Privacy Notice

Last updated [October 15 2025]

Quick facts — TL;DR

We never sell your Personal Data for money.

Your in-app activity and data is NOT used for advertising purposes.

You control your data.

Use the app or contact us at privacy@joincarbon.com to request, delete, or inquire about your data.

We use a few main partners to provide our services.

AWS (web hosting), Auth0 (account creation), Apple (app store, billing), Google (app store, billing), Stripe (web billing), RevenueCat (subscription management), Intercom (customer support). Data on their platforms are covered by their individual privacy policies.

Have questions? privacy@joincarbon.com

1. Who we are

Reform LLC ("Carbon", "Carbon Diet Coach", "we", "us")

3702 W Spruce St #1405, Tampa FL 33607, USA

Email: privacy@joincarbon.com

Data Protection Officer (DPO)

Email: dpo@joincarbon.com

Our DPO oversees data protection and privacy matters, including for users in the EU, UK, and Brazil. Please direct any questions or concerns related to your personal data or this Privacy Policy to the DPO at the email above.

2. Where and when this Notice applies

  • When you visit our websites
  • When you use our mobile application or sign up and subscribe through our web portal
  • When you contact us for customer support
  • When you submit feedback or feature requests to us
  • When you subscribe to our newsletter or engage with us on social media
  • When you are referred to us by one of our referral partners
  • When you engage with our online advertisements

This Notice does not cover the data of our employees, contractors, or business owners, or data that is not personally identified.

3. Types of data we may collect

  • Personal identifiers: This includes data such as your name, email address, user IDs, avatar, and more. 
  • Account & authentication data: This includes data such as hashed passwords (never seen by us), single sign-on & refresh tokens, sign-up / last sign-in / last seen timestamps, and subscription state (status, expiration, plan).
  • Profile & preference data: This includes data such as your gender, birthdate, and app preferences.
  • Sensitive health data: This includes data such as your body weight and body fat as entered by you or synced through Google Health Connect or Apple HealthKit (permissions must be granted by you).
  • Transaction & billing data: This includes data such as your transaction / charge history, currency, payment methods (card last 4, expiry), products, plan, referral tokens.
  • Device & technical data: This includes data about your device such as your IP address, browser user-agent / metadata / cookies, device model / OS / app version, detailed information such as device fingerprint / memory data / permissions, and crash logs / stack traces.
  • Usage & behavioral data: This includes data such as app opens, session durations, API calls, email opens / clicks, and message-history logs.
  • Location data: This includes your approximate location data like country, region, state, and city if available (IP-derived or device locale).
  • User content data: This includes data generated or provided by you such as food / diary logs, created foods / recipes, goals, check-in related data, diet preferences, form submissions, support tickets.
  • Referral & attribution data: This includes data such as UTM parameters, install/referral tokens, first-click, and conversion timestamps.
  • Connection metadata: This includes data such as request timestamps, referral URL, TLS/cipher details, Edge-Pop or datacenter identifiers.
  • Cookies & tracking identifiers: This includes first-party consent cookies, third-party / ad cookies (_fbp, _ga, _glu, etc.), and conversion / linker cookies.

4. Our legal bases for processing your data

When we process your data, we do it for a variety of valid reasons that the law allows. These reasons include the following:

  • Consent: For certain activities, we will only process your data after you have explicitly given consent to do so. This applies, for example, if you intentionally sign up for our newsletter or agree to receive communications when you create an account. In regions (e.g. EU/UK/Brazil) where laws require it, we may present a cookie banner that lets you opt in to marketing and analytics cookies. In these situations, you can withdraw your consent at any time.
  • Contract: We may process your data to fulfill our agreement with you. For example, in order to use our application you must create an account and start a subscription, or if you need customer support we must process your request in order to fulfill our obligations.
  • Legitimate interests: When there’s a clear, balanced benefit to you and to Carbon’s service operation—and it doesn’t override your rights—we rely on our legitimate interests. For example, we use device data and usage data to make the Carbon app more reliable and user-friendly. We may also measure conversions and remarketing performance to help us promote our services to a broader audience.
  • Legal obligations: We may be required to process and retain certain data in order to comply with legal and regulatory requirements. This may include keeping tax & accounting records for audit purposes or storing cookie-banner preferences and consent logs.

