Privacy Policy
Your data stays yours. We don't sell it, we don't share it, and we don't monetize it.
Last updated: December 2025
TL;DR — The Short Version
Privacy Overview
Track4U is built with privacy as a core principle. We're an open-source project, which means our code is fully auditable. We don't sell your data, we don't run ads, and we don't use your information to train AI models.
The BYOK (Bring Your Own Key) model means your AI usage goes directly to your provider — we never see your API billing, usage patterns, or the images you scan.
What We Collect
Account Information
When you create an account, we collect:
- Email address (for authentication)
- Name (optional, for personalization)
- Password (hashed, never stored in plain text)
Food Log Data
When you log meals, we store:
- Nutritional information (calories, protein, carbs, fat)
- Food descriptions
- Timestamps
What We Don't Store
- Food photos (processed and immediately discarded)
- Your OpenAI API key in plain text (encrypted with AES-256-GCM)
- Your AI usage or billing data
API Key Security
Your OpenAI API key is encrypted using AES-256-GCM encryption before being stored in our database. This is the same encryption standard used by banks and government agencies.
When you make a scan request:
1. Your encrypted key is retrieved
2. Decrypted in memory only for the API call
3. The image is sent directly to OpenAI
4. Results are returned to you
5. No image data is retained
We never log, store, or have access to your plain-text API key after encryption.
Image Processing
When you photograph a meal:
1. The image is sent to OpenAI's API for analysis
2. OpenAI returns nutritional estimates
3. The image is immediately discarded
4. Only the nutritional data is stored in your food log

We do not:
- Store your food photos on our servers
- Use your images to train AI models
- Share your images with third parties
- Retain any visual data after processing
Data Sharing
We do not sell your data. Ever.
The only third party that receives your data is:
- OpenAI (or your chosen AI provider): Receives your food images for analysis via your own API key. Their privacy policy governs their handling of this data.
We may disclose information if required by law or to protect the safety of our users.
Data Retention
Active Accounts
Your food log and account data are retained as long as your account is active.
Account Deletion
When you delete your account:
- All your food log entries are permanently deleted
- Your encrypted API key is deleted
- Your account information is removed
- This process is irreversible
Export Your Data
You can export all your data at any time from your account settings. We believe in data portability — your data belongs to you.
Self-Hosting
Track4U is fully open source under the MIT license. You can:
- Clone the repository
- Deploy on your own infrastructure
- Have complete control over all data
- Modify the code as needed
Self-hosted instances operate independently and are not covered by this privacy policy. You are responsible for your own data handling practices when self-hosting.
Children's Privacy
Track4U is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
Changes to This Policy
We may update this privacy policy from time to time. When we do:
- The "Last updated" date will change
- Significant changes will be announced on our GitHub repository
- Continued use of the service constitutes acceptance of the updated policy
As an open-source project, all changes to our privacy practices are public and auditable.
Contact
For privacy-related questions or concerns:
- Open an issue on GitHub
- Email: privacy@track4u.app
For data deletion requests, use the account settings in the app or contact us directly.
Questions about privacy?
Our code is open source — audit it yourself or reach out with questions.