Contents
Mealborne is anonymous-first. You don't need an account or email address to play. We collect the minimum data needed to make the game work and improve it — nothing more.
This data lives on your device only (in the app's local storage). It is not sent to our servers in plaintext. An encrypted backup is created during the beta programme — see below.
| Data | Stored | Purpose |
|---|---|---|
| Weight | Your device (+ encrypted beta backup) | Calculates your daily calorie target using the Mifflin-St Jeor formula |
| Body fat % (optional) | Your device only | Refines protein target estimate. Entirely optional — the game works without it. |
| Age | Your device only | Required input for the BMR formula |
| Biological sex | Your device only | Required input for the BMR formula |
| Calorie & macro targets | Your device only | Drives the daily nutrition scoring in every battle |
| Data | Stored | Purpose |
|---|---|---|
| Meal logs (food, macros, timestamp) | Your device only | Every meal is a battle — we score it against your targets |
| Weigh-in history | Your device only | Trend tracking and plateau detection |
| Training records (optional) | Your device only | Affects Day Boss scoring and energy expenditure |
| Meal photos | Transient on our side — sent to our AI provider for food identification, then discarded. Not stored on Mealborne's servers. | AI-powered food logging — take a photo instead of typing |
| Game progression (XP, quests, Squire) | Your device only | Your game state |
| Data | Stored | Purpose |
|---|---|---|
| Anonymous device ID | Your device + hashed in server logs | Links your sessions together without requiring a login. Never linked to your name or email. |
| Country code (2-letter, from IP) | Our servers (keyed to hashed device ID) | Product analytics — understanding which markets play Mealborne. No city, no street, no GPS. |
| Crash & error reports | Sentry (scrubbed — no health data, no name) | Catching bugs you can't report manually (app crashes before the screen loads) |
| Anonymous gameplay events (beta, opt-in) | PostHog (US). Hashed ID only — no email, no name, no health values. | Understanding how people play during beta so we can improve the game |
| Session recordings (recruited testers, explicit opt-in) | PostHog. All text, numbers, and inputs are masked — we see that you tapped a field, not what you typed. | Watching where the UI is confusing during beta |
During the current closed beta, two additional data flows apply — both opt-in and revocable in Settings → Privacy:
By participating in the closed beta, you acknowledge that the product is pre-release and may change; that analytics are collected as described; that feedback you share may be used to improve the game without separate compensation.
Every piece of data we collect has exactly one stated purpose. We don't collect data speculatively.
| Purpose | Data used |
|---|---|
| Calculate your daily calorie & macro targets | Weight, age, sex, body fat % (optional) |
| Run the gameplay loop | Meal logs, weigh-ins, training records, game progression |
| AI food identification from photos | Meal photo (transient), food description you type |
| Corvus AI coaching (Champion tier) | Derived context only: your calorie target and recent eating history — never raw weight, age, or sex |
| Beta cache-clear recovery | Encrypted game state snapshot |
| Rate limiting and cost control | Hashed device ID |
| Crash detection | Error traces (scrubbed of personal data) |
| Product improvement during beta | Anonymous gameplay events (opt-in), masked session recordings (opt-in) |
We share data only with the services needed to run Mealborne. We sign data processing agreements with vendors where available.
| Vendor | What we share | Why |
|---|---|---|
| USDA FoodData Central | Food search queries (e.g. "chicken breast") | Nutrition database — looks up calories and macros for the foods you log |
| OpenRouter (AI gateway) | Meal photos (transient); Corvus coaching context (derived calorie/macro data — not your raw weight, age, or sex); cost telemetry | Routes AI requests to the models that power photo-to-tray and Corvus advice. Sub-processors include OpenAI, Google, xAI, and Alibaba Cloud (qwen). |
| Vercel (hosting) | API request metadata; anonymised country code | Hosts the game and serves the API |
| Supabase (database) | Encrypted state-snapshot backups (beta only; health fields are ciphertext — Supabase cannot read them) | Beta backup and future account infrastructure |
| Sentry (error tracking) | Scrubbed error traces; hashed device ID only. No health data, no name, no email. | Crash reporting and error detection |
| PostHog (analytics) | Anonymous gameplay events (9 allowed fields — no health values, no name); masked session recordings (recruited testers, opt-in) | Beta product analytics. Opt-in only. GeoIP disabled. Hashed distinct ID. |
| RevenueCat (planned) | App Store / Play Store receipts; subscription state | Subscription validation when IAP launches |
| Apple / Google (when applicable) | Subscription transaction data | Required by App Store / Play Store payment processing |
| Data | Kept for | Deleted when |
|---|---|---|
| Health & profile data (weight, age, sex, BF%) | Until account deletion + 30-day grace period | You delete your account in Settings |
| Meal logs, weigh-ins, training records | Until account deletion + 30-day grace period | Same |
| Meal photos | Not retained by us — transient only | Cleared immediately after AI analysis. OpenRouter may retain inference inputs up to 30 business days. |
| Anonymous device ID | 18 months from last use | Automatic, or user-initiated reset |
| Encrypted state snapshots (beta) | Latest 5 per device (older ones auto-pruned) | Automatic pruning, or you exit the beta programme |
| Server logs (hashed device ID, request data) | 90 days | Automatic rolling deletion |
| PostHog analytics events (beta) | ~1 year per PostHog policy | Opt-out stops new events immediately; old events roll off per PostHog |
| Session recordings (beta testers) | ~30 days per PostHog policy | Opt-out or rolloff |
| IP addresses (rate limiting) | 24 hours | Automatic |
Account deletion is soft for 30 days (in case it was accidental), then permanent. After hard deletion the only thing we retain is a timestamped deletion record with no personal information — kept 7 years for compliance.
