Privacy | Alc AI

1. Scope

This policy applies to the Alc AI mobile application and support channels linked from this site.
This policy does not govern third-party services that have separate privacy terms.
By using Alc AI, you acknowledge this Privacy Policy and our Terms of Service.

Account data: user ID and email address when you sign in with Apple through Supabase.
Product analytics data: app usage events, screen views, onboarding progress, and drink-log event metadata through Mixpanel.
Subscription data: entitlement and purchase status through RevenueCat and Apple billing systems.
Scan input data: photo/image payloads you submit for drink analysis.
Scan output data: derived drink fields such as name, ml, ABV, calories, and sugar.
Security and abuse-control metadata: request bytes, hashed network identifiers, optional hashed device fingerprint data, request decisions, and operational telemetry for scan abuse protection.

Profile inputs such as age/date of birth, sex, height, weight, and drinking-experience preferences are stored locally.
Drink logs, BAC calculations, and recovery timeline data are stored locally in app storage/Core Data.
If you grant access, step-count data is read from Apple Health for in-app comparisons.
In the current app code path, HealthKit step data is used for on-device insights and is not sent to your backend by default.

Provide account authentication, session continuity, and purchase restoration.
Run core app functions such as drink tracking, BAC estimation, and recovery insights.
Process drink-photo scans and return structured drink estimates.
Measure app usage, onboarding performance, and feature adoption.
Detect abuse, enforce scan limits, and maintain service reliability and security.
Respond to support requests and service-related communications.

Supabase: authentication, token/session handling, and edge-function infrastructure.
OpenAI: image analysis of drink photos via the Supabase edge function.
Mixpanel: product analytics and event measurement.
RevenueCat: subscription entitlement and purchase-state management.
Apple: Sign in with Apple, push notification permissions, HealthKit permissions, and App Store billing flows.

On-device data remains until you remove it in-app, uninstall the app, or clear device storage.
Server-side data retention depends on operational, security, legal, and processor requirements.
Scan abuse-control logs may be retained to enforce quotas, dedupe checks, and anomaly monitoring.

You can continue onboarding without creating an authenticated account.
You can disable camera, notifications, and Health permissions in iOS Settings.
You can use the in-app "Delete All Data" action to clear local app data and sign out locally.
For account-level/privacy requests, contact support at support@alcai.app.

Session tokens are stored using device keychain protections in the app.
Reasonable administrative and technical safeguards are used, but no system is absolutely secure.
When required, incidents are handled and disclosed consistent with applicable law.

Alc AI is not intended for children under 13.
If data is discovered to have been submitted by a child under 13, we will take appropriate removal steps.

We may update this Privacy Policy to reflect legal, product, or operational changes.
The “Last updated” date reflects the current version.

Email: support@alcai.app
For privacy/account requests, include the email associated with your app account when possible.