Legal
Privacy Policy
Last updated: 9 July 2026
Knowbite ("Knowbite", "we", "us") provides a barcode scanner that gives you gluten and lactose safety information about packaged food products. This policy explains what personal data we collect, why, and what rights you have over it. Knowbite is operated from Georgia. If you have questions about this policy or want to exercise any of the rights below, contact us at privacy@knowbite.app.
What we collect
Account data.If you create an account, we (via our authentication provider, Clerk) store your email address and a unique account ID. We don't require or store a password — sign-in is passwordless.
Scan data.When you scan a barcode, we store the barcode, the product information we retrieved for it, and a timestamp, linked to your account, so we can show you your scan history. If you're not signed in, we don't link scans to any personal identifier — we only track how many free scans you've used, against a hashed (not raw) version of your IP address, for a rolling 7-day window.
Subscription data.If you subscribe, our payment provider Paddle handles your payment details directly — we never see or store your card number. We store the subscription status, plan, and Paddle's own subscription/customer identifiers, so we know what you're entitled to and can let you manage your subscription.
Technical data. Our hosting provider (Vercel) and infrastructure providers may log IP addresses and basic request metadata as part of normal operation and security monitoring, in line with their own privacy practices.
Why we process it, and on what legal basis
- Looking up a scanned barcode and showing you the result — necessary to perform our contract with you (this happens the same way whether or not you're signed in).
- Linking that scan to your account, so we can show your scan history — your explicit consent, given separately when you create an account. See "Special category data" below for why this needs its own consent rather than being covered by contract necessity.
- To enforce free-scan limits and prevent abuse — our legitimate interest in keeping the service usable and sustainable.
- To process payments and manage subscriptions — necessary to perform our contract with you.
- To keep the service secure and diagnose problems — our legitimate interest in operating a reliable service.
Special category data (health-related information)
Gluten and lactose information about products you've scanned, once linked to your account, reveals something about your health — most people scanning for gluten or lactose are managing celiac disease, a lactose intolerance, or a similar condition. Under GDPR Article 9, that makes your scan history special category data, which needs a stronger legal basis than ordinary personal data. We rely on your explicit consent for this, given through a separate, specific checkbox when you create an account — not bundled into agreeing to our Terms generally. You can withdraw this consent at any time by deleting your account from the Accountpage, which deletes your scan history along with it. If you're not signed in, we don't link scans to any personal identifier at all — see "Scan data" above.
Who we share data with
We use a small number of infrastructure providers to run Knowbite, each acting as a processor on our behalf: Clerk (authentication), Neon (database hosting), Upstash (caching and rate limiting), Paddle (payments — acting as Merchant of Record, meaning Paddle is the seller of record for your subscription and independently responsible for payment data under its own privacy policy), and Vercel (application hosting). When you scan a barcode, we query Open Food Facts' public product database by barcode only — we don't send any personal data to Open Food Facts. We don't sell your data, and we don't share it with advertisers.
International transfers
Knowbite is operated from Georgia. If you're located in the EU/EEA, this means your data may be processed outside the EU/EEA — both by our infrastructure providers, and directly by us when we access it from Georgia (for example, to provide support). Our infrastructure providers are established companies with their own data-protection commitments; we rely on the safeguards each of them provides (such as standard contractual clauses, where applicable) for transfers out of the EU/EEA, and we apply the same standard to our own access.
Security and breach notification
We use industry-standard security practices (encryption in transit, access controls, and the security practices of our infrastructure providers) to protect your data. No system is perfectly secure. If a breach occurs that's likely to put your rights or freedoms at risk, we'll notify the relevant data-protection authority within 72 hours of becoming aware of it, as required by GDPR, and notify you directly where the law requires it.
How long we keep it
We keep your account and scan history for as long as your account is active, or until you delete it. Anonymous (pre-registration) scan-count data tied to a hashed IP is kept for a rolling 7-day window, then reset. Subscription records are kept for as long as needed for accounting and legal purposes after a subscription ends.
Your rights
If you're in the EU/EEA (or wherever data-protection law gives you these rights), you can:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data — you can do this yourself from the Account page, or by emailing us.
- Export your data in a portable format.
- Object to, or ask us to restrict, certain processing.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@knowbite.app. Account and scan-history deletion is also available directly from your Account page.
Cookies
We use a small number of strictly necessary cookies to keep you signed in and to remember your cookie preference. We don't use advertising or cross-site tracking cookies. See the cookie banner shown on your first visit for details and to change your preference at any time.
Children
Knowbite isn't directed at children, and we don't knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we'll delete it.
Changes to this policy
If we make material changes to this policy, we'll update the date at the top of this page. Continued use of Knowbite after a change means you accept the updated policy.