Privacy Policy

Last Updated: June 20, 2026

This Privacy Policy explains how Bazu Technologies, LLC (“Bazu,” “we,” “us”) collects, uses, shares, and protects your personal information when you use the Bazu mobile application, website, and related services (collectively, the “Service”).

Bazu is a wellness and food-tracking app intended for adults (18+) in the United States. The Service is not designed to diagnose, treat, or manage any medical condition. Please also read our Terms of Service and Medical Disclaimer.

If you are a Washington or Nevada resident, additional disclosures and rights apply to your consumer health data — please read our separate Consumer Health Data Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

Account Information

  • Name (first and last)
  • Email address
  • Username
  • Date of birth
  • Password (stored as a one-way hash; we never see your plaintext password)
  • OAuth provider information if you sign in with Google or Apple (see below)

OAuth Sign-In Details

If you sign in with Google or Apple, we receive your email address and an authentication token. We do NOT access your Gmail, Google Drive, iCloud, or other Google/Apple services. If you sign in with OAuth, you cannot change your email inside Bazu — update it with Google or Apple directly.

Wellness Profile

  • Gender
  • Height and weight (with the units you prefer)
  • Weight goal (lose / maintain / gain)
  • Wellness goal (steady energy / fewer cravings / etc.)
  • Nutrition goals (cut added sugar / more protein / etc.)
  • Self-reported diabetic status (none / pre-diabetes / Type 2 / Type 1 / other / not sure) — collected once during onboarding and editable later. Used to personalize the Service and to gate the Estimated Glucose Curve for Type 1 users. Never shared with advertisers, insurers, or any third party.

Meal and Food Data

  • Meal descriptions you type
  • Meal photos you take
  • Food ratings, meal feelings, and notes
  • Timestamps and meal-type buckets (breakfast / lunch / dinner / snack)

Optional Health Data (only if you provide it)

  • Blood glucose readings, if you manually enter them
  • Continuous glucose monitor (CGM) glucose readings, if you enable CGM integration via Apple HealthKit (see Section 1.4)
  • Insulin doses, if you manually enter them

Most users do not provide any of the above. They are optional and never required to use the Service.

1.2 Information We Generate About You

Based on the data you provide, the Service generates algorithmic outputs. These are derived from your inputs and stored alongside your account:

  • Bazu Scores for each meal (overall and per-nutrient)
  • AI nutrition estimates (macros, calories, glycemic index/load) for each meal
  • Per-meal predicted glucose curves used to power the Estimated Glucose Curve
  • The 24-hour Estimated Glucose Curve itself (computed on your device from your logged meals and demographics)
  • XP, streaks, achievements, ranks, and other gamification state
  • Aggregated tracking statistics (e.g., your weekly nutrition averages)

These outputs are estimates only. See our Medical Disclaimer and the Estimated Glucose Curve disclaimer in our Terms of Service.

1.3 Information Collected Automatically

Usage Data

  • Activity logs (meal entries, scans, ratings)
  • App interactions and feature usage
  • Session duration and frequency

Device Information

  • Device type and model
  • Operating system version
  • Unique device identifiers (for push notifications and crash diagnostics)
  • App version
  • Advertising identifier (IDFA) — on iOS, only if you grant permission through the App Tracking Transparency prompt (see Section 4.2 and Section 11)

Local Device Storage

The following are stored encrypted on your device:

  • Authentication tokens (for automatic sign-in)
  • Cached profile data (for faster app performance)
  • App settings and preferences

Local data is encrypted by your device's operating system and is deleted when you log out or uninstall the app.

We Do NOT Collect

  • Precise geolocation
  • Contact lists
  • Photos or media (except meal photos you choose to upload)
  • Biometric data
  • Voice or microphone data

About Meal Photos

  • Photos are uploaded to secure cloud storage (Supabase)
  • Photos are processed by AI providers (OpenAI and/or Anthropic) to identify food items and estimate nutrition (see Section 4.1)
  • Photos are stored with time-limited, authenticated URLs that require you to be logged in
  • Photos are permanently deleted when you delete your account
  • Photos are NOT used for advertising, NOT shared publicly, and NOT used to train third-party AI models

1.4 Apple HealthKit / CGM Integration

If you choose to enable CGM integration, Bazu can read glucose data from Apple HealthKit. This is entirely optional and requires your explicit permission.

