How it works Privacy Terms of Service Medical disclaimer Get the app
Home chevron_right Legal chevron_right Privacy Policy

Privacy Policy

event_available Effective date: June 6, 2026 update Last updated: June 6, 2026

This Privacy Policy explains how Xruseon, Inc. (“AllerTrac”, “we”, “us”, or “our”) collects, uses, shares, and protects information when you use the AllerTrac mobile application and the website at https://www.allertrac.com (together, the “Service”).

lightbulb

Plain-language summary (not a substitute for the full policy):

AllerTrac helps you organise allergy/sensitivity information and cross-check product ingredients. Your profiles, avoid-lists, scans, and lists are stored in your own account and are readable only by you. We process ingredient-label photos on your device. Our analytics are deliberately limited and never include allergy names, profile or child names, the text read from labels, barcodes, or ingredient text. You can delete your account and all of its data at any time.

1 Who we are and how to contact us

AllerTrac is operated by Xruseon, Inc., 1621 Central Ave #6094, Cheyenne, WY 82001.

For privacy questions or to exercise your rights:

2 Scope

This policy covers the AllerTrac app (iOS and Android) and our website. It does not cover third-party services we link to or rely on, which have their own policies (see Section 8).

3 Information we collect

We collect only what the Service needs to function.

3.1 Information you provide

  • Account information: your email address and authentication credentials (managed by Firebase Authentication; we do not store your raw password).
  • Profiles you create: for yourself and household members you choose to add, which may include a display name, relationship label (e.g. “child”, “self”), and the allergies/sensitivities (“avoid-list”) you configure, along with matching strictness preferences. These avoid-lists may reveal health-related information (see Section 4 on sensitive data).
  • Activity content: scan history, pantry items, shopping lists, emergency cards, and product-correction reports you submit.
  • Uploaded files (optional): if you explicitly choose to save a label photo, profile image, or document, it is uploaded to your private storage area. Label photos used only for scanning are processed on your device and are not uploaded unless you save them.
  • Support communications: information you include when you contact us.

3.2 Information collected automatically

  • App usage analytics: a limited set of low-cardinality events (for example, “scan started”, “scan completed”, a result-state label, “profile created”). These events do not include allergy names, profile or child names, the text read from labels (OCR), barcode values, or raw ingredient text.
  • Diagnostics / crash data: technical error and crash information (via Firebase Crashlytics) used to fix stability problems. This is limited to framework/diagnostic data and does not include your health or label data. Crash and analytics collection are disabled in development/emulator builds.
  • Device & technical data: standard data needed to deliver the Service and protect it from abuse (e.g. app version, OS version, device type, IP address for security/anti-abuse via Firebase App Check / Google infrastructure).
  • Website data: see the Cookie Policy.

3.3 Information we do not want or intentionally collect

We do not sell your data, we do not use it for third-party advertising, and we do not track you across other apps or websites. We instruct our analytics to exclude health-related and label-derived content.

4 Sensitive / special-category information

Allergy and sensitivity avoid-lists can constitute health-related information (“special category data” under GDPR; “sensitive personal information” under CCPA/CPRA and similar laws). We handle this data as follows:

  • It is stored only within your account, protected by access rules that make it readable only by you.
  • It is never transmitted to analytics or advertising systems.
  • We process it solely to provide the Service's core function — matching your configured avoid-list against product ingredient text on your behalf.
  • Where the law requires a lawful basis or your consent to process such data, your creation and use of profiles/avoid-lists constitutes your explicit consent to this limited processing, which you can withdraw by deleting the data or your account.

5 How we use information

We use information to:

  1. Provide the Service — authenticate you, store your profiles and lists, resolve products, and run the deterministic ingredient-matching rule engine.
  2. Look up product data — send a scanned barcode or a search term to our servers, which query a third-party product database on your behalf (see Section 8). We do not send your identity, profiles, or avoid-lists to that database.
  3. Improve reliability — diagnose crashes and understand high-level, non-sensitive usage patterns.
  4. Protect the Service — prevent abuse and secure our systems (e.g. App Check attestation).
  5. Communicate with you — respond to support requests and send essential service notices.
  6. Comply with law — meet legal obligations and enforce our Terms.

6 Legal bases for processing (EEA/UK users)

Where GDPR/UK GDPR applies, we rely on:

  • Performance of a contract — to provide the Service you request.
  • Consent — for processing health-related avoid-lists and for any optional features; you may withdraw consent at any time.
  • Legitimate interests — to secure, debug, and improve the Service, balanced against your rights.
  • Legal obligation — where we must process data to comply with law.

