Privacy Policy
Last updated: April 20, 2026
Scope
This Privacy Policy describes how S8D (“S8D,” “we,” “us”) collects, uses, and shares information when you use the S8D website and web application at s8d.app (the “Service”). It applies to all users of the Service.
Information we collect
We collect the following categories of information:
- Account information. Email address and (for email/password accounts) a hashed password. If you sign in with Google, we receive your email address and Google account identifier from Google.
- Profile data. Sex, age, weight, height, activity level, dietary preset, dietary preferences, and exclusions — everything you enter to personalize your nutrition plan.
- Body metrics. The numerical inputs above are used to compute calorie and macro targets via standard equations (Mifflin-St Jeor × IOM activity multipliers).
- Food selections and solve outputs. The foods you include, exclude, or pin; the solver inputs and resulting daily food plans; saved recipes; and timestamps for each.
- Solve events. Anonymized event records (timestamp, preset, goal, status) used for streak tracking and aggregate usage analytics.
- Technical data. Browser type, operating system, device type, IP address (transient — used only to route requests and detect abuse), pages viewed, and timestamps. Collected automatically by our hosting and analytics providers.
- Error and performance data. When the application encounters an error, we capture stack traces, the URL, and relevant browser context (anonymized; no PII unless you triggered the error while interacting with a form). Used to fix bugs.
How we use it
- To generate your personalized daily nutrition plan.
- To save your profile and food preferences across sessions and devices.
- To improve the Service: identify bugs, monitor performance, and understand which features are used.
- To communicate with you about the Service (account confirmations, password resets, material changes to these terms or policies).
- To comply with legal obligations.
HIPAA
S8D is not a HIPAA covered entity, and the information you provide to S8D is not protected health information (PHI) under HIPAA. S8D is a consumer wellness and educational tool, not a healthcare provider, health plan, or healthcare clearinghouse. If you require HIPAA-protected handling of your health data, do not use S8D for that purpose.
Sub-processors
We share data with the following service providers strictly to operate the Service. Each is contractually obligated to protect your data:
- Supabase (database, authentication) — stores your account credentials, profile, food preferences, saved recipes, and solve history. Hosted on AWS in the United States with row-level security ensuring you can only access your own data.
- Vercel (frontend hosting, analytics) — serves the web application and provides anonymized usage analytics (page views, referrers, device types).
- Render (backend hosting) — runs the nutrition optimization API.
- Sentry (error and performance monitoring) — receives anonymized error reports when the application malfunctions, so we can fix bugs.
- Google (OAuth sign-in, optional) — handles authentication only when you choose to sign in with Google. We receive your email address and account ID; Google does not receive your S8D activity.
- USDA FoodData Central — public nutrition database. We send no user data to USDA.
We do not share your personal information with advertisers or data brokers. We do not sell or rent your personal information. We do not use your data to train AI or machine learning models.
Cookies and tracking technologies
S8D uses a small number of cookies and similar technologies:
- Authentication cookies set by Supabase to keep you signed in.
- Local storage in your browser to cache nutrition reference data and PWA assets for offline access.
- Analytics via Vercel Analytics, which uses a privacy-friendly approach (no third-party cookies, no cross-site tracking, no advertising IDs).
We do not use third-party advertising cookies, tracking pixels, or social-media SDKs.
Data security
We protect your data with industry-standard measures:
- All connections use TLS encryption.
- Passwords are hashed using bcrypt; we never see or store your plaintext password.
- Database access is restricted by row-level security so each user can only read and write their own records.
- Service accounts and API keys are stored as encrypted secrets in our hosting providers and rotated when needed.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@s8d.app.
Data retention
We retain your account information and profile data for as long as your account is active. If you delete your account, we permanently remove your personal data within 30 days, with the following exceptions:
- Backups may retain copies for up to 90 days before being overwritten.
- Anonymized, aggregated usage statistics may be retained indefinitely for product analytics.
- We may retain limited records if required to comply with legal obligations, resolve disputes, or enforce our agreements.
International data transfers
S8D is operated from and hosts data in the United States. If you access the Service from outside the United States, your data will be transferred to, stored in, and processed in the United States. By using the Service, you consent to this transfer. Where required by law (e.g., for users in the EEA, UK, or Switzerland), we rely on Standard Contractual Clauses or equivalent safeguards with our sub-processors.
Your rights
You can access, correct, or delete most of your data directly from the Settings tab in the app. For requests we cannot fulfill in-app, email privacy@s8d.app and we will respond within 30 days.
If you are in the EEA, UK, or Switzerland (GDPR): you have the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability. You may withdraw consent at any time. You also have the right to lodge a complaint with your local data protection authority.
If you are a California resident (CCPA/CPRA): you have the right to know what personal information we collect, to delete it, to correct it, to limit use of sensitive personal information, to opt out of sale or sharing (we do neither), and to non-discrimination for exercising these rights.
Other US state privacy laws: if you are a resident of Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia, you have substantially similar rights. Contact us at privacy@s8d.app to exercise them.
Children’s privacy
S8D is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, please contact us at privacy@s8d.app and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify registered users by email before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
Contact
Questions about this policy or our privacy practices? Email privacy@s8d.app.