5. What we collect, why, and for how long

| Purpose | Typical data | Lawful basis* | Retention criterion | Main processors / location |
|---|---|---|---|---|
| Account creation & authentication | Personal identifiers; Account & authentication data; Device data | Contract | Logs retained for 5 days; User data permanently deleted when you delete your account or upon your request. | Auth0 (US) |
| Billing & subscriptions | Personal identifiers; Account data; Transaction & billing data; Device data; Location data | Contract | Retained until account deletion; transactional/financial records kept 6–7 years for legal compliance | Apple (US); Google (US); Stripe (US); RevenueCat (US) |
| Mobile app & infrastructure | All personal data; Sensitive health data | Consent; Contract | Data retained until account deletion; Logs retained for 7-30 days; Database backups retained for 10 years | AWS (US) |
| App analytics & quality | Personal identifiers; Device & technical data; User data | Contract; Legitimate interest | Data retained for 90 days; Some non-identifying usage data may be retained for up to 14 months | Sentry (US); Google (US) |
| Customer support & help center | Personal identifiers; Account data; Profile data; Device data; Usage data; User data | Contract; Legitimate interest | Visitor data retained for 9 months; Other data retained until account deletion | Intercom (US) |
| Communications & marketing | Personal identifiers; Account data; Device data; Location data; Usage data; Cookies | Consent; Legitimate interest | Some data retained for up to 90 days; Other data retained until account deletion | Constant Contact (US); Intercom (US); Manychat (US) |
| Website analytics & ads | Device data & technical data; Location data; Referral & attribution data; Connection metadata; Cookies & tracking identifiers | Consent; Legitimate interest | Most data retained for up to 2 years; Audience data may be retained for as long as the audience exists | Google (US); Meta (US) |
| Referral program | Personal identifiers; Transaction & billing data; Location data; Referral & attribution data; Cookies & tracking identifiers | Legitimate interest | Retained until account deletion; transactional/financial records kept 6–7 years for legal compliance | Rewardful (US); Stripe (US) |
| Website hosting | Personal identifiers; Device data; Usage data; Location data; Cookies & tracking identifiers | Legitimate interest | Retained only for as long as needed to fulfill the obligations; Usage data typically not retained for long | AWS (US); Webflow (US) |
| Web store | Personal identifiers; Transaction & billing data; Referral & attribution data; Cookies & tracking identifiers | Contract; Legitimate interest | Retained until account deletion; transactional/financial records kept 6–7 years for legal compliance | Shopify (Canada); Stripe (US) |

* GDPR/LGPD legal bases. We assess legal basis under applicable law for each purpose. Some data may be processed under multiple bases depending on context.

6. Device permissions & sensitive health data

Depending on the User's specific device, this Application may request certain permissions that allow it to access the User's device Data as described below.

By default, these permissions must be granted by the User before the respective information can be accessed. Once the permission has been given, it can be revoked by the User at any time. In order to revoke these permissions, Users may refer to the device settings or contact the Owner for support at the contact details provided in the present document. The exact procedure for controlling app permissions may be dependent on the User's device and software.

| Permission | Why we ask | Can you refuse? |
|---|---|---|
| Network / Internet | Access to the internet is required to use the Application. The Application accesses the internet to interact with our backend API, authentication (Auth0), subscription management (RevenueCat), and more. The Application can function without network connectivity temporarily, but may not function as intended. All network activity is encrypted. | No — required to use the Application. |
| Camera, Photo Library, and Storage | We may request access to these permissions when you use features such as barcode scanning, label scanning, and photo uploads (avatar, recipes). We do not use these permissions for anything other than what is necessary to perform the function. | Yes — related features disabled. |
| Approximate location (non-continuous) | We may request an approximate location when you search for foods, so that we can select the food database region that corresponds to your current country. This helps us select the right country database when you travel. | Yes — defaults to your device's language and region. |
| Apple HealthKit / Google Health Connect (Sensitive Health Data: body weight, body fat) | We may request access to sensitive health data through integration with Apple HealthKit or Google Health Connect. We access this data exclusively to support the core functionality of the application; we never use this data for advertising. We will not use, disclose, or sell this sensitive health data to third parties for advertising, marketing or other use-based data mining purposes. | Yes — related features disabled. |

7. International transfers

We're a U.S.-based company. When data from users in the EU, UK, or Brazil is transferred to the United States or other countries that may not offer the same level of data protection, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and UK authorities as appropriate safeguards for data transfers;
  • Participation in the EU-U.S. and UK-U.S. Data Privacy Frameworks for certified vendors.

