Nibble - Household Safety Recall Alerts
Last Updated: April 2026
Nibble ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.
Please read this Privacy Policy carefully. By using Nibble, you agree to the collection and use of information in accordance with this policy.
| Data Type | Purpose | Required? |
|---|---|---|
| Email address | Account creation, login, notifications | Yes |
| Name | Personalization, profile display | Optional |
| Allergy information | Personalized recall alerts | Optional |
| Dietary restrictions | Personalized recall alerts | Optional |
| Medical conditions (e.g., diabetes, pregnancy, heart conditions) | Personalized recall and drug alerts | Optional |
| Medication list | Drug recall alerts | Optional |
| Pet information | Pet food recall alerts | Optional |
| Vehicle information | Vehicle recall alerts (make, model, year) | Optional |
| Household member profiles | Family recall alerts | Optional |
| Children's profiles (created by parent) | Age-appropriate recall alerts for your children | Optional |
| Scanned product barcodes | Recall checking and product tracking | Optional |
| Location (country/state) | Regional recall filtering | Optional |
Some of the information you provide may be considered Sensitive Personal Information under applicable privacy laws, including the California Consumer Privacy Act (CCPA). This includes:
Purpose limitation: We collect this health-related information solely for the purpose of personalizing your recall alerts. This data is never used for profiling, targeted advertising, or any secondary purpose. It is not shared with advertisers, analytics providers, or any third party except our database provider (Supabase) as necessary to store and retrieve your profile.
Consent: During onboarding, you choose between "Personalised Alerts" (which stores health data) or "Basic Alerts" (which stores no health data). You can change this choice at any time in Settings. For detailed information about how we handle consumer health data, see our Consumer Health Data Privacy Policy.
| Data Type | Purpose |
|---|---|
| Device information | App functionality, troubleshooting |
| Usage data | Improve app experience |
| Push notification tokens | Deliver recall alerts |
| Crash reports and error logs | Fix bugs and improve stability (via Sentry) |
| Session replay data | Diagnose app errors (all text is masked; no health data is captured) |
| Camera access (native app) | Barcode scanning (on-device only) |
If you use Nibble without an account, we store the following data locally on your device:
This data is stored in your browser's localStorage and is not transmitted to our servers. When you create an account, locally saved recalls are synced to your account and removed from local storage.
| Source | Data | Purpose |
|---|---|---|
| Supabase | Authentication data | Account management |
| RevenueCat | Subscription status | Premium features |
| Google Play / App Store | Purchase verification | Subscription validation |
| Sentry | Error reports | Bug fixes and stability |
| Firebase / FCM (Google) | Push notification tokens | Deliver recall alert notifications |
We use your information to:
Nibble uses a rule-based inference system to suggest additional recall alert subscriptions based on information you provide. For example, if you indicate a medical condition such as diabetes, we may automatically enable drug recall alerts for diabetes-related medications. These inferred subscriptions are clearly labeled and you can review, modify, or remove them at any time in your profile settings. No profiling is performed for advertising purposes.
Nibble aggregates publicly available recall data from government agencies across 13 countries:
United States:
Canada:
Australia:
United Kingdom:
Additional coverage: France (RappelConso), Germany (BVL), South Korea (KATS), Netherlands, Taiwan, New Zealand, Costa Rica, UAE, and EU-wide Safety Gate data.
This is public government data published under open licences. We do not modify or verify this information beyond what is provided by these agencies.
We do not sell or share your personal information for cross-context behavioral advertising. We do not sell or share Sensitive Personal Information (health data, allergies, medical conditions, medications) with any third party for advertising or profiling purposes.
We share your information with the following service providers, solely to operate the app:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account data, all profile data (including health information), authentication tokens |
| Firebase / FCM (Google) | Push notification delivery | Device push tokens, notification content (recall titles only, no health data) |
| Stripe | Payment processing (web) | Email, transaction data, billing information |
| RevenueCat | Subscription management | User ID, purchase data |
| Google Play / App Store | Payment processing (mobile) | Transaction data |
| Sentry | Error monitoring and session replay | Device info, error logs, masked session recordings (all text is masked; health data is not captured) |
| AdMob (free users only) | Advertising | Device advertising ID, ad interactions, general location (country/region). Google may use this data for ad personalization per its own privacy policy. No health data is shared with AdMob. |
| Resend | Transactional and digest email delivery | Email address, email content (recall alerts, digest summaries). No health data is included in email content beyond recall titles. |
Each service provider has its own privacy policy governing its use of your data. We encourage you to review these policies. We may also disclose information if required by law or to protect our rights.
We retain your data for as long as your account is active. If you delete your account:
We do not retain health-related data (allergies, medical conditions, medications) for any purpose after your account is deleted and backups have expired.
We implement appropriate security measures including:
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
Depending on your location, you may have the right to:
How to exercise your rights: You can delete your account and export your data directly within the app (Settings). For all other requests, contact us at support@trynibble.app. You may also designate an authorized agent to make a request on your behalf.
