Privacy Policy — Tummy Trace

Overview

Tummy Trace is a food and symptom tracking app for parents of babies and toddlers. We built it to be private by design: your child’s data belongs to your family, not to us.

This policy explains what information we collect when you use Tummy Trace, why we collect it, how it is stored, and the choices you have over it. We have tried to write it plainly. If something is unclear, please contact us.

Short version: We collect only what is necessary to run the app. We do not sell your data, serve you ads, or share your information with third parties for their own marketing purposes.

This policy applies to the Tummy Trace iOS app and the services that support it. The data controller is Tameem Siddiquee, an independent developer based in the United States. You can reach the data controller at support@tummytrace.com.

What we collect

Account information

When you create an account you provide either an email address and password, or you authenticate using Sign in with Apple. If you use Sign in with Apple, Apple may share a private relay email address with us. We store your account identifier so we can associate your data with your account.

Child profiles

You create one or more child profiles, each with a name. A date of birth is optional and is used only to provide context within the app (such as age-appropriate information). We do not use it for any other purpose.

Meal and symptom logs

The core purpose of the app. When you log entries, we store:

Meals: ingredients, optional title, and the time eaten
Symptoms: type, severity, optional notes, and the time they occurred
Allergen exposures: allergen name, exposure status, and the time recorded

All log entries are timestamped and linked to a child profile.

Symptom photos

You may optionally attach a photo to a symptom log entry — for example, a photo of a rash or visible reaction. These photos are stored only on your device, in your local photo library under a “Tummy Trace” album. We store only a reference identifier (an opaque local asset ID) so the app can retrieve the photo from your device. The image itself is never uploaded to our servers, and it is never sent to any AI feature or third-party provider. This applies unconditionally — symptom photos cannot be sent to any external service by any part of the app.

Meal templates

If you save a meal as a template for reuse, the template name and ingredient list are stored.

What we do not collect

Your location, at any time
Your contacts or calendar
Device advertising identifiers
Any data from your child directly — Tummy Trace is used by parents, not children

How we use it

We use the information you provide solely to operate Tummy Trace for you:

To display your logs, timeline, and weekly summaries
To generate the Doctor Visit Report PDF
To run pattern analysis on your meal and symptom history
To sync your data across your devices via a secure server
To send you reminder notifications if you have enabled them
To process your subscription payment (handled entirely by Apple)

We do not use your data for advertising, profiling, or any purpose beyond operating the service you signed up for.

Legal basis for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction that requires a lawful basis for processing personal data, we rely on the following grounds:

Contract performance

Processing your account information, child profiles, meal logs, and symptom logs is necessary to provide the core Tummy Trace service you signed up for — including data sync, timeline display, and the Doctor Visit Report.

Consent

AI-powered features (Photo Logging, Voice Capture, Label Scanner, Recipe Import, and Pattern Analysis) process your data only after you give explicit, in-app consent. You can withdraw this consent at any time by turning off AI features in the app settings. Withdrawing consent does not affect data already processed before the withdrawal, and you can continue using all non-AI features of Tummy Trace normally.

Legitimate interest

We collect anonymous usage telemetry (described in the Analytics section) under a legitimate interest basis — specifically, to maintain app quality, identify bugs, and understand which features are useful. This telemetry contains no personal identifiers and poses minimal privacy risk.

International data transfers

Your data is stored on Supabase servers running on Amazon Web Services infrastructure in the United States. For transfers of personal data from the EEA or UK to the US, Supabase relies on Standard Contractual Clauses (SCCs) approved by the European Commission. AI requests processed by Google Gemini are transient — data is sent to Gemini’s API for processing and is not stored by Google. Google’s Gemini API paid tier does not use submitted data for model training.

Data retention periods

We retain different categories of data for different periods:

Account and log data (child profiles, meals, symptoms, allergen records): retained for the lifetime of your account. Deleted immediately and permanently when you delete your account or a child profile.
Authentication credentials: retained for the lifetime of your account. Deleted when you delete your account.
Anonymous telemetry events: retained for up to 12 months, then automatically purged. De-identified on collection.
AI processing data (images, text sent to Gemini): not retained. Processed transiently and discarded immediately after a response is returned.

