Privacy Policy

Last updated: April 2026

1. What We Collect

We collect only what's necessary to provide the service:

  • Account info: Email address and hashed password
  • Body stats: Height, weight, age, and gender — only if you provide them for calibration
  • Scan results: Body fat %, muscle mass %, AI commentary, and confidence level

2. Your Photos

This is the part you care about most:

  • Photos are processed entirely in memory — they are never saved to disk or any database
  • All EXIF metadata (GPS location, camera info, timestamps) is stripped before analysis
  • Photos are sent to AI providers (OpenAI or Anthropic) for analysis, then immediately discarded
  • We have no ability to retrieve your photos after analysis is complete

3. How We Use Your Data

  • To provide body composition analysis
  • To track your scan history and remaining scans
  • To send you service-related emails (see section 3a below)
  • To improve the service (aggregated, anonymized data only)

3a. Email Communications

By creating an account, you agree to receive the following types of emails:

  • Transactional emails: Password reset, account security notifications — these cannot be opted out of
  • Onboarding emails: Tips for using the service, photo guidelines, and getting started — sent during your first week
  • Product emails: Scan reminders, progress updates, new feature announcements, and personalized recommendations based on your scan results
  • Marketing emails: Blog content, pricing updates, and promotional offers

You can unsubscribe from all non-transactional emails at any time by clicking the "Unsubscribe" link at the bottom of any email. Unsubscribing is instant and permanent — you will not receive further marketing or product emails from us.

We use Resend as our email delivery service. Emails are sent from noreply@fatscan.top.

4. Cookies & Tracking

We use cookies and similar technologies:

  • Essential cookies: Authentication tokens (httpOnly) to keep you signed in
  • Google Analytics: We use Google Analytics to understand how visitors interact with the site (pages visited, session duration, traffic sources). Google may collect IP addresses and use cookies. See Google's Privacy Policy
  • Meta (Facebook) Pixel: We use Meta Pixel to measure ad effectiveness and understand user behavior. Meta may collect browsing activity and use cookies. See Meta's Privacy Policy
  • Microsoft Clarity: We use Microsoft Clarity to understand how visitors interact with the site through session recordings and heatmaps. Clarity may collect browsing activity, mouse movements, clicks, and scrolls. See Microsoft's Privacy Statement

You can disable tracking cookies through your browser settings or by using an ad blocker.

5. Third-Party Services

We use the following third-party services:

  • OpenAI / Anthropic: AI analysis of your photos (subject to their privacy policies)
  • Google Analytics: Website analytics and traffic analysis
  • Meta (Facebook) Pixel: Advertising measurement and optimization
  • Microsoft Clarity: Session recordings and heatmaps for UX analysis
  • Sentry: Error monitoring (no personal data)
  • Resend: Email delivery service for transactional and marketing emails

6. Data Retention

  • Account data is retained while your account is active
  • Scan results are retained for your history
  • Photos are not retained at all
  • You can request deletion of your account and all associated data by contacting us

7. Your Rights

You have the following rights regarding your personal data:

  • Right to access: You can view your account data and scan history through your dashboard
  • Right to deletion: You can request complete deletion of your account and all associated data
  • Right to rectification: You can update your personal information through your account settings
  • Right to data portability: You can request an export of your data

To exercise these rights, use the feedback form in your account dashboard or contact us through our website.

8. Security

  • Passwords are hashed with bcrypt
  • All connections are encrypted via HTTPS
  • JWT tokens expire after 15 minutes
  • Refresh tokens are rotated on each use
  • Authentication tokens are stored in httpOnly cookies for enhanced security

9. Contact

Questions about privacy? Use the feedback form available in your account dashboard, or reach us through the contact form on our website.