The short version

We built Imperfit to help you track nutrition without the shame. Here is an honest summary of how we handle your data — no legalese:

  • We collect your food logs, macros, step counts, and health goals so the app can actually work.
  • Photos you take are sent to Google Gemini for analysis and then deleted — we never store raw images.
  • Voice input is transcribed on your device — the audio never leaves your phone. Only the text transcript is sent to our servers.
  • Your payment is processed by Stripe. We never see your card number — only whether your subscription is active.
  • We do not sell your data. Not to advertisers, not to insurance companies, not to anyone. Ever.
  • You can delete your account and all your data at any time, from inside the app or by emailing us.
  • Our servers are in the United States (US East region).

Questions? Email us at privacy@imperfit.app.

1. Introduction

OKO Labs Inc. ("Company," "we," "us," or "our") operates the Imperfit mobile application and associated services (collectively, the "Service") available at imperfit.app. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service.

This policy applies to all users worldwide. Additional rights for residents of the European Economic Area (EEA), United Kingdom, and California are described in Sections 6 and 13 below.

2. Information We Collect

2.1 Account Information

When you create an account we collect:

  • Email address
  • Display name (optional)
  • Profile photo (optional, if provided via Google SSO)
  • Authentication method (email/password, Google Sign-In, or anonymous session)
  • Account creation date and last login timestamp

Anonymous sessions (created via Firebase Anonymous Authentication) do not require an email address. If you later upgrade an anonymous session to a full account, we link your existing data to your new credentials.

2.2 Health & Nutrition Data

The core of the Service involves storing health and nutrition information you provide, including:

  • Food logs (meal name, portion size, timestamp)
  • Macro-nutrient data (protein, carbohydrates, fat, calories, fiber, and other nutritional attributes)
  • User-set health goals (calorie targets, macro splits, weight goals)
  • Step count and activity data (synced from your device health platform, e.g., Google Fit / Health Connect, with your permission)
  • Body metrics you choose to log (weight, height, body measurements)

This data is stored in our database and is considered sensitive health information. See Section 7 for additional protections that apply.

2.3 Voice Data

Raw audio is never recorded or stored. Voice input is processed entirely on your device by our on-device AI model (Liquid LFM 2.5). Only the resulting text transcript is transmitted to our servers. If you deny microphone permission, voice features will not be available, but no other functionality is affected.

Text transcripts derived from voice input are treated the same as any other text you type and are subject to the same retention rules described in Section 5.

2.4 Photo Data

Food photos are not stored on our servers. When you photograph food, the image is transmitted over TLS to the Google Gemini Vision API for nutritional analysis. After Google returns the analysis result, the image is discarded. We store only the nutritional analysis result (text/structured data), not the original photo.

Google processes the image under its own privacy terms. See the Third-Party Services table in Section 4 for a link to Google's privacy policy.

2.5 Device & Usage Data

We automatically collect certain technical information to operate and improve the Service:

  • Device type, operating system version, and app version
  • App session events (screens visited, features used — no content is captured in event names)
  • Crash reports, error stack traces, and performance metrics (via Sentry)
  • IP address (used for fraud prevention and rate-limiting; not linked to health data in our analytics)
  • Push notification delivery status (via Firebase Cloud Messaging)

2.6 Payment Data

Subscription payments are processed by Stripe, Inc. All payment card data is entered directly into Stripe's secure form and is never transmitted to or stored on our servers. We receive only:

  • Subscription status (active, canceled, trialing, past due)
  • Subscription plan identifier
  • Last four digits of the card (displayed to you for reference only)
  • Billing country (used for tax purposes)

Stripe is a PCI-DSS Level 1 certified payment processor. For details on how Stripe handles payment data, see stripe.com/privacy.

3. How We Use Your Data

We use the information we collect for the following purposes:

To provide and operate the Service

  • Authenticating your account and maintaining your session
  • Storing and displaying your food logs, macro totals, and progress history
  • Powering AI-assisted food analysis, voice logging, and personalized recommendations
  • Processing subscription payments and managing your billing status
  • Sending push notifications you have opted in to (meal reminders, streak alerts, etc.)