You have rights over your data. We honour all GDPR, CCPA, Philippine Data Privacy Act, and equivalent rights globally — we apply the highest standard, wherever you are.
Request a full export of your data any time via Settings → Account → Export My Data. You'll receive a ZIP file containing your profile, meals, weigh-ins, achievements, and history in open JSON format.
Use Settings → Account → Delete Account. For anonymous accounts (most users) this clears all local data immediately — there's nothing on our servers to erase. For authenticated accounts, deletion triggers a server-side wipe after a 30-day grace window.
Edit any field in Settings. If you can't reach something via the UI, email us and we'll correct it.
Via Settings → Privacy you can toggle: body fat % logging, anonymous analytics, session replay, and (when available) AI coaching.
We do not sell personal information. The "Do Not Sell" toggle is in Settings → Privacy as a disclosure requirement — it's a no-op in practice because there's nothing to stop.
Corvus AI coaching is available to Champion subscribers only. If you are on the Champion tier, Corvus advice is generated by a large language model — it is informational only and does not make decisions with legal or significant real-world effects on you. Champion subscribers can opt out via Settings → AI Coaching.
Mealborne is operated by Guild Development Corporation, a company registered in the Republic of the Philippines. We comply with all applicable data protection laws.
Guild Development Corporation acts as the Personal Information Controller under RA 10173. Health-related data is sensitive personal information under Philippine law. Our lawful basis for processing it is your explicit consent (given at first launch) and contractual necessity (your nutrition targets are required to run the game). Philippine users have the right to file complaints with the National Privacy Commission.
Our lawful basis by data type: weight/age/sex (legitimate interests + contractual necessity for BMR calculation); analytics (consent, which you can withdraw at any time). We use Standard Contractual Clauses for transfers of data from the EEA/UK to our US-based vendors.
Categories collected: Identifiers (anonymous device ID), Health & Fitness Data (weight, BF%, BMR), User Content (meal logs). Categories sold: none. Categories shared for cross-context behavioural advertising: none (in-app; see above for marketing site). Health data is sensitive PI under CPRA — we use it only for your nutrition targets and opt-in AI coaching.
Mealborne is for adults 18 and over. Our age gate refuses registration to anyone under 18. We do not knowingly collect data from minors. If you believe a child has used Mealborne, contact us and we'll delete their data immediately.
When the Mealborne mobile app launches with HealthKit integration, this section will become active. Until then, no HealthKit data is accessed.
Our planned posture: HealthKit data never leaves your device; we read it locally for convenience (auto-filling your daily weigh-in) but never sync it to our servers; it is never used for advertising and never shared with third parties, consistent with Apple's HealthKit policies.
Mealborne is for adults 18 and over. If you are under 18, do not use Mealborne. If you are a parent or guardian and believe your child has used the app, please contact us at team@mealborne.gg — we will delete their data immediately.
We protect your data with industry-standard technical measures:
In the event of a data breach involving sensitive personal information, we will notify affected users and the relevant supervisory authority within 72 hours of discovery.
Questions about your data, requests to exercise your rights, or concerns about this policy:
Guild Development Corporation / Mealborne
Email: team@mealborne.gg
Subject line: Privacy Request
For urgent matters (suspected data breach): subject line Privacy Urgent
We aim to respond to all privacy requests within 30 days.
We will update this policy as Mealborne evolves:
The current version is always at mealborne.gg/privacy.