8. Your privacy rights

You may exercise certain rights regarding your Personal Information. In particular, to the extent permitted by applicable law, you have:

  • Access / Know, Rectify, Delete, Export
  • Restrict / Object / Withdraw consent
  • "Do Not Sell/Share" & "Limit Sensitive PI" (CPRA)
  • Lodge a complaint with an EU DPA, UK ICO, Brazil ANPD, or Canada OPC

To exercise the rights described above, you need to submit your request to us by contacting us in-app (Settings -> Support) or via the contact details provided in this document.

For us to respond to your request, we must know who you are. We will not respond to any request if we are unable to verify your identity and therefore confirm the Personal Information in our possession relates to you.

How we will handle requests

We will respond to your request without undue delay, but in all cases within the timeframe required by applicable law. Should we need more time, we will explain to you the reasons why, and how much more time we need.

Should we deny your request, we will explain to you the reasons behind our denial (where envisaged by applicable law you may then contact the relevant authority to submit a complaint).

We do not charge a fee to process or respond to your request unless such request is manifestly unfounded or excessive and in all other cases where it is permitted by the applicable law. In such cases, we may charge a reasonable fee or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.

9. Cookies & similar technologies

We use cookies and similar technologies to operate our websites, enhance user experience, analyze usage, and support marketing efforts. Some cookies are essential for functionality; others help us understand user behavior or deliver relevant ads.

Where legally required, we ask for your consent before using certain types of cookies.

To learn more about how we use cookies, what types we use, and how to manage your preferences, please see our Cookie Notice.

10. Security

We protect your data with encryption in transit and at rest, least-privilege access, 24×7 monitoring, and periodic penetration tests. Running an outdated app can weaken these protections, so please stay updated.

11. Minors

Users declare themselves to be adults according to their applicable legislation. Minors may not use Carbon’s services. If we discover we hold data from a child, we will delete it.

12. Equal protection of user data

We only share information with vendors that contractually commit to privacy and security safeguards that are the same as—or stronger than—those described in this Notice.

13. Key service partners

When you interact with our websites, mobile apps, or with us in other ways, your data may be processed by one or more of these external processors. Please refer to their websites for additional information.

  • Amazon Web Services, Inc. (“AWS”) https://aws.amazon.com/privacy
  • Auth0, Inc (“Auth0”) https://auth0.com/docs/secure/data-privacy-and-compliance
  • Apple Inc. (“Apple”) https://www.apple.com/legal/privacy/
  • Constant Contact, Inc. (“Constant Contact”) https://www.constantcontact.com/legal/privacy-notice
  • Cloudflare, Inc. (“unpkg”) https://www.cloudflare.com/privacypolicy
  • Google LLC. (“Google”) https://policies.google.com/privacy
  • Fastly, Inc. (“Fastly CDN”) https://www.fastly.com/privacy
  • Functional Software, Inc. (“Sentry”) https://sentry.io/privacy/
  • Intercom Inc. (“Intercom”) https://www.intercom.com/legal/terms-and-policies
  • Manychat, Inc. (“Manychat”) https://manychat.com/legal/privacy
  • Meta Platforms, Inc. (“Meta”) https://www.facebook.com/privacy/policy/
  • Prospect One Sp. z o.o. sp. k. (“jsDelivr”) https://www.jsdelivr.com/terms/privacy-policy
  • Rewardful Inc. (“Rewardful”) https://www.rewardful.com/privacy
  • RevenueCat, Inc. (“RevenueCat”) https://www.revenuecat.com/privacy
  • Shopify Inc. (“Shopify”) https://www.shopify.com/legal/privacy
  • Stripe, Inc. (“Stripe”) https://stripe.com/privacy
  • Webflow, Inc. (“Webflow”) https://webflow.com/legal/privacy

We review this list and update it periodically.

14. Changes

We'll post updates here and update the "Last updated" date. For significant changes we'll email you if you have an active subscription. If you do not have an active subscription, we recommend that you review the policy prior to resubscribing.

Contact

Email: privacy@joincarbon.com (global)

Information for California Residents / Your California Privacy Rights

Under the California Consumer Privacy Act of 2018 (“CCPA”), California residents have certain rights to understand and request that we disclose details about how we handle your Personal Data. To learn more about how we collect, use, disclose, and share your Personal Data, please see below.

