Privacy Policy

1. Information We Collect

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.

Personal Information

• Name and email address
• Profile information (age, weight, height, fitness goals)
• Food and exercise logs
• Health data from Android Health Connect and Apple HealthKit integration
• Payment information (processed securely by third-party providers)
• Google account information (when using Google OAuth login)
• Profile pictures and other uploaded content
• Photo uploads for AI-powered nutrition analysis

Health Data Collection

With your explicit permission, we may collect the following health data:

• Weight and Body Measurements: For nutrition and fitness tracking
• Activity Data: Steps, exercise duration, and physical activity
• Sleep Data: Sleep duration and quality metrics
• Heart Rate Data: Resting and active heart rate information
• Nutrition Data: Food intake and nutritional information
• Fitness Goals: Personal fitness and health objectives

Important: All health data collection requires your explicit consent and can be revoked at any time through your device settings.

Device Identifiers

We collect device identifiers for the following purposes:

Security & Fraud Prevention

We collect the following device identifiers and attestation signals to detect account abuse, prevent fraud, and enforce fair usage of our services:

• iOS: Identifier for Vendor (IDFV) and Keychain-based identifiers
• Android: Android ID, Google Services Framework ID, and MediaDRM ID
• Apple DeviceCheck: We use Apple's DeviceCheck API to query two per-device bits that persist across app reinstalls and account resets. These bits help us detect devices that have previously been associated with abuse.
• Android Play Integrity: We use Google's Play Integrity API with Device Recall to verify device integrity and maintain per-device recall bits that persist across reinstalls. These bits help us detect devices that have previously been associated with abuse.

These identifiers and attestation signals are stored on our servers and are not shared with third parties. They are used solely for security purposes.

Attribution & Campaign Measurement

To understand how users discover our app and to measure the effectiveness of our marketing campaigns, we collect advertising identifiers with your consent:

• iOS IDFA (Identifier for Advertisers): Collected only with your explicit consent via the App Tracking Transparency prompt. Used to match app installs to the advertising campaigns that led to them. Shared with our attribution partner (Airbridge) and subscription platform (RevenueCat).
• Android Advertising ID (GAID): Used for campaign attribution. Shared with Airbridge and RevenueCat. You can reset or disable this identifier in your Android device settings under "Ads".

These advertising identifiers are used solely for attribution analytics (understanding which campaigns bring users to the app) and subscription revenue measurement. They are not used to serve advertisements within the app. You can opt out of advertising identifier collection at any time through your device settings.

Usage Information

• Device information and identifiers
• Log data (IP address, browser type, pages visited)
• Cookies and similar technologies
• Authentication tokens and session data
• App usage patterns, feature interactions, and error logs
• Subscription and payment data

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send technical notices and support messages
• Respond to your comments and questions
• Personalize your experience, including AI-powered nutrition analysis of photos you upload
• Integrate with health platforms (Apple HealthKit, Android Health Connect) where you grant permission
• Process subscription payments and manage billing
• Measure product performance, debug errors, and improve features
• Prevent fraud, abuse, and enforce fair use of the service
• Comply with legal obligations

3. Information Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except:

• With service providers who assist us in operating our website and conducting our business
• When required by law or to protect our rights
• In connection with a merger, acquisition, or sale of assets

4. Data Security

We implement appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet is 100% secure.

5. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this privacy policy, unless a longer retention period is required by law.

Retention Periods

• Account Information: Retained until you delete your account or request deletion
• Usage Data: Retained for up to 2 years for analytics and service improvement
• Authentication Data: Retained for the duration of your account plus 30 days
• Error Logs: Retained for up to 90 days for debugging and service improvement
• Payment Information: Retained as required by law and payment processor requirements

6. Your Rights

You have the following rights regarding your personal information:

• Access: Request access to the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information and account
• Portability: Request a copy of your data in a structured, machine-readable format
• Restriction: Request restriction of processing of your personal information
• Objection: Object to processing of your personal information for certain purposes
• Withdrawal of Consent: Withdraw consent for data processing where consent is the legal basis

To exercise these rights, please contact us at privacy@calori.com. We will respond to your request within 30 days.

7. Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to enhance your experience, analyze usage, and provide personalized content.

Types of Cookies We Use

• Essential Cookies: Required for basic website functionality, authentication, and security
• Analytics Cookies: Help us understand how visitors interact with our website (Google Analytics)
• Preference Cookies: Remember your settings and preferences
• Authentication Cookies: Keep you logged in and maintain your session

Third-Party Cookies and Services

• Google Analytics: We use Google Analytics to analyze website traffic and user behavior. This service may set cookies to track your interactions.
• Google OAuth: When you log in with Google, Google may set cookies for authentication purposes.
• Google Firebase: For authentication, analytics, and cloud services.
• RevenueCat: For subscription management and payment processing.
• Statsig: For A/B testing, feature flags, and analytics.
• Sentry: For error tracking and performance monitoring.
• Airbridge: For mobile attribution and campaign measurement.
• OpenRouter / OpenAI / Anthropic / Grok (xAI) / Groq / Google Gemini: For AI-powered nutrition analysis and content generation.