What We Access

  • Blood glucose samples stored in Apple Health (timestamp, value, unit, source device/app)

What We Do NOT Access

  • We do not write data to Apple Health
  • We do not access any other HealthKit data types (heart rate, steps, sleep, etc.)
  • We do not connect directly to CGM hardware — all data flows through Apple Health

How It Works

  • You grant read-only access via the iOS HealthKit permission prompt
  • Bazu periodically reads new glucose samples and syncs them to your account
  • You can revoke access at any time in iOS Settings → Health → Data Access & Devices → Bazu
  • Revoking access stops future syncing; previously synced data stays in your account until you delete it

How We Use CGM Data

To display your glucose trends inside the app and to overlay your real readings on the Estimated Glucose Curve for comparison. We do not use CGM data for advertising. We do not sell CGM data. We do not use CGM data to train any AI model.

2. How We Use Your Information

2.1 Provide and Operate the Service

  • Create and manage your account
  • Display the meals, scores, curves, and history you log
  • Generate the AI nutrition estimates, predicted curves, and the Estimated Glucose Curve described in Section 1.2
  • Personalize the Service to your goals, demographics, and self-reported diabetic status
  • Award XP, streaks, and achievements
  • Process subscription state through the Apple App Store and RevenueCat

2.2 AI Features

We use third-party AI providers (currently OpenAI and Anthropic) to parse your meal descriptions and photos and to estimate nutrition. We send only the meal-related text or image needed to do the task. We do NOT send your name, email, glucose readings, insulin doses, weight, diabetic status, or other profile information to AI providers.

We do not use your data to train AI models for any third party. OpenAI and Anthropic confirm in their API terms that data submitted via API is not used to train their models by default. We rely on those commitments and never opt in to training-data programs.

We may use aggregated, de-identified data — data that cannot reasonably be linked back to you — to evaluate and improve our own models, scoring algorithms, and product features.

2.3 Communication

  • Meal logging reminders and gentle streak nudges (you can disable these in app settings)
  • Achievement and gamification notifications
  • Important service updates, security alerts, and policy changes
  • Responses to your support requests

2.4 Service Improvement, Security, and Fraud Prevention

  • Diagnose crashes (via Sentry) and analyze usage patterns (via PostHog) to improve features and fix bugs
  • Detect and prevent fraud, abuse, and unauthorized access
  • Maintain the security of the Service and its infrastructure

2.5 Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to lawful legal requests
  • Enforce our Terms of Service and other policies

3. We Do Not Sell Your Health Data

We do not sell, rent, or trade your health-related data — including glucose readings, insulin doses, meals, meal photos, nutrition data, weight, or diabetic status — to advertisers, data brokers, insurers, or anyone else, ever.

We have not sold or shared any personal information for cross-context behavioral advertising in the preceding twelve (12) months, with one limited exception: if you grant permission through the iOS App Tracking Transparency prompt, your device's advertising identifier (IDFA) and standard app install/launch events may be shared with Meta Platforms, Inc. for app-install advertising attribution. Under the California Consumer Privacy Act (CCPA/CPRA), this activity may be considered a “sale” or “share” of personal information. It involves only the advertising identifier and non-health events; it never involves your health data. You can opt out at any time (see Section 4.2 and Section 8.5).

4. How We Share Your Information

4.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service. Each is contractually obligated to protect your data and use it only for the purposes we specify.

Supabase — cloud database, storage, and authentication

  • Stores account data, profile data, meal data, photos, and any optional health data you provide
  • Located in the United States
  • Row-Level Security ensures users can only access their own data
  • Privacy Policy: https://supabase.com/privacy

Railway — backend application hosting

  • Runs the Bazu API servers in the United States
  • Processes your requests but does not retain your data outside the request lifecycle
  • Privacy Policy: https://railway.com/legal/privacy

OpenAI and Anthropic — AI nutrition and meal parsing

  • Receive only meal descriptions (text) and meal photos (images) needed to identify foods and estimate nutrition
  • Do NOT receive your glucose readings, insulin doses, profile information, or other health data
  • Do NOT use data submitted via API to train their models, per their API terms
  • Your data is processed and not retained for our use beyond the request
  • Privacy Policies: https://openai.com/api-data-privacy and https://www.anthropic.com/legal/privacy

Edamam and Open Food Facts — food databases

  • Receive food names and barcode scans from your meal searches
  • Do NOT receive your health data or personal information
  • Privacy Policies: https://www.edamam.com/privacy-policy and https://world.openfoodfacts.org/privacy

RevenueCat — subscription processing

  • Manages subscription state for purchases made through the Apple App Store
  • Receives your user ID, subscription status, and purchase events
  • Does NOT receive your health data or meals
  • Privacy Policy: https://www.revenuecat.com/privacy

