Skip to main content
safeforme

Privacy Policy

Last updated: 10 June 2026

safeforme is a personal allergen checker. We never claim a product is safe or unsafe — we only show whether detected ingredients match your personal allergen profile. Always read product labels and consult a healthcare professional for medical advice.

Who we are

safeforme ("we", "us", "our") is a personal-project allergen scanner. The mobile app and this website are operated by an individual based in the Slovak Republic. We are the data controller for the personal data described below.

For privacy questions or data requests, email us at privacy@safeforme.app.

What data we collect

We try to collect as little as possible. Here is everything:

  • Your account. safeforme needs an account to sync your data: an email address, or your identity from Sign in with Apple / Google. We receive only the basics (email, name where the provider shares it) — never your provider password.
  • Photos of product labels. When you scan a product, the photo is sent to our backend for text extraction. It is not stored long-term — see Retention below.
  • Your personal allergen profile and special modes. The list of ingredients you mark as relevant to you, and — if you turn them on — special modes such as pregnancy, breastfeeding, or baby & kids' skin. Mode settings can reveal health-related information, so they are stored only when you enable them, and only to filter your own results.
  • Your scan history and results. The product name, detected ingredients, and the match outcome of each check, so you can revisit past scans and re-check them when your profile changes. You can delete individual scans or the whole history at any time.
  • Your safe library. Products you choose to save. For saved products we also watch the community formulation data for ingredient changes so we can alert you.
  • Safe-shopping browser checks. When you browse an e-shop inside the app, the product identity found on the page (such as its barcode/EAN) is checked against our product database to power the live badge. When you explicitly tap "Check", the content of that product page is sent to our backend to extract the ingredient list, and the product image may be processed into the app's illustration style. Your address-bar history and favourite shops stay on your device — we do not keep a server-side log of your browsing.
  • Skin diary (optional). If you use the skin diary, the reactions you log (date, severity, affected area) are stored with your account. This is health-related data: we process it only because you actively enter it, only to show you your own patterns, and never share it. You can delete entries or the whole diary at any time.
  • Connections and sharing (optional). If you invite family or friends, we store who you are connected with and which profiles or safe libraries you have chosen to share with them. We never read your phone's address book — connections exist only when both sides accept an invite.
  • Push notification token. If you enable notifications (for example reformulation alerts), we store the device push token needed to deliver them. Disable notifications and the token is removed.
  • Subscription status. If you buy Premium, the purchase is processed by Apple. We — through our subscription processor RevenueCat — receive only the subscription state (active plan, expiry). We never see your card details.
  • Basic usage analytics. We use Google Firebase Analytics to understand which features are used (for example "scan completed", screen views) so we can improve the app. This is not used for advertising, and we do not track you across other apps or sites.
  • Basic technical logs. Request metadata (timestamp, status code) used for debugging and abuse prevention.

Community formulation data. Scans contribute product-level data (product ↔ detected ingredients, when it was read) to a shared catalog. This powers community reads, freshness signals, and reformulation alerts — which are only sent after several independent users confirm a change. This is data about products, not about you: it is not linked to your identity for other users, and no one can see what you scanned.

We do not collect: your location, your phone's address book, device identifiers for advertising, or your payment card details (payments are handled entirely by Apple).

Legal basis for processing (GDPR Art. 6 and 9)

  • Contract — providing the service you signed up for: your account, sync, scans, library, sharing, and Premium.
  • Consent — when you submit a photo or page for checking, you actively initiate the processing.
  • Explicit consent (Art. 9(2)(a)) — for health-related data you choose to enter: your allergen profile, special modes, and the skin diary. You can withdraw it at any time by deleting the data or your account.
  • Legitimate interest — keeping the service running, preventing abuse, debugging errors, improving the app through basic analytics, and responding to support requests.

Who processes your data on our behalf

We use a small number of trusted sub-processors:

  • Supabase (database + edge functions, EU region) — stores your account, allergen profile, scans, safe library, skin diary, connections, and push tokens, and runs the backend functions that handle checks. Supabase acts as our data processor.
  • OpenAI — used for AI processing: extracting text from label photos, extracting ingredient lists from product-page content, verifying new catalog ingredients, and generating the stylized product illustrations. Per OpenAI's API terms, this data is not used to train their models. We send only what the specific task needs — never your allergen profile, diary, or email.
  • RevenueCat — manages Premium subscription state (an anonymous app user ID and purchase receipts from Apple). No card data.
  • Google Firebase — basic, non-advertising usage analytics.
  • Vercel — hosts this website. Standard request logs only.

We do not sell your data, and we do not share it with advertisers, data brokers, or any other third parties.

Retention

  • Scanned photos: deleted within minutes of text extraction. They are not archived.
  • Allergen profile, scan history, safe library, skin diary: kept until you delete them in the app, or until you delete your account.
  • Account email: kept until you delete your account.
  • Push tokens: removed when you disable notifications or sign out.
  • Contact form messages: kept for up to 12 months so we can follow up on conversations, then deleted.
  • Technical logs: kept for up to 30 days, then rotated out.
  • Community formulation data: product-level data (not linked to your identity) remains in the shared catalog so it can keep helping other users.

Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Rectification — ask us to correct anything that's wrong.
  • Erasure ("right to be forgotten") — delete your account directly in the app, or ask us to delete your account, profile, scans, diary, and contact-form history.
  • Portability — receive your data in a structured, machine-readable format (JSON).
  • Restriction — ask us to pause processing while a question is resolved.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time, without affecting the lawfulness of past processing.
  • Lodge a complaint with your local supervisory authority. In Slovakia, that is the Úrad na ochranu osobných údajov SR.

To exercise any of these rights, email privacy@safeforme.app. We respond within 30 days.

Security

Data in transit is encrypted with TLS. Data at rest in Supabase is encrypted by the provider. We use the principle of least privilege for backend access and rotate credentials regularly. No service is perfectly secure — if you suspect a problem, please tell us at privacy@safeforme.app.

Children's privacy

safeforme is not directed at children under 13 (or under 16 in some EU member states). We do not knowingly collect personal data directly from children. Family profiles for children (for example through the baby & kids' skin mode) are created and managed by the adult account holder, who is responsible for them. If you believe a child has provided us data directly, contact privacy@safeforme.app and we will delete it.

International transfers

Our infrastructure runs primarily in the EU. When data is processed by OpenAI, Google Firebase, or RevenueCat, it may be processed in the United States. We rely on the EU–US Data Privacy Framework and standard contractual clauses where applicable.

Changes to this policy

We will update this page when we change how we handle data. The "Last updated" date at the top of this page will reflect the most recent revision. Material changes will be announced in the app and, where you have an account, by email.

Contact