-powered food analysis, nutrition estimation, training plan generation, and conversational features. See Section 5 for the per-provider links and the in-app permission flow.
- Apple HealthKit: Optional health data synchronization with your explicit permission.
- CGM Providers (Dexcom, Abbott, Nightscout): Optional continuous glucose monitor data integration with your explicit permission.
- Nutrition data sources: Public or licensed databases to enrich nutritional information. We transmit only food context, not personal identifiers.
All processors are required to protect your information and use it only in accordance with our instructions and applicable law.
7. Data Sharing
- No sale: We do not sell your personal data. We do not share data with third parties for cross-context behavioral advertising.
- Service providers: Shared only as necessary to provide the application, subject to confidentiality and security obligations.
- Legal compliance: We may disclose information if required by law, subpoena, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect rights, safety, or property.
- Aggregated data: We may share non-identifiable, aggregated statistics that cannot reasonably be linked to any individual.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
8. Data Security
We employ encryption in transit (TLS) and at rest, access controls, least-privilege principles, and industry-standard security practices. However, no method of electronic transmission or storage is completely secure. We cannot and do not guarantee absolute security of your data. You use the application and transmit information at your own risk.
9. Data Retention
- Account data: Retained while your account is active. Upon account deletion, we delete or de-identify associated personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, financial records).
- Purchase records: Retained as required for financial, audit, and fraud-prevention obligations.
- Analytics and diagnostics: Typically retained up to 24 months unless longer retention is required for security or legal compliance.
- You may delete individual entries (meals, workouts, photos) within the application at any time.
10. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and associated personal data.
- Export your data in a common, machine-readable format.
- Withdraw consent (e.g., HealthKit permissions, location services).
- Opt out of non-essential analytics where available.
To exercise these rights, use in-app settings or contact us at the address below. We may need to verify your identity before processing a request and may decline requests where permitted by applicable law.
11. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including:
- The right to know what personal information is collected, used, shared, or sold.
- The right to delete personal information held by us.
- The right to opt out of the sale or sharing of personal information. We do not sell personal information.
- The right to non-discrimination for exercising your privacy rights.
12. Consumer Health Data (Washington, Nevada, Connecticut, and similar laws)
If you are a resident of a state with a consumer health data law — including the Washington My Health My Data Act (MHMDA), Nevada SB 370, and the Connecticut Data Privacy Act (as amended) — this section describes the additional categories of information we treat as "consumer health data" and your rights with respect to that information. Glucose values, continuous glucose monitor (CGM) records, and related metabolic data are treated as consumer health data under this Privacy Policy regardless of your state of residence.
Categories of consumer health data we collect. Glucose readings and CGM trend data (current and historical, whether imported from Apple Health, Dexcom Share, Abbott LibreLinkUp, Nightscout, or entered manually); food, beverage, supplement, and hydration logs that may reveal health condition or treatment patterns; weight, body composition, and biometric measurements; symptoms, energy, mood, sleep, and wellness logs; workout, heart rate, and other physical activity records; and any other information you provide that identifies your past, present, or future physical or mental health status, conditions, or treatments.
How we use it. Consumer health data is processed only to (i) provide the application features you have explicitly enabled, (ii) sync your data across your devices, (iii) generate the personal nutrition, wellness, and AI summaries you request, and (iv) maintain account security and prevent abuse. We do not sell consumer health data, share it with third parties for cross-context behavioral advertising, or use it to target advertising on our behalf or anyone else's behalf.
Sharing. Consumer health data is disclosed only to the processors described in Sections 5 and 6 (Firebase / Google Cloud Platform for secure storage, AI providers when you actively use AI features, and Stripe / Apple for billing — none of which receive raw glucose data for the purpose of training models on you), and only as required to provide the application or comply with applicable law.
Your rights. You have the right to (a) confirm whether we are collecting, sharing, or selling your consumer health data and access that data, (b) withdraw consent for our collection and sharing of consumer health data, (c) have your consumer health data deleted, including from our processors that hold the data on our behalf, and (d) appeal a decision we make about your request. We do not sell consumer health data, so there is no separate opt-out of sale to exercise. To exercise these rights, contact us at ryanws@statskeybiometrics.com; we will respond within the timeframes required by the applicable state law. If we deny a request, you may appeal by replying to that decision with the word "Appeal" in the subject line, and you may also file a complaint with the attorney general of your state of residence.
Geofencing. StatsKey does not use geofences around any healthcare facility, mental health facility, reproductive health facility, or similar location.
Authorization for sharing. We do not share or sell consumer health data without your prior written authorization. If you connect a CGM or HealthKit integration, you are authorizing StatsKey to retrieve and process consumer health data from that source to provide the application features you have enabled, and to store that data in your StatsKey account until you delete it. You may revoke this authorization at any time by disconnecting the integration in the application or by emailing us; revocation stops new data retrieval and triggers deletion under Section 9.
13. EEA/UK Residents (GDPR)
Our legal bases for processing personal data include:
- Contract: To provide the application and fulfill our agreement with you.
- Consent: For HealthKit access, location services, and certain analytics.
- Legitimate interests: Application safety, fraud prevention, quality improvement — balanced against your rights.
- Legal obligation: Compliance with applicable laws.
We may process and store data in the United States and other countries. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for international transfers.
14. Children's Privacy
StatsKey is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
15. Camera & Photos
- Camera access is used solely to capture meal photographs you choose to log.
- Photographs are processed to identify foods and generate nutritional estimates.
- Original photographs remain on your device unless you choose to synchronize them with the application.
- We do not access your photo library without your explicit permission.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the application or by other reasonable means. Your continued use of StatsKey after the effective date of any changes constitutes your acceptance of the updated policy.
17. Contact
If you have questions about this Privacy Policy or wish to exercise your rights: