Privacy Policy
Effective 3 June 2026
Health Tracker is a free, self-hosted personal health tool operated by Pratyush Aswal. This Privacy Policy explains what data the Service collects, why, where it is stored, who can access it, and the rights you have over it. It reflects exactly how the app actually works — there are no hidden trackers.
1. Data we collect
We only collect what is needed to make the app work for you:
- Account credentials — your email address and a password (hashed by Supabase Auth; we never see the plaintext).
- Profile information — name, age, sex, height, weight, fitness goal, activity level, and your calculated daily targets.
- Tracker logs — every entry you make: water, meals, workouts, sleep, weight, body measurements, energy, meditation, supplement doses, and any custom foods you add.
- Push subscription— if and only if you enable daily reminders, your browser's push endpoint and VAPID keys are stored so the server can send notifications. You can revoke this at any time.
- Server logs — Vercel and Supabase log request metadata (IP, user agent, status code) for short retention periods as part of normal operations.
2. Data we deliberately do NOT collect
- No analytics SDKs (no Google Analytics, no Mixpanel, no Segment).
- No advertising or marketing identifiers.
- No cross-site tracking pixels.
- No location data.
- No contacts, photos, or device sensors.
- No Apple HealthKit, Google Fit, or Samsung Health reads.
3. How we use your data
Exclusively to operate the Service for you:
- Render your dashboard, charts, and history.
- Compute your daily targets (BMR, TDEE, macros, water goal).
- Calculate streaks, weekly recaps, and personal bests from your own logs.
- Send your daily push reminder if you have opted in.
- Restore your account on sign-in across devices.
We do not use your data for advertising, profiling, or model training. Your data is never sold or shared with third parties for marketing purposes.
4. Where your data is stored
- Database & authentication: Supabase (Postgres), ap-south-1 region (Mumbai, India).
- App hosting & serverless functions: Vercel, bom1 region (Mumbai, India).
- Static assets (CSS, JS, images):Vercel's global CDN. No personal data is on the edge — only public app assets.
5. Third-party processors
- Supabase Inc. — database, authentication, and storage. Privacy policy: supabase.com/privacy
- Vercel Inc. — hosting and edge functions. Privacy policy: vercel.com/legal/privacy-policy
- USDA FoodData Central — public US-government food database used for ingredient search. Only the search string you type is sent; no account information, no PII. API documentation: fdc.nal.usda.gov/api-guide
- Web Push (browser vendor) — if you enable reminders, the push server (operated by Apple/Google/Mozilla depending on your browser) routes notifications. We only send the message; we do not learn your device.
6. Data isolation between users
Every table in the database is protected by Postgres Row-Level Security. Each query, including queries made by the operator, is automatically scoped to the authenticated user's ID. Another user cannot read your rows — not by accident, not by a bug in app code, not by guessing identifiers.
7. Cookies
The only cookie set by the Service is the Supabase authentication session cookie, which is strictly necessary to keep you signed in. There are no analytics, marketing, or advertising cookies, so no consent banner is required in most jurisdictions.
8. Push notifications
Push reminders are entirely opt-in via Profile → Reminders. If you do not enable them, no push subscription is created and no reminder data is stored. If you do enable them and later change your mind, you can disable them from the same screen, and the subscription is deleted from our database. You can also revoke permission from your browser or device settings.
9. Your rights
- Access & portability. Download a complete JSON dump of every row associated with your account from Profile → Export my data.
- Correction. Edit your profile fields, daily targets, and any logged entry directly in the app.
- Deletion of tracker data. Use Profile → Danger zone → Clear all data to wipe every tracker row associated with your account.
- Deletion of your account. Email pratyush.aswal@gmail.com from the address on your account and we will delete it.
10. Retention
Account data is kept for as long as your account is active. Deletions performed through the in-app controls are immediate and unrecoverable; there is no soft delete. Push subscriptions that fail repeatedly (HTTP 404/410) are automatically pruned during the daily reminder job.
11. Security
- HTTPS/TLS on every connection.
- Passwords hashed by Supabase Auth (Argon2 / bcrypt — provider managed).
- Row-Level Security on every table.
- VAPID-signed Web Push (no anonymous sends).
- Service-role keys never exposed to the browser; only the cron endpoint uses them on the server.
- Authorization on the cron route is gated by a shared secret known only to the deployment.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has created an account, please contact us so we can remove it.
13. International data transfers
Personal data is stored exclusively in ap-south-1 (Mumbai, India). Static assets served from Vercel's CDN may be cached at edge locations closer to you, but they contain no personal data.
14. Changes to this policy
Material changes will be announced inside the app. The effective date at the top of this page will be updated whenever the policy changes.
15. Contact
For privacy questions, data requests, or account deletion, email pratyush.aswal@gmail.com.