Privacy Policy

Last updated: May 1, 2026

Tmrrw ("we", "our", "the app") is a personal fitness and nutrition tracking app for iOS. This policy describes exactly what data Tmrrw collects, where it goes, what we do — and don't do — with it. Read it before installing.

1. What stays on your device

The following data is stored only on your device using Apple's SwiftData framework. We never receive a copy of it:

Profile information — name, date of birth, height, current and target weight, activity level, and fitness goal
Nutrition log — meal entries, calories, macronutrients, water intake, food diary, custom foods, and favourites
Workout log — sessions, sets, reps, weights, templates, and history
Body measurements — weight entries you add over time
Apple Health data you grant access to (if you enable the integration; see section 5) — these values are read into the app's UI but are never copied to our servers

2. What we send off your device, and why

Two features require sending data to outside services so the feature can work. Each request goes over an encrypted (HTTPS / TLS 1.2+) connection.

2.1 AI-assisted nutrition analysis (text and photo)

When you log a meal by voice or by photo, your input is sent to OpenAI via our backend proxy (described in section 4):

Voice path: the spoken phrase is converted to text on your device by Apple's speech recognition (which may itself transmit audio to Apple's speech servers — see section 6). The resulting text transcript is then sent to OpenAI for nutrition estimation.
Photo path: the food photo (taken with the camera or selected from your library) is downscaled and JPEG-compressed on your device, then the resulting image is sent to OpenAI for nutrition estimation.

Tmrrw does not retain your transcripts or photos after the analysis result is returned. OpenAI processes the request under their API terms (OpenAI Privacy Policy); per OpenAI's API policy, inputs are not used to train their models and are retained for at most 30 days for abuse-monitoring purposes before deletion.

2.2 Barcode lookups

When you scan a product barcode (live with the camera or by decoding a photo), only the barcode number itself — a public product code, e.g. 4823063129367 — is sent to one or more food databases:

Open Food Facts — a free, public food database. Requests go from your device directly to world.openfoodfacts.org over HTTPS; they do not pass through our proxy. (Open Food Facts Terms & Privacy)
FatSecret Platform API — a third-party food database. Requests go through our proxy so the FatSecret API key never ships in the app. (FatSecret Privacy Policy)

If neither database recognises the code, the barcode number is sent to OpenAI as a last-resort lookup. No other personal data is included in any barcode request.

3. Data we do not collect

We do not use analytics, advertising, or tracking SDKs of any kind
We do not show ads
We do not sell or rent any data to anyone
We do not request the App Tracking Transparency permission, because we don't track you
We do not use crash-reporting or telemetry SDKs
We do not ship third-party SDKs at all (the app links only against Apple's frameworks)

4. Our backend proxy

To avoid embedding API keys for OpenAI and FatSecret in the app binary (which would let anyone with a copy of the app abuse those services on our account), Tmrrw routes the requests in section 2.1 and the FatSecret part of section 2.2 through a small Cloudflare Worker that we operate. The worker:

Holds the OpenAI and FatSecret credentials server-side
Verifies each request's HMAC-SHA256 signature, derived per-device from a UUID stored in your iOS Keychain, so anonymous traffic from outside the app is rejected
Enforces a per-device daily usage limit on AI features
Caches barcode-to-product mappings for 7 days to reduce duplicate upstream requests (the cache contains only public product data, never anything personal)

The proxy logs only operational metadata: HTTP status codes, response durations, and which endpoint was called. It does not log request bodies, transcripts, photos, food names, or any other content you submit.

The only persistent storage on the proxy is:

A daily request counter under your device UUID, which expires automatically within 36 hours
A barcode-to-product cache (no personal data attached)

Your device UUID is generated locally on first launch, is stored only in your iOS Keychain, and is not linked to your name, email, or any other identifier. We never receive an Apple ID, IDFA, IDFV, or email address. If you uninstall the app, the only residue tied to you is the daily counter, which expires shortly thereafter and cannot be joined to your real identity.

The proxy runs on Cloudflare's edge network. Traffic may be processed in a Cloudflare data centre near you (Cloudflare's automatic geo-routing). Cloudflare's privacy practices are described at cloudflare.com/privacypolicy.

5. Apple Health (HealthKit)

If you grant permission, Tmrrw integrates with Apple Health. We request access to the following types:

Read: step count, active energy burned, exercise time, distance (walking/running and cycling), heart rate, resting heart rate, heart rate variability, body mass, body fat percentage, lean body mass, stand hours, activity summary, and workouts
Write: body weight entries you enter in the app, and workouts you complete in the app

HealthKit data stays on your device and in Apple's HealthKit store. It is never sent to our proxy or to any third party. You can revoke any of these permissions at any time via iOS Settings → Privacy & Security → Health.

6. Permissions we ask for

Permission	Why
Camera	Scan barcodes on food packaging and take photos of meals for AI nutrition analysis
Photo library	Pick existing photos for barcode decoding or AI meal analysis (only photos you explicitly pick, not your full library)
Microphone	Record your voice when you log meals by speaking
Speech recognition	Convert recorded audio to text. Apple's speech recognition may process the audio on-device or via Apple's speech servers depending on the device, language, and connectivity. This is governed by Apple's privacy policy.
Apple Health	Read activity, vitals, and body-mass data; write your in-app weight entries and completed workouts

Each permission is requested only the first time the related feature is used. You can deny or revoke any of them — the rest of the app continues to work.

7. AI accuracy disclaimer

The nutrition values returned by Tmrrw's AI features are estimates. They can be wrong. Do not rely on them for medical decisions, diagnosis, or treatment. If you have a medical condition or specific dietary requirements, consult a qualified healthcare professional.

8. Data retention

Because the app stores nearly everything locally, we have very little to retain on our side:

On your device: data lives until you delete it (per-entry, or by uninstalling the app)
On our proxy: the daily request counter expires automatically within 36 hours; the barcode cache expires within 7 days
At third parties: OpenAI retains API inputs for at most 30 days for abuse monitoring before deletion (per their API policy); Open Food Facts and FatSecret only see the public barcode number, not personal data

9. Your rights

If you are in the EU, UK, or another jurisdiction with comparable privacy law (GDPR, UK GDPR, CCPA, etc.), you have the right to:

Access the data we hold about you (in our case: at most a numeric counter under your device UUID)
Have it corrected or deleted
Object to processing or restrict it
Lodge a complaint with your local data protection authority

To exercise any of these rights, email us at the address in section 12.

10. International data transfers

OpenAI and FatSecret are based in the United States; Open Food Facts is based in France; Cloudflare operates a global network. By using AI or barcode features, you accept that the requests in section 2 may be processed outside your country, including in jurisdictions whose data-protection laws differ from yours. We use only providers that publicly commit to industry-standard safeguards (HTTPS, encrypted storage, access controls).

11. Children's privacy

Tmrrw is not directed at children under 13 (or under 16 in the EU/UK) and we do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided data to the app, contact us so we can assist.

12. Changes to this policy

We may update this policy as the app evolves. Material changes will be reflected by the "Last updated" date at the top of this page. Continued use of the app after a change indicates acceptance of the updated policy.

13. Contact

If you have questions about this privacy policy or want to exercise any of the rights described in section 9, contact:

nikolaienko.bv@gmail.com