Privacy policy
Last updated 15 May 2026. What's stored where, what leaves your device, and what we never collect.
The short version
Your weight, cycle, sleep, meals, and Apple Health data stay on your device. The only things that leave it are (1) a meal photo if you use Take Photo and (2) a chat question if you use the chat feature - both go to our AI proxy and are not used to train any model. We don't run analytics, advertising SDKs, or any third-party tracking.
On your device (we never see it)
Weight entries, period dates, meal logs, sleep observations, hydration logs, cravings, calendar context, settings, and any notes you type - all stored locally in iOS's Documents folder. If you grant Apple Health permission, weight entries also flow into Health, governed by Apple's iCloud Health settings.
Sent to our AI proxy (only when you use AI features)
If you tap Take Photo on the Food tab, the photo (resized to 1024×1024) is sent to our proxy and forwarded to Google's Gemini API for a calorie estimate. If you use the chat feature, your typed question is sent along with a summary of your data (trend numbers, sleep stage averages, cycle phase, last 15 meal names) - never your raw entries, name, email, or any identifier you'd recognize as yours.
The proxy adds no extra data. Neither we nor Google retain your photos or chats for training. Daily usage counters (how many photos, how many chats today) are kept anonymously to enforce free / Plus / Pro caps.
Stored server-side (anonymous)
To make subscriptions and daily caps work, we keep three small records keyed on an anonymous Firebase ID (auto-generated on first launch - not linked to your Apple ID, email, or name):
- Subscription state - your current tier (free, Plus, Pro), renewal date, transaction ID from Apple.
- Daily usage counters - `{ chat: 7, photos: 2 }` for the current UTC day. Reset at midnight UTC.
- Sign in with Apple link (optional) - only if you use Sign in with Apple, we store the opaque Apple-provided user ID so your subscription follows you to a new device.
That's it. No weight, no cycle, no meals, no Health data, no analytics events.
Weigh has no third-party analytics, no advertising SDKs, no crash-tracking SDK that ships data outside our own infrastructure, and no marketing pixels. Specifically:
- No Google Analytics, Mixpanel, Segment, Amplitude, PostHog, or similar.
- No Facebook SDK, AppLovin, ad networks, or attribution providers.
- No device fingerprinting beyond Apple's per-app vendor ID (used only for one-shot diagnostics code activation, when you're a beta tester).
- No name, no email (except an opaque token if you use Sign in with Apple), no phone number, no location, no contacts, no other photos.
Apple Health (read + write)
Reads weight history, body mass, sleep, workouts, steps, active calories, heart rate, and menstrual flow to build your trend chart, sleep view, and cycle context. Writes weight entries you log. You can revoke individual data types in iOS Settings → Privacy & Security → Health → Weigh.
Camera and Photos (optional)
Used only when you tap Take Photo on the Food tab. The captured or chosen photo is sent to our AI proxy for a calorie estimate, then discarded - only the dish name, calorie estimate, and a small 200×200 thumbnail are saved on your device.
Calendars (optional)
If granted, upcoming events appear as "Coming up" context next to your weigh-ins. Calendar data is read-only and never leaves your device. Denying this permission only hides the Coming up card.
Sign in with Apple (optional)
Lets your Plus / Pro subscription follow you to a new iPhone. We store only the opaque Apple-provided user identifier. Email is never requested, even when Apple offers to share it.
Photo meal log (Plus / Pro)
The photo is base64-encoded and sent to our proxy on Firebase Functions in Singapore (asia-southeast1). The proxy adds your tier and daily usage counters, then forwards the photo + a prompt to Google's Gemini API. Gemini's response is parsed into `{dish, kcal, protein, carbs, fat}` and sent back. Photos are not stored on our infrastructure; they pass through memory only for the duration of the request (typically < 3 seconds).
Chat with your data (Plus / Pro)
Your question and a summary of your data (trend numbers, sleep stage averages, recent meal names, cycle phase if applicable, last 7 days of activity) are sent to the same proxy and forwarded to Gemini. The summary contains derived numbers, not raw entries - your individual weigh-ins, dates, or personal identifiers never appear.
Training and retention
Google's Gemini API terms commit to not using API traffic for model training. We do not retain prompts, photos, or responses beyond the request lifetime. The only durable record is the daily counter (photos and chats per day) needed to enforce caps.
Subscriptions are processed entirely by Apple via StoreKit and the App Store. We never see your card details. After purchase, Apple sends our server an anonymous notification with a transaction ID and product ID, which we store against your anonymous Firebase ID. Cancellation and refunds are handled in iOS Settings → your Apple ID → Subscriptions.
You can delete every server-side trace from inside the app: Settings → Account → Delete account. This wipes your subscription record, usage counters, and Sign in with Apple link from our database, then removes all local data on this device. Apple Health entries stay in Health - iOS owns those, and you can delete them in the Health app.
Weigh is not directed at children under 13. The app has no public profile, no social feed, no chat with strangers, and no user-generated content visible to others.
If this policy materially changes, the in-app feedback prompt or a brief banner will flag it on the next launch. Questions or concerns: support.agrcollective@gmail.com - one person reads every email.