Metrify Privacy Policy
Metrify ("Metrify," "we," "us," or "our") is an AI-assisted fitness and nutrition tracking application. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. It applies to the Metrify mobile application and the backend services that power it (together, the "Service").
Metrify is built privacy-first: your fitness data lives on your device, not on our servers. The sections below explain exactly what stays local, what leaves your phone and why, and what happens to it when it does.
1. Summary (TL;DR)
- Your food logs, exercise logs, weight history, sleep records, goals, profile details, custom foods, and the AI assistant's saved "memory" facts are stored locally on your device in an on-device database, never on our servers.
- We store a minimal account record (your email, authentication identifiers, subscription tier, and daily chat-usage counts) so the Service can function.
- If you buy a Premium subscription, the purchase is processed by the Apple App Store or Google Play and managed through RevenueCat; we receive your subscription status and transaction identifiers, never your full payment-card details.
- If you connect Apple Health or Health Connect, Metrify reads weight, workouts, steps, and sleep from your device's health hub — read-only, with your permission — and stores them in your on-device database. This health data is never sold and never used for advertising.
- When you use the AI chat assistant, your messages — and any fitness data the assistant reads from your device to answer you, and any food photos you submit — are sent to our server and relayed to our AI provider (OpenAI) to generate a response. Chat sessions are held in server memory only and expire automatically; we do not write chat transcripts to a database.
- If you scan a product barcode, only the barcode number is sent to our server to look up the food. If the product isn't in our catalog yet, our server queries Open Food Facts and the USDA FoodData Central databases with the barcode number only — never your identity.
- We use Sentry for crash and performance reporting (device and app diagnostics, stack traces).
- We do not sell your personal information. We do not use your health and fitness data for advertising.
- You can delete your account and all associated server-side data at any time from within the app (Profile → Danger Zone → Delete Account).
2. Information Stored Only on Your Device
The following data is created and stored in a local database on your device and is not uploaded to or retained by our servers (except transiently during AI chat turns, as described in Section 4):
- Food logs, including meals, quantities, and nutritional breakdowns
- Exercise and workout logs, workout templates, and custom exercises
- Weight history
- Sleep records
- Step counts and other health metrics imported from your device's health hub (see Section 5)
- Your profile details (name, age, date of birth, gender, height, weight, units preference)
- Calorie and macronutrient goals, including goal history
- Custom foods you create (these are never uploaded to our food catalog)
- Facts the AI assistant saves at your direction (e.g., allergies, movement limitations, goal motivations)
- Cached copies of catalog foods you have searched for or scanned, so search and barcode lookups work offline
- Reminder settings (reminders are delivered as local, on-device notifications — no server is involved)
- App preferences (theme, units, filters)
If you uninstall the app, this local data is deleted with it and we cannot recover it.
3. Information We Collect on Our Servers
Account information. When you create an account we collect your email address and a password (stored as a secure hash by our authentication provider, Supabase), or your identity token if you sign in with Google or Apple. Authentication session tokens are stored on your device in platform-protected secure storage (Keychain on iOS, Keystore on Android, DPAPI on Windows).
Usage and quota records. We record your subscription tier and a daily count of AI chat turns to enforce usage limits (these reset daily). We also track a lifetime turn count for analytics.
Subscription and purchase data. If you purchase a Premium subscription, the transaction is handled by the Apple App Store or Google Play and managed through RevenueCat. RevenueCat associates the purchase with an identifier tied to your account so our server can keep your subscription tier current (including when a subscription renews, lapses, or is refunded outside the app). We receive your subscription status, the plan you bought, and store transaction identifiers. We never receive or store your full payment-card number — the app stores handle payment.
Food catalog popularity signals. When you log a food from our shared catalog, the app sends an anonymous-in-effect "selection" signal that increments a popularity counter on that food to improve search ranking. This counter is attached to the food, not to your account.
