Privacy Policy

What we see, what we don't, and why.

KetoCypher is built so we cannot read your food log, weight, biometrics, or any other entry you make. This policy describes the few things we do see, and the architectural reason we don't see the rest.

Effective: June 21, 2026.

1. The short version

  • Your food log, weight, biometric readings, ratings, fasting sessions, and any notes are encrypted on your phone before they leave it. The server stores ciphertext only.
  • There is no admin key. No "reset password and recover data" path on our side, because both would be backdoors.
  • The only personal data we knowingly see is your email address (for the waitlist and your account) and an unguessable password verifier (so you can sign in).
  • We do not sell data. We do not run ad networks. We do not share data with third parties for marketing.
  • If a court compels us, we can hand over ciphertext and account email. We cannot hand over what we cannot read.

2. What the server actually receives

To run an account and (optionally) a cloud backup, the server stores:

  • Email address. So you can sign in and recover your account.
  • Password verifier. A derived value, not your password. It lets the server confirm you know your password without ever seeing it.
  • Account metadata. Account creation timestamp, tier (Free or Premium Backup), basic billing state if you are on Premium.
  • Encrypted backup blobs (Premium Backup only). Ciphertext, plus the minimum metadata required to upload, list versions, and download (size, version counter, timestamp).
  • Standard request logs. IP address and user-agent at request time, retained for security and abuse handling, not used for advertising or profiling.

The server does not see your food log entries, weight, heart rate, sleep, glucose, steps, electrolyte totals, ratings, fasting sessions, custom foods, recipes, or any other data you enter in the app. Those values are encrypted on your device with a key derived from your password (Argon2id) before they ever leave it.

3. What stays on your device

Everything you enter, everything Health Connect returns to the app, and everything KetoCypher computes from those values stays on your phone in an encrypted local database (SQLCipher). Single-signal insights and correlations are computed on-device. We do not see what your sleep is, what your blood glucose was, or which foods you logged.

4. Google Health Connect

If you connect Google Health Connect, KetoCypher reads weight, sleep, heart rate, blood glucose, and steps locally to pair them with your food log. We do not store, transmit, or process those readings on our servers. Health Connect runs inside Android's sandbox; the data flows app-to-app on your device.

You can revoke individual signal permissions at any time in Android Settings → Health Connect → KetoCypher.

5. Waitlist

If you submit your email on the landing page waitlist, we store the address and a tag indicating the source (the landing page) in our database. We use it only to notify you when the Android beta opens. To remove yourself, reply to the confirmation email or write to [email protected].

6. Analytics

We use Cloudflare Web Analytics, which is cookieless and does not track individuals across sites. It records aggregate page-view counts and approximate location at the country level. No personal profile is built.

7. Children

KetoCypher is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, write to [email protected] and we will remove the account.

8. Data location

Account data and (for Premium Backup users) encrypted backup blobs are stored on infrastructure hosted in the United States. Cloudflare handles the public web edge.

9. Your rights

You can:

  • Export your data. Free and Premium users can export a portable .kcbak file from inside the app. It is still encrypted with your master key.
  • Delete your account. Email [email protected] from the address on the account. We delete the account record and (for Premium Backup) the stored ciphertext blobs. Because we cannot read the blobs, no further "data" exists for us to delete after that.
  • Correct or update contact details by writing to [email protected].

If you are in the EU/UK, the GDPR/UK GDPR rights of access, rectification, erasure, restriction, portability, and objection apply. The architecture (we cannot read your data) means that for most categories there is no plaintext to access, rectify, or port from our side; the export inside the app is the only complete copy.

10. Subprocessors

  • Cloudflare (CDN, DNS, web analytics).
  • Supabase (database and auth for account email + verifier + waitlist).
  • Amazon SES (transactional email: account, password reset, beta invite).

If we add or change a subprocessor in a way that affects this policy, we will update this page.

11. Changes

If we materially change how the app handles your data, we will update the "Effective" date above and call out the change at the top of this page. Continued use after a change means you accept the updated policy.

12. Contact

General questions: [email protected]. Privacy, account, or data requests: [email protected].
