Privacy Policy

Privacy Policy & Medical/Travel Safety Disclaimer for AllergySpeak
Effective date: 10/1/2025
Last updated: 10/28/25
Summary

• AllergySpeak processes sensitive health data (your allergies) only with your explicit consent, to power translations, local‑language allergy cards, and barcode/label allergen alerts. You can withdraw consent anytime in Settings → Privacy.
  
• Camera/microphone/location access is optional and used only for the features you turn on. You can revoke location access in your device or browser settings.
  
• We do not sell your personal information. We share data only with the providers listed below to deliver core features.
  
• Your trip profiles are stored locally on your device (no cloud sync unless you enable it).
  
• Translations and barcode alerts can be wrong or outdated—always verify with staff and labels and carry your medication.
  

1) Who we are
MacroPath Corp, DBA AllergySpeak  (“we,” “us,” “our”) operates AllergySpeak (the “Service”).
Address: 8 THE GRN STE R 8 Dover, DE 19901
Contact: hello@allergyspeak.com
2) What we collect
2.1 Data you provide

• Account data: name or alias, email, password (hashed), preferred language(s).
  
• Allergy profile (special‑category data): allergens (e.g., peanut, tree nut, shellfish), severity notes, emergency instructions, medications (e.g., epinephrine). (Collected and used only with explicit consent.)
  
• Allergy card content: your statements and their local‑language versions you save/edit.
  
• Medical phrasebook: saved phrases (e.g., “I need a doctor,” “Where is the pharmacy?”).
  
• User content: photos of menus/labels, venue notes, barcodes you choose to save, reviews you post.
  
• Support/feedback: messages and metadata you send us.
  
• Payments (if applicable): processed by [App Store/Stripe]; we receive limited billing metadata (no full card numbers).
  

2.2 Data collected automatically

• Device & app data: device model, OS/app version, performance metrics, crash logs.
  
• Usage analytics (pseudonymized): screens used, feature events (e.g., “barcode scanned”), timestamps.
  

2.3 From features you enable (permissions)

• Camera/photos: for barcode/label/menu scanning and to add images to allergy cards.
  
• Microphone/speech (optional): voice input for translations; typically processed ephemerally.
  
• Approximate/precise location (optional): used to suggest nearby restaurants and set local language automatically. You can disable this in device/browser settings.
  

3) Why we process your data & legal bases

Purpose

Examples

Legal basis

Provide the Service

Translate allergy statements, generate local‑language cards, barcode/ingredient checks, medical phrase translations

Contract

Process allergy (health) data

Personalize warnings; insert allergens into cards/translations

Explicit consent (GDPR Art. 9(2)(a)); withdraw anytime

Improve, debug, secure

Crash reports, performance, abuse prevention

Legitimate interests

Customer support

Respond to tickets, troubleshoot

Contract / Legitimate interests

Communications

Service notices & policy updates; optional tips/news

Legitimate interests / Consent (for marketing)

Compliance

Record‑keeping, lawful requests

Legal obligation

If you withdraw consent for allergy data, features that rely on it (e.g., personalized alerts/cards) will stop working.

4) Sensitive health data safeguards

• Data minimization, role‑based access, and encryption in transit and at rest for stored allergy data and saved images.
  
• We do not use allergy data for targeted advertising and do not combine it with advertising IDs.
  
• Consent is granular where feasible (e.g., use barcode scanning without saving an allergy card).
  

5) Our service providers (what we send and why)
AllergySpeak uses the following third‑party services to provide core features. We share only the minimum data needed, and only for the feature you invoke.

