Contents
- Who we are
- Scope of this policy
- What we collect
- How we use it
- Our legal basis
- Third-party processors
- Where your data is stored
- How long we keep it
- Who we share it with
- Tracking and advertising
- Cookies and the website
- Children and age 13+
- Your rights
- Account deletion
- International data transfers
- Security
- Changes to this policy
- Contact us
1. Who we are
Labelz ("Labelz", "we", "us") provides the Labelz mobile application and the labelzai.app website. Labelz is based in Australia. For any privacy question, contact us at contact@labelzai.app.
2. Scope of this policy
This Privacy Policy describes how we collect, use, share, store and protect personal information when you use the Labelz mobile application, the labelzai.app website, and any related services. It should be read together with our Terms of Service.
3. What we collect
We keep data collection to what is needed to operate the Service. Categories of personal information we collect are set out below.
3.1 Account information (you give us)
- Email address — to create and sign in to your account.
- User identifier — a unique ID generated when you sign up. Linked to your email internally.
- Authentication tokens — short-lived session tokens issued by our authentication provider. Used to keep you signed in.
- First name — optional, for personalisation inside the app.
3.2 Profile information (you give us)
- Region (e.g. Australia, United States).
- Dietary preferences, allergen preferences and ingredient-avoidance preferences you select during onboarding and in Settings. This may include sensitive health-adjacent information you choose to disclose (for example, an allergy to peanuts, or a preference to avoid parabens). We treat this information as sensitive regardless of jurisdiction.
- Age range (e.g. 18–24, 25–34) — used for demographic insights and to confirm age eligibility.
- Primary goal (e.g. "Know what I'm consuming", "Check what's in my skincare").
- Theme preference (Light, Dark, Pink).
- Consent timestamps — when you accepted the Terms, the allergen consent disclosure, and the AI/data processing consent.
3.3 Scan and usage information (generated as you use the app)
- Scan photos — the image you capture when scanning a label. Uploaded securely for OCR processing. We do not store the photos long-term after a scan result is produced unless a very small sample is flagged for quality review.
- Barcode numbers — when scanning a barcode.
- Extracted ingredient text — text parsed out of the label by OCR.
- Normalised ingredient atoms and classifications — structured ingredient data derived from the label.
- Scan history — the products you've scanned, the date/time, the verdict returned, and the preferences matched.
- Gamification state — XP, streaks, badges earned, daily-goal progress, league standing.
- User-submitted reports — any inaccuracies or concerns you report through the in-app reporting tool.
- In-app interactions — anonymised event data such as "scan started", "scan result viewed", "settings opened", used for product analytics.
3.4 Subscription and billing information (from Apple and Google)
- Subscription status — whether you are on a free trial, paid plan, cancelled, or expired.
- Product identifier — monthly or annual plan.
- Anonymous app-user identifier — from our subscription management provider.
We do not receive or store your credit card, bank card, or full payment details. All payments are processed by Apple (iOS) or Google (Android).
3.5 Device and technical information (collected automatically)
- Device identifier — a per-installation identifier used by our subscription provider for attribution and entitlement checks.
- App version, operating system version, device model.
- Approximate region inferred from your device locale and IP address at the network level. We do not collect precise GPS location.
- Crash and diagnostic data where enabled by you at the OS level.
3.6 Referral and affiliate information
- If you sign up through a referral link, we record the referring code so the referrer can receive their one-time commission. If you become an affiliate, we also collect a PayPal email address so we can pay you out.
4. How we use it
We use personal information to:
- create and secure your account and keep you signed in;
- run the core Service — read labels, classify ingredients, and show you a verdict personalised to your preferences;
- process and manage your subscription and free trial;
- send you essential transactional messages (for example, trial-ending reminders, receipts, security alerts);
- operate gamification, streaks, leagues and achievements;
- provide customer support when you contact us;
- improve the Service (aggregate analytics, debugging, product research);
- detect, prevent and investigate fraud, abuse, and security incidents;
- process referral credits and affiliate payouts;
- comply with legal obligations and enforce our Terms.
We do not sell your personal information. We do not use your data for cross-app advertising or share it with advertising networks.
5. Our legal basis
Where the General Data Protection Regulation (GDPR), the UK GDPR, or similar laws apply, we rely on the following legal bases:
- Performance of a contract — to provide the Service you signed up for.
- Consent — for processing sensitive preference data (for example, declared allergies) and for any non-essential analytics. You can withdraw consent at any time by changing your preferences or deleting your account.
- Legitimate interest — to operate, improve and secure the Service, where that interest is not overridden by your rights.
- Legal obligation — to comply with applicable laws.
Where Australian law applies, we handle personal information in line with the Australian Privacy Principles under the Privacy Act 1988 (Cth).
