Privacy Policy

Effective date: April 13, 2025  ·  Last updated: April 13, 2025

This Privacy Policy explains how MirrorBit AI ("we", "our", or "us") collects, uses, shares, and protects your information when you use the SlayCal mobile application ("App") on iOS or Android. Please read it carefully.

Key Points — Summary

We do NOT sell your personal data

Your data is never sold to third parties for advertising.

We do NOT track you across apps

NSPrivacyTracking is disabled; no cross-app tracking.

No third-party analytics SDKs

We use no Amplitude, Segment, or Firebase Analytics.

Microphone is NOT used

The microphone permission is explicitly disabled.

Health data is self-reported

We never access HealthKit or Google Fit.

Meal images are processed by AI

Food photos are sent to OpenAI for recognition.

Meal images are publicly stored

Images in Firebase Storage are accessible via URL.

Anonymous use is supported

You can use the app without creating an account.

This policy is available in English. If you need a translation, please contact us at [email protected].

01 Introduction

SlayCal is an AI-powered calorie and nutrition tracking mobile application developed and operated by MirrorBit AI ("Company", "we", "us", or "our"). The App is available on iOS (bundle ID: com.slaycal.ios) and Android (bundle ID: com.slaycal.android).

This Privacy Policy describes how we collect, use, disclose, and safeguard information about you when you use SlayCal. It applies to all users regardless of account status, including anonymous (guest) users.

By downloading or using the App, you agree to this Privacy Policy. If you do not agree, please do not use the App. This policy is incorporated into and subject to our Terms of Service.

Anonymous users: You can use core features of SlayCal without creating an account. In this case, we identify your session using a device identifier only (iOS IDFV or Android ID) and do not collect your email or name.

02 Information We Collect

We collect information you provide directly, information generated through your use of the App, and limited technical information from your device.

2.1 Account Information

Collected only when you register for an account:

| Data Element | Purpose | Required? |
| --- | --- | --- |
| Email address | Account creation, login, and notifications | Yes (for registered users) |
| Password (bcrypt hash) | Authentication — stored as a one-way hash, never in plain text | Yes (email/password accounts) |
| First name & last name | Personalise in-app experience | Optional |
| Authentication provider | Identify login method (email, Google, Apple) | Yes |
| Google Subject ID | Link Google Sign-In identity to your account | Only for Google Sign-In users |
| Apple Subject ID | Link Apple Sign-In identity to your account | Only for Apple Sign-In users |

2.2 Anonymous & Device Data

Collected for all users, including anonymous sessions:

  • Device identifier — iOS IDFV (Identifier for Vendor) or Android ID. Used to maintain anonymous sessions and enforce daily usage quotas. This identifier is NOT used to track you across other apps or websites.
  • Platform — iOS or Android.
  • App version — to provide version-appropriate features and support.
  • Locale / language preference — to display the App in your preferred language.

2.3 Health & Fitness Data

All health data in SlayCal is self-reported by you during the onboarding survey or subsequent profile updates. We do not access Apple HealthKit, Google Fit, or any other health platform API.

Data collected via the onboarding survey includes:

  • Gender, age, height, current weight, and goal weight
  • Activity level and fitness level
  • Health conditions (e.g., diabetes, hypertension — as disclosed voluntarily)
  • Physical limitations or injuries
  • Workout and exercise preferences
  • Goal type (e.g., weight loss, muscle gain) and target timeline
  • Raw survey responses and survey completion timestamp

Health conditions and physical limitations are considered special category (sensitive) personal data under GDPR. We process this data solely to generate personalised nutrition and fitness recommendations at your explicit request. You may delete this data at any time from within the App or by contacting us.

