CalBurndown is local-first by design. Most data — meals, activities, body snapshots, location-derived meal hints — lives in IndexedDB on your device. Cloud sync is opt-in. AI requests strip identifying metadata. Here's the honest map of what goes where.
What stays on your device
- All meals, including the full item breakdown
- All activities, including step counts and routes
- Body snapshots (weight, body fat estimates)
- Background location history — never uploaded
- AI parser inputs — text and photo go to the AI service for a single request, then are not retained
If you wipe your local data (Settings → Danger zone → Wipe local data) without syncing, that data is gone. Use Backup → Export first if you want to keep it.
What we send to our server
When you're signed in, cloud sync is on by default. We upload:
- Meal logs (kcal, macros, item names, timestamps — no photos)
- Activity logs (kind, duration, distance, kcal, timestamps)
- Body snapshots (weight, recorded_at)
- Goals and preferences (cadence, target deficit, reminder hours, push tokens)
- Email address and Google ID if you signed in via Google
We do not upload:
- Meal photos themselves (they stay on your device by default; opt-in for sync)
- GPS coordinates or background location
- Voice recordings (transcribed on-device when possible)
- IP addresses beyond what Cloudflare sees for the HTTP request
What we send to the AI
When you log a meal via text, voice, or photo:
- The text or photo is sent to Google Gemini via Cloudflare AI Gateway
- EXIF and GPS metadata are stripped from photos before the API call
- The request is logged on Cloudflare for billing only; we don't retain content
- Google Gemini's data retention applies — currently 30 days for abuse review
If you don't want any AI involvement, log meals manually via search.
What we send to PushMail (email reminders)
We use PushMail as our email service for magic-link sign-in, newsletter, and reminder emails. They receive:
- Your email address
- The text of the email we're sending
- Open and click events if you have email opens enabled
You can opt out of marketing emails (newsletter) via the unsubscribe link in any newsletter email. Transactional emails (sign-in links, weigh-in reminders if you've explicitly enabled them) can't be unsubscribed because they're triggered by your actions.
Cloudflare's role
Our infrastructure runs on Cloudflare:
- Workers — the API server
- D1 — the SQL database (small, structured data)
- R2 — photo storage (when you opt in to photo sync)
- KV — short-lived cache
- AI Gateway — routes Gemini calls (gives us cost control and a request log)
Cloudflare's privacy policy applies to anything that touches their infrastructure.
How to export everything
Settings → Backup → Export all data downloads a JSON file with:
- Every meal you've logged
- Every activity
- Every body snapshot
- Your goals and preferences
You can re-import it on another device via Settings → Backup → Import, or feed it into your own tooling. The schema is documented in the export header.
How to delete everything
Two scopes:
Local only — Settings → Danger zone → Wipe local data. Clears IndexedDB on this device. Does not touch the cloud copy.
Local + cloud — sign in, Settings → Account → Delete account. Removes your user row, all meals, all activities, all snapshots, all preferences, all push subscriptions, all reminder logs. Cloudflare's standard retention (logs, etc.) may persist briefly.
We do not have a "delete my AI request history from Google" button — that's outside our control. The Gemini retention window is 30 days.
What we'll never do
- Sell your data to brokers
- Target you with food ads based on what you ate
- Mine your meal logs for any commercial use
- Show ads in CalBurndown, ever (no "Pro removes ads" — there aren't any)
We're a paid product. Your subscription is how we stay independent.