6. Third-party processors
We use a small number of vetted third-party providers to operate the Service. Each processor is bound by a contract and handles data only on our instructions. Current processors:
| Provider | Purpose | Data handled | Region |
|---|---|---|---|
| Apple | App distribution, Sign in with Apple, in-app purchases | Account, purchase, device | Global |
| App distribution, Sign in with Google, in-app purchases | Account, purchase, device | Global | |
| Supabase | Database, authentication, file storage, serverless functions | Account, profile, scan, usage | Sydney, Australia (ap-southeast-2) |
| Google Cloud Vision | OCR text extraction from scan photos | Scan photo, extracted text | United States |
| OpenAI | AI-assisted ingredient normalisation and classification | OCR ingredient text | United States |
| Anthropic | AI fallback for ambiguous ingredient classification | Ingredient text | United States |
| RevenueCat | Subscription management, entitlement checks, receipt validation | App-user ID, subscription status, device ID | United States |
| Expo | Push notification delivery, over-the-air updates | Device push token | United States |
| PayPal | Affiliate payouts (for affiliates only) | PayPal email | Global |
| Vercel | Website hosting for labelzai.app | Website request logs only | Global edge network |
The list of processors may change over time as we refine the stack. Where a change materially affects how your data is handled, we will update this policy and, where required, seek fresh consent.
7. Where your data is stored
Your account, profile, scans and usage data are stored in Supabase infrastructure hosted in Sydney, Australia (ap-southeast-2). OCR processing and AI classification may be carried out by providers based in the United States — we send only the text (and for a scan, the image) necessary to return a result. We do not send your email, account identifier, or preferences to the OCR or AI providers.
8. How long we keep it
- Account and profile data — kept for as long as your account is active.
- Scan photos — processed for OCR and then removed from our storage once the scan result is produced, unless a small sample is flagged for quality review (in which case we retain it for up to 90 days).
- Scan history, preferences, gamification state — kept for as long as your account is active.
- Subscription data — kept for as long as required by tax and consumer protection law (typically seven years in Australia).
- Server and security logs — typically 30 to 90 days.
- Anonymised, aggregated analytics — kept indefinitely. This data does not identify you.
When you delete your account, we delete personally identifying information as described in section 14. Aggregated and anonymised data may be retained under Recital 26 of the GDPR (which treats truly anonymised data as outside the scope of the GDPR) and equivalent Australian guidance.
9. Who we share it with
We share personal information only with:
- the third-party processors listed in section 6, for the narrow purposes described there;
- legal or law-enforcement authorities, when we are required to do so by a valid legal process or when there is a real and imminent threat to health, safety or security;
- a successor entity in the event of a corporate transaction (merger, acquisition, asset sale), in which case your data continues to be protected by this policy or an equivalent one.
We do not sell your personal information. We do not rent or trade it. We do not share it with advertisers or data brokers.
10. Tracking and advertising
Labelz does not track you across other apps or websites. The Labelz app contains no advertising SDKs and no cross-app tracking pixels. Our iOS privacy manifest declares NSPrivacyTracking = false and an empty tracking-domains list.
11. Cookies and the website
The labelzai.app website uses essential, first-party cookies only — for example, to remember whether you have dismissed a banner or to route you through a referral link. We do not use third-party advertising cookies and we do not run Google Analytics or Meta Pixel on the website. Server access logs retained by our hosting provider may contain IP addresses for a short period to detect abuse.
12. Children and age 13+
Labelz is intended for users aged 13 and over. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact contact@labelzai.app and we will take prompt steps to delete it. Users between 13 and 17 must have parent or guardian permission to use the Service.
13. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct information that is inaccurate or incomplete.
- Deletion — ask us to delete your personal information (see section 14).
- Portability — receive your information in a commonly used, machine-readable format.
- Objection and restriction — object to, or ask us to restrict, certain uses of your information (in particular, uses based on legitimate interest).
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Complain — lodge a complaint with a data protection authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC). In the EU, your local data protection authority. In the UK, the Information Commissioner's Office (ICO).
To exercise any of these rights, contact contact@labelzai.app. We aim to respond within 30 days. We may need to verify your identity before we act on your request.
14. Account deletion
You can delete your account at any time from inside the app: Settings → Danger Zone → Delete Account. When you delete your account we:
- delete your authentication record and email address;
- delete your profile, including dietary and allergen preferences;
- delete scan photos stored on our servers;
- sever the link between your scan history and your identity — remaining scan rows and gamification rows are retained as anonymised data;
- cancel any future processing of referral credits that had not yet been paid out;
- retain subscription transaction records for as long as required by tax and consumer law.
After deletion, the remaining data cannot reasonably be re-associated with you and is treated as anonymised under applicable privacy law. You may also request deletion by email at contact@labelzai.app.
15. International data transfers
Some of our processors (including OCR, AI classification, subscription management and push notifications) are based in the United States. When we send your data to them, it leaves Australia. Where required, we rely on standard contractual clauses and similar safeguards to protect the data during transfer and processing. By using the Service you acknowledge that your data may be processed in jurisdictions with privacy laws different from your home country.
16. Security
We take reasonable steps to protect personal information:
- HTTPS/TLS in transit, end-to-end.
- Row-level security on the database with per-user policies.
- Encrypted on-device cache for recent scan results.
- Short-lived authentication tokens, refreshed automatically.
- Rate limiting on scan and OCR endpoints.
- Scoped admin access, audit logging on sensitive actions.
No system is 100% secure. If we ever become aware of a breach that poses a real risk to your rights, we will notify you and the relevant authority in line with applicable law.
17. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change we update the "Last updated" date at the top, and where appropriate we also notify you in the app or by email. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the change.
18. Contact us
For any privacy question, rights request, or complaint, contact contact@labelzai.app. If you are not happy with our response, you can also contact your local data protection authority, for example the Office of the Australian Information Commissioner at oaic.gov.au.