2.4 Dietary Preferences

  • Dietary style (e.g., vegan, vegetarian, keto, halal)
  • Food allergens and intolerances
  • Cuisine preferences
  • Preferred meals per day
  • Maximum cook time preference

2.5 Nutrition & Lifestyle Logs

  • Food log entries — meal name, macronutrients (calories, protein, carbohydrates, fat), quantity, meal type (breakfast/lunch/dinner/snack), and timestamp.
  • Meal images — photos taken with your camera or selected from your photo library. Important: meal images are uploaded to Firebase Storage and are accessible to anyone with the URL. Do not photograph anything other than food you intend to log.
  • Water intake logs — volume (ml) and timestamp per entry.
  • Weight logs — body weight entries with date and unit (kg/lb).
  • Goal plans — daily calorie target, macro targets (protein/carbs/fat), water goal, and weight goal.

2.6 Subscription & Payment Data

  • Subscription tier (free, premium, or trial)
  • Trial period start and end dates
  • Apple App Store transaction ID and product ID (iOS in-app purchases)

We do not collect, store, or process credit card numbers, bank account details, or any other payment credentials. All payment transactions are handled exclusively by Apple App Store or Google Play Store, governed by their respective privacy policies.

2.7 Push Notification Data

  • Firebase Cloud Messaging (FCM) token — a device-specific token used to deliver push notifications.
  • FCM token platform (iOS / Android).

2.8 Usage Data

  • Feature usage quotas — daily counters for AI meal scans, food recognition requests, and AI recipe generations. Stored transiently in Redis and reset every 24 hours.
  • JWT refresh tokens — session tokens stored server-side to maintain authenticated sessions securely.

We do not use any third-party analytics SDK (e.g., Amplitude, Segment, Mixpanel, or Firebase Analytics). Usage data is limited to the quota counters described above and is not used for behavioural profiling.

03 How We Use Your Information

| Purpose | Data Used | Legal Basis (GDPR) |
| --- | --- | --- |
| Account management — create, authenticate, and manage your account | Account information, device identifier | Contract performance (Art. 6(1)(b)) |
| Nutrition & calorie tracking — log meals, water, and weight; display daily goals and progress | Food logs, water logs, weight logs, goal plans | Contract performance (Art. 6(1)(b)) |
| AI food image analysis — identify food from meal photos and return nutrition data | Meal images, text prompts (sent to OpenAI) | Contract performance (Art. 6(1)(b)) |
| AI recipe generation — generate personalised recipes based on your preferences | Dietary preferences, health profile, text prompts (sent to OpenAI) | Contract performance (Art. 6(1)(b)) |
| Personalisation — tailor calorie goals, macro targets, and recommendations | Health & fitness data, dietary preferences | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a) for health data) |
| Push notifications — send reminders, hydration alerts, and meal logging prompts | FCM token | Consent (Art. 6(1)(a)) |
| Subscription management — process and validate in-app purchases | Subscription & payment data | Contract performance (Art. 6(1)(b)) |
| Usage quota enforcement — enforce daily feature limits per subscription tier | Device identifier, usage counters | Legitimate interests (Art. 6(1)(f)) |
| Security & fraud prevention — detect, prevent, and investigate abuse | Device identifier, session tokens | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance — comply with applicable laws and regulations | As required by law | Legal obligation (Art. 6(1)(c)) |

We do not use your information for targeted advertising, behavioural profiling, or any purpose other than those described above.

04 How We Share Your Information

We do not sell your personal data. We do not rent, trade, or share your personal data with third parties for advertising or marketing purposes.

We share data only with the following service providers, strictly to operate the App:

| Service | Provider | Purpose | Data Shared | Privacy Policy |
| --- | --- | --- | --- | --- |
| AI Analysis | OpenAI (GPT-4o-mini) | Food image recognition; recipe generation | Meal image URLs; text prompts describing meals or recipe requests | openai.com/privacy |
| Image Storage | Firebase Cloud Storage (Google) | Store user-uploaded meal and recipe images | Image files; publicly accessible via Storage URL | firebase.google.com/support/privacy |
| Push Notifications | Firebase Cloud Messaging (Google) | Deliver push notifications to your device | FCM device token; notification content | firebase.google.com/support/privacy |
| Google Sign-In | Google OAuth (google-auth-library) | Verify Google Sign-In identity tokens | Google user profile: email, name, Subject ID | policies.google.com/privacy |
| Apple Sign-In | Apple Inc. | Verify Apple identity tokens via Apple's JWKS endpoint | Apple user ID; optional email and name | apple.com/legal/privacy |
| Primary Database | MongoDB Atlas | Store all user account and app data | All user data described in Section 2 | mongodb.com/legal/privacy-policy |
| Caching | Redis | Temporary storage of daily feature usage quotas | Per-user daily counters (scan, recognition, recipe); reset every 24 hours | Infrastructure only; no independent privacy policy |

