Legal · Privacy

Privacy Policy.

The short version: we collect as little as possible, we don’t sell anything, and you can scan a label without telling us who you are. The long version is below.

Last updatedMay 2026
Questions?Contact us

01 / SUMMARYPlain-English summary.

TL;DR

Scan anonymously in your browser — no account required. We never sell your data, run third-party ad pixels, or share what you scanned with brands. Create an account only if you want scan history.

Sketchy Labels is an ingredient analysis tool. To deliver your result we send your label image to our AI, then discard it. We cache ingredient ratings so repeat lookups are fast — that cached data contains no personal information. We log your IP address only to enforce rate limits and prevent abuse.

We use a small number of third-party services to run the product (listed in full below). None of them receive personal data beyond what is strictly necessary to provide the service. We do not run advertising networks or social-media tracking pixels.

02 / DATAWhat we collect.

When you scan without an account

When you submit a label, the image is passed to our AI for ingredient extraction. The image is not stored permanently — it is processed in memory and discarded after the result is returned. The extracted ingredient names and their ratings are cached in our database to speed up future lookups; this cached data contains no personally identifiable information.

When you create an account

Account creation requires an email address and a password (stored as a hash — we never see the plaintext). If you sign up, we store your scan history and saved products so you can access them across devices. You can delete your account and all associated data at any time from your account settings.

Automatically collected

We record your IP address for rate-limiting purposes (10 scans per 3 minutes, 200 per day) and to detect abuse. We also collect standard server logs (user agent, timestamp, request path) for debugging and performance monitoring. IP addresses used for rate limiting are not linked to your account or scan history and are not shared with third parties.

03 / USEHow we use it.

Data is used only to operate the service. Specifically:

  • Ingredient ratings are cached so repeated lookups are instant and do not require additional AI calls.
  • IP addresses are checked against rolling rate limits to keep the service sustainable and abuse-free.
  • When you scan a barcode, it is looked up against public product databases — no personal data is sent.
  • Bot-protection tokens are verified server-side before each scan to prevent automated abuse.
  • Account scan history is stored only so you can access it — it is not analysed, sold, or shared.

We do not use your data for advertising, profiling, or any purpose beyond delivering your analysis result. We do not train third-party models on your scans.

04 / SHARINGWho we share with.

We use the following sub-processors to operate the service:

  • Convex — database and backend infrastructure. Stores ingredient ratings and, if you have an account, your scan history.
  • Anthropic Claude — AI ingredient analysis. Label images and ingredient text are sent to Anthropic’s API and are subject to Anthropic’s privacy policy.
  • Clerk — authentication provider. Manages account creation, login, and session tokens. Subject to Clerk’s privacy policy.
  • Cloudflare Turnstile — bot-protection challenge. Verifies you are human without invasive fingerprinting. Subject to Cloudflare’s privacy policy.
  • Vercel — hosting and edge infrastructure. Privacy-friendly aggregated analytics (no cookies, no cross-site tracking). Subject to Vercel’s privacy policy.

We do not share data with brands, advertisers, data brokers, or any party not listed above. We do not sell personal data. We disclose data to law enforcement only when required by law and where legally permitted will notify you before doing so.

05 / RETENTIONHow long we keep it.

  • Label images: not stored — discarded after processing.
  • Ingredient cache: indefinite, as it contains no personal data.
  • IP rate-limit records: rolling window, automatically purged after the window expires.
  • Server logs: up to 90 days, then automatically deleted.
  • Account data (email, scan history): retained until you delete your account. Deletion removes all associated personal data within 30 days.

06 / RIGHTSYour rights.

Depending on where you live, you may have rights including access, correction, deletion, portability, and the right to object to processing. Anonymous users have no stored personal data to request. Account holders can:

  • Download a copy of their scan history from account settings.
  • Correct their email address from account settings.
  • Delete their account and all associated data at any time.

To exercise any right, email us at the contact page or use your account settings directly. We will respond within 30 days. EU and UK residents may also lodge a complaint with their local data protection authority.

07 / COOKIESCookies & tracking.

We use only the cookies necessary to run the service:

  • Session cookies — set by Clerk to keep you signed in. Expire when you log out or close the browser.
  • Turnstile token — a short-lived token to verify bot-protection completion. Not used for tracking.

We do not run advertising cookies, social-media pixels (no Meta Pixel, no TikTok Pixel), or behavioural tracking. Vercel Analytics is cookieless and collects no personal data.

08 / CHILDRENChildren.

Sketchy Labels is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.

09 / TRANSFERSInternational transfers.

Sketchy Labels is hosted on Vercel infrastructure, which operates globally including in the United States. If you are accessing the service from outside the US, your data may be transferred to and processed in the US. We rely on sub-processors that maintain appropriate safeguards (including Standard Contractual Clauses where applicable) for cross-border data transfers.

10 / CHANGESChanges to this policy.

If we make material changes to this policy, we will update the “Last updated” date at the top of this page and, where appropriate, notify account holders by email at least 14 days before the change takes effect. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

11 / CONTACTContact.

For privacy-related questions, data requests, or to report a concern, please use our contact page. We aim to respond within 5 business days.