Why Your Calorie Tracker Doesn't Need Your Email

← Blog

MyFitnessPal, Cronometer, MacroFactor, Lose It!. All of them want your email, password, sometimes your date of birth and gender, before you can record a single chicken breast.

We built Onyx Tenet without that requirement. Download, open, log. No server between you and your food diary.

This was the first architectural decision we made, and it informed everything else.

Why they ask

There are three reasons a calorie tracker requires an account, and none of them are "to make the app work."

1. Ad targeting

MyFitnessPal and Lose It! offer ad-supported free tiers. An email address ties your usage data to an identity that ad networks can target. Your food log becomes a behavioral signal: what you eat, when you eat, how consistently you track. That signal has value.

MyFitnessPal's own privacy policy acknowledges sharing user information with "marketing and advertising partners" and states that certain uses of tracking cookies "may constitute sales or sharing of personal information" under applicable privacy laws. This isn't speculation. It's their disclosure.

2. Lock-in

Once your food log lives on someone else's server behind their login, leaving means losing your data. Years of meals, weight history, custom foods, recipes. The account isn't a feature. It's a moat.

MyFitnessPal makes this structural: CSV export is locked behind Premium at $80/year. Free users cannot export their own data. You can put data in, but you can't take it out without paying.

3. Engagement metrics

DAU/MAU ratios, retention cohorts, funnel conversion rates. These are the numbers that matter to investors and advertisers, and they all require identified users. An anonymous user who opens the app daily is invisible to these metrics. An account turns that person into a data point.

MacroFactor doesn't even offer a free tier. Cronometer's free tier serves ads. Every major tracker has built its business model around the assumption that users will create accounts. The account serves the business. The app would work fine without it.

What happens when it goes wrong

This wouldn't matter as much if the data stayed safe. It doesn't.

In February 2018, MyFitnessPal disclosed that an unauthorized party had accessed 150 million user accounts: usernames, email addresses, and hashed passwords. At the time, it was one of the largest data breaches on record.

In March 2026, Cal AI (which had acquired MyFitnessPal) suffered a second breach. Security researchers found an unauthenticated Firebase backend, readable without any credentials. The exposed data included names, emails, dates of birth, gender, height, weight, health goals, macro targets, and meal logs with timestamps. 3.2 million user records across 14.59 GB of data. One record belonged to a child born in 2014.

These aren't isolated incidents. In 2021, a fitness data aggregator called GetHealth left an unprotected database exposing 61 million records pulled from Fitbit, Strava, and Google Fit. The data was sitting on a server with no password.

Your food log, weight history, and email are now in breach databases. There was no architectural reason they needed to be on someone else's server in the first place.

What a no-account architecture looks like

Here's what we built instead.

Data flow comparison: when you log a meal in an account-required app vs Onyx Tenet. The account-required path sends your data to their server, ad networks, and analytics platforms. The local-first path stores everything on your device.

Local-first database. Your food log, weight history, and custom foods live in a local database on your device (SwiftData on iOS, Room on Android). Nothing is uploaded by default. No internet connection required. The app works fully offline.

No server dependency for core functionality. Logging a meal, scanning a barcode, viewing your history, checking your adaptive TDEE: none of these require a network connection or a user account. The server is not in the critical path.

Barcode scanning via a public API. Barcode lookups use OpenFoodFacts, a community-maintained open database. No account needed on their end or ours.

Full data portability. Your data can be exported as a JSON file at any time, from any screen in Settings. This isn't a limited weekly CSV or a Premium-only feature. It's your data. It's a file. You control it.

Anonymous analytics. We use PostHog for usage analytics with a strict policy: no PII, no food log data, no weight data. The analytics toggle in Settings lets you opt out entirely. For users who enable cloud backup, we use a pseudonymous Firebase UID for analytics continuity. Not your email. Not your name.

"But what if I lose my phone?"

This is the honest counterargument, and we take it seriously. If your data only lives on your device, losing the device means losing the data.

Three lines of defense:

JSON export. Export your data to Files, iCloud Drive, Google Drive, or anywhere else you keep files. It's one tap in Settings. The export is a complete snapshot: food log, weight history, custom foods, recipes, settings.

Platform backup. Both iOS and Android automatically back up app data to iCloud and Google respectively, unless you've disabled it. For most users, their data is already backed up without any action on their part.

Optional cloud backup. If you want explicit cloud backup with restore-on-any-device, Onyx Tenet offers it. You sign in with an email link. We use that email for one thing: to let you access your own backups. No password. No profile. No account in the traditional sense. If we ever build full accounts in the future, they will be opt-in, and they will exist for reasons that benefit you, not us.

The point isn't that backups are unnecessary. The point is that backup should be a conscious choice, not a mandatory account creation that doubles as a data collection mechanism.

How the landscape compares

	MyFitnessPal	Cronometer	MacroFactor	Lose It!	Onyx Tenet
Account required	Yes	Yes	Yes	Yes	No
Food log stored	Their servers	Their servers	Their servers	Their servers	Your device
Free tier ads	Yes	Yes	No free tier	Yes	No ads. Ever.
Ad network sharing	Yes	Yes (free tier)	No	Ad identifiers	No
Data export	CSV (Premium only)	CSV (all tiers)	Spreadsheet (subscribers)	CSV (weekly, web only)	JSON (full, anytime)
Annual price	$80/yr Premium	Gold (paid)	$72/yr	$40/yr	Free core

Sources: each company's current privacy policy and App Store listing. All claims are publicly verifiable.

The trade-offs

Local-first means real trade-offs. We're not going to pretend otherwise.

No automatic cross-device sync by default. Your data lives on the device where you logged it. Cloud backup (opt-in) provides restore-on-any-device, but it's not real-time sync across multiple devices. That's a feature we may add later, and it will be optional and encrypted.

No password recovery for local data. If you delete the app without exporting or backing up, your data is gone. JSON export is your insurance policy.

You're responsible for your own backups. We give you the tools (export, platform backup, cloud backup), but the default is that your data stays local. That's the whole point.

These are conscious design decisions, not oversights. The alternative is what every other tracker does: require an account on day one, put your data on their server, and call it a feature.

Onyx Tenet doesn't need your email. Download, open, log. Your data stays on your device unless you explicitly choose otherwise.

Onyx Tenet is free. No account required.