← Retour

Privacy Policy

Last updated: July 2026

1. Overview

Onyx Tenet is designed with privacy as a first principle. The core principle: your core nutrition data stays on your device.

2. What data we collect

  • On-device data: Nutrition logs, food entries, weight records, conversations, and profile information are stored locally on your device using SwiftData (iOS) or Room (Android). Normal encrypted operating-system backup and device-transfer behavior remains available so replacement devices can restore app state. The optional cross-platform Onyx backup and AI features are described below.
  • Synced health-data boundary: New portable exports and backups exclude records imported from Apple HealthKit or Android Health Connect and their provider/device provenance. Earlier backup snapshots created by older app versions may contain those records until the snapshot or backup account is deleted. Connecting Apple HealthKit or Android Health Connect enables personalized AI to use the synced datasets the user has allowed Onyx to read. Existing Health-connected upgrades retain the same personalized-AI behavior, so installing an update does not silently remove functionality. “Share health data with AI” can be disabled at any time in Settings; the change applies to future structured dataset reads and the visible conversation remains continuous.
  • Pseudonymous product analytics: We use PostHog and Google Analytics for Firebase to collect usage events such as screen views, feature interactions, app version, and device/OS information under random app-scoped identifiers. If both analytics and optional backup are enabled, a pseudonymous Firebase UID may join activity across your devices. We do not send names, email addresses, food logs, nutrition values, or health measurements to analytics. In-app analytics is enabled by default and can be disabled at any time in Settings.
  • Platform identifiers: On Android we disable Advertising ID collection and advertising-personalization signals for Google Analytics. On iOS the app does not link Apple's AdSupport framework, request App Tracking Transparency permission, or access IDFA. Analytics providers may still create random app-scoped installation or session identifiers for measurement. We do not use those identifiers to show ads, build advertising profiles, or sell data.
  • Crash reports: We use Sentry and Firebase Crashlytics for diagnostic crash reports containing device/OS information, technical error details, and stack traces. We configure our own diagnostic context to avoid attaching email addresses, message text, food or nutrition values, and health measurements.
  • Barcode lookups: When you scan a barcode, the barcode number is sent to OpenFoodFacts (world.openfoodfacts.org) to retrieve product information. No personal data is attached to this request.
  • AI estimation: If you use AI estimation, a resized meal photo or the text you submit and a random app-generated installation identifier are sent through our Firebase Cloud Functions and processed by OpenAI to return the estimate. AI Insights may process your user-entered nutrition and settings context with OpenAI; Onyx Chat sends your prompt, visible conversation history, and selected context needed for that turn to Google Gemini. When HealthKit or Health Connect is connected, personalized AI can also use the synced nutrition, weight, activity, exercise, body, and heart datasets Onyx has permission to read. This behavior is consistent for new and existing users. Disabling “Share health data with AI” affects future structured dataset reads and clears health-scoped insight cache without erasing conversation memory. The installation identifier enforces AI limits and, only while analytics is enabled, provides pseudonymous request telemetry; it is not your email or real-world name.

3. Optional backup account

You may optionally enable cloud backup in Settings. If you do:

  • Email address: We collect your email address via Firebase Authentication for passwordless sign-in. Your email is stored only in Firebase Auth and is not sent to analytics services.
  • Backup data: A compressed portable snapshot of your user-entered nutrition logs, food items and recipes, manual weight/body measurements, manual or AI-created exercise and water entries, conversations, and compatible profile settings is uploaded to Firebase Cloud Storage. In backups created by current versions, HealthKit/Health Connect-imported records, derived health aggregates, provider provenance, and the health-AI permission are excluded. Older snapshots may predate that filter. Backups are isolated per user. You may ask us to delete an optional backup account and all stored snapshots as described in section 8.
  • Pseudonymous analytics: If you have both backup and analytics enabled, we identify your analytics profile using your Firebase UID (not your email). This provides cross-session continuity without linking analytics to your real-world identity.

Backup is entirely optional. You can disable it at any time in Settings, which stops future backups. Disabling backup does not itself delete existing snapshots; contact us using section 10 to request deletion.

