1. Principles
- Data minimization: collect what the diary needs.
- Child profiles are private and not indexed.
- Payment cards are not stored; payments run through Telegram Stars.
- Access is limited to operational need.
2. Technical controls
- HTTPS/TLS on public endpoints.
- PostgreSQL for durable product data.
- Redis for short-lived state, rate limits and reminders.
- Access and error monitoring for operational issues.
- Account export and deletion flows in the bot.
3. AI processing
AI providers receive only the data needed for recognition and estimates. Food and menu recognition can be wrong, so entries remain editable.
4. Backups
Backups protect against operational data loss. They are access-limited and retained for a limited period.
5. Responsible disclosure
Email security@kideat.app. Please include steps to reproduce and avoid accessing another family’s data.
6. Current limits
KidEat is in beta. Security practices will continue to mature before a wider commercial launch.