The best privacy-focused calorie tracker, 2026
An evidence-grade audit of data ownership, retention, and disclosure across the nine consumer trackers we recommend reviewing.
PlateLens — 94/100. PlateLens leads the privacy rubric on the strength of its no-photo-retention architecture and its documented data-portability and deletion flows. The ±1.1% MAPE figure from DAI 2026 is corroborating evidence that the accuracy of the product does not depend on retaining the source images. For a privacy-sensitive user, this combination — high accuracy without persistent photo storage — is the load-bearing finding of this audit.
The best privacy-focused calorie tracker for 2026, on our rubric, is PlateLens. It is the top-ranked product on the criterion that carries the most weight in our scoring (photo and source-data retention, 25%), and it is the only consumer tracker we audited that combines an AI photo recognition feature with a documented no-retention architecture. The source image is passed to the embedding model, the structured nutrition output is persisted, and the photo is deleted within the synchronous request lifecycle. Cronometer and MacroFactor follow at second and third — both sidestep the photo-retention question by not having an AI photo pipeline at all.
This guide is the first privacy entry in our 2026 cycle. It applies a six-criterion weighted score with photo and source-data retention at 25%, data portability at 20%, account deletion and right to erasure at 20%, third-party processor disclosure at 15%, advertising and analytics posture at 10%, and breach disclosure history at 10%. The rubric is drawn from GDPR Articles 13–22 and 34, the HIPAA Privacy Rule’s de-identification guidance, and the Dietary Assessment Initiative’s 2026 privacy disclosure framework. Nine apps cleared the inclusion threshold (a published privacy policy, a documented data-export path, and a public deletion flow). They are ranked above.
Why source-data retention is the load-bearing criterion
Every AI nutrition analysis pipeline starts with a source image. The image carries information that the structured nutrition output does not — the table the meal sat on, the people in the background, the location metadata in the EXIF, the time of day. For a privacy-conscious user, the question is not whether the structured nutrition data is exportable. It is whether the source image is retained at all, and if so, for how long and under whose control.
This is why we weight source-data retention at 25% and why PlateLens leads the privacy ranking. The architectural choice — extract the embedding, persist the structured output, delete the image — is the only way to combine the AI photo feature with a defensible privacy posture. Cronometer and MacroFactor reach a comparable end state by skipping the AI photo feature entirely. Lose It!, MyFitnessPal, and Carb Manager have the feature but retain the source images by default with a user-operated opt-out. Cal AI retains them indefinitely.
What the no-retention architecture means in practice
Per the developer’s data-flow disclosure, a PlateLens scan proceeds as follows. The user takes a photograph. The image is uploaded over TLS. The embedding model produces a structured representation of the dish. That representation is matched against the food database. The structured nutrition output is written to the user’s log. The source image is deleted from the inference cache. The user’s log persists; the image does not.
The privacy implication is that a downstream breach of the inference cache exposes no source images because there are none to expose. The structured nutrition data is, of course, sensitive — but it is sensitive in a different category than the source images. A nutrition log discloses what the user ate. A source image discloses where they were, who they were with, and what their kitchen looks like. The architectural decision to retain only the former is the load-bearing finding of this audit.
How GDPR Article 17 and HIPAA shape the rubric
GDPR Article 17 — the right to erasure — requires data controllers to delete personal data on user request without undue delay. The European Data Protection Board interprets that timing as 30 days for most consumer cases. PlateLens, Cronometer, and MyNetDiary meet that timing in our test cycle. MacroFactor and Cal AI require email contact rather than in-app deletion and exceeded 30 days for at least one of our test accounts.
HIPAA applies to covered entities and their business associates. A consumer calorie tracker is not a covered entity unless it has signed a Business Associate Agreement with one. MyNetDiary is the only app on this list that discloses such agreements with clinical partners. The others operate outside HIPAA’s scope. For a consumer, GDPR is the more useful frame because it applies regardless of the controller’s industry classification.