To improve and develop the Service

  • Diagnosing and fixing crashes and bugs using error reports
  • Analyzing aggregated, de-identified usage patterns to prioritize features
  • Training internal quality-assurance processes (using de-identified, aggregated data only — never your personal health data in a way that is linked back to you)

To communicate with you

  • Responding to support requests and feedback you send us
  • Sending transactional emails (account confirmation, password reset, billing receipts)
  • Notifying you of material changes to this Privacy Policy or our Terms of Service

To comply with legal obligations

  • Responding to lawful requests from law enforcement or courts where required
  • Enforcing our Terms of Service and preventing fraud or abuse

We do not use your health or nutrition data to serve you targeted advertisements, and we do not engage in any automated profiling that produces legal or similarly significant effects without human review.

4. Third-Party Services

We use the following third-party services to operate Imperfit. Each service has its own privacy policy and data processing terms. Where we rely on a sub-processor to process personal data, we maintain a Data Processing Agreement (DPA) with that provider.

Service | Purpose | Data Shared | Their Privacy Policy
Firebase Auth (Google) | User authentication, anonymous sessions, Google SSO | Email, display name, UID | firebase.google.com/support/privacy
Neon (PostgreSQL) | Primary database — all user data stored here (US East region) | All structured user data | neon.tech/privacy
Google Gemini 2.0 Flash | Food photo analysis — image sent, result returned | Food photos (transient, not stored by us after analysis) | policies.google.com/privacy
Liquid AI LFM 2.5 | On-device voice transcription and local inference | None — runs entirely on device, no data transmitted to Liquid AI | liquid.ai/privacy
Sentry | Crash reporting and error monitoring | Device info, app version, error stack traces (no health data) | sentry.io/privacy
Stripe | Subscription payment processing | Billing email, billing country, subscription status (no card numbers sent by us) | stripe.com/privacy
Firebase Cloud Messaging (FCM) | Push notifications | Device push token, notification delivery status | firebase.google.com/support/privacy

We do not share your personal data with any other third parties for their own marketing purposes. We will never sell or rent your data to data brokers or advertisers.

5. Data Retention

We retain your data only as long as necessary to provide the Service and comply with our legal obligations.

Active account data

All account and health data is retained for as long as your account is active. If you request account deletion, we will delete or de-identify your personal data within 30 days of receiving and confirming your request. A small subset of data may be retained for an additional period to comply with legal, tax, or fraud-prevention obligations — this data is isolated and not used for any other purpose.

Food logs and nutrition history

Food logs are retained for up to 2 years from the date of entry by default, after which they are automatically purged. You may delete individual log entries or your entire log history at any time from within the app.

Voice transcripts

Voice transcripts are processed to extract the food logging intent and then stored as a standard food log entry. The raw transcript text is not retained separately beyond what is stored in your food log.

Photos

Food photos are transmitted to Google Gemini for analysis and are not stored on our servers at any point. The photo is discarded as soon as the Gemini API returns the nutritional analysis result, typically within seconds.

Error and crash data

Error reports collected via Sentry are retained for 90 days and are automatically purged thereafter.

Payment records

Subscription status records are retained for a minimum of 7 years to comply with applicable financial and tax regulations, consistent with Stripe's own data retention practices.

6. Your Rights

Regardless of where you are located, you have the following rights with respect to your personal data:

Access

Request a copy of the personal data we hold about you.

Deletion

Delete your account and associated data, in-app or by emailing us.

Correction

Update or correct inaccurate personal information at any time in the app.

Export

Download your food log and health data in a portable format. (Feature in development — contact us to request manually.)

Opt-out of notifications

Disable push notifications at any time in app or device settings.

Withdraw consent

Revoke optional permissions (camera, microphone, health data) from your device settings at any time.

How to exercise your rights

You can delete your account directly inside the app under Settings → Account → Delete Account. For all other requests — data access, export, correction, or questions — email us at privacy@imperfit.app. We will respond within 30 days (or within the timeframe required by applicable law).

GDPR rights (EEA / UK users)

If you are located in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification (Art. 16): Have inaccurate data corrected without undue delay.
  • Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your data where there is no compelling reason to continue processing.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21): Object to processing based on our legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making (Art. 22): Not be subject to solely automated decisions that produce significant legal effects. We do not engage in such processing.

Our legal bases for processing your personal data are: (a) performance of a contract — processing necessary to provide the Service you have agreed to use; (b) legitimate interests — security, fraud prevention, and product improvement; and (c) your consent — for optional permissions such as camera, microphone, and health data access, which you may withdraw at any time.

If you have a complaint about how we handle your data, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant Data Protection Authority in your EEA member state).

