Privacy Policy for Caloriva

Last Updated: January 13, 2026

Effective Date: January 13, 2026

This Privacy Policy governs the manner in which Caloriva collects, uses, maintains, and discloses information collected from users of the Caloriva mobile application (available on iOS and Android platforms).

Contact: support@caloriva.app

App Type: Commercial

Platforms: iOS, Android

1. ACCEPTANCE OF PRIVACY POLICY

By downloading, installing, accessing, or using the Caloriva Application, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must not use the Application.


2. INFORMATION WE COLLECT

2.1 Personal Information You Provide

Account Information:

  • Email address
  • User ID (Firebase UID)
  • Password (encrypted and hashed)
  • Authentication provider data (when using Google Sign-In or Apple Sign-In)

Health and Fitness Data:

  • Food entries and meal descriptions
  • Nutrition information (calories, protein, carbohydrates, fat, micronutrients)
  • Exercise logs and workout data (exercise type, sets, reps, weight, duration, intensity)
  • Body weight measurements
  • Personal health goals (calorie targets, macronutrient goals)
  • Journal entries and notes
  • Meal quality scores and ratings

User-Generated Content:

  • Photos of food items (processed and compressed before transmission)
  • Barcode scans of food products
  • Text inputs and natural language queries
  • User preferences and settings

2.2 Information Automatically Collected

Device Information:

  • Device type and model
  • Operating system and version (iOS, Android)
  • Device identifiers
  • Screen resolution
  • App version

Usage Data:

  • App features accessed
  • Time and date of app usage
  • Session duration
  • Pages and screens viewed
  • User interactions and navigation patterns
  • Error logs and crash reports

Technical Data:

  • IP address (for general location and security purposes only)
  • Time zone and locale settings
  • Network connection type

Push Notification Data:

  • Push notification tokens (Expo Push Tokens)
  • Notification preferences
  • Notification interaction data

2.3 Information from Third-Party Services

Food Database Information:

  • Nutrition data from OpenFoodFacts database
  • Barcode product information
  • Food serving sizes and common names

Analytics Data:

  • Usage analytics via PostHog
  • Event tracking and user behavior patterns

2.4 Location Data

Precise Location: We DO NOT collect precise location data. The Application does not access, track, or store your GPS coordinates or precise geographic location.

Coarse Location: We collect your IP address, which may be used to determine your approximate location at the country or region level for security, fraud prevention, and service optimization purposes.


3. HOW WE USE YOUR INFORMATION

We use the collected information for the following purposes:

3.1 Core Functionality

  • Provide personalized nutrition tracking and analysis
  • Calculate and display calorie and macronutrient information
  • Track exercise activities and fitness progress
  • Store and retrieve your journal entries
  • Sync your data across devices
  • Generate weekly and monthly summaries

3.2 AI-Powered Features

  • Process food descriptions using Google Gemini API to estimate nutrition values
  • Analyze meal quality and provide personalized feedback
  • Classify exercises and calculate intensity metrics
  • Generate personalized suggestions based on your history
  • Recognize food items from photos and barcodes

3.3 Service Improvement

  • Analyze usage patterns to improve app functionality
  • Debug errors and fix technical issues
  • Optimize app performance
  • Develop new features based on user needs
  • Conduct A/B testing for feature improvements

3.4 Communication

  • Send transactional emails (account verification, password resets)
  • Deliver push notifications for reminders and updates
  • Respond to your support requests
  • Send important service announcements
  • Provide subscription and billing information

3.5 Security and Fraud Prevention

  • Detect and prevent fraudulent activities
  • Protect against unauthorized access
  • Enforce our Terms and Conditions
  • Comply with legal obligations

4. ARTIFICIAL INTELLIGENCE (AI) USAGE

4.1 AI Technologies

The Application uses Artificial Intelligence (AI) technologies powered by Google Gemini to provide the following features:

  • Nutrition Analysis: Your food descriptions are sent to Google Gemini API to estimate calorie and macronutrient content
  • Exercise Classification: Exercise descriptions are analyzed to determine type, intensity, and muscle groups
  • Meal Quality Scoring: AI evaluates nutritional balance and provides feedback
  • Natural Language Processing: User inputs are processed to extract food items, quantities, and activities

4.2 AI Data Processing

  • All AI processing is performed via secure API calls to Google Gemini
  • Food descriptions and exercise logs are transmitted to Google Gemini servers for analysis
  • Google Gemini processes data according to their own privacy policy and data usage policies
  • AI-generated nutrition estimates may not be 100% accurate and should not replace professional medical advice

4.3 AI Data Retention

  • According to Google Gemini API terms, API request data may be retained for up to 30 days for abuse monitoring purposes
  • After 30 days, Google Gemini deletes API request data unless required by law
  • We use the Google Gemini API service which is subject to Google's data processing terms

4.4 AI Model Training

Important: We use Google's paid Gemini API services, which do not use customer data for model training purposes. Your data submitted to Google Gemini API is NOT used to train or improve third-party Artificial Intelligence models.