AI-Processed Data Notice

When you use the AI meal scanner or AI recipe features, your food images and text prompts are transmitted to OpenAI's API for processing. This data is subject to OpenAI's Privacy Policy and Terms of Service in addition to this policy. OpenAI may retain API inputs and outputs for safety monitoring in accordance with their own data usage policies. We encourage you to review OpenAI's privacy policy.

Other Disclosures

We may also disclose your information:

  • Legal requirements — if required by law, court order, or government authority.
  • Protect rights — to enforce our Terms of Service or protect the rights, property, or safety of MirrorBit AI, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, or sale of all or a portion of our assets. You will be notified via email or a prominent in-app notice prior to your data being transferred and becoming subject to a different privacy policy.
  • With your consent — for any other purpose with your explicit consent.

05 Data Storage & Security

Where We Store Data

  • MongoDB Atlas — primary database for all user account data, health profiles, food logs, and settings. Hosted on secure, managed cloud infrastructure.
  • Firebase Cloud Storage (Google) — stores meal images and AI-generated recipe images. Images are stored under unique paths and are publicly accessible via URL once uploaded.
  • Redis — in-memory cache for daily usage quota counters. Data is ephemeral and automatically expires every 24 hours.

Security Measures

  • Encryption in transit — all data transmitted between the App and our servers uses HTTPS/TLS encryption.
  • Password hashing — passwords are hashed with bcrypt (industry-standard adaptive hashing) before storage. We never store passwords in plain text.
  • JWT authentication — session management uses short-lived JSON Web Tokens (JWT) with server-side refresh token rotation.
  • Access controls — database access is restricted to authorised server-side services only, with role-based permissions.
  • No cross-app tracking — NSPrivacyTracking is set to false; we do not track users across apps or websites.

Meal image accessibility: Meal photos you take or upload are stored in Firebase Cloud Storage and are accessible to anyone who has the specific URL. While URLs are not listed or indexed, they are technically public. Do not upload images containing sensitive personal information.

No method of transmission over the Internet or electronic storage is 100% secure. While we use commercially reasonable security measures, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to [email protected].

06 Data Retention

| Data Category | Retention Period | Notes |
| --- | --- | --- |
| Account information | Until account deletion | Deleted within 30 days of account deletion request |
| Health & fitness profile | Until account deletion or user removes data | Can be cleared in-app at any time |
| Food, water & weight logs | Until account deletion or user deletes entries | Individual entries can be deleted in-app |
| Meal images (Firebase Storage) | Until account deletion | Deleted from Firebase Storage within 30 days |
| Daily usage quota counters | 24 hours (Redis TTL) | Ephemeral — automatically expires |
| JWT refresh tokens | Until expiry or logout | Invalidated server-side upon logout |
| Subscription records | 7 years | Retained for tax and financial compliance |
| Anonymous session data (device ID) | 90 days of inactivity | Purged after 90 days without activity |

Account Deletion

You may delete your account at any time from Settings → Account → Delete Account within the App, or by emailing [email protected].

Upon account deletion:

  • Your personal data is permanently deleted from our primary database within 30 days.
  • Meal images are removed from Firebase Storage within 30 days.
  • Usage quota counters expire automatically within 24 hours.
  • Backup copies may persist for up to 90 days in automated backup systems, after which they are also purged.
  • Financial transaction records are retained for the legally required period (up to 7 years) with all personal identifiers anonymised where possible.

07 Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data. See Section 15 (California) and Section 16 (Europe) for jurisdiction-specific rights.

Right to Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

Right to Restriction

Request that we restrict processing of your data in certain circumstances.

Right to Withdraw Consent

Withdraw consent at any time for consent-based processing (e.g., push notifications, sensitive health data).