OneSignal — push notification delivery

  • Receives device identifier and notification preferences to deliver push notifications
  • Does NOT receive your health data or meals
  • Privacy Policy: https://onesignal.com/privacy_policy

PostHog — product analytics

  • Receives anonymized event data (e.g., “meal logged,” “scan opened”) to help us understand which features are used
  • Does NOT receive the contents of your meals, glucose readings, or other health data
  • Privacy Policy: https://posthog.com/privacy

Sentry — crash and error monitoring

  • Receives stack traces, device context, and minimal user identifiers when the app crashes or hits an error
  • Does NOT receive the contents of your meals or your health data
  • Privacy Policy: https://sentry.io/privacy

Resend — transactional email

  • Sends account verification, password reset, and subscription emails
  • Receives your email address to deliver messages
  • Does NOT receive your health data
  • Privacy Policy: https://resend.com/legal/privacy-policy

Google — OAuth (if you sign in with Google)

  • Authenticates your identity; we receive your email and an auth token
  • Privacy Policy: https://policies.google.com/privacy

Apple — OAuth and HealthKit

  • Authenticates your identity (Sign in with Apple); we receive your email and an auth token
  • Provides HealthKit data flow described in Section 1.4 — Apple does not receive any data from Bazu
  • Privacy Policy: https://www.apple.com/legal/privacy/

4.2 Advertising Attribution (Meta SDK)

Bazu uses one third-party advertising service: the Meta (Facebook) SDK, integrated solely for app-install advertising attribution.

What Meta Receives

  • Your device's advertising identifier (IDFA), on iOS
  • Standard app events automatically logged by the Meta SDK, such as app installs and app launches

What Meta Does NOT Receive

  • Your health data — glucose readings, insulin doses, meals, nutrition info, weight, diabetic status, or any other health information
  • Your profile information (name, email, date of birth, etc.)
  • Any custom or health-related events — we send only Meta's standard, auto-logged install and launch events

Your Control

  • On iOS, this is gated by the App Tracking Transparency (ATT) prompt. If you choose “Ask App Not to Track,” no advertising identifier is collected or shared with Meta.
  • You can change your choice anytime in iOS Settings → Privacy & Security → Tracking.
  • Declining tracking does not affect any feature of Bazu.

Meta receives no health data from Bazu. Only the advertising identifier and non-health install/launch events, and only with your permission.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or lawful government request, or if we reasonably believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect our rights or property
  • Prevent fraud or security issues
  • Protect the safety of our users or the public

4.4 Business Transfers

If Bazu is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

5. Data Security

We use industry-standard security measures to protect your information:

  • Encryption in transit (TLS) and at rest
  • Secure authentication, including OAuth options
  • Row-Level Security in the database so users can only access their own data
  • Principle-of-least-privilege access controls for our team
  • Ongoing monitoring for vulnerabilities and threats

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We keep your information only as long as needed to provide the Service and meet legal obligations:

  • Account data (name, email, profile): Retained while your account is active.
  • Meal data, photos, scores, predicted curves: Retained while your account is active.
  • Optional health data (glucose, insulin, CGM readings): Retained while your account is active.
  • Crash logs and analytics events: Retained for up to 90 days, then automatically purged or rotated.
  • Account-deletion records: Retained as needed to comply with our legal obligations (typically 30 days after deletion).
  • Aggregated, de-identified statistics: Retained indefinitely.

When You Delete Your Account

Your account data, meal data, photos, and any optional health data are deleted within 30 days. We do not maintain long-term backups of deleted user data. CGM readings previously synced from Apple Health are deleted along with the rest of your account; they cannot be re-synced after deletion.

7. Your Rights and Choices

7.1 Access and Correct

You can view and edit most of your profile information directly in the app (Settings and Update Your Profile). For other access or correction requests, email hello@withbazu.com.

7.2 Delete Your Account

You can delete your account using the “Delete Account” option in Settings, or by emailing hello@withbazu.com. Deletion is permanent and removes all your data within 30 days (see Section 6).

7.3 Export Your Data

To request a copy of your data in a structured, machine-readable format, email hello@withbazu.com with your account email. We will respond within 30 days. An in-app export feature is in development.

7.4 Opt Out of Communications

  • App notification settings (per-category controls)
  • Device notification settings (iOS Settings)
  • Email unsubscribe links (transactional emails like security alerts cannot be opted out)

7.5 Opt Out of Ad Attribution

The iOS App Tracking Transparency prompt is your opt-out for advertising-identifier sharing with Meta. Choose “Ask App Not to Track,” or change your choice anytime in iOS Settings → Privacy & Security → Tracking. See also our Your Privacy Choices page.