You can control cookie settings through your browser preferences. However, disabling certain cookies may affect the functionality of our services.

8. Third-Party Services and Data Sharing

We integrate with several third-party services to provide you with the best experience. Here's how we share data with these services:

Google Services

• Google Analytics: We share anonymous usage data to understand how our website is used and improve user experience.
• Google OAuth: When you log in with Google, we receive your basic profile information (name, email, profile picture) as permitted by your Google account settings.
• Google Firebase: We share authentication data and app usage analytics for user management and service improvement.
• Google Cloud Storage: We store uploaded photos and processed images in secure cloud storage.

Payment and Subscription Services

• RevenueCat: We share subscription and payment information to process transactions and manage your subscription status. RevenueCat also receives advertising identifiers (IDFA with consent, GAID) to attribute subscription revenue to marketing campaigns via its server-side integration with Airbridge.

AI and Machine Learning Services

• OpenRouter: We route requests through OpenRouter to access multiple AI providers for nutrition analysis and content generation.
• OpenAI: We share uploaded photos and text data for AI-powered nutrition analysis and content generation.
• Anthropic: We share uploaded photos and text data for AI-powered nutrition analysis and content generation.
• Grok (xAI): We share uploaded photos and text data for AI-powered nutrition analysis and content generation.
• Groq: We share text data for AI-powered content generation and analysis.
• Google Gemini: We share uploaded photos and text data for AI-powered features and content generation.

Attribution and Campaign Measurement

• Airbridge: We share advertising identifiers (IDFA with consent, GAID) and subscription lifecycle events with Airbridge to measure which advertising campaigns drive app installs and subscriptions. Airbridge does not use this data to serve ads or build advertising profiles.

Analytics and Experimentation

• Google Analytics: We share anonymous usage data to understand how our app is used and improve user experience.
• Firebase Analytics: We share app usage data, user engagement metrics, and performance data for app optimization.
• Statsig: We share user behavior data for A/B testing, feature flags, and product experimentation.
• Sentry: We share error logs and performance data to monitor and improve our service reliability.

Health Data Integration

• Apple HealthKit / Android Health Connect: We access health data from your device only with your explicit permission, for fitness tracking and nutrition analysis.

All third-party services are required to maintain appropriate security measures and are prohibited from using your personal information for any purpose other than providing services to us.

9. International Data Transfers

Our service is operated globally. Your personal data may be transferred to and processed on servers outside your country or jurisdiction, including in the European Union and the United States, where data protection laws may differ from those in your country. We implement appropriate safeguards — such as Standard Contractual Clauses and vetted sub-processors — to protect your information when it is transferred internationally. By using the service, you consent to this international data transfer.

10. Compliance with Data Protection Laws

We comply with applicable data protection laws, including:

• GDPR (General Data Protection Regulation): For users in the European Union
• CCPA / CPRA (California Consumer Privacy Act): For users in California, USA
• PIPEDA (Personal Information Protection and Electronic Documents Act): For users in Canada
• Other applicable local data protection laws

11. Data Deletion and Account Management

You have the right to delete your account and all associated personal data at any time. We provide multiple ways to request data deletion:

Self-Service Data Deletion

• Account Settings: Logged-in users can delete their account directly through the app settings
• Data Deletion Page: Visit https://dev.calori.com/delete to request account deletion
• Email Request: Send a deletion request to support@calori.com

What Gets Deleted

• Your profile and personal information
• All food entries and health data
• Your preferences and settings
• Your subscription and payment history
• Uploaded photos and processed images
• Analytics data associated with your account

Processing Time

Data deletion requests are processed within 1-3 business days. You will receive a confirmation email once your data has been permanently deleted.

12. App Store and Device Permissions

Our app complies with Apple App Store and Google Play Store policies, including their data safety, health data, and privacy requirements. The app may request the following device permissions to provide full functionality:

• Camera and Photo Library: for photo-based nutrition analysis
• HealthKit / Health Connect: to read and write nutrition, activity, weight, and sleep data
• App Tracking Transparency (iOS) / Advertising ID (Android): for campaign attribution, with your consent

All permissions are optional and can be revoked at any time through your device settings. The app will continue to function with limited features if permissions are not granted.

13. Children's Privacy

Our service is not intended for, and is not available to, children under 13. We do not knowingly collect personal information from anyone under 13. If you believe that a child under 13 has provided us with personal information, please contact us so we can delete it.

14. Third-Party Links and Services

Our service may contain links to, or integrations with, third-party websites, apps, or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their content, privacy practices, or how they handle your information. Please review the privacy policies of any third party before providing information to them.

15. Changes to This Policy

We may update this privacy policy from time to time. Updates will be posted on this page with a revised effective date. If the changes are material, we will notify you through a notice within the service or by email, where applicable. Your continued use of the service after the effective date constitutes your acceptance of the updated policy.