Response time: We will respond to verifiable consumer requests within 45 days. If we need additional time, we will notify you of the extension (up to 90 days total). We verify your identity by confirming ownership of the email address associated with your account.
Nibble is not intended for use by children under 13. Children do not create accounts or interact with the app directly. We do not knowingly collect personal information directly from children under 13.
Children's profiles: Parents and guardians may create profiles for their children within their own account to receive age-appropriate recall alerts. In this case:
If you believe we have inadvertently collected information from a child under 13 without parental consent, please contact us immediately at support@trynibble.app.
We send push notifications for:
You can configure notification preferences in Settings, including quiet hours and per-profile controls. Notifications can also be disabled entirely in your device settings.
The free version of Nibble displays advertisements through Google AdMob. AdMob may collect:
Health data is never shared with AdMob. Your allergies, medical conditions, medications, and dietary restrictions are not transmitted to any advertising service. Ad targeting is based only on general device and location information, not your health profile.
Google may use data collected through AdMob in accordance with Google's Privacy Policy, including for ad personalization across Google services.
You can opt out of personalized ads in your device settings (Settings > Google > Ads).
Premium subscribers receive an ad-free experience and no data is shared with AdMob.
Nibble may contain links to government websites (FDA, USDA, etc.) and other third-party sites. We are not responsible for the privacy practices of these sites.
We may update this Privacy Policy from time to time. We will notify you of changes by:
If you have questions about this Privacy Policy, contact us at:
Email: support@trynibble.app
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Nibble does not sell personal information for monetary consideration. However, our free tier displays ads through Google AdMob, which receives device advertising identifiers and general location data. Under the CCPA's broad definition, sharing device identifiers with an advertising network may constitute "sharing" of personal information for cross-context behavioral advertising purposes.
To opt out of this sharing:
If you have previously opted out, you do not need to opt out again. Your preference is retained.
Sensitive Personal Information (health data, allergies, medical conditions, medications) is never shared with AdMob or any advertising service.
Under the CCPA/CPRA, we collect the following categories of Sensitive Personal Information:
Right to limit use: You may request that we limit our use and disclosure of your Sensitive Personal Information to purposes necessary to provide the services you requested. We already limit our use of this data to personalizing recall alerts. We do not use health data for advertising, profiling, or any secondary purpose. To formally exercise this right, contact us at support@trynibble.app.
The following table lists the categories of personal information we have collected in the preceding 12 months, as defined by CCPA Section 1798.140(o):
| CCPA Category | Examples We Collect | Business Purpose | Retention |
|---|---|---|---|
| A. Identifiers | Email address, name, device ID | Account operation | Until account deletion + 90 days |
| B. Customer records (Cal. Civ. Code 1798.80(e)) | Billing information (processed by Stripe) | Payment processing | Per Stripe retention policy |
| D. Commercial information | Subscription purchases, transaction history | Service delivery | Until account deletion |
| F. Internet or other electronic network activity | Device info, usage data, pages viewed | Analytics and error monitoring | 26 months (GA4) / 90 days (Sentry) |
| G. Geolocation data | Country, state/region (not precise location) | Recall matching | Until account deletion |
| H. Sensory data | None collected | N/A | N/A |
| I. Professional or employment information | None collected | N/A | N/A |
| J. Education information | None collected | N/A | N/A |
| K. Inferences | Allergen-based recall matching inferences | Personalized alerts | Until account deletion |
| L. Sensitive personal information | Allergies, medical conditions, medications, dietary restrictions | Recall alert personalization | Until account deletion |
Sources of personal information: directly from you (account creation, profile setup, search queries); automatically from your device (device info, usage data via analytics); from third-party services (payment confirmation from Stripe/RevenueCat, push token from Firebase).
We do not sell personal information for monetary consideration. The only category of personal information "shared" (as defined by the CCPA) is Category A identifiers (device advertising identifiers) shared with Google AdMob for ad personalization on the free tier. See the Do Not Sell or Share section above for opt-out instructions.
When you delete your account, we also direct our service providers (Supabase, RevenueCat, Sentry) to delete the personal information they hold on our behalf. AdMob data is controlled by Google per their retention policies. You can request deletion from Google directly via your Google Account settings.
Nibble offers a rewarded ads feature where free-tier users may optionally watch a video advertisement in exchange for bonus barcode scans. This constitutes a financial incentive program under the CCPA. The value of the incentive (additional scans) is reasonably related to the value of the data involved (ad interaction and device identifiers shared with AdMob during the ad view). You may opt out of this program at any time by simply not watching rewarded ads. Participation is always voluntary. Premium subscribers do not see ads and are not part of this program.
Nibble requires users to be at least 13 years old to create an account. We do not knowingly sell or share the personal information of consumers under 16. If we become aware that a user is under 16, we will not sell or share their personal information unless we receive affirmative authorization (opt-in consent from the minor aged 13-15, or from a parent/guardian for children under 13). Parents may create child dependent profiles within their own account. See our Children's Privacy section above.
You may designate an authorized agent to submit CCPA requests on your behalf. To do so, provide the agent with signed, written permission and have the agent email support@trynibble.app with the authorization letter attached. We may also require you to verify your own identity directly with us and confirm that you authorized the agent.
