Roxxi Privacy Policy

Last updated: May 31, 2026

This Privacy Policy explains how Roxxi ("Roxxi," "we," "us," or "our"), operated by Saul Diaz, collects, uses, and shares information in connection with the Roxxi mobile application (the "App") and the website at roxxi.ai (the "Site," together with the App, the "Service").

Roxxi is an informational tool. It describes what stands out about packaged grocery products. It does not provide medical, nutritional, dietary, or other professional advice, and it does not tell you what to buy or avoid. Please also read our Terms of Use.

1. Who this Service is for

The Service is intended for users in the United States who are 18 years of age or older. The Service is not directed to children. We do not knowingly collect personal information from anyone under 13 years of age. If you believe a child under 13 has provided us personal information, please contact us at privacy@roxxi.ai and we will take reasonable steps to delete it.

2. Information we collect

If you use Roxxi as a guest

An anonymous device identifier. We generate or store a random identifier on your device that is not tied to your name, email, or other personal details. We use it only to prevent abuse and to apply rate limits (for example, on "unfound product" reports).
On-device scan history. As a guest, your scan history is stored locally on your device. We do not receive or store it on our servers. Clearing the App's data or uninstalling the App removes it.

If you create an account

Account details: your email address and a display name, managed through our authentication provider (Amazon Cognito).
Sign in with Apple: if you choose this option, Apple shares a unique identifier and the email address you authorize. Apple may provide a private relay email rather than your personal address; we store whatever Apple provides.
Saved products and synced scan history: the products you save and your scan history, stored on our servers so they sync across your sessions.

Information collected automatically

Barcode and product look-ups. When you scan or search, we process the barcode number or search term to look up product information. The camera is used on your device to read the barcode; product images are not uploaded to or stored by us. Roxxi does not allow user photo uploads.
"Unfound product" reports. If you ask Roxxi to look into a product it can't find, we record the barcode, any product name or brand you optionally type, and your anonymous device identifier. These reports do not require personal information.
Technical and diagnostic data. Like most apps and websites, our infrastructure (Amazon Web Services, Cloudflare) automatically logs technical data such as IP address, device and operating-system type, app version, timestamps, and request details. Our error-monitoring provider (Sentry) collects crash reports and diagnostic data to help us fix problems and keep the Service working.

3. How we use information

To resolve your scans and searches and return product information.
To generate the "Roxxi Take," a short neutral summary, and the "Ingredient Notes" and recall-check sections of a product result.
To provide account features such as saved products and synced scan history.
To prevent abuse, apply rate limits, secure the Service, debug, and improve reliability.
To comply with law and enforce our Terms of Use.

How the "Roxxi Take" is generated

The Roxxi Take is generated using Amazon Bedrock, an AI service operated within Amazon Web Services. The model is given product information only (such as ingredients, nutrition facts as reported, and Roxxi's own neutral notes). We do not send your personal information to generate a Roxxi Take. Our AI provider does not use these inputs to train its models. Generated Takes are cached and reused, so the same product does not need to be regenerated for each user.

4. How we share information

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under the California Consumer Privacy Act). We do not show third-party advertising in the Service.

We disclose information only as follows:

Service providers (subprocessors) that operate the Service on our behalf, under contracts limiting their use of the information. These currently include:
- Amazon Web Services — hosting, database, authentication (Amazon Cognito), and AI processing (Amazon Bedrock).
- Apple — Sign in with Apple, and App Store / TestFlight distribution.
- Expo (EAS) — mobile app builds and updates.
- Sentry — error and crash monitoring.
- Cloudflare — DNS and content delivery for the Site.
Legal and safety: when reasonably necessary to comply with law, respond to lawful requests, or protect the rights, property, or safety of users, the public, or Roxxi.
Business transfers: in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Policy or notify you of any material change.

Note on data sources: Roxxi looks up product information from Open Food Facts and recall information from openFDA and USDA/FSIS. These are sources we read from; we do not send your personal information to them.

5. Data retention

Account information is retained while your account is active and for a reasonable period afterward, then deleted or de-identified, unless a longer period is required by law.
The anonymous guest device identifier is retained only as long as needed for abuse prevention and rate limiting.
Technical logs and diagnostic data are retained for a limited period for security and troubleshooting.
Cached product, ingredient, and recall data is not personal information; it is retained and refreshed as part of operating the Service.

6. Your choices and rights

You can:

Access, correct, or delete your account information, and delete your account, from within the App or by emailing privacy@roxxi.ai.
Clear on-device guest history by clearing the App's data or uninstalling the App.
Control camera access through your device settings (the App needs camera access to scan barcodes).

California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it; to request correction or deletion of your personal information; and to not be discriminated against for exercising these rights. Because we do not sell or share personal information, no opt-out of sale or sharing is necessary.

The categories of personal information we may collect are: identifiers (such as email, device identifier, and IP address) and internet or other electronic activity (such as app usage, scan/search requests, and diagnostic data). We collect these for the purposes described in Section 3, disclose them only to the service providers in Section 4, and do not sell or share them.

To exercise a request, email privacy@roxxi.ai. We may need to verify your identity before responding. You may use an authorized agent, subject to verification.

Users outside the United States

The Service is designed for users in the United States, and information is processed in the United States. If you access the Service from elsewhere, you do so on your own initiative and are responsible for compliance with local law.

7. Security

We use reasonable administrative, technical, and organizational measures to protect information, including encryption in transit, least-privilege access controls, and secure secret storage. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised Policy.

9. Contact us

Questions about this Policy or your information: privacy@roxxi.ai.