Right to Lodge a Complaint

Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

08 Children's Privacy

SlayCal is not intended for children under the age of 13 (or under 16 in the European Economic Area and the United Kingdom, where a higher age threshold applies under GDPR). We do not knowingly collect personal data from children below these ages.

Our App is rated 4+ on the Apple App Store and the appropriate maturity rating on Google Play. However, we rely on users to confirm they meet the minimum age requirement during account registration.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at [email protected]. We will delete any such information promptly upon verification.

If we discover that we have inadvertently collected personal data from a child under the applicable minimum age, we will delete that information immediately and terminate the associated account.

09 International Data Transfers

MirrorBit AI operates globally. Your personal data may be transferred to, and processed in, countries other than the country in which you reside. In particular, our servers are hosted via MongoDB Atlas, and we use cloud services from Google (Firebase) and OpenAI, which may process data in the United States and other countries.

These countries may have data protection laws that differ from those in your country. Where we transfer personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to third countries, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — approved by the European Commission, used with relevant service providers.
  • Adequacy decisions — where the European Commission has recognised the recipient country as providing adequate protection.
  • Data Processing Agreements — entered into with all sub-processors who handle EU personal data.

By using SlayCal, you acknowledge and consent to the transfer of your information to countries outside your country of residence, including the United States, as described in this policy.

10 Local Storage (AsyncStorage) & Cookies

SlayCal is a native mobile application. We do not use web cookies. Instead, the App uses React Native AsyncStorage — a local, on-device key-value storage system — to persist the following data locally on your device:

| Key | Data Stored | Purpose |
| --- | --- | --- |
| auth_token | JWT access token | Maintain authenticated session between app launches |
| refresh_token | JWT refresh token | Silently refresh expired access tokens |
| language | Selected locale (e.g., "en", "tr") | Display the App in your preferred language |
| theme | "light" or "dark" | Remember your display theme preference |
| onboarding_complete | Boolean flag | Skip the onboarding survey if already completed |

This data is stored entirely on your device and is not transmitted to our servers (with the exception of tokens, which are validated server-side). Uninstalling the App clears all locally stored data.

11 Push Notifications

With your permission, SlayCal sends push notifications to remind you to log meals, drink water, check your daily progress, and receive motivational tips.

Push notifications are delivered via Firebase Cloud Messaging (FCM). To send notifications, we store your FCM device token on our servers.

How to Opt Out

  • iOS: Go to Settings → Notifications → SlayCal and toggle off "Allow Notifications".
  • Android: Go to Settings → Apps → SlayCal → Notifications and disable notifications.
  • In-App: Go to SlayCal → Settings → Notifications to manage individual notification types.

Disabling notifications will not affect your ability to use the core features of the App. Upon opt-out, we will stop sending notifications, though the FCM token may remain stored on our servers until the next app session when it is cleared.

12 Device Permissions

| Permission | Platform | Purpose | Required? |
| --- | --- | --- | --- |
| Camera | iOS & Android | Capture meal photos for AI food recognition | Required for AI scan feature |
| Photo Library / Media & Files | iOS | Select existing meal photos from your photo library | Optional — alternative to Camera |
| Storage (READ/WRITE) | Android | Read and write meal image files on device | Required for image handling on Android |
| Internet | Android | Required for all network operations | Required |
| Vibration | Android | Haptic feedback for notifications | Optional |
| Push Notifications | iOS & Android | Deliver reminders and alerts | Optional |

Microphone: SlayCal does not request or use microphone access. The microphone permission is explicitly disabled in the App's privacy manifest. We do not record audio of any kind.

HealthKit / Google Fit: SlayCal does not access Apple HealthKit or Google Fit. All health metrics (weight, activity level, etc.) are manually entered by you.

13 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy.
  • Send a push notification or in-app alert to registered users if the changes are significant.
  • For changes that materially affect how we process special category data (health data), we will request renewed consent before processing.

Your continued use of SlayCal after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the App and may delete your account.

Previous versions of this policy are available upon request by emailing [email protected].