5. THIRD-PARTY SERVICES

The Application uses the following third-party services that may collect, process, and store your information:

5.1 Authentication and Infrastructure

Firebase Authentication (Google)

Google Play Services

Apple Sign-In

5.2 Database and Storage

MongoDB Atlas

5.3 AI and Data Processing

Google Gemini API

  • Purpose: AI-powered nutrition analysis and exercise classification
  • Data Collected: Food descriptions, exercise logs, user queries
  • Privacy Policy: https://ai.google.dev/terms
  • Data Location: US servers

OpenFoodFacts

5.4 Analytics and Monitoring

PostHog

  • Purpose: Product analytics for legitimate business interests (app improvement, user experience optimization)
  • Data Collected: Usage events, user behavior patterns, feature usage statistics
  • Privacy Policy: https://posthog.com/privacy
  • Data Location: US servers
  • Session Recording: Session recording is currently DISABLED to protect user privacy and comply with health data regulations
  • We collect only event-based analytics (button clicks, screen views) without recording actual screen content

5.5 Health Data Integration

Health Data Advertising Exclusion: We do not use data obtained through Apple HealthKit or Google Health Connect for advertising or similar services. Data from these frameworks is not sold to third parties.

Firebase Crashlytics

Google Analytics for Firebase

5.6 Subscription Management

RevenueCat

  • Purpose: In-app subscription management and billing
  • Data Collected: User ID, subscription status, purchase history, device information
  • Privacy Policy: https://www.revenuecat.com/privacy
  • Data Location: US servers

Apple App Store / Google Play Store

  • Purpose: App distribution and payment processing
  • Data Collected: Purchase information, payment methods, billing address
  • Privacy Policy: Apple Privacy | Google Privacy

5.7 Push Notifications

Expo Push Notifications

  • Purpose: Deliver push notifications
  • Data Collected: Push tokens, notification preferences
  • Privacy Policy: https://expo.dev/privacy

6. DATA SHARING AND DISCLOSURE

6.1 We Do NOT Sell Your Data

We do not sell, trade, or rent your personal information to third parties for marketing purposes.

6.2 Service Providers

We share your information with trusted third-party service providers who assist us in operating the Application:

  • Cloud hosting providers (MongoDB Atlas)
  • AI processing services (Google Gemini)
  • Analytics providers (PostHog, Firebase)
  • Subscription management (RevenueCat)
  • Push notification services (Expo)

These service providers are contractually obligated to use your information only for the purposes we specify and to protect your data.

6.3 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or subpoenas
  • Government or regulatory requests
  • Legal processes or investigations
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities
  • Enforcement of our Terms and Conditions

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your data.

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you personally for:

  • Research and analytics purposes
  • Industry reports and benchmarking
  • Service improvement and optimization

7. DATA SECURITY

7.1 Security Measures

We implement industry-standard security measures to protect your information:

Technical Safeguards:

  • Encryption in transit (HTTPS/TLS)
  • Encrypted password storage (Firebase Authentication)
  • Secure API authentication with tokens
  • Regular security audits and updates

Organizational Safeguards:

  • Access controls and authentication
  • Employee training on data protection
  • Incident response procedures
  • Regular security assessments

Physical Safeguards:

  • Secure cloud infrastructure (MongoDB Atlas, Firebase)
  • Data center security and redundancy
  • Backup and disaster recovery systems

7.2 Image Security

  • Photos are compressed to maximum 700KB before transmission
  • Images are converted to base64 format for secure transfer
  • Images are temporarily cached on device and deleted after processing
  • We do not permanently store raw photo files

7.3 Security Limitations

Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

7.4 Your Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Using a strong, unique password
  • Not sharing your account with others
  • Logging out of shared devices
  • Reporting any unauthorized access immediately

8. DATA RETENTION

8.1 Active Accounts

We retain your personal information for as long as your account is active or as needed to provide you services.