• OpenAI (translations) – We send the text of your allergy statements/phrases (and language context) to generate local‑language translations. OpenAI states that API data is not used to train models unless you explicitly opt‑in; by default, API inputs/outputs may be retained up to ~30 days for abuse monitoring (provider‑specific/endpoint‑specific). We configure the API accordingly. OpenAI Platform+1
  
• Google Places API (nearby restaurants) – If you enable location, we send coarse or precise coordinates and query terms to suggest nearby venues; you can revoke location access in your device/browser. The Places API provides business details and requires proper attribution in the app UI; we follow Google’s Places API policies. Google for Developers+2Google for Developers+2
  
• Open Food Facts (barcode lookups) – When you scan a barcode, we query Open Food Facts with the barcode number to retrieve product/ingredient/allergen data. Reading the public database does not require a user account, and no personal identifiers are needed for lookups (accounts are used only for contributors). Open Food Facts+1
  
• Replit (hosting) – Our web services are hosted on Replit infrastructure. Replit reports SOC 2 Type II attestation and notes that services are primarily hosted in the United States and may also be hosted in other locations (e.g., India); we configure US hosting for AllergySpeak. Replit Docs+1

Your allergen selections and location are shared only with these services as needed to provide translations and recommendations. We do not sell your data. (Attributions and links for third‑party content are shown in‑app where required.)

6) How barcode/label scanning works (and its limits)

• We read barcodes (UPC/EAN) and/or perform OCR on labels/menus to surface potential allergens.
  
• Lookups query Open Food Facts; OCR/translation may use OpenAI for machine translation.
  
• Important limitations: ingredients/suppliers change; regional labeling rules differ; barcodes can map to multiple variants; cross‑contact is often undisclosed; OCR can misread text. Always read the current label and confirm with staff. Open Food Facts
  

7) Sharing your information (no sale)
We do not sell your personal information. We share it only with:

• Processors/service providers described above, under contracts that require confidentiality, security, and purpose limitation;
  
• Other users/public if you intentionally post reviews/photos (your display name and content may be visible);
  
• Legal/safety recipients to comply with law, enforce terms, or protect rights/safety;
  
• Business transfers (e.g., merger/acquisition); we’ll ensure equivalent protection or require deletion.
  

8) International data transfers
If data is transferred outside your region (e.g., EEA/UK to the U.S.), we use approved safeguards such as Standard Contractual Clauses (SCCs) and, where required, the UK IDTA/Addendum, plus transfer risk assessments. (Note: Replit indicates services are primarily hosted in the U.S. and may also be hosted in India.) Replit
9) Retention
We keep data only as long as needed for each purpose, then delete or de‑identify it.

• Account & allergy profile: life of account; delete within [30–60] days of closure.
  
• Trip profiles: stored locally on your device by default (no cloud copy unless you enable sync/backup).
  
• Saved allergy cards & phrasebook: until you delete or close your account.
  
• Barcode scans/images: processed ephemerally unless you save them; unsaved scans not retained beyond short‑term logs [≤30 days].
  
• Analytics/crash logs: [12–18] months (aggregated thereafter).
  
• Provider‑side: OpenAI API may retain inputs/outputs for up to ~30 days for abuse monitoring (endpoint‑specific); Google/Open Food Facts/Replit maintain their own service logs per their policies. OpenAI
  
• Backups: rolling [30–90] days.
  
• Support tickets: [2–3] years.
  

10) Your rights
Depending on your location, you may have rights to access, correct, delete, restrict or object, withdraw consent, and data portability.

• U.S. state privacy laws (e.g., California) may add rights to know/access, correct, delete, opt‑out of sale/share/targeted advertising, and appeal.
  Use Settings → Privacy or contact info@allergyspeak.com. We may verify your identity and will respond within required timeframes.
  

California disclosures (CPRA):

• We do / do not “sell” or “share” personal information for cross‑context behavioral advertising. (Choose one; if “do,” provide a “Do Not Sell or Share” toggle in‑app.)
  
• We honor device‑level ad‑limit settings (IDFA/AAID). Authorized agents may submit requests with proof.
  