7 How information is stored and protected

  • Data is stored using Google Firebase (Authentication, Cloud Firestore, Cloud Storage, Cloud Functions) and processed on Google Cloud infrastructure.
  • Per-user security rules restrict access so each account can read and write only its own data; public product-reference data is read-only to clients.
  • Data is encrypted in transit (TLS) and at rest by the underlying platform.
  • On-device label OCR is performed locally; images are uploaded only if you save them.
  • No security measure is perfect; we cannot guarantee absolute security.

8 Sharing and disclosure

We share information only as described here:

  • Service providers / processors: Google (Firebase / Google Cloud) hosts and processes data on our behalf under their terms. Other sub-processors, if added, will be listed here.
  • Third-party product-data sources: to resolve a product, our servers query Open Food Facts (and may, in future, query USDA FoodData Central, GS1, or a commercial vendor). We send only the barcode or search query — never your account, profiles, or avoid-lists. Data returned about products is public reference data. Open Food Facts data is provided under the Open Database License; see Section 8.1.
  • Legal/compliance: we may disclose information if required by law, legal process, or to protect rights, safety, and the integrity of the Service.
  • Business transfers: if we are involved in a merger, acquisition, or asset sale, information may be transferred, subject to this policy.

We do not sell or “share” personal information for cross-context behavioural advertising (as those terms are defined under CCPA/CPRA).

8.1 Third-party product-data attribution

Product information may originate from Open Food Facts, made available under the Open Database License (ODbL). AllerTrac is not affiliated with or endorsed by Open Food Facts. Product data may be incomplete, outdated, or inaccurate; always read the printed package label.

9 International data transfers

We and our providers are based in / process data in the United States (Firestore region: US multi-region). If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries that may have different data-protection laws. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) offered by our providers.

10 Data retention

  • We keep your account data for as long as your account is active.
  • When you delete your account, we delete your profiles, scan history, audits, pantry, lists, emergency cards, share permissions, uploaded files, and your authentication record (see Section 13 and Account Deletion).
  • Cached public product data (keyed by barcode, not to you) and aggregated, non-identifying analytics may persist after account deletion.
  • We may retain limited records where necessary to comply with legal obligations, resolve disputes, or enforce agreements.

11 Your rights and choices

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information (available in-app: Settings → Delete account).
  • Port a copy of your information.
  • Object to or restrict certain processing.
  • Withdraw consent at any time (e.g. by deleting profiles/avoid-lists).
  • Opt out of “sale”/“sharing” — we do not sell or share for ads, so there is nothing to opt out of, but you may still contact us.
  • Non-discrimination for exercising your rights.

To exercise rights, email privacy@allertrac.com. We will verify your request (typically by confirming control of the account email) and respond within the time required by applicable law. You may also lodge a complaint with your local data-protection authority.

12 Children's privacy

AllerTrac is intended for use by adults (18+) managing allergy information for themselves and their household, which may include profiles describing children. Those child profiles are created and controlled by the adult account holder; AllerTrac is not directed to children for independent sign-up or use, and we do not knowingly allow children to create their own accounts.

We do not knowingly collect personal information directly from children under 13 (or the applicable age in your country). Information about a child contained in a profile is provided by the responsible adult account holder. If you believe a child has provided us information directly, contact privacy@allertrac.com and we will delete it. See the dedicated Children's Privacy note for more detail.

13 Deleting your data

You can permanently delete your account and all associated data at any time:

  • In the app: Settings → Delete account (you may be asked to re-enter your password to confirm).
  • This erases your profiles, scan history and audits, pantry, shopping lists, emergency cards, share permissions, uploaded files, product-correction reports, and your sign-in record.
  • If you cannot access the app, email support@allertrac.com or use https://www.allertrac.com/delete-account and we will delete it for you.

See Account Deletion for full details.

14 Analytics and tracking technologies

  • In the app, we use Firebase Analytics for the limited events described in Section 3.2 and Firebase Crashlytics for diagnostics. Both are disabled in non-production builds.
  • On the website, see the Cookie Policy.
  • We honour applicable browser/OS privacy signals where required by law.

15 Changes to this policy

We may update this policy from time to time. Material changes will be posted at https://www.allertrac.com/privacy with an updated “Last updated” date and, where appropriate, in-app notice. Your continued use after changes take effect constitutes acceptance.

16 Contact

Questions or requests: privacy@allertrac.com · 1621 Central Ave #6094, Cheyenne, WY 82001

Related
description Terms of Service health_and_safety Medical Disclaimer cookie Cookie Policy family_restroom Children's Privacy delete Delete your data