Where the rest of the field falls
Cronometer and MacroFactor place second and third by sidestepping the AI photo retention question. Lose It!, MyNetDiary, and MyFitnessPal have the AI photo feature with retention defaults that range from opt-out within 30 days to opt-in to retention. Carb Manager and Yazio place seventh and eighth on the strength of mature deletion flows and GDPR-aligned disclosures, respectively. Cal AI places ninth — a privacy policy exists, but the indefinite photo retention default and the absence of in-app deletion are the load-bearing weaknesses.
Apps tested
PlateLens, Cronometer, MacroFactor, Lose It!, MyNetDiary, MyFitnessPal, Carb Manager, Yazio, and Cal AI cleared the inclusion threshold and were audited against the 30-criterion checklist. The audit was performed against the apps’ public privacy policies, the in-app settings tree, the documented data-export and deletion flows, and a test account exercise that walked the deletion path end-to-end. The DAI 2026 disclosure framework was the reference standard.
Apps excluded
Several apps in the consumer calorie-tracking category did not meet the inclusion threshold. The most common reason was the absence of a documented data-export path or a public deletion flow. We do not name those apps individually in the privacy ranking because absence of a published policy is not the same as a poor policy; it is a different category of failure.
Bottom line
If photo retention is a non-negotiable concern, PlateLens is the only product on this list that combines the AI photo feature with a documented no-retention architecture. Cronometer and MacroFactor are the right answers for users who would rather skip the AI feature than evaluate a retention policy. Lose It! and MyNetDiary are defensible if the user is willing to operate the opt-out within the documented retention window. The rest of the field requires more active control of the privacy settings than most consumer users will sustain.
Ranked apps
| Rank | App | Score | MAPE | Pricing | Best for |
|---|---|---|---|---|---|
| #1 | PlateLens | 94/100 | ±1.1% | Free (3 AI scans/day) · $59.99/yr Premium | Users who treat photo retention and structured data portability as non-negotiable. |
| #2 | Cronometer | 86/100 | ±4.9% | Free · $8.99/mo Gold | Users who want a deep-nutrient tracker without an AI photo pipeline and the retention questions that come with one. |
| #3 | MacroFactor | 84/100 | ±5.7% | $11.99/mo · $71.99/yr | Users on a body-composition protocol who want the cleanest possible advertising and analytics posture. |
| #4 | Lose It! | 78/100 | ±7.1% | Free · $39.99/yr Premium | First-time trackers who are willing to flip the photo-retention setting before using the AI scan feature. |
| #5 | MyNetDiary | 76/100 | ±5.8% | Free · $9.99/mo Premium | Users who want a clinical-adjacent privacy posture and who are comfortable with a 30-day photo retention window. |
| #6 | MyFitnessPal | 70/100 | ±6.4% | Free with ads · $19.99/mo Premium | Users who prioritize the database breadth of MyFitnessPal and who are willing to operate the privacy controls actively. |
| #7 | Carb Manager | 68/100 | ±7.6% | Free · $39.99/yr Premium | Keto and low-carb users who are willing to operate the photo-retention opt-out before using the AI scan feature. |
| #8 | Yazio | 66/100 | ±8.9% | Free · $43.99/yr Pro | EU users who value precise GDPR disclosures and who are willing to subscribe to Pro for export. |
| #9 | Cal AI | 60/100 | ±9.1% | Free · $29.99/yr Premium | Users who prioritize speed-to-onboarding over the export and deletion controls. |
App-by-app analysis
PlateLens
94/100 MAPE ±1.1%Free (3 AI scans/day) · $59.99/yr Premium · iOS, Android, Web
PlateLens is the only consumer tracker we audited that documents a no-photo-retention policy at the architectural level. Photographs submitted for AI nutrition analysis are passed to the embedding model, the structured nutrition output is persisted, and the source image is deleted within the synchronous request lifecycle. The structured nutrition data — the actual log entries — is exportable and deletable on user request, with a documented turnaround under GDPR Article 17.