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Your Rights

  • Right to know: Request the categories and specific pieces of personal information we have collected about you.
  • Right to delete: Request deletion of your personal information.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out: Opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising (see Section 7.5 for our only such activity).
  • Right to limit use of sensitive personal information: We do not use your sensitive personal information beyond what is necessary to provide and improve the Service.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights.

“Sale” and “Sharing” Disclosure

We do not exchange your personal information for money. The only activity that may be considered a “sale” or “share” under CCPA/CPRA is the sharing of your IDFA and standard app install/launch events with Meta for app-install advertising attribution, and only when you grant permission via the iOS ATT prompt. See Section 4.2.

How to Exercise Your Rights

Email hello@withbazu.com, use the in-app account deletion feature, or visit our Your Privacy Choices page. We will respond within 45 days.

9. Washington and Nevada — Consumer Health Data

If you are a Washington or Nevada resident, the health-related information you provide to Bazu is treated as “consumer health data” under Washington's My Health My Data Act (MHMDA) and Nevada's SB 370.

Please read our separate Consumer Health Data Privacy Policy for the full disclosures and rights that apply to that data, including your rights to access, delete, withdraw consent, and appeal.

We provide the Consumer Health Data Privacy Policy as a separate, distinctly linked document as required by Washington law.

10. Health Information and HIPAA

Bazu is not a HIPAA-covered entity and is not a business associate of one. The health-related information you enter into Bazu is:

  • Entered voluntarily by you
  • Not received from a healthcare provider
  • Not used for medical diagnosis or treatment
  • Not shared with healthcare providers unless you explicitly do so yourself

Your information is instead protected by general consumer-privacy laws (such as CCPA/CPRA and, where applicable, Washington MHMDA and Nevada SB 370 — see Section 9) and by this Privacy Policy. We strongly recommend that you do not rely solely on Bazu for any health-related decision and that you consult a qualified healthcare provider when needed.

11. App Tracking Transparency (iOS)

On iOS, Bazu uses Apple's App Tracking Transparency (ATT) framework. The first time it is relevant, iOS will show you a prompt asking whether you allow Bazu to track you across apps and websites owned by other companies.

What the Prompt Controls

  • If you allow tracking, Bazu may collect your IDFA and share it with Meta for app-install attribution as described in Section 4.2.
  • If you choose “Ask App Not to Track,” no advertising identifier is collected and nothing is shared with Meta for tracking purposes.

Important

  • Granting permission is entirely optional.
  • Declining tracking does not affect any feature of Bazu.
  • You can change your choice anytime in iOS Settings → Privacy & Security → Tracking.
  • The ATT choice never affects your health data, which is never used for tracking or advertising regardless of your choice.

12. Children's Privacy

Bazu is intended for adults aged 18 or older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a person under 18, we will prohibit and block that account and delete the associated information promptly.

If you believe a person under 18 has provided us personal information, contact us at hello@withbazu.com.

13. Users Outside the United States

Bazu is designed for, marketed to, and intended for use by individuals in the United States. We do not target the European Economic Area, the United Kingdom, or other jurisdictions outside the U.S. The Service and all data are hosted and processed in the United States.

If you access the Service from outside the United States and believe we hold your personal data, you may contact us at hello@withbazu.com to request access, correction, or deletion. We will respond within 30 days. This contact pathway does not constitute an offering of the Service in your jurisdiction.

14. Data Processing Location

All personal data collected by Bazu is processed and stored in the United States. We do not intentionally transfer your data outside the United States. By using the Service, you consent to this processing location.

15. Breach Notification

If we experience a security breach involving your personal information, we will notify you and the relevant authorities as required by applicable law, including the FTC Health Breach Notification Rule (16 CFR Part 318) for breaches involving identifiable health information, and applicable state breach-notification statutes. Notice will be given without unreasonable delay and, in any event, within the timeframes those laws require.

16. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. Review their privacy policies before providing any information.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the “Last Updated” date at the top.
  • For material changes, we will notify you in the app or by email.
  • Continued use of the Service after the changes take effect means you accept the updated Privacy Policy.

18. Contact Us

For questions, concerns, or requests about this Privacy Policy or our data practices:

Bazu Technologies, LLC

Email: hello@withbazu.com

Website: https://withbazu.com

For data subject requests (access, deletion, etc.), please include your full name, the email address on your account, and the specific request. We will respond within 30 to 45 days, depending on the applicable law.

19. Your Consent

By using Bazu, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

© 2026 Bazu Technologies, LLC. All rights reserved.