Privacy Policy

Last updated: 25 January 2026

1. Who We Are

Calorie Tracker ("we", "us", "our") is a personal nutrition tracking web application operated by Michael Smith. We are the data controller for the personal data processed through this application.

Contact: privacy@masmith.uk

2. What Data We Collect

We collect and process the following personal data:

  • Account information: Name, email address, and profile picture (if signing in via Google)
  • Authentication data: Hashed password (if using email/password sign-in), OAuth tokens (if using Google sign-in)
  • Nutritional data: Food diary entries, meal logs, custom foods you create, and nutritional goals
  • Preferences: Measurement unit settings (weight, volume, calorie, and macronutrient units)
  • Technical data: Session tokens and authentication cookies necessary for the application to function

3. How We Use Your Data

We process your personal data for the following purposes:

  • To provide and maintain the calorie tracking service (legal basis: contract performance)
  • To authenticate your identity and secure your account (legal basis: contract performance and legitimate interest)
  • To send account-related emails such as verification and password reset emails (legal basis: contract performance)
  • To protect against fraud, abuse, and security threats (legal basis: legitimate interest)

We do not use your data for marketing, profiling, automated decision-making, or selling to third parties.

4. Cookies

We use only strictly necessary cookies that are essential for the application to function. These include:

  • Session cookie (authjs.session-token): Keeps you signed in during your session
  • CSRF cookie (authjs.csrf-token): Protects against cross-site request forgery attacks
  • Callback URL cookie (authjs.callback-url): Handles the authentication redirect flow
  • Cookie consent cookie (cookie-consent): Remembers that you have acknowledged this cookie notice

We do not use any analytics, advertising, or third-party tracking cookies. Because all our cookies are strictly necessary for the service to operate, they do not require your consent under the Privacy and Electronic Communications Regulations (PECR).

5. Third Parties

We share data with the following third-party services only as necessary:

  • Google (OAuth authentication): If you sign in with Google, we receive your name, email, and profile image from Google. See Google's Privacy Policy.
  • Resend (email delivery): Used to send verification and password reset emails. See Resend's Privacy Policy.

We do not sell, rent, or trade your personal data to any third party.

6. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, all of your personal data — including your profile, meal diary, custom foods, and preferences — is permanently deleted from our systems.

Verification and password reset tokens are automatically deleted after they expire (typically within 24 hours).

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords are hashed using bcrypt with a cost factor of 12
  • All communication is encrypted via HTTPS/TLS
  • CSRF protection, rate limiting, and account lockout mechanisms are in place
  • Verification and reset tokens are hashed using SHA-256 before storage
  • Security headers are applied to all responses

8. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

  • Right of access: You can download a copy of all your personal data from the Settings page.
  • Right to rectification: You can update your personal information through your account settings.
  • Right to erasure: You can delete your account and all associated data from the Settings page.
  • Right to data portability: You can export your data in a machine-readable format (JSON) from the Settings page.
  • Right to restrict processing: Contact us at privacy@masmith.uk.
  • Right to object: Contact us at privacy@masmith.uk.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

https://ico.org.uk/make-a-complaint/

9. International Transfers

Your data is stored on servers that may be located outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

10. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.