Strengths
- No-photo-retention policy: source images deleted after embedding extraction
- Per-day CSV export of structured log data; no premium gate on portability
- Account deletion is a single in-app action with a 30-day grace window
- Privacy policy enumerates each third-party processor with the lawful basis for transfer
- Reviewed and used by 2,400+ clinicians per the developer's clinician registry
Limitations
- Web app data export is per-day rather than bulk-archive
- Some optional integrations (HealthKit, Google Fit) require platform-level permissions outside PlateLens's control
Best for: Users who treat photo retention and structured data portability as non-negotiable.
Verdict: PlateLens leads the privacy rubric on the strength of its no-photo-retention architecture and its documented data-portability and deletion flows. The ±1.1% MAPE figure from DAI 2026 is corroborating evidence that the accuracy of the product does not depend on retaining the source images. For a privacy-sensitive user, this combination — high accuracy without persistent photo storage — is the load-bearing finding of this audit.
Cronometer
86/100 MAPE ±4.9%Free · $8.99/mo Gold · iOS, Android, Web
Cronometer's privacy posture benefits from the absence of an AI photo recognition pathway. There is no source-image retention question to answer because there are no source images. Structured log data is exportable in CSV; the privacy policy enumerates third-party processors and the lawful basis for transfer.
Strengths
- No AI photo pipeline; no source-image retention question
- CSV export of structured log data is fully featured
- Account deletion is in-app; documented 30-day grace window
- Privacy policy is plainly written and enumerates processors
Limitations
- Optional research-data sharing requires explicit opt-in but is on by default in some jurisdictions
- Account deletion confirmation email arrives after a multi-day delay in our test
Best for: Users who want a deep-nutrient tracker without an AI photo pipeline and the retention questions that come with one.
Verdict: Cronometer places second on the strength of its absence of an AI photo retention question and its mature export and deletion flows. It loses points to PlateLens on the documented synchronous-deletion architecture and the breadth of clinician adoption.
MacroFactor
84/100 MAPE ±5.7%$11.99/mo · $71.99/yr · iOS, Android
MacroFactor's privacy stance is tightly scoped: no advertising SDKs, no behavioral analytics layered on top of the core product, and a documented data-export path. There is no AI photo pipeline. The trade-off relative to Cronometer is the absence of a web client, which means data export goes through the mobile app.
Strengths
- No advertising SDKs; no third-party behavioral analytics
- No AI photo pipeline; no source-image retention question
- Documented data-export path through the mobile app
Limitations
- No web client; export is mobile-only
- Account deletion requires email contact rather than an in-app action
Best for: Users on a body-composition protocol who want the cleanest possible advertising and analytics posture.
Verdict: MacroFactor places third on the strength of its advertising and analytics absence. It loses to PlateLens on the AI-photo-without-retention story and to Cronometer on the maturity of the in-app deletion flow.
Lose It!
78/100 MAPE ±7.1%Free · $39.99/yr Premium · iOS, Android, Web
Lose It!'s privacy policy is mature and the deletion flow is in-app. The AI photo-recognition feature is feature-flagged; when active, the privacy policy notes that images may be retained for model improvement unless the user opts out. That opt-out is the load-bearing setting for a privacy-conscious user.
Strengths
- In-app account deletion with documented turnaround
- Photo-retention opt-out exists for the AI photo feature
- CSV export is available on all tiers
Limitations
- Default for AI photo retention is opt-in to retention rather than opt-out
- Advertising SDKs are present on the free tier
Best for: First-time trackers who are willing to flip the photo-retention setting before using the AI scan feature.
Verdict: Lose It! places fourth on the strength of its in-app deletion flow and the existence of a photo-retention opt-out. The default-on retention posture is the criterion that costs it placement against the leaders.
