Privacy Policy

Last updated: 21 April 2026

Overview

EdibleFactor ("we", "our", "us") operates the EdibleFactor mobile application and website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using EdibleFactor, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Personal Information you provide:

  • Name, email address, and profile photo (via Google OAuth sign-in)
  • Health data: age, sex, weight, height, activity level (provided during onboarding)
  • Dietary preferences (vegetarian, vegan, keto, halal, gluten-free, dairy-free, nut-free)
  • Daily calorie targets and monthly food budget

Usage Data we collect automatically:

  • Meal logs (items logged, calories, macros, timestamps)
  • Favorite items and order history
  • Chat messages with our AI assistant
  • Menu scan images (processed in real-time, not stored permanently)
  • Device information, IP address, and interaction analytics (via PostHog)
  • Push notification tokens (if notifications are enabled)

Payment Information:

  • Subscription plan selections and billing status
  • Payment processing is handled entirely by Razorpay; we do not store card numbers, UPI IDs, or bank details

2. How We Use Your Information

We use your data to:

  • Calculate your Basal Metabolic Rate (BMR) and Total Daily Energy Expenditure (TDEE)
  • Provide personalised meal recommendations within your calorie and budget limits
  • Power AI chat responses and menu scanning via Google Gemini
  • Track your daily nutrition intake and spending
  • Send meal reminders and budget alerts (with your permission)
  • Process subscription payments via Razorpay
  • Analyse usage patterns to improve the Service (via PostHog, hosted in the EU)
  • Enforce our Terms of Service and prevent misuse

3. Third-Party Services

We share data with the following processors, strictly for Service operation:

Service | Purpose | Data Shared | Location
--- | --- | --- | ---
Supabase | Database & authentication | Profile, meal logs, orders | Cloud (check project region)
Google (OAuth) | Sign-in | Email, name, profile photo | Global
Google Gemini AI | Chat & menu scanning | Chat messages, scanned images, dietary context | Global
Razorpay | Payment processing | Subscription plan, billing events | India
PostHog | Product analytics | Anonymised usage events | EU
Firebase | Push notifications | Device token | Global
Vercel | Hosting | Request logs, IP address | Global

We do not sell your personal data to any third party.

4. Data Retention

  • Account data is retained for as long as your account is active.
  • Meal logs and chat history are retained indefinitely unless you request deletion.
  • Menu scan images are processed in memory and are not permanently stored.
  • Analytics data (PostHog) is retained for 12 months.
  • Upon account deletion, all personal data is removed within 30 days. Anonymised, aggregated data may be retained for analytical purposes.

5. Your Rights

Under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable laws, you have the right to:

  • Access your personal data held by us
  • Correct inaccurate or incomplete data
  • Delete your account and associated data
  • Withdraw consent for data processing at any time
  • Port your data in a machine-readable format
  • Nominate a person to exercise your rights on your behalf

To exercise any of these rights, contact us at privacy@ediblefactor.com.

6. Data Security

We implement industry-standard measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS
  • Database access is controlled via Row-Level Security (RLS) policies
  • API keys and secrets are stored as environment variables, never in client code
  • Razorpay webhook signatures are verified using HMAC SHA-256
  • Authentication tokens are managed by Supabase with secure cookie handling

No method of transmission or storage is 100% secure. If you discover a vulnerability, please report it to security@ediblefactor.com.

7. Cookies & Local Storage

We use:

  • Authentication cookies (Supabase session) — essential for login
  • Guest mode cookie (ef-guest) — tracks guest session, expires in 24 hours
  • localStorage — stores daily macro totals, notification preferences, and UI state (install prompt dismissal, engagement tracking)
  • Service Worker cache — caches static assets for offline access

We do not use third-party advertising cookies.

8. Children's Privacy

EdibleFactor is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us and we will promptly delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

10. Contact Us

For privacy-related enquiries:

  • Email: privacy@ediblefactor.com
  • Address: Bangalore, Karnataka, India

For grievances under the DPDP Act, you may also contact the Data Protection Board of India.