4. What we do not collect

  • No account is required to use the app. Backup accounts are optional.
  • No GPS or precise device location. Website analytics/conversion providers may receive the request IP address as described in section 5.
  • No ads, ad targeting, or advertising profiles. We do not serve advertising, and advertising-identifier collection is disabled as described in section 2.
  • Health data is not sent to analytics or advertising services and is never sold. HealthKit/Health Connect-imported records are excluded from portable backup/export and leave the device for AI only after the separate, revocable setting described in sections 2 and 7 is enabled.
  • Your raw email is never sent to PostHog or Google Analytics. When you join the mailing list, a one-way SHA-256 hash of the normalized email may be sent to Reddit Ads for signup attribution, as described below.

5. Cookies and website analytics

Our website uses optional PostHog, Google Analytics, and Reddit campaign analytics to understand how visitors discover the site and whether they continue to an app store or join the mailing list. In regions that require prior consent (including the EU/EEA, the UK, and California) these services load only after you accept the analytics banner; in other regions they may load automatically unless you decline. A Global Privacy Control signal is always treated as a decline. We store your choice locally; once analytics is active, PostHog may store a pseudonymous browser or campaign-click identifier, and session replay is disabled. When you tap an app-store smart link, the redirect is measured server-side so campaign clicks are counted even though your browser is sent straight to the store; that measurement records the campaign parameters, destination platform, referring URL, IP address, and User-Agent, and is not gated by the banner. For a mailing-list signup, Reddit conversion measurement may receive the Reddit click ID, a random conversion ID, a one-way SHA-256 hash of the normalized email, and the request IP address and User-Agent. We do not use website analytics to serve ads or build our own cross-site profiles. You can decline via the banner, enable Global Privacy Control, or clear site data to reset your choice.

6. Email signups

If you sign up for product updates on our website, we store your email address via SendGrid to send those updates. The signup emits a PostHog event and, server-side, a Reddit conversion event carrying campaign information; PostHog does not receive your email. Reddit receives the attribution values listed in section 5. You can unsubscribe at any time. We will never sell your email address.

7. HealthKit and Health Connect

Onyx Tenet integrates with Apple HealthKit (iOS) and Health Connect (Android) so your fitness and body data can power features like adaptive TDEE, energy expenditure, trends, and personal insights. With your permission, we read: body weight, body fat percentage, and lean body mass; active, resting/basal, and total energy burned; steps and workouts/exercise sessions; resting heart rate and heart rate variability; and nutrition entries logged by other apps. This data is stored and used on-device for calculations, charts, and trends. Current versions exclude native Health records and provider provenance from new cross-platform Onyx backups/exports; normal encrypted operating-system backup and device transfer remain available. Earlier Onyx backup snapshots may predate the portable filter and can be removed through the deletion process in section 8. Connecting HealthKit or Health Connect enables personalized AI to use the synced datasets Onyx has permission to read, consistently for new users and existing upgrades. The “Share health data with AI” setting names OpenAI and Google Gemini and can be disabled for future structured dataset reads at any time, while the visible conversation remains available when you continue a chat. With your permission, we write meals you log in Onyx Tenet (calories and macronutrients) back to HealthKit / Health Connect so you can view them in other health apps; we only write your own logged food while permission is granted. Health data is never sent to analytics or advertising services and is never sold. You can revoke health-store access in the Health app (iOS), Health Connect settings (Android), or Onyx Tenet settings, and manage cloud-health AI sharing separately in Onyx Tenet's AI settings.

8. Data deletion

Uninstalling the app removes its active on-device data. Separate server-side records may still exist according to provider retention windows, including pseudonymous analytics, diagnostic crash reports, AI rate-limit records keyed to app-scoped identifiers, and portable Onyx cloud backup snapshots if enabled. To request deletion of an optional Onyx backup account and its server-side data, email support@onyxtenet.com and we will remove it. If you signed up for email updates, unsubscribe via the link in any email we've sent.

9. Third-party services

  • OpenFoodFacts (barcode data): world.openfoodfacts.org
  • PostHog (pseudonymous analytics, in-app + website): posthog.com
  • Google Analytics for Firebase (pseudonymous in-app analytics; advertising identifiers disabled): firebase.google.com
  • Google Analytics (website analytics): analytics.google.com
  • Reddit Ads (website campaign attribution): reddit.com
  • Sentry (crash reporting): sentry.io
  • Firebase Crashlytics (crash reporting): firebase.google.com
  • Firebase (AI proxy, auth, cloud storage): firebase.google.com
  • OpenAI (AI meal/text estimation and AI Insights): openai.com
  • Google Gemini (Onyx Chat): ai.google.dev
  • SendGrid (email, website only): sendgrid.com

10. Contact

Questions about privacy: support@onyxtenet.com