14 Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

MirrorBit AI

Developer of SlayCal

Privacy inquiries: [email protected]
Security reports: [email protected]
Website: slaycal.app

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters, please include "URGENT" in your email subject line.

15 California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories:

| Category | Examples | Collected? |
| --- | --- | --- |
| Identifiers | Email, device ID, Apple/Google Subject ID | ✓ Yes |
| Personal Records | Name, account information | ✓ Yes (optional) |
| Protected Classifications | Age, gender | ✓ Yes (self-reported) |
| Health & Medical Information | Weight, health conditions, fitness data | ✓ Yes (self-reported) |
| Commercial Information | Subscription tier, transaction IDs | ✓ Yes |
| Internet / Network Activity | FCM token, usage quotas | ✓ Yes |
| Geolocation Data | Precise location | ✗ No |
| Biometric Data | Fingerprints, facial scans | ✗ No |
| Sensory Data | Audio recordings | ✗ No |
| Inferences | Calorie goals and nutrition plans derived from profile | ✓ Yes |

Your California Rights

Right to Know

Request disclosure of what personal information we collect, use, disclose, and sell about you.

Right to Delete

Request deletion of your personal information (subject to certain exceptions).

Right to Correct

Request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale/Sharing

We do NOT sell or share your personal information with third parties for cross-context behavioral advertising.

Right to Limit Sensitive Data Use

Request that we limit the use of your sensitive personal information (e.g., health data) to necessary purposes.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

We do not sell personal information as defined under CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. California residents may still submit a "Do Not Sell or Share My Personal Information" request to [email protected], which we will honour.

How to Exercise Your California Rights

Submit a verifiable consumer request by:

  • Emailing [email protected] with the subject line "California Privacy Request"
  • Using the in-app account deletion feature (Settings → Account → Delete Account)

We will respond to verifiable requests within 45 days. If we need additional time (up to 90 days), we will notify you of the extension in writing. You may designate an authorised agent to submit requests on your behalf.

Shine the Light

California Civil Code Section 1798.83 ("Shine the Light") allows California residents to request information once per year about the categories of personal information (if any) we disclosed to third parties for their direct marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for direct marketing purposes.

16 European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR) (or equivalent UK/Swiss law) applies to our processing of your personal data.

Data Controller

MirrorBit AI is the data controller for your personal data. For the purposes of GDPR, your data is controlled by:

MirrorBit AI
Email: [email protected]
Website: slaycal.app

Legal Bases for Processing

We process your personal data on the following legal bases under GDPR Article 6 (and Article 9 for special category data):

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the App's core features (account management, food logging, AI analysis).
  • Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, and usage quota enforcement, where our interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a)) — push notifications and optional personalisation features. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — financial record retention and regulatory compliance.
  • Explicit consent for special category data (Art. 9(2)(a)) — health conditions, physical limitations, and other sensitive health data provided during onboarding.

Your GDPR Rights

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erasure ("right to be forgotten") (Art. 17)
  • Restrict processing in certain circumstances (Art. 18)
  • Data portability in a machine-readable format (Art. 20)
  • Object to processing based on legitimate interests or for direct marketing (Art. 21)
  • Withdraw consent at any time without affecting lawfulness of prior processing (Art. 7(3))
  • Not be subject to solely automated decision-making that produces significant legal effects (Art. 22)

How to Exercise Your GDPR Rights

Submit requests to [email protected]. We will respond within 30 days (extendable to 3 months for complex requests with notice). We may request proof of identity before fulfilling your request.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority. For EU residents, find your national DPA at edpb.europa.eu. For UK residents, contact the Information Commissioner's Office (ICO).

Automated Decision-Making

SlayCal generates personalised calorie goals and nutrition targets based on your self-reported health profile. While these are generated algorithmically (including via AI), they do not produce legal or similarly significant effects — they are nutritional suggestions only. You retain full control and may adjust or override any generated recommendations within the App.

Questions about your privacy?

Contact us at [email protected] — we respond within 30 days.

Effective: April 13, 2025 · Last updated: April 13, 2025 · © 2025 MirrorBit AI. All rights reserved.