Legal

Privacy Policy

Last updated: 26 February 2026

Home Terms Support

Overview

Tummy Trace is a food and symptom tracking app for parents of babies and toddlers. We built it to be private by design: your child’s data belongs to your family, not to us.

This policy explains what information we collect when you use Tummy Trace, why we collect it, how it is stored, and the choices you have over it. We have tried to write it plainly. If something is unclear, please contact us.

Short version: We collect only what is necessary to run the app. We do not sell your data, serve you ads, or share your information with third parties for their own marketing purposes.

This policy applies to the Tummy Trace iOS app and the services that support it. The developer is an independent individual, not a company.

What we collect

Account information

When you create an account you provide either an email address and password, or you authenticate using Sign in with Apple. If you use Sign in with Apple, Apple may share a private relay email address with us. We store your account identifier so we can associate your data with your account.

Child profiles

You create one or more child profiles, each with a name. A date of birth is optional and is used only to provide context within the app (such as age-appropriate information). We do not use it for any other purpose.

Meal and symptom logs

The core purpose of the app. When you log entries, we store:

  • Meals: ingredients, optional title, and the time eaten
  • Symptoms: type, severity, optional notes, and the time they occurred
  • Allergen exposures: allergen name, exposure status, and the time recorded

All log entries are timestamped and linked to a child profile.

Symptom photos

You may optionally attach a photo to a symptom log entry — for example, a photo of a rash or visible reaction. These photos are stored only on your device, in your local photo library under a “Tummy Trace” album. We store only a reference identifier (an opaque local asset ID) so the app can retrieve the photo from your device. The image itself is never uploaded to our servers, and it is never sent to any AI feature or third-party provider. This applies unconditionally — symptom photos cannot be sent to any external service by any part of the app.

Meal templates

If you save a meal as a template for reuse, the template name and ingredient list are stored.

What we do not collect

  • Your location, at any time
  • Your contacts or calendar
  • Device advertising identifiers
  • Any data from your child directly — Tummy Trace is used by parents, not children

How we use it

We use the information you provide solely to operate Tummy Trace for you:

  • To display your logs, timeline, and weekly summaries
  • To generate the Doctor Visit Report PDF
  • To run pattern analysis on your meal and symptom history
  • To sync your data across your devices via a secure server
  • To send you reminder notifications if you have enabled them
  • To process your subscription payment (handled entirely by Apple)

We do not use your data for advertising, profiling, or any purpose beyond operating the service you signed up for.

AI features

Premium users have access to AI-powered features: AI Photo Logging, Voice Capture, Label Scanner, Recipe Import, and Pattern Analysis. Each feature is described below. All AI requests are routed through a secure proxy server we operate before reaching any AI provider.

AI Photo Logging

When you photograph a meal, the image is compressed on your device (reduced to a maximum of 1024×1024 pixels at reduced quality) and sent as an encoded image file to our proxy server, which forwards it to Google Gemini for ingredient identification. Gemini returns a list of identified ingredients. The image is used for processing only and is not stored — neither on our servers nor by Google under standard Gemini API terms. Only the returned ingredient list is saved, locally on your device and synced to Supabase as structured text.

Food photos are photos of plates and packaged food. They are never photos of your child. If you happen to capture a child in a food photo, that image is transmitted to Google as described above, processed, and immediately discarded — it is not stored anywhere.

Voice Capture

Audio from Voice Capture is never transmitted anywhere. Speech-to-text transcription is performed entirely on your device using Apple’s on-device speech recognition framework, which requires no network connection and sends nothing to Apple. Only the resulting text transcript is sent to our proxy (and then to Gemini) to extract ingredient and timing information. The audio recording itself is discarded on-device immediately after transcription.

Label Scanner and Recipe Import

For label scanning, text is read from the camera image using on-device optical character recognition. Only the extracted text (the ingredient list from the label) is sent to the AI proxy — the camera image itself is not transmitted. Recipe import sends the text content of a recipe URL or pasted text to the proxy for ingredient parsing.

Pattern Analysis

Pattern analysis uses the structured list of ingredient names and symptom types from your logs (not free-form notes) to identify correlations. Before this is sent to the AI proxy, personal identifiers — names, email addresses, dates of birth, and any fields matching common personal identifier patterns — are automatically removed by our proxy server. Gemini receives only anonymised ingredient and symptom category data.

Provider and data use

All AI features are processed by Google Gemini via our proxy. Data sent to Gemini is subject to Google’s privacy policy. We use the Gemini API under terms that do not permit Google to use submitted data to train its models.