11) Children’s privacy
AllergySpeak is not directed to children under [13/16 in EEA]. We do not knowingly collect personal data from children without appropriate consent. If you believe a child has provided data, contact us for deletion.
12) Security
We use administrative, technical, and physical safeguards, including encryption, access controls, and regular security reviews. Replit reports SOC 2 Type II attestation for its platform. No method is 100% secure; we will notify users and/or regulators of a breach as required by law. Replit Docs
13) SDKs, cookies & telemetry
Our app and site may use first‑party storage and third‑party SDKs for analytics, crash reporting, and performance. Manage preferences in Settings → Privacy and via device/browser privacy controls.
14) Automated processing, OCR & translation specifics

• Text/images you submit for OCR/translation may be sent to OpenAI to return results. OpenAI’s API does not use your data to train models unless you opt in; API data may be retained for up to ~30 days for abuse monitoring (endpoint‑specific). We configure the API accordingly. OpenAI Platform+1
  
• Machine translations/OCR can be inaccurate. Always verify with staff and labels.
  

15) Third‑party links
Links to restaurants, retailers, or resources are governed by their own terms and privacy policies (e.g., Google/Maps content attribution where displayed). Google for Developers
16) Changes to this policy
We’ll post updates here and change the “Last updated” date. For material changes, we’ll notify you in‑app or by email.
17) Contact
Privacy questions and requests: info@allergyspeak.com
Security reports: [security@allergyspeak.com]
Medical & Travel Safety Disclaimer (for AllergySpeak)
AllergySpeak helps you communicate allergies to restaurant staff, generate a local‑language allergy card, scan barcodes/labels for allergens, and translate common medical phrases. However:

1. No medical advice; no clinician relationship
   AllergySpeak provides general information and communication support only. It does not provide medical advice, diagnosis, or treatment, and does not create a doctor‑patient relationship. Consult a qualified clinician about your specific condition.
   
2. Not for emergencies
   AllergySpeak is not an emergency service. In a medical emergency, call local numbers immediately (e.g., 112, 911, 999) or seek in‑person care. Always carry your prescribed medications (e.g., epinephrine auto‑injector).
   
3. Translations and cards can be wrong or misunderstood
   

• Machine translations may contain errors, vary by dialect/region, or miss nuance important for safety.
  
• Staff may misread or be unable to read your device/card. Show your card and confirm verbally whenever possible.
  

1. Barcode/label limitations
   

• Barcodes can map to multiple product versions; ingredients and suppliers change; regional labeling rules differ; cross‑contact is often undisclosed.
  
• OCR can misread text or miss small print. Always read the label and ask staff.
  

1. Restaurant and kitchen practices change
   Recipes, suppliers, and prep areas change frequently; cross‑contact can occur even when an allergen is not an ingredient.
   
2. Individual risk varies
   Severity depends on personal factors and context. AllergySpeak cannot assess co‑factors (exercise, alcohol, illness). Follow your clinician’s personal emergency action plan.
   
3. Airlines/transport
   Special meals, buffer zones, and cleaning are not guarantees of an allergen‑free environment. Confirm policies directly with operators before travel.
   
4. No warranties; limitation of liability
   The Service is provided “as is” and “as available.” We make no warranties of accuracy, completeness, or suitability. To the maximum extent permitted by law, AllergySpeak LLC and its officers, employees, and partners are not liable for indirect, incidental, special, consequential, or punitive damages, or for loss of data, personal injury, or death arising from or related to your use of or reliance on the Service. This clause does not limit liability that cannot be limited by law.
   Optional cap (jurisdiction‑dependent): If liability is found, our total liability shall not exceed [the greater of $100 or fees paid in the past 12 months].
   
5. Indemnity (optional)
   You agree to indemnify and hold harmless AllergySpeak LLC from claims arising out of misuse of the Service or violation of this disclaimer.
   
6. Governing law & venue
   These terms are governed by Delaware, and disputes will be resolved in the courts of Delaware unless mandatory law provides otherwise).
   

IMPORTANT

• Carry your epinephrine and medications at all times.
  
• Confirm twice: show your allergy card and ask staff to read back your allergens in the local language.
  
• Ask about cross‑contact (shared oil, grills, utensils).
  
• Read the label every time; formulations change.
  
• When in doubt, do not consume.