Last updated: June 16, 2026
TL;DR: We don't store your photos, we don't track you, and we don't sell your data. Photos are analyzed in-memory and immediately discarded. Your scan history lives on your device, and only syncs through your own private iCloud account if you turn on iCloud Sync (which only you can access). CarbZen can write carbs to Apple Health (iOS) or Health Connect (Android) if you opt in; it never reads them back.
CarbZen processes food photos to estimate carbohydrate content. Photos are sent to our secure server for AI analysis and are not stored after processing. We do not collect your name, email, account information, or location.
We send anonymous, non-identifying usage events (for example: "scan started", "paywall viewed") to a privacy-focused analytics service so we can improve the app. These events contain no personal data and no scan content. See the "Anonymous Usage Analytics" section below for the full list of what we send and what we never send.
If the app crashes or hits an unexpected error, we also send a technical crash and diagnostic report to a third-party error-monitoring service so we can fix stability problems. These reports contain no personal data and no scan content. See the "Crash & Diagnostic Data" section below for details.
Your scan history (photos, food items, carb estimates) is stored locally on your device: on iOS using Apple's SwiftData framework, on Android using Room. This data stays on your device unless you turn on iCloud Sync (iOS), which syncs it privately through your own iCloud account; we never have access to it. It otherwise never leaves your device.
We use the following services to process food analysis:
Anthropic (Claude AI): Analyzes food photos to identify items and estimate carbs. Photos are processed per Anthropic's privacy policy and are not used for training.
USDA FoodData Central: Provides verified nutritional data. Only food names are sent (no photos).
RevenueCat: Manages subscriptions and unlocks Pro across your devices. Receives your purchase and subscription status (which plan, and whether it is active, renewed, cancelled, or refunded) and a random per-install identifier, never your name, email, Apple or Google account, or payment card details. US-based; see RevenueCat's privacy policy.
Subscription and Lifetime purchases are processed entirely by the platform's billing system: on iOS by Apple through StoreKit, on Android by Google through Play Billing. We do not have access to your payment information. We use RevenueCat (US-based) to manage and validate your subscription status and unlock Pro across your devices; it receives your purchase and subscription status and a random per-install identifier, but never your name, email, account, or payment card details.
CarbZen uses TelemetryDeck to measure how the app is used so we can improve it. TelemetryDeck is a privacy-focused analytics service based in Hannover, Germany and operates under GDPR by default.
What we send to TelemetryDeck:
• Anonymous product-interaction events (for example: scan started, scan completed, paywall viewed, purchase started, onboarding completed, camera permission granted or denied, HealthKit or Health Connect permission granted or denied).
• Anonymous diagnostic events (for example: an error occurred during image preparation).
• App version, OS version, device model, and locale.
• A salted, irreversibly hashed install identifier so duplicate events from the same install can be deduplicated.
What we do not send to TelemetryDeck:
• No name, email, account, phone number, or any other personal identifier.
• No photos, food items, carb counts, scan content, or any data derived from a scan.
• No Apple ID, Google account, IDFA, advertising ID, or any advertising identifier.
• No location, contacts, HealthKit values, or Health Connect values.
The salted hash means events cannot be linked back to you. We use this data only to count things (how many people reached the paywall, how often scans fail), never to identify a person.
Alongside TelemetryDeck, CarbZen uses PostHog, a product-analytics and error-tracking service (US-based). The same product-interaction and diagnostic events described above are also sent to PostHog, and crash and error reports are sent to PostHog so we can find and fix stability problems.
What we send to PostHog:
• The product-interaction and diagnostic events listed in the Analytics section above (for example: scan started, scan completed, paywall viewed, purchase started, an error during image preparation).
• Crash and error reports: the type of error, where in the app it occurred, the technical stack trace, and diagnostic context (app version, OS version, device model, locale, and whether the build is a release or TestFlight build).
• A persistent per-install identifier (the same random identifier the app uses for its own features) so events from the same installation can be grouped. It is specific to your installation of CarbZen, not your name, email, or account.
• Your approximate location (city / region / country), which PostHog derives from your IP address when your device contacts it.