AI features are optional and only available to Premium subscribers. If you do not use them, no log content is ever sent to an AI provider. Symptom photos are never used with any AI feature — they remain on your device only.

Analytics

Tummy Trace collects anonymous usage telemetry to help us understand how the app is being used and where things break. This is a first-party system — we do not use third-party analytics SDKs (no Firebase, no Mixpanel, no Meta Pixel).

What is tracked

We track a fixed allowlist of events such as “meal logged”, “symptom logged”, “pattern analysis viewed”, and “reminder sent”. Before any event is sent:

  • All personal identifiers are automatically stripped from event data
  • Events are batched and sent in bulk rather than in real time
  • Events not in the approved allowlist are silently discarded on-device

What is not tracked

The actual content of your logs — ingredient names, symptom descriptions, notes — is never included in telemetry. We track that a meal was logged, not what it contained.

Data sharing

We do not sell your personal information. We share data only with the following service providers, and only to the extent necessary to operate the app:

Supabase

Our database, authentication, and sync infrastructure is provided by Supabase, Inc. Your account credentials, child profiles, and log data are stored on Supabase’s servers, which run on Amazon Web Services infrastructure in the United States. Supabase processes this data as a data processor under our instructions. See Supabase’s privacy policy.

Google (Gemini)

AI features route sanitised requests to Google’s Gemini API via our proxy. See the AI features section above for detail on what is sent. See Google’s privacy policy.

Apple

Subscription purchases and payments are handled entirely by Apple through StoreKit. We never see or store your payment card details. Apple’s handling of purchase data is governed by Apple’s privacy policy.

Law enforcement

We will disclose information if required to do so by law or in response to a valid legal process, and where permitted will attempt to notify you before doing so.

Storage & security

Tummy Trace is an offline-first app. Your data is stored locally on your device using Apple’s SwiftData framework, and synchronised to Supabase over an encrypted HTTPS connection when you are online. You can use the app fully while offline.

Access to your data on our servers is controlled by row-level security policies — your data is only accessible to your own authenticated account. Connections to the server require a valid authenticated session token; there is no unauthenticated access to any user data.

Symptom photos are stored in your device’s local photo library only and are never uploaded.

No security system is perfect. If you believe you have found a security vulnerability, please contact us at [email protected] before disclosing it publicly.

Retention

Your data is retained for as long as your account exists. When you delete your account, your data is permanently removed from our servers. This is handled by a server-side process that cascades deletion through all associated records.

You can delete your account at any time from Settings → Account → Delete Account within the app. Deletion is immediate and irreversible.

Anonymous telemetry events are retained for up to 12 months for the purpose of product analytics, after which they are deleted.

Your rights

Depending on where you live, you may have rights regarding your personal data, including the right to access, correct, or delete it. We support these rights regardless of where you are located:

  • Access: You can view all your data directly within the app at any time
  • Correction: You can edit any log entry, child profile, or account detail from within the app
  • Deletion: You can delete individual entries, child profiles, or your entire account from within the app
  • Export: Premium users can generate a Doctor Visit Report PDF covering any date range
  • Portability: If you need a machine-readable export of your data, contact us and we will provide one

To exercise any right not covered by the app itself, contact us at [email protected]. We will respond within 30 days.

Children’s privacy

Tummy Trace is a tool for parents and caregivers. The account holder — and the person using the app — is always an adult. The app is not directed at children and does not invite or permit children to use it.

Information about children (name, optional date of birth, and the meal and symptom logs a parent creates) is entered by and belongs to the parent or guardian. It is treated as part of the parent’s account data, under the parent’s control.

No photos of children are uploaded. Symptom photos — which may include photos of a child’s skin, reactions, or appearance — are stored only on your device and are never transmitted to any server or AI provider. Food photos sent to AI Photo Logging are photos of plates and food, not of your child.

We do not knowingly collect personal information directly from any person under the age of 13. Tummy Trace requires account creation, which is appropriate only for adults. If you believe a child has created an account independently, please contact us and we will promptly delete it.

Parents can delete all data associated with a child profile — including every log entry — by deleting the child profile within the app, or by deleting their account entirely.

Changes to this policy

We may update this policy from time to time. When we do, we will update the date at the top of this page. If the changes are material, we will notify you within the app. Continued use of Tummy Trace after a policy update constitutes acceptance of the revised policy.

Prior versions of this policy are available on request.

Contact us

If you have questions about this policy or about how your data is handled, please write to us:

[email protected]

We aim to respond to all privacy enquiries within 5 business days.