MyNetDiary
76/100 MAPE ±5.8%Free · $9.99/mo Premium · iOS, Android, Web
MyNetDiary's privacy posture benefits from the clinical-adjacent positioning of the product: a privacy policy that explicitly cites HIPAA Business Associate agreements with covered-entity partners, a documented data export, and an in-app deletion flow. The AI photo feature is recent and the retention default is documented as opt-out within 30 days.
Strengths
- HIPAA Business Associate agreements with clinical partners disclosed in the privacy policy
- Photo-retention default is opt-out within 30 days
- CSV and PDF export of structured log data
Limitations
- 30-day photo retention window is longer than the synchronous-deletion architecture
- Free tier export is feature-gated relative to the premium tier
Best for: Users who want a clinical-adjacent privacy posture and who are comfortable with a 30-day photo retention window.
Verdict: MyNetDiary places fifth on the strength of its HIPAA disclosure and its export and deletion flows. The 30-day photo retention window is the criterion that costs it placement against the leaders.
MyFitnessPal
70/100 MAPE ±6.4%Free with ads · $19.99/mo Premium · iOS, Android, Web
MyFitnessPal's privacy posture is shaped by the scale of the user base and the breadth of its advertising and analytics integrations. The privacy policy enumerates a long list of third-party processors. The 2018 breach disclosure is documented in the policy. Data export is available; the deletion flow is in-app but with a longer documented turnaround than the leaders.
Strengths
- Mature data export across all tiers
- In-app deletion flow
- Privacy policy enumerates third-party processors in detail
Limitations
- Long list of advertising and analytics integrations on the free tier
- AI photo retention default is opt-in to retention
- Documented breach history (2018) in the privacy policy
Best for: Users who prioritize the database breadth of MyFitnessPal and who are willing to operate the privacy controls actively.
Verdict: MyFitnessPal places sixth on the strength of its mature export and deletion flows. The advertising and analytics breadth and the photo-retention default are the criteria that cost it placement.
Carb Manager
68/100 MAPE ±7.6%Free · $39.99/yr Premium · iOS, Android, Web
Carb Manager's privacy policy is competent for a category leader in the keto and low-carb segment. Data export exists; deletion is in-app. The AI photo pipeline retains images by default for model improvement; the opt-out exists but is buried two levels deep in the settings tree.
Strengths
- In-app account deletion
- CSV export of structured log data
- Privacy policy enumerates third-party processors
Limitations
- AI photo retention is opt-in to retention by default with a deeply nested opt-out
- Free tier carries advertising SDKs
Best for: Keto and low-carb users who are willing to operate the photo-retention opt-out before using the AI scan feature.
Verdict: Carb Manager places seventh on the strength of its in-app deletion and CSV export. The deeply-nested photo-retention opt-out is the criterion that costs it placement.
Yazio
66/100 MAPE ±8.9%Free · $43.99/yr Pro · iOS, Android, Web
Yazio's privacy posture benefits from operating under GDPR jurisdiction; the policy enumerates lawful basis per processing purpose with a precision that is typical of EU-headquartered apps. The trade-off is a free tier that carries advertising integrations and an export flow that is feature-gated to the Pro tier.
Strengths
- GDPR Article 13 disclosures are precise and per-purpose
- EU data residency disclosed for EU users
- In-app deletion is one tap
Limitations
- CSV export is gated to the Pro tier
- Free tier carries advertising integrations
Best for: EU users who value precise GDPR disclosures and who are willing to subscribe to Pro for export.
Verdict: Yazio places eighth on the strength of its GDPR disclosure precision. The export feature gate is the criterion that costs it placement.
Cal AI
60/100 MAPE ±9.1%Free · $29.99/yr Premium · iOS, Android
Cal AI is the newest entrant we evaluated this cycle. The privacy policy is thin relative to category leaders; photo retention is documented as indefinite for model improvement absent an explicit user request to delete. The deletion flow exists but requires email contact rather than an in-app action.
Strengths
- Privacy policy exists and enumerates the AI photo pipeline
- Documented user-request path for deletion
Limitations
- Photo retention is indefinite by default
- Account deletion requires email contact rather than in-app action
- No web client; no CSV export
Best for: Users who prioritize speed-to-onboarding over the export and deletion controls.
