Privacy Policy

Last updated: March 22, 2026

Fuel is a personal health tracking app built by BreakPoint Labs. Your privacy matters. This policy explains what data we collect, how it is stored, and who can access it.

What We Collect

  • Account information (name and email address)
  • Nutrition logs (foods, macros, calories)
  • Water intake records
  • Medication records (names, doses, injection sites)
  • Wellness check-ins (rating, side effects, notes)
  • Journal entries
  • Weight history and body composition data
  • Goals and settings preferences

Where Data Is Stored

All data is stored in AWS DynamoDB with server-managed encryption at rest (AWS holds the encryption keys), hosted in the United States. Data is transmitted over HTTPS with TLS encryption. This means your data is encrypted in transit and at rest, but is accessible to the application server for processing features like daily stats and food search.

Encryption

Journal entries can optionally be end-to-end encrypted with a password you choose. When enabled, entries are encrypted on your device before being sent to our servers using AES-256-GCM. The encryption keys never leave your device. We cannot read encrypted journal entries.

Other health data (nutrition logs, medication records, wellness check-ins, weight history) is stored with server-managed encryption at rest but is not end-to-end encrypted. This data is accessible to the application for computing daily stats, generating AI recaps, and powering search features.

Third-Party Services

Anthropic Claude API

Food descriptions you enter may be sent to the Claude API for nutrition estimation. Daily summaries (calories, macros, water, wellness rating — without medication names, side effects, or specific health conditions) may be sent for AI-generated recaps. Requires authentication. Rate limited to 30 requests per day.

USDA FoodData Central

Food search queries are proxied through our servers to the USDA FoodData Central database. Only the search text is sent; no user identity is included.

Resend

Your email address is shared with Resend (our transactional email provider) to send account verification codes and password reset emails. No health data is included in these emails.

Amazon Web Services (AWS)

AWS provides infrastructure hosting including compute, database storage, and content delivery.

What Is NOT Shared

The following data is never sent to third parties: medication names, dosages, injection site data, side effect details, and wellness ratings. This sensitive health information stays on our servers and is only accessible to you through authenticated API calls.

Analytics

Fuel uses Plausible Analytics, a privacy-friendly, cookieless analytics service. Plausible does not use cookies, does not collect personal data, and does not track users across sites. It collects only aggregate page view counts. No health data, user identifiers, or personally identifiable information is sent to Plausible.

Server Logs

API request logs are retained for 30 days and include request timestamps, HTTP methods, and response status codes. IP addresses are not logged in API request logs.

Content delivery logs (for static assets) are retained for 90 days and may include IP addresses as part of standard CDN operation.

IP addresses used for rate limiting are stored as one-way hashes (not in plaintext) and expire automatically.

Data Retention & Deletion

Your data is retained for as long as your account exists. You can delete your account at any time from the Settings page. Account deletion permanently removes all of your data from our servers, including all health records, journal entries, and settings. This action is irreversible.

Contact

If you have questions about this privacy policy or your data, contact us at noreply@codyjo.com.

BreakPoint Labs