Legal
Privacy Policy
Last updated: July 6, 2026
This Privacy Policy explains what personal data we collect through the Forkbit nutrition data API and dashboard (the "Service"), how we use it, and who we share it with. The Service is operated by Daniel de Almeida Cruz da Cunha, a Brazilian sole proprietor (Empresário Individual) registered under CNPJ 41.170.091/0001-90 ("we", "us"), doing business as Forkbit at forkbit.io. As a Brazilian data controller, we process personal data in accordance with the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018).
1. Data we collect
We collect the following categories of data:
- Account data — email address, name, and profile image, either entered directly or provided by an OAuth sign-in provider (Google or GitHub).
- Authentication metadata — session tokens, IP address, and user-agent string, used to keep you signed in and to detect suspicious activity.
- API keys — we store a name and a hash of each key you create, plus when it was last used. We never store your API key in plain text after it is first shown to you.
- Usage data — for each API request: the endpoint called, response status, response time, and credits consumed. Used for billing, rate limiting, and abuse detection.
- Billing data — your subscription plan, status, and billing interval, and a Stripe customer identifier. We do not store your payment card details; these are handled entirely by Stripe.
- Request content — free-text food descriptions you submit to endpoints like
POST /v1/parseare sent to our language-model provider to generate a response. This text is not stored as content or associated with your account beyond what is needed to serve the request and to log usage for billing purposes.
2. How we use your data
We use the data described above to:
- Provide, operate, and maintain the Service, including authenticating requests.
- Meter usage against your plan and enforce rate limits and credit quotas.
- Process payments and manage subscriptions.
- Detect, investigate, and prevent abuse, fraud, or security incidents.
- Respond to support requests you send us.
We do not sell your personal data, and we do not use your account data or request content to train models.
3. Third parties we share data with
We use a small number of third-party service providers ("subprocessors") to operate the Service. We share only the data each provider needs to perform its function.
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing and subscription billing | Email, billing identifiers, payment method (held by Stripe) |
| OpenAI | Powers POST /v1/parse natural-language food parsing | Free-text input submitted to that endpoint |
| Google / GitHub | Optional OAuth sign-in | Email, name, profile image (received from the provider) |
| Railway | Application hosting and database (Postgres, Redis) infrastructure | All data described in Section 1, at rest |
We do not share your personal data with third parties for their own marketing purposes.
4. International data transfers
Our hosting provider, Railway, processes data primarily in the United States. This means your personal data may be transferred outside Brazil. Where this occurs, we rely on contractual safeguards (such as standard contractual clauses) required under LGPD Art. 33 to ensure your data receives an adequate level of protection.
5. Cookies
The dashboard uses a single, essential session cookie to keep you signed in. We do not use advertising or analytics tracking cookies.
6. Data retention
We retain account and billing data for as long as your account is active. Usage logs are retained for 12 months for billing, abuse prevention, and support purposes. If you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or tax purposes.
7. Your rights
Under LGPD, you have the right to: confirmation that we process your data; access to your data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; portability of your data to another provider; deletion of personal data processed with your consent; information about the public and private entities with which we share your data; information about the possibility of withholding consent; and revocation of consent. You can exercise most of these directly from the dashboard, or by contacting us using the details below. If you are located outside Brazil, additional rights may apply under your local law (for example GDPR in the EU/UK, or the CCPA in California); contact us and we will address your request under the applicable regime. You may also lodge a complaint with Brazil's data protection authority, the ANPD (Autoridade Nacional de Proteção de Dados).
8. Security
API keys are stored as one-way hashes, not in plain text. Data is encrypted in transit using TLS. Access to production data is restricted to those who need it to operate the Service.
9. Children's privacy
The Service is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the dashboard.
11. Contact
Questions about this Privacy Policy, LGPD data subject requests, or any other matter relating to your personal data, can be sent to [email protected], which serves as our point of contact for data protection matters.