If you are an authorized agent submitting a request, please include:
You can exercise your CCPA rights through:
We will acknowledge receipt within 10 business days and respond substantively within 45 calendar days. If we need additional time, we will notify you of an extension (up to 90 days total). We verify your identity by confirming ownership of the email address associated with your account.
If you are in the European Economic Area, our legal basis for processing is:
You may contact your local data protection authority if you have concerns.
If you are located in Australia, your personal information is protected under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This section supplements the general privacy policy above with information specific to your rights.
Allergen profiles, dietary restrictions, medical conditions, and medication lists are classified as "sensitive information" under the Privacy Act. We collect this information only with your express consent, which you provide when creating a household profile. You may withdraw consent at any time by deleting your profile data.
Your data is stored in the United States via our infrastructure providers (Supabase for database hosting, Railway for application hosting). By using Nibble, you consent to the transfer of your personal information to the United States. We take reasonable steps to ensure these providers comply with obligations substantially similar to the APPs.
You have the right to access and correct the personal information we hold about you. You can view and update your profile data directly in the app at any time. For other access or correction requests, contact us at the email address below.
If you believe we have breached the APPs, you may lodge a complaint with us first. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
If you are located in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This section supplements the general privacy policy above.
We process your personal data under the following lawful bases:
If you choose to create a personalised profile with allergen preferences, dietary restrictions, or medical conditions, this constitutes special category health data under Article 9 of UK GDPR. We process this data under Article 9(2)(a), your explicit consent, obtained during onboarding when you choose "Personalised Alerts" and confirmed when you voluntarily enter health information. You may withdraw consent at any time by switching to a Basic Alert Profile or deleting the relevant profile data in Settings.
Basic Alert Profiles: If you choose "Basic Alerts" during onboarding or create an Alert Profile (country and category-level alerts only, with no allergen, dietary, or medical data), no special category data is processed. Basic Alert Profiles are processed under legitimate interest only.
We have conducted a Data Protection Impact Assessment (DPIA) for our processing of health data, as required under Article 35 of UK GDPR.
Under UK GDPR, you have the right to:
To exercise your rights, contact us at support@trynibble.app. We will respond within one month.
Your data is stored in the United States via our infrastructure providers (Supabase for database hosting, Railway for application hosting). These transfers are made under standard contractual clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) where applicable. By using Nibble, you acknowledge this cross-border transfer.
Recall data for the United Kingdom is sourced from the following government agencies, published under the Open Government Licence v3.0:
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Under Japan's Act on the Protection of Personal Information (APPI), allergy and health-related data is classified as “special care-required personal information” requiring your prior consent for collection. Your data is stored in the United States via Supabase (database hosting) and Railway (application hosting). Japan's PPC does not currently recognize the United States under its adequacy framework; by using Nibble with personalized alerts, you consent to this cross-border transfer. You may request access to, correction of, or deletion of your personal data at any time via Settings or by contacting us. For complaints, contact Japan's Personal Information Protection Commission (PPC) at www.ppc.go.jp.
Under South Korea's Personal Information Protection Act (PIPA), health data is classified as sensitive information requiring separate, explicit consent. Your personal data is transferred to and processed in the United States via Supabase (database) and Railway (application hosting). This transfer is made with your separate consent as required by PIPA. You have the right to request access, correction, deletion, or suspension of processing of your personal data. For complaints, contact the Personal Information Protection Commission (PIPC) at www.pipc.go.kr.
Under Taiwan's Personal Data Protection Act (PDPA), health and medical data is a special category requiring written consent for collection and processing. Your data is stored in the United States. You may request access to, correction of, or deletion of your personal data at any time. For complaints, contact the Personal Data Protection Commission (PDPC).
Under New Zealand's Privacy Act 2020, we collect and use your personal information in accordance with the Information Privacy Principles (IPPs). Your data is transferred to the United States for storage and processing. We take reasonable steps to ensure our overseas providers comply with privacy protections comparable to New Zealand law (IPP 12). You have the right to access and request correction of your personal information. For complaints, contact the Office of the Privacy Commissioner at www.privacy.org.nz.
Under Costa Rica's Law for the Protection of People Against the Treatment of Their Personal Data (Ley 8968), health data is sensitive information requiring written consent. Your data is transferred to and stored in the United States. You have the right to access, correct, and delete your personal data. For complaints, contact PRODHAB (Agencia de Protección de Datos de los Habitantes) at www.prodhab.go.cr.
Under the UAE's Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law), health data is sensitive personal data requiring explicit consent. Your data is transferred to the United States for storage and processing. You have the right to request access, correction, or erasure of your personal data. For complaints, contact the UAE Data Office.
Nibble uses browser local storage and similar technologies for essential functionality (authentication, preferences, offline access) and optional analytics (Google Analytics, Sentry error monitoring). Analytics technologies are only loaded after you give explicit consent via our cookie banner. For full details on what technologies we use, how to control them, and how to withdraw consent, see our Cookie & Local Storage Policy.