Food search and barcode lookups. When you search the shared food catalog or scan a product barcode, the search text or barcode number is sent to our server to return matching foods. These lookups are processed transiently to answer the request — we do not log your search terms or scanned barcodes, and they are not linked to your account. If a scanned barcode is not in our catalog, our server performs a one-time lookup against Open Food Facts and the USDA FoodData Central database. That external request is made by our server and contains only the barcode number — never your identity, account, or IP address. Product data returned by these sources is saved into our shared food catalog (it describes the product, not you), so future scans of that product resolve instantly for everyone.
Crash and diagnostic data. We use Sentry to collect crash reports and performance traces. These may include device model, operating system version, app version, and stack traces. We use this data solely to diagnose and fix problems. If we ever enable screenshot capture at the moment of an error (which could incidentally include on-screen content), we will update this Policy first.
Network metadata. Like virtually all internet services, our servers process IP addresses to deliver responses and to rate-limit certain endpoints (e.g., the pre-signup email check). We do not build profiles from this data.
4. AI Chat, Photos, and Voice
Chat. Metrify's assistant works through a tool loop: your message goes to our server, which forwards it to our AI model provider (currently OpenAI). When the assistant needs your data to answer (e.g., "how was my protein this week?"), your device executes the request locally and returns the relevant results — which may include food logs, weights, exercise and sleep history, step counts, profile details, and goals — through our server to the model. This means health and fitness data transits our server and the AI provider during a chat turn.
- Chat conversations are held in server memory only, keyed to your session, and are automatically discarded after a period of inactivity (approximately one hour) or when you reset the chat. We do not persist chat transcripts in a database. If this ever changes, we will update this Policy before doing so.
- Per OpenAI's API data usage policies in effect as of this writing, data submitted via the API is not used to train OpenAI's models. We do not opt in to any training programs.
- Write actions the assistant proposes (logging food, changing goals, deleting entries) execute on your device and require your in-app confirmation.
Photos. If you use photo-based food logging, the image you submit is downscaled on your device (to a maximum of 1,536 pixels on its longest side), sent to our server, and relayed to the AI vision model to identify the food. Images are processed transiently as part of the chat turn and are not stored by us.
Voice. Speech-to-text uses your device platform's native speech recognition (with your microphone permission). Audio is processed by your device and/or its platform speech service (Apple or Google, per your device settings) — Metrify's servers never receive your audio; we receive only the resulting text if you send it as a chat message.
Knowledge retrieval. To ground answers, the server may search a curated nutrition and exercise reference library. This search runs server-side over reference content, not over your personal data.
5. Health and Fitness Platform Integration
Metrify can connect to your device's health hub — Apple Health on iOS and Health Connect on Android — to bring in readings you have recorded elsewhere (for example, from a smart scale, a wearable, or another fitness app) automatically. This integration is optional and stays off until you turn it on from the in-app Connections tab.
- Permission. Connecting triggers the operating system's own permission sheet. Metrify cannot read any health data until you grant access there. You can review or revoke this access at any time in your device settings (on iOS: Settings → Health → Data Access & Devices → Metrify; on Android: your Health Connect settings).
- What we read. With your permission, Metrify reads body weight, workouts, step counts, and sleep from the health hub to keep your logs current.
- Read-only. Metrify only reads from the health hub. It does not write any data back to Apple Health or Health Connect.
- Stays on your device. Data imported from the health hub is stored in your on-device database alongside your other logs (Section 2). It is not uploaded to or retained by our servers, except transiently if the assistant reads it to answer you during a chat turn (Section 4).
- Use limits. Consistent with Apple and Google platform policies, data obtained from Apple Health or Health Connect is used only to provide Metrify's features — such as showing and logging your weight, workouts, steps, and sleep, and estimating calories burned. It is never used for advertising or marketing, is never sold, and is never shared with third parties for their own purposes.
Synced weigh-ins, workouts, and sleep first appear as pending items you can review and then log or dismiss; you may also enable auto-logging for each type. Step totals are shown as an activity metric. Disconnecting in your device settings stops any further reads.