8.2 Account Deletion

When you delete your account:

  • All personal data is permanently deleted from our servers within 30 days
  • Cached data on your device is immediately cleared
  • Backup copies are deleted within 90 days
  • Some data may be retained for legal compliance (e.g., transaction records for tax purposes)

8.3 Analytics Data

  • PostHog analytics data is retained according to their retention policy
  • Aggregated, anonymized data may be retained indefinitely

8.4 Legal Retention

We may retain certain information as required by law, including:

  • Transaction records for tax and accounting purposes (7 years)
  • Legal dispute records until resolution
  • Fraud prevention records

9. YOUR RIGHTS AND CHOICES

9.1 Access and Portability

You have the right to:

  • Access all personal data we hold about you
  • Request a copy of your data in a portable format (JSON/CSV)
  • Review your health and fitness data within the app

How to Exercise: Contact us at support@caloriva.app

9.2 Correction and Update

You have the right to:

  • Correct inaccurate personal information
  • Update your profile and preferences
  • Modify your health goals and settings

How to Exercise: Update information directly in the app or contact support@caloriva.app

9.3 Deletion

You have the right to:

  • Delete your account and all associated data
  • Request deletion of specific data entries
  • Withdraw consent for data processing

How to Exercise:

  • Use the "Delete Account" option in app settings
  • Send an email to support@caloriva.app with the subject "Delete Account Request"
  • Contact support@caloriva.app

Note: Email-based account deletion is available for users who cannot access the app (e.g., lost phone, device issues). We will verify your identity before processing the deletion request.

9.4 Opt-Out Rights

Analytics:

  • Basic analytics are necessary for app functionality and security
  • You can manage analytics preferences in the app settings under "Privacy & Data"
  • Disabling analytics may limit some app features

Session Recording:

  • Session recording is currently DISABLED for all users
  • We do not record, capture, or replay your screen activity
  • Only event-based analytics (e.g., "button clicked", "screen viewed") are collected

Complete Data Collection Stop:

  • To completely stop all data collection, delete your account via app settings
  • After account deletion, uninstall the app to remove all local data
  • For GDPR/CCPA users: Account deletion is your right and stops all future data processing

Marketing Communications:

  • Opt out of promotional emails via unsubscribe links
  • Disable push notifications in device settings

9.5 Data Portability

Request an export of your data in machine-readable format by contacting support@caloriva.app. We will provide your data within 30 days.

9.6 Complaints

If you believe we have violated your privacy rights, you have the right to:

  • File a complaint with us at support@caloriva.app
  • Lodge a complaint with your local data protection authority
  • Seek legal remedies under applicable law

10. INTERNATIONAL DATA TRANSFERS

10.1 Data Storage Locations

Your data is stored and processed in the following locations:

  • MongoDB Atlas: United States and European Union servers
  • Firebase: United States servers
  • Google Gemini: United States servers
  • PostHog: United States servers
  • RevenueCat: United States servers

10.2 Cross-Border Transfers

If you are located outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate.

10.3 Data Protection Standards

We ensure that all international data transfers comply with applicable data protection laws through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Service provider contractual obligations

10.4 European Users

For users in the European Economic Area (EEA), United Kingdom, and Switzerland:

  • We comply with GDPR requirements
  • Data transfers are protected by appropriate safeguards
  • You have additional rights under GDPR (see Section 9)

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

The Application is not intended for children under 13 (or the age of digital consent in your jurisdiction, e.g., 16 in certain EU countries). We do not knowingly collect personal information from children under the applicable age. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

11.2 Parental Consent

If you are between 13 and 18 years of age, you must have parental or guardian consent to use the Application.

11.3 Discovery of Child Data

If we discover that we have collected personal information from a child under 13 without parental consent:

  • We will delete the information immediately
  • We will terminate the account
  • We will notify the parent or guardian if contact information is available

11.4 Parental Rights

Parents or guardians may:

  • Request access to their child's information
  • Request deletion of their child's information
  • Refuse further collection of their child's information

Contact: support@caloriva.app


12. CALIFORNIA PRIVACY RIGHTS (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Right to Know

You have the right to request:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collecting information
  • Categories of third parties with whom we share information
  • Specific pieces of personal information we hold about you

12.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

12.3 Right to Opt-Out

You have the right to opt out of the sale of personal information. We do not sell personal information.

