Privacy Policy for Sugar Sidekicks

Sugar Sidekicks ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web-based administration dashboard (collectively, the "Services"). Sugar Sidekicks helps children and families track nutritional information from meal photos.

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Services.

Personal Information You Provide

When you use Sugar Sidekicks, we collect the following personal information:

• Account Information: When you sign in with Google OAuth, we collect your name, email address, profile picture (if provided by Google), and Google user ID. If you sign in with email and password, we collect your email address and a securely hashed version of your password.
• Meal Photos & Nutrition Labels: Images of meals and packaged food nutrition labels that you capture using the app's camera feature.
• Meal Descriptions: Optional text descriptions you provide about your meals.
• Reference Object Preference: You may optionally place a common object — such as a coin or a standard-size card (metro card, credit card, etc.) — next to your meal when taking a photo. This helps the app estimate portion sizes more accurately, but it is not required to analyze a meal.
• Plate Measurement Data: If you use the optional plate measurement feature, we collect tap coordinates and plate dimensions to improve portion size estimation.
• Nutrition Goals: If you set daily nutrition targets (calories, protein, carbohydrates, fat), we store these preferences to track your progress.

Automatically Collected Information

When you use the Services, we automatically collect:

• Device Information: Device type, operating system version, and device motion sensor data (used to validate camera angle during photo capture).
• Usage Data: App features used, session duration, crash reports.
• Analytics Data: Aggregated usage statistics such as daily meal analysis counts and AI processing metrics. This data is used for service monitoring and improvement and is not shared with third parties.
• Error Logs: When errors occur, we log technical details (error type, timestamp) to diagnose and fix issues. Error logs are automatically deleted after 90 days.
• Authentication Tokens: Secure JWT tokens for maintaining your login session (stored locally on your device).

Information from Third Parties

• Google Account Information: We receive basic profile information from Google when you sign in using Google OAuth.

We use the information we collect to:

1. Provide Core Services: Authenticate your identity, analyze meal photos using AI to estimate nutritional content (including optional reference-object-based and on-server depth estimation for improved portion sizing), store your meal history, and display nutritional information.
2. Improve the Services: Understand how users interact with the Services, monitor aggregated analytics, debug issues, and develop new features.
3. Communicate with You: Send important updates and respond to support requests.
4. Ensure Security: Protect against unauthorized access, verify your identity, and prevent fraud.

We do NOT sell, rent, or trade your personal information. We may share your information only in these limited circumstances:

• Service Providers: We use Google Cloud Platform (for authentication), Amazon Web Services (for secure data storage and transactional emails such as password reset codes via AWS SES), and Anthropic Claude API (for AI-powered meal analysis). These providers are contractually obligated to protect your data.
• Legal Requirements: We may disclose your information if required by law or to comply with legal processes, enforce our terms of service, or protect rights, property, or safety.
• Business Transfers: If Sugar Sidekicks is acquired or merged, your information may be transferred to the new owner.

Security Measures

• Encryption in Transit: All data transmitted uses HTTPS/TLS encryption.
• Encryption at Rest: Data is encrypted in AWS DynamoDB.
• Secure Authentication: JWT tokens are stored securely using expo-secure-store.
• Limited Access: Only authorized personnel can access user data.

Data Retention

• Account Data: Retained as long as your account is active.
• Meal Photos, Nutrition Labels & Analysis: Retained until you delete them or close your account.
• Error Logs: Automatically deleted after 90 days.
• Analytics Data: Aggregated usage statistics are retained indefinitely but contain no personally identifiable information.
• Authentication Tokens: JWT tokens expire after 7 days and are automatically refreshed.

• Access and Portability: You can access your meal history and account information within the app.
• Correction: You can update your profile information through the Settings screen.
• Deletion: You can request deletion of your account and all associated data by contacting us at [email protected]. We will delete your data within 30 days.
• Opt-Out: You can stop all data collection by uninstalling the app and requesting account deletion.

Sugar Sidekicks is designed for use by children with Type 1 diabetes under parental supervision. We comply with the Children's Online Privacy Protection Act (COPPA):

• We recommend that parents or guardians oversee children's use of the app.
• We collect only the minimum information necessary.
• We do not display advertisements or collect data for advertising.
• We do not share children's data with third parties except as described in this policy.

Parents/Guardians: If you believe your child has provided us with personal information without your consent, please contact us at [email protected] and we will delete the information promptly.

• Google OAuth: Google's privacy policy applies to the sign-in process: https://policies.google.com/privacy
• Anthropic Claude API: Anthropic's privacy policy applies: https://www.anthropic.com/privacy
• Amazon Web Services: AWS's privacy policy applies: https://aws.amazon.com/privacy/

Your information may be transferred to and stored on servers located in the United States. By using the Services, you consent to this transfer. We ensure appropriate safeguards are in place to protect your data.

We may update this Privacy Policy from time to time. We will notify you by updating the "Last Updated" date, displaying a notification in the app, or sending an email. Your continued use of the Services after changes constitutes acceptance of the updated policy.

Some browsers have "Do Not Track" features. Our Services do not respond to Do Not Track signals as there is no standard for how to handle them.

If you have questions or concerns about this Privacy Policy, please contact us:

• Email: [email protected]

COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA) for users under 13.

GDPR Compliance (if applicable)

For users in the European Union, you have additional rights: right to be forgotten, right to data portability, right to restrict processing, and right to object to processing. Contact us at [email protected].

California Privacy Rights

California residents have additional rights under CCPA. Contact us at [email protected] for more information.