Automated decision-making

Pattern Analysis uses automated processing to surface statistical correlations between ingredients and symptoms in your logs. This processing highlights patterns for your review — it does not make any decisions on your behalf, does not constitute medical advice, and does not restrict your use of the app in any way. You can always view the raw, unfiltered data alongside any AI-curated results.

AI features

Premium users have access to AI-powered features: AI Photo Logging, Voice Capture, Label Scanner, Recipe Import, and Pattern Analysis. Each feature is described below. All AI requests are routed through a secure proxy server we operate before reaching any AI provider.

Before any data is sent to an AI provider for the first time, the app asks for your explicit permission. You can use Tummy Trace fully without AI features — they are optional.

AI Photo Logging

When you photograph a meal, the image is compressed on your device (reduced to a maximum of 1024×1024 pixels at reduced quality) and sent as an encoded image file to our proxy server, which forwards it to Google Gemini for ingredient identification. Gemini returns a list of identified ingredients. The image is used for processing only and is not stored on our servers. Under the paid Gemini API terms we use, Google does not use submitted data to train its models and does not retain it beyond the time needed to process the request, except as may be required for safety monitoring. Only the returned ingredient list is saved, locally on your device and synced to Supabase as structured text.

Food photos are intended to be photos of plates and packaged food, not of your child. If a person happens to appear in a food photo, the image is still processed as described above and immediately discarded — it is not stored by our servers or by Google.

Voice Capture

Audio from Voice Capture is never transmitted anywhere. Speech-to-text transcription is performed entirely on your device using Apple’s on-device speech recognition framework, which requires no network connection and sends nothing to Apple. Only the resulting text transcript is sent to our proxy (and then to Gemini) to extract ingredient and timing information. The audio recording itself is discarded on-device immediately after transcription.

Label Scanner

For label scanning, text is read from the camera image using on-device optical character recognition. Only the extracted text (the ingredient list from the label) is sent to the AI proxy — the camera image itself is not transmitted.

Recipe Import

Recipe Import lets you photograph or screenshot a recipe. The image is compressed on your device (reduced to a maximum of 1024×1024 pixels at reduced quality) and sent as an encoded image file to our proxy server, which forwards it to Google Gemini for ingredient extraction. This works the same way as AI Photo Logging described above. The image is used for processing only and is not stored on our servers. Under the paid Gemini API terms we use, Google does not retain submitted data beyond processing time, except as may be required for safety monitoring. Only the returned ingredient list is saved.

Pattern Analysis

Pattern analysis sends only structured ingredient names, symptom types, and statistical co-occurrence counts to the AI proxy. No child names, notes, or personal details are included in this data. Gemini receives only anonymised ingredient and symptom category data.

Provider and data use

All AI features are processed by Google Gemini via our proxy. Data sent to Gemini is subject to Google’s privacy policy. We use the Gemini API under terms that do not permit Google to use submitted data to train its models. AI responses (structured ingredient lists, not images or audio) may be temporarily cached on our servers for up to 24 hours to improve response speed for identical requests. Cached data is automatically deleted after expiration.

AI features are optional and only available to Premium subscribers. If you do not use them, no log content is ever sent to an AI provider. Symptom photos are never used with any AI feature — they remain on your device only.

Analytics

Tummy Trace collects anonymous usage telemetry to help us understand how the app is being used and where things break. This is a first-party system — we do not use third-party analytics SDKs (no Firebase, no Mixpanel, no Meta Pixel).

What is tracked

We track a fixed allowlist of events such as “meal logged”, “symptom logged”, “pattern analysis viewed”, and “reminder sent”. Before any event is sent:

All personal identifiers are automatically stripped from event data
Events are batched and sent in bulk rather than in real time
Events not in the approved allowlist are silently discarded on-device

What is not tracked

The actual content of your logs — ingredient names, symptom descriptions, notes — is never included in telemetry. We track that a meal was logged, not what it contained.