Categories of Personal Data Collected

In the preceding 12 months, we have collected the following categories of Personal Data about California consumers. We may collect this Personal Data directly from you, from third parties, and from your interactions with us. For additional detail about the Personal Data that we collect and the sources from which we collect this Personal Data, please review Section 3 above.

We may retain this Personal Data for as long as is needed for the purpose(s) for which it was collected and no longer than is relevant and reasonably necessary. Our retention periods vary based on business, legal and regulatory needs. We securely retain records of data requests for at least 24 months as required under the CCPA.

Business and Commercial Purposes for Collection; Disclosures for a Business Purpose

We may collect all of the above categories of Personal Data to run our business and carry out our day-to-day activities. We have disclosed each of these categories of Personal Data with our service providers for various business purposes in the preceding 12 months.

Categories of Personal Data Sold or Shared for Cross-Context Behavioral Advertising

In the preceding 12 months, we have disclosed the above categories of Personal Data to third-party advertising partners, such as in connection with our use of tracking technologies for cross-context behavioral advertising or by providing lists of email addresses for potential customers, so that we can reach you across the web with advertisements for our products and services. This may be considered “sharing” or a “sale” under the CCPA. You can read more about our sharing and sales activities above. We do not have actual knowledge that we sell or share the personal data of consumers under 16 years of age.

Sensitive Personal Data

In addition to the categories of Personal Data listed above, we may collect certain categories of Sensitive Personal Data from you as that term is defined under CCPA, if you choose to provide it. In the preceding 12 months, we may have collected the following categories of Sensitive Personal Data from California consumers as outlined in Section 3 above.

Categories of Sensitive Personal Data Disclosed

In the preceding 12 months we have not sold or shared any Sensitive Personal Data; however, we may have disclosed your Sensitive Personal Data to service providers for business purposes as further described above and as set forth below.

Business Purposes For Which Sensitive Personal Data will be Used or Disclosed

We may collect the categories of Sensitive Personal Data listed to further our legitimate business purposes as outlined under the CCPA:

  • performing services, including maintaining or servicing accounts;
  • detection and prevention of security incidents;
  • protecting against malicious, deceptive, fraudulent or illegal actions and prosecuting those responsible;
  • auditing related to consumer interactions;
  • short-term, transient use;
  • quality and safety maintenance or verification;
  • to enhance the function of the website and our services (i.e., cookies, chatbots, session replay, etc.);   
  • internal research for technological development; and
  • debugging to identify and repair functionality.

Your Rights

The CCPA gives you certain rights regarding the Personal Data we collect about you:

  • Right to Know About Personal Data Collected, Disclosed, or Sold. You have the right to request to know what Personal Data we collect, use, disclose, share and sell about you.
  • Right to Request Deletion of Personal Data. You have the right to request the deletion of your Personal Data collected or maintained by us as a business.
  • Right to Opt-Out of the Sale or Sharing of Personal Data. You have the right to opt-out of the sale of your Personal Data by us as a business. Okta shares Personal Data as described above, which may be considered a “sale” of Personal Data under the CCPA.

You may opt out by contacting us. We will attempt to honor opt-out preferences if you broadcast an opt-out preference signal like the Global Privacy Control (GPC), but please note that this signal will be linked to your browser only.

Right to Limit the Use and Disclosure of Sensitive Personal Data. In some instances, we may use or disclose your Sensitive Personal Data for the legitimate business purposes as outlined under the CCPA, and for any other purposes as set forth above.  If we ever use or disclose your Sensitive Personal Data for a reason other than the legitimate business purposes as outlined under the CCPA and for any other purposes other than those described herein, we will update this Privacy Policy and provide you with instructions to limit the use and disclosure of your Sensitive Personal Data.

Right to Correct Inaccurate Personal Data. You have the right to request the correction of your Personal Data if it is inaccurate and you may submit a request as further described below.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

Authorized Agent. You may designate an authorized agent to make a request under the CCPA on your behalf. We may require the agent to demonstrate proof of their authorization by providing us with a signed permission from you or a copy of your power-of-attorney document granting that right. In the case of the former, we may still request that you verify your own identity as described above or directly confirm that you have provided such permission.

Financial Incentives. We do not provide any financial incentives tied to the collection, sale, or deletion of your Personal Data.

If you would like to make a request and exercise your rights described above, please contact us.