6. How We Use Information
We use the information described above to:
- Provide, maintain, and improve the Service
- Authenticate you and secure your account
- Generate AI assistant responses
- Import and display health data from Apple Health or Health Connect when you connect them
- Enforce usage quotas and tier entitlements
- Rank food search results
- Diagnose crashes, errors, and performance problems
- Comply with legal obligations
We do not:
- Sell your personal information
- Use your health and fitness data for advertising or marketing
- Share your data with third parties except the service providers listed in Section 7
7. Service Providers (Subprocessors)
We share data with the following providers, only as needed to operate the Service:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication, account database, food catalog, knowledge base hosting | Email, password hash, OAuth identities, tier/usage records |
| OpenAI | AI chat and image understanding | Chat messages, tool results (may include fitness data), submitted food photos |
| RevenueCat | Subscription management and purchase validation | Account identifier, subscription status, plan, store transaction identifiers (no card details) |
| Sentry | Crash and performance reporting | Device/app diagnostics, stack traces |
| Sign-in with Google (optional); platform speech recognition | OAuth identity; on-device audio per your device settings | |
| Apple | Sign in with Apple (optional); platform speech recognition | OAuth identity; on-device audio per your device settings |
| Open Food Facts | Barcode lookup for products not yet in our catalog | Barcode number only, sent from our server (no user identity) |
| USDA FoodData Central | Barcode lookup for products not yet in our catalog | Barcode number only, sent from our server (no user identity) |
Each provider processes data under its own terms and our agreements with it. Apple Health (on iOS) and Health Connect (on Android) act as on-device sources you can choose to import from; we read from them locally and do not transmit your data to them (see Section 5). We may update this list as the Service evolves and will revise this Policy accordingly.
8. Data Retention and Deletion
- Local data: retained on your device until you delete it, delete your account, or uninstall the app.
- Account and usage records: retained while your account is active.
- Chat sessions: held in server memory only and expire automatically (approximately one hour of inactivity) or upon chat reset.
- Crash reports: retained per Sentry's retention settings, then deleted.
Account deletion is available in-app (Profile → Danger Zone → Delete Account). Deletion removes your server-side records (profile, usage, device records) and your authentication account, and then wipes the app's local data on your device. This action is permanent and cannot be undone.
9. Security
We use industry-standard measures to protect your data, including TLS encryption in transit, signed JSON Web Tokens for authentication, platform secure storage for credentials on device, row-level security on shared database tables, and per-IP rate limiting on unauthenticated endpoints. No system is perfectly secure, and we cannot guarantee absolute security.
10. Planned Features That Will Affect This Policy
Metrify is under active development. The following planned features will change how data is handled. We will update this Policy and, where required, ask for your consent before any of these take effect:
- Rewarded video ads. A planned opt-in feature lets free-tier users watch an ad to earn additional chat turns. An ad network would receive standard advertising identifiers for ad delivery; health and fitness data will not be shared with ad networks.
11. Your Rights and Choices
Depending on where you live (e.g., the EU/EEA under GDPR, or California under CCPA/CPRA), you may have rights to access, correct, delete, export, or restrict the processing of your personal information, and the right not to be discriminated against for exercising those rights.
Because Metrify is local-first, you can directly view, edit, and delete nearly all of your data in the app itself. For server-side data, you can delete everything via in-app account deletion, or contact us (Section 14) to exercise any right. We do not sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.
You may also control app permissions (camera, microphone, health-data access, and notifications) at any time in your device settings.
12. Children's Privacy
The Service is not directed to children under 13 (or the higher minimum age required in your jurisdiction, such as 16 in parts of the EU). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
13. Changes to This Policy
We may update this Policy as the Service evolves — including for the planned features in Section 10. We will post the updated Policy with a new effective date and, for material changes, provide notice in the app. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
14. Contact
Questions, requests, or concerns about this Policy or your data:
Email: support@metrify.fit
Food catalog data includes content derived from the U.S. Department of Agriculture's FoodData Central (public domain) and from Open Food Facts (https://world.openfoodfacts.org), © Open Food Facts contributors, used under the Open Database License (ODbL) v1.0 (https://opendatacommons.org/licenses/odbl/1-0/). Foods sourced from Open Food Facts are labeled as such in the app.