CCPA rights (California residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

  • Right to know: Request information about the categories and specific pieces of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to delete: Request deletion of your personal information, subject to limited exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt-out of sale or sharing: We do not sell or share your personal information with third parties for cross-context behavioral advertising. You therefore have no sale to opt out of.
  • Right to limit use of sensitive personal information: We use sensitive personal information (including health data) only to provide the Service you requested — not for inferring characteristics about you or for advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of the rights listed here.

To submit a CCPA request, email privacy@imperfit.app from the email address associated with your account. We will respond within 45 days and may extend by an additional 45 days where reasonably necessary.

7. Health Data — Special Protections

Sensitive data — read carefully

Health and nutrition data is among the most sensitive categories of personal information. We treat it accordingly with heightened protections beyond what we apply to other data categories.

Your health data — food logs, macro-nutrient records, activity data, health goals, and body metrics — is used exclusively to provide and improve the features of the Imperfit Service you are actively using. Specifically, we commit to the following:

  • No sale to third parties. Your health data will never be sold, licensed, or transferred to any third party for any purpose.
  • No insurance use. We will never share your health data with health insurance companies, life insurance providers, disability insurers, or any underwriting entity.
  • No employer sharing. We will never share your health data with your current or prospective employer.
  • No advertising targeting. Your health data will never be used to build advertising profiles, target ads, or be shared with ad networks or data brokers.
  • No unauthorized AI training. Your identifiable health data is not used to train or fine-tune external AI models. Any internal quality improvements use aggregated, irreversibly de-identified data.
  • Strict access controls. Access to health data within OKO Labs Inc. is limited to engineering personnel with a documented business need. Access is logged and audited.

If you connect third-party health platforms (e.g., Google Fit, Health Connect), only the data types you explicitly authorize will be read. You can revoke this access at any time from your device settings.

8. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 13, do not use the Service or submit any personal information.

If you are between 13 and 18 years of age, you must have the consent of a parent or legal guardian to use the Service. Parents or guardians who believe their child under 13 has provided personal information to us should contact us immediately at privacy@imperfit.app. Upon confirmation, we will promptly delete that information from our records.

We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly market to or collect personal data from children under 13.

9. Security Measures

We implement industry-standard technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction:

Encryption

  • In transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher. We enforce HTTPS with HSTS on all endpoints.
  • At rest: Data stored in our Neon PostgreSQL database is encrypted at rest using AES-256.
  • Authentication tokens: Firebase Authentication issues short-lived JSON Web Tokens (JWTs) that are verified server-side on every request. Refresh tokens are stored securely in device-managed storage.

Access controls

  • Row-Level Security (RLS): Our database enforces row-level security policies so that each user can only access their own data — even internal queries are constrained by these policies.
  • Principle of least privilege: Database credentials and API keys follow least-privilege access. Sentry only receives error data and is configured to scrub personally identifiable information from stack traces.
  • Employee access: Access to production data requires multi-factor authentication and is logged. Access is granted on a need-to-know basis and reviewed regularly.

Incident response

In the event of a data breach that affects your personal data, we will notify you and any applicable regulatory authorities within the timeframes required by law (72 hours under GDPR where feasible; as soon as practicable under other applicable laws).

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. We encourage you to use a strong, unique password for your account and to enable any two-factor authentication options available to you.

10. International Data Transfers

Imperfit is operated from the United States. Our primary database is hosted in the US East region (Neon/AWS us-east-1). If you are accessing the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For users in the EEA and UK, where we transfer personal data to third-party processors outside the EEA/UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) adopted by the European Commission, or other approved transfer mechanisms.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send you an in-app notification or email at least 14 days before the changes take effect (for material changes)
  • Where required by law, seek your renewed consent before processing your data under the new terms

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

12. Cookies and Tracking Technologies

The Imperfit mobile application does not use browser cookies. However, our website (imperfit.app) may use technically necessary cookies to operate correctly. We do not use third-party advertising cookies or cross-site tracking technologies on our website.

Within the mobile app, we use Firebase SDKs that may use device identifiers (such as the Android advertising ID or iOS IDFA) for analytics and crash reporting. You can limit ad tracking through your device's privacy settings.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a privacy-related concern, please contact us:

OKO Labs Inc.
Privacy requests: privacy@imperfit.app
General support: support@imperfit.app
Website: imperfit.app

For GDPR-related inquiries from EEA or UK residents, you may also contact your local supervisory authority. A list of EEA data protection authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office at ico.org.uk.

We aim to respond to all privacy inquiries within 30 days. For requests requiring identity verification, we may ask for additional information to confirm your identity before processing your request.

This Privacy Policy was last updated on April 12, 2026 and replaces all prior versions.