Privacy Policy

Last Updated: May 4, 2026

1. Introduction

Welcome to Cherry. We are committed to protecting your privacy and ensuring you understand how your personal information is collected, used, and safeguarded when you use our services.

This Privacy Policy applies to all Cherry services, including:

  • Web Dashboard — accessible at scorecherry.com
  • Mobile Application — available on iOS and Android
  • Browser Extension — available for Chrome and Chromium-based browsers

By using Cherry, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

  • Email address — required for account creation and communication
  • Password — securely hashed; we never store passwords in plain text
  • Display name — optional, used for personalization
  • Account timestamps — when your account was created and last accessed

2.2 Product Scanning Data

  • Product information — names, URLs, images, and barcodes of products you scan
  • Product categories — food, cleaning products, hygiene products, or alcohol
  • Scoring history — your complete history of scanned products and their scores

2.3 Health Personalization Data

To provide personalized health insights, you may optionally provide:

  • Flagged ingredients — ingredients you want to avoid
  • Allergies — with severity levels (mild, moderate, or severe)
  • Dietary restrictions — vegan, keto, halal, gluten-free, etc.
  • Health conditions — diabetes, high blood pressure, etc.

2.4 User Preferences

  • Anonymous telemetry — opt-in only (default: OFF)
  • Cross-device sync — opt-in only (default: OFF)
  • Ingredient sensitivity level — how strictly to flag ingredients

3. How We Use Your Information

  • Providing product health scores — analyzing products based on nutritional data, ingredients, and safety information
  • Personalizing your experience — showing allergen warnings and recommendations based on your health profile
  • Improving our algorithms — using aggregated, anonymized data
  • Communicating with you — sending service updates and security alerts

We do NOT:

  • Sell your personal information to third parties
  • Use your data for targeted advertising
  • Share your health information with insurance companies or employers
  • Allow brands to influence product scores

4. Third-Party Services

We use vendors (“sub-processors”) to host Cherry, run AI features, send email, take payments, and operate the product. The table below lists categories we may use; not every sub-processor receives personal data for every user or feature.

4.1 Sub-processors

Service | Purpose | Typical data
Supabase | Authentication, database, file storage | Account profile, app content you store with us
Vercel | Web dashboard hosting & previews | HTTP requests, IP (server logs)
Railway | API & backend hosting | API traffic tied to sessions / accounts as needed to serve requests
Cloudflare | DNS, CDN, WAF, DDoS protection | HTTP metadata (e.g. IP) for security and delivery
Anthropic (Claude) | AI chat & vision features | Prompts, product text or images you submit to those features
OpenAI | AI features where configured | Prompts and content you submit
Groq | AI inference where configured | Prompts and content you submit
Stripe | Web payments & billing | Billing contact, payment metadata (Stripe handles card data)
RevenueCat | Mobile subscription status | App account identifiers, subscription events
Postmark | Transactional email | Email address, message content
Sentry | Error monitoring & diagnostics | Technical diagnostics, limited request context
PostHog | Product analytics (if enabled for your workspace) | Usage events; configured per environment
OpenFoodFacts | Open product database lookup | Product identifiers / queries
USDA FoodData Central | Reference nutrition data | Product or nutrient queries

For the full inventory including processing location and each vendor's DPA link, see our sub-processor disclosure. It is reviewed quarterly and updated whenever a vendor is added, removed, or materially changed.

5. Data Storage & Security

  • Database Security — PostgreSQL with Row-Level Security (RLS)
  • Authentication — JWT with secure token handling
  • Encryption — HTTPS enforced for all communications
  • Rate Limiting — Protection against brute-force attacks

Local Storage:

  • Browser Extension — chrome.storage.local (local only)
  • Mobile App — Encrypted AsyncStorage (local only)

We don't use: Tracking cookies, browser fingerprinting, or third-party advertising trackers.

On the scorecherry.com dashboard we may show a short banner asking whether you want optional analytics (for example to understand which features are used). Required cookies and similar technologies for sign-in, fraud prevention, and core site function always apply, regardless of what you pick on the banner.

If you decline optional analytics, we store that preference in your browser so we don't keep asking on every visit. If you accept optional analytics, we store that choice instead. In production today, that mainly means the banner closes and your choice is remembered on this browser. When we turn on optional measurement tools (such as product analytics vendors listed in the sub-processor table above), we will only initialize them for browsers where you accepted optional analytics.

Clearing site data for scorecherry.com may show the banner again. This is different from your browser's global privacy or third-party cookie settings, which apply across all websites you visit.

6. Your Rights

All users have the right to:

  • Access — View all personal information we've collected
  • Correct — Update any inaccurate information
  • Delete — Permanently delete your account and data
  • Export — Download your data in a portable format (signed-in users may use GET /v1/users/me/export on the Cherry API)

GDPR (EU/EEA): Right to object, restrict processing, withdraw consent, and lodge complaints.

CCPA (California): Right to know what data is collected. We do NOT sell personal information.

7. Data Retention

  • Account data — Retained until you delete your account
  • Scanning history — Retained until you clear it or delete your account
  • Backups — Deleted within 30 days of account deletion

8. Children's Privacy

Cherry is not intended for users under 13 (or 16 in EU/EEA). We do not knowingly collect data from children. Contact us if you believe we have inadvertently collected such information.

9. International Data Transfers

Cherry is operated from the United States. For EU/EEA users, we rely on Standard Contractual Clauses to ensure adequate protection for international data transfers.

10. Changes to This Policy

We may update this policy periodically. For material changes, we will notify you via email and/or in-app notification. Continued use after changes constitutes acceptance.

11. Contact Us

For questions about this Privacy Policy:

Email: support@scorecherry.com

Include "Privacy" in the subject line for privacy inquiries.