12.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

12.5 Exercising CCPA Rights

To exercise your CCPA rights, contact us at support@caloriva.app. We will verify your identity and respond within 45 days.


13. EUROPEAN PRIVACY RIGHTS (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

13.1 Legal Basis for Processing

We process your personal data based on:

  • Consent: You have given explicit consent for specific purposes
  • Contract: Processing is necessary to fulfill our contract with you
  • Legal Obligation: Processing is required by law
  • Legitimate Interests: Processing is necessary for our legitimate business interests

13.2 GDPR Rights

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (right to be forgotten) by deleting your account
  • Restrict processing - manage analytics and session recording preferences in app settings
  • Data portability - request an export of your data
  • Object to processing - opt out of session recording and non-essential analytics in app settings
  • Lodge a complaint with a supervisory authority

Important: You can manage your data processing preferences in the app settings under "Privacy & Data." Session recording is currently disabled. To completely stop all data processing, delete your account via app settings.

13.3 Data Protection Officer

For GDPR-related inquiries, contact: support@caloriva.app

13.4 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority.


14. TRACKING TECHNOLOGIES

14.1 Mobile App Technologies

The mobile application does not use browser cookies. However, we use:

  • Local Storage: AsyncStorage for caching data on your device
  • Session Tokens: For authentication and API access
  • Analytics SDKs: PostHog for usage tracking
  • Device Identifiers: For analytics and crash reporting

14.2 Third-Party Tracking

Third-party services (Firebase, PostHog) may use their own tracking technologies. Refer to their privacy policies for details.


15. DATA COLLECTION CONTROL

As a mobile application, we do not respond to browser-based Do Not Track (DNT) signals. To stop all data collection, you must delete your account and uninstall the app from your device.


16. CHANGES TO THIS PRIVACY POLICY

16.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services
  • User feedback

16.2 Notification

We will notify you of material changes by:

  • Posting the updated policy in the app
  • Sending an email notification (if you have an account)
  • Displaying an in-app notification
  • Updating the "Last Updated" date at the top of this policy

16.3 Continued Use

Your continued use of the Application after changes to this Privacy Policy constitutes acceptance of the updated policy.

16.4 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.


17. DISCLAIMER AND LIMITATIONS

17.1 Medical Disclaimer

Caloriva is NOT a medical device or medical advice service.

  • The Application provides general nutrition and fitness tracking
  • AI-generated nutrition estimates may not be 100% accurate
  • Do not rely solely on the app for medical decisions
  • Consult healthcare professionals for medical advice
  • The app is not a substitute for professional medical care

17.2 Accuracy Disclaimer

  • Nutrition data is estimated and may not be 100% accurate
  • Food database information may be incomplete or outdated
  • User-entered data may contain errors
  • We are not responsible for inaccurate nutrition information

17.3 Third-Party Services

We are not responsible for:

  • Privacy practices of third-party services
  • Accuracy of third-party data (OpenFoodFacts, Google Gemini)
  • Security breaches at third-party providers
  • Changes to third-party terms or policies

18. DATA CONTROLLER AND CONTACT INFORMATION

18.1 Data Controller

For purposes of GDPR and other data protection laws, the data controller for your personal information is:

Application: Caloriva

Contact Email: support@caloriva.app

Operating Jurisdiction: India (with compliance to GDPR/CCPA for international users)

18.2 Privacy Questions

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: support@caloriva.app

Response Time: We aim to respond within 5 business days

18.3 Data Subject Requests

To exercise your privacy rights (access, deletion, correction):

Email: support@caloriva.app

Subject Line: "Privacy Request - [Your Request Type]"

Response Time: Within 30 days (45 days for CCPA requests)

18.4 Security Incidents

To report a security vulnerability or data breach:

Email: support@caloriva.app

Subject Line: "Security Incident Report"


19. CONSENT

By downloading, installing, accessing, or using the Caloriva Application, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

19.1 Health Data Consent

GDPR Special Category Data: We process your health data (calories, weight, nutrition information) based on your explicit consent obtained during account creation. For users in the EEA, a separate checkbox is provided for explicit consent to process health data for nutrition tracking purposes.

If you do not agree with any part of this Privacy Policy, you must not use the Application.


20. GOVERNING LAW

This Privacy Policy shall be governed by the laws of India, except where local mandatory consumer protection laws (such as GDPR or CCPA) require otherwise.


Document Version: 1.0

End of Privacy Policy