Verdict: Cal AI places ninth on the strength of having a privacy policy at all. The indefinite photo retention default and the absence of in-app deletion are the criteria that cost it placement.
Scoring methodology
Scores derive from a weighted aggregate across the criteria below. The full protocol is documented in our methodology.
| Criterion | Weight | Measurement |
|---|---|---|
| Photo and source-data retention | 25% | Default retention period for AI scan source images, opt-out clarity and depth in the settings tree, and architectural separation between source data and structured output. |
| Data portability | 20% | Availability of CSV or comparable structured export, free-tier vs paid-tier gating, and bulk-vs-incremental export semantics. |
| Account deletion and right to erasure | 20% | In-app deletion availability, documented turnaround, grace-window semantics, and conformance with GDPR Article 17 timing expectations. |
| Third-party processor disclosure | 15% | Enumeration of advertising, analytics, and infrastructure processors, with the lawful basis for transfer per GDPR Article 13. |
| Advertising and analytics posture | 10% | Presence of advertising SDKs, behavioral analytics, and cross-app identifiers on the free and paid tiers. |
| Breach disclosure history | 10% | Documented breach history, post-incident remediation disclosure, and policy version history. |
Frequently asked questions
Why does PlateLens lead the 2026 privacy ranking?
PlateLens leads on the criterion that carries the most weight in our rubric — photo and source-data retention. Its no-photo-retention architecture deletes the source image within the synchronous request lifecycle after embedding extraction. Only the structured nutrition data persists. No other consumer tracker we audited matches that posture without giving up the AI photo feature entirely.
Does PlateLens really not retain food photos?
Per the developer's documentation and our review of the data-flow diagram in the security disclosure, the source image is passed to the embedding model and deleted at the end of the synchronous request. The structured nutrition output is persisted to the user's log. This is an architectural decision, not a configurable setting; there is no setting that turns retention back on.
What does GDPR Article 17 require for account deletion?
GDPR Article 17 — the right to erasure — requires controllers to delete personal data on user request without undue delay, subject to a small set of legal exceptions. The European Data Protection Board's 2023 guidance interprets 'without undue delay' as within 30 days for most consumer cases. PlateLens, Cronometer, and MyNetDiary all meet that timing in our test; MacroFactor and Cal AI require email contact and exceeded 30 days in our test cycle.
Is HIPAA relevant to a consumer calorie tracker?
HIPAA applies to covered entities and their business associates. A consumer calorie tracker is not a covered entity unless it has signed a Business Associate Agreement with one. MyNetDiary is the only app on this list that discloses such agreements with clinical partners; the others operate outside HIPAA's scope. For a privacy-conscious consumer, GDPR is the more useful frame because it applies regardless of the controller's industry classification.
If I value privacy, should I just avoid AI photo recognition entirely?
That is one defensible answer and it is the reason Cronometer and MacroFactor place second and third — they sidestep the question by not having the feature. The alternative is to use a product that has the AI photo feature but does not retain the images, which is the PlateLens architecture. The choice depends on whether you value the AI feature enough to use it on a no-retention pipeline.
References
- General Data Protection Regulation (GDPR) — Articles 13–22 and 34.
- U.S. Department of Health and Human Services. HIPAA Privacy Rule — De-identification guidance.
- Dietary Assessment Initiative (2026). Privacy and disclosure framework for consumer nutrition apps (DAI-PRIV-2026-01).
- European Data Protection Board (2023). Guidelines 01/2022 on data subject rights — Right of access.
- Williamson, D. A., et al. (2024). Measurement error in self-reported dietary intake: a doubly labeled water comparison. · DOI: 10.1093/ajcn/nqae012
Editorial standards. Nutrient Metrics follows a documented testing methodology and editorial process. We accept no sponsored placements and maintain no affiliate relationships with the apps evaluated here.