Data sharing

We do not sell your personal information. We share data only with the following service providers, and only to the extent necessary to operate the app:

Each provider is contractually required to protect your data to at least the same standard we apply ourselves.

Supabase

Our database, authentication, sync, and analytics infrastructure is provided by Supabase, Inc. Your account credentials, child profiles, and log data are stored on Supabase’s servers, which run on Amazon Web Services infrastructure in the United States. Supabase processes this data as a data processor under our instructions. See Supabase’s privacy policy.

Google (Gemini)

AI features route sanitised requests to Google’s Gemini API via our proxy. See the AI features section above for detail on what is sent. See Google’s privacy policy.

Apple

Subscription purchases and payments are handled entirely by Apple through StoreKit. We never see or store your payment card details. Apple’s handling of purchase data is governed by Apple’s privacy policy.

Law enforcement

We will disclose information if required to do so by law or in response to a valid legal process, and where permitted will attempt to notify you before doing so.

Storage & security

Tummy Trace is an offline-first app. Your data is stored locally on your device using Apple’s SwiftData framework, and synchronised to Supabase over an encrypted HTTPS connection when you are online. You can use the app fully while offline.

Access to your data on our servers is controlled by row-level security policies — your data is only accessible to your own authenticated account. Connections to the server require a valid authenticated session token; there is no unauthenticated access to any user data.

Symptom photos are stored in your device’s local photo library only and are never uploaded.

Retention

Your account and log data (child profiles, meal logs, symptom logs, allergen records) is retained for the lifetime of your account. Anonymous telemetry events are retained for up to 12 months. Data sent to AI features is processed transiently and never stored. For a full breakdown of retention periods, see the Legal basis section.

When you delete your account, your personal data is permanently removed from our servers. You can delete your account at any time from Settings → Delete Account within the app. You can also delete individual child profiles and their associated logs. Deletion of personal data is immediate and irreversible.

Your rights

Depending on where you live, you may have rights regarding your personal data, including the right to access, correct, or delete it. We support these rights regardless of where you are located:

Access: You can view all your data directly within the app at any time
Correction: You can edit any log entry, child profile, or account detail from within the app
Deletion: You can delete individual entries, child profiles, or your entire account from within the app
Export: Premium users can generate a Doctor Visit Report PDF covering any date range
Portability: If you need a machine-readable export of your data, contact us and we will provide one
Withdraw consent: You can withdraw consent for AI features at any time within the app. Withdrawal does not affect data processed before that point
Complaint: If you are in the EEA or UK and believe your data protection rights have not been addressed, you have the right to lodge a complaint with your local data protection supervisory authority

To exercise any right not covered by the app itself, contact us at support@tummytrace.com. We will respond within 30 days.

Children’s privacy

Tummy Trace is a tool for parents and caregivers. The account holder — and the person using the app — is always an adult. The app is not directed at children and does not invite or permit children to use it.

Information about children (name, optional date of birth, and the meal and symptom logs a parent creates) is entered by and belongs to the parent or guardian. It is treated as part of the parent’s account data, under the parent’s control.

No photos of children are uploaded. Symptom photos — which may include photos of a child’s skin, reactions, or appearance — are stored only on your device and are never transmitted to any server or AI provider. Food photos sent to AI Photo Logging are photos of plates and food, not of your child.

We do not knowingly collect personal information directly from any person under the age of 13. Tummy Trace requires account creation, which is appropriate only for adults. If you believe a child has created an account independently, please contact us and we will promptly delete it.

Parents can delete all data associated with a child profile — including every log entry — by deleting the child profile within the app, or by deleting their account entirely.

Changes to this policy

We may update this policy from time to time. When we do, we will update the date at the top of this page. If the changes are material, we will notify you within the app. Continued use of Tummy Trace after a policy update constitutes acceptance of the revised policy.

Prior versions of this policy are available on request.

Contact us

If you have questions about this policy or about how your data is handled, please write to us:

support@tummytrace.com

We aim to respond to all privacy enquiries within 5 business days.