What we do not send to PostHog:
• No name, email, account, or phone number.
• No photos, food items, carb counts, scan content, or any data derived from a scan.
• No precise (GPS) location, contacts, HealthKit values, or Health Connect values.
• No Apple ID, Google account, IDFA, advertising ID, or any advertising identifier, and PostHog is not used to track you across other apps or websites.
This data is collected only to understand product usage and improve app stability, and is never sold or used for advertising. See PostHog's Privacy Policy.
On Android, CarbZen Pro users can opt in to write per-scan nutrition values (carbohydrates, protein, fat, fiber, calories) to Health Connect, Android's user-controlled on-device health data store. This is a Pro feature, off by default, and explicitly opted in via Android's standard permission UI.
What we write to Health Connect:
• Nutrition records derived from your saved scans (carbohydrates, protein, fat, fiber, calories), so the values appear alongside other diabetes data you may already track on the device.
What we do not do with Health Connect:
• We never read from Health Connect. The Android app declares only the WRITE_NUTRITION permission and does not request any read permission.
• We do not upload Health Connect data anywhere. The write is an on-device operation; the values never leave your device through this path.
• We do not share Health Connect data with any third party.
You can revoke Health Connect access at any time in the Health Connect app or in Android Settings → Apps. CarbZen-written nutrition records remain in Health Connect under your control until you delete them there; "Reset Scan History" in CarbZen does not delete Health Connect entries (that is by design: your Health Connect data belongs to you, not to us).
CarbZen does not knowingly collect data from children under 13.
Photos are processed in-memory by our server infrastructure and are never stored after analysis is complete. Server request logs are retained for up to 72 hours for operational monitoring and then automatically deleted. On-device scan history persists locally (Apple SwiftData on iOS, Room on Android) until you manually delete individual records or uninstall the app.
If you are located in the European Economic Area, you have the right to access, rectify, erase, restrict processing of, and port your personal data, as well as the right to object to processing. Because CarbZen does not store personal data on our servers, most of these rights are satisfied by design: your data lives entirely on your device under your control. To exercise any data rights or make a request, contact us at support@cognfy.com.
If you are a California resident, you have the right to know what personal information is collected, to request deletion of your data, and to opt out of the sale of personal information. CarbZen does not sell your personal information. Because all scan data is stored locally on your device, you can delete it at any time by removing individual records within the app or by uninstalling. For questions, contact support@cognfy.com.
When you scan food, image data is transmitted to our server infrastructure powered by Cloudflare Workers (processed at the nearest global edge location) and forwarded to Anthropic's Claude AI (US-based) for analysis. Food names may be sent to the USDA FoodData Central API (US-based) for nutritional enrichment. Anonymous usage events are sent to TelemetryDeck (Germany-based, processed in the EU). The same product-usage events and our crash and diagnostic reports are also sent to PostHog (US-based), which derives an approximate location (city / region / country) from your IP address. Your purchase and subscription status, with a random per-install identifier, is sent to RevenueCat (US-based) to manage subscriptions and unlock Pro. These transfers are governed by each provider's standard data processing agreements. See Cloudflare's Privacy Policy, Anthropic's Privacy Policy, TelemetryDeck's Privacy Policy, PostHog's Privacy Policy, and RevenueCat's Privacy Policy.
CarbZen does not use cookies, tracking pixels, advertising identifiers (such as IDFA on iOS or the Android Advertising ID), or cross-app tracking. Our usage analytics (see the sections above) are keyed to a per-install identifier and, for PostHog, an approximate location derived from your IP address; neither is your real-world identity, and we have no mechanism to track you across other apps or websites.
CarbZen relies on the following third-party services to deliver its functionality:
Cloudflare: Edge compute and request routing. Privacy Policy
Anthropic (Claude AI): Food photo analysis. Privacy Policy
USDA FoodData Central: Nutritional data lookup. Website
TelemetryDeck: Anonymous usage analytics. Privacy Policy
PostHog: Product analytics and crash/error reporting (US-based). Privacy Policy
RevenueCat: Subscription management and entitlement validation (US-based). Privacy Policy
Questions about this policy? Contact us at support@cognfy.com.