Privacy Policy
Last updated: March 27, 2026
Overview
CarbCam is a food-scanning app that estimates carbohydrate and nutritional content. This policy explains what data is collected by the app and by the third-party services it relies on, how that data is used, and your choices regarding it.
CarbCam does not require an account or registration. We do not collect, store, or have access to any personally identifiable information on our own servers.
Data We Collect
CarbCam itself does not operate any servers. All data processing is performed either on your device or by the third-party services described below. The app does not collect your name, email address, phone number, location, contacts, or any other personal information.
Camera & Photo Library
CarbCam requests camera access to photograph food items for nutritional analysis. If you use the photo library, only the image you select is accessed.
Photos are used solely for nutritional analysis. Small thumbnail copies are stored locally on your device as part of your scan history. When Advanced AI analysis is enabled, a resized copy of the image is transmitted to Google's Gemini API as described below.
Third-Party Services
CarbCam integrates the following third-party services. Each service receives only the data necessary to perform its function.
Google Gemini API
When you use Advanced AI analysis, your food image and a text prompt describing the analysis request are sent to Google's Gemini API. If you provide follow-up corrections, those text messages and the conversation history are also sent.
The app uses Grounding with Google Search, which allows the AI to perform web searches to look up product information. Google stores prompts, contextual information, and output from Grounding with Google Search for 30 days for debugging and system testing.
Under Google's Gemini API Additional Terms of Service, Google may use the content you submit (including food images and prompts) and any generated responses to provide, improve, and develop Google products and services and machine learning technologies. Human reviewers at Google may read, annotate, and process your API input and output as part of quality improvement. Google takes steps to disconnect this data from your identity before review.
For more information, see: - Gemini API Terms of Service - Firebase Privacy and Security - Google Privacy Policy
Firebase SDK (Google)
CarbCam uses the Firebase SDK to access the Gemini API. The Firebase SDK may collect baseline Firebase Service Data including app identifiers, IP addresses, and basic technical/operational details.
CarbCam uses Firebase Analytics (Google Analytics for Firebase) to collect anonymous usage data. This data helps us understand how the app is used and improve the experience. Analytics data is associated with an anonymous app-instance identifier — it is not linked to your name, email, or Apple ID. Google may use aggregated analytics data to improve its products. For details, see Firebase Privacy and Security.
CarbCam uses Firebase Crashlytics to collect anonymous crash reports and non-fatal error data. This helps us identify and fix bugs. Crash data includes device state and stack traces but does not include personally identifiable information. For details, see Firebase Privacy and Security.
Firebase encrypts data in transit using HTTPS. For more detail, see Privacy and Security in Firebase.
USDA FoodData Central
When a barcode is scanned or a food item is searched, CarbCam may query the U.S. Department of Agriculture FoodData Central API to retrieve nutritional information. These requests include only the barcode number or food search term. No personal data is transmitted. As a U.S. government service, standard federal web logging applies (IP address, timestamp, request URL). The USDA does not use this data for commercial purposes.
Open Food Facts
CarbCam may also query the Open Food Facts API, an open-source, non-profit food database. These requests include only the barcode number or food search term. Per Open Food Facts' privacy policy, IP addresses from API visits are logged for up to 3 years for security and technical analysis. Open Food Facts does not profile users, does not sell data, and does not communicate personal data to third parties for commercial purposes.
On-Device Processing
The following processing happens entirely on your device and no data leaves your device:
- Barcode detection
- Optical character recognition (OCR) of nutrition labels
- On-device AI analysis using Apple Intelligence, when available
- Image classification
Local Storage
The following data is stored locally on your device:
- Scan history: previous food analysis results
- Thumbnail images: small copies of scanned items
- Subscription status: usage tracking for your subscription
- App preferences: your chosen settings
This data never leaves your device unless you back up your device via iCloud or Finder. You can delete scan history from within the app at any time.
Analytics & Advertising
CarbCam does not include any advertising SDKs, does not display ads, and does not sell or share your data with advertisers or data brokers. CarbCam does not use the Apple Advertising Identifier (IDFA).
CarbCam uses Firebase Analytics to collect anonymous usage data. No personally identifiable information is collected. Analytics data is associated with an anonymous app-instance identifier and is used solely to improve the app. See the Firebase SDK section above for details.
Subscriptions & Payments
CarbCam offers an optional subscription managed entirely by Apple through the App Store. We never have access to your payment information, credit card number, or Apple ID. Apple's privacy policy governs payment processing.
Third-Party App Links
CarbCam can open companion diabetes-management apps (such as Dexcom, mySugr, Omnipod, and t:connect). No data is passed to these apps -- they are simply launched so you can manually enter information if you choose.
Children's Privacy
CarbCam is not directed at children under the age of 18. The Gemini API Terms of Service require that the service not be used as part of an application directed towards or likely to be accessed by individuals under 18.
Data Retention Summary
| Data | Where Stored | Retention |
|---|---|---|
| Food images sent to Gemini API | Google servers | Subject to Google's retention policies; Grounding data stored up to 30 days |
| Food search queries (USDA) | USDA servers | Subject to federal government logging policies |
| Food search queries (Open Food Facts) | Open Food Facts servers | IP logs retained up to 3 years |
| Firebase Service Data | Google servers | See Firebase privacy documentation |
| Firebase Analytics data | Google servers | See Firebase privacy documentation |
| Crash reports | Google servers | See Firebase privacy documentation |
| Scan history & thumbnails | Your device only | Until you delete them |
| App preferences | Your device only | Until you delete the app |
Your Rights
Because CarbCam does not collect personal information on its own servers, there is no personal data for us to access, correct, or delete. For data held by third-party services, you may exercise your rights directly with those providers:
- Google: Google Privacy Tools
- Open Food Facts: privacy@openfoodfacts.org
Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the app after changes constitutes acceptance of the updated policy.
Contact
If you have any questions about this privacy policy, please contact us through the App Store support link on our app page.