Calorie0 Privacy Policy

1. Scope
This Privacy Policy explains how Calorie0 ("we," "us," or "our") collects, uses, shares, stores, and protects personal information when you use our website and application (the "Platform"). It applies to all users globally, with specific sections addressing rights under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

2. Information We Collect
We collect the following categories of personal data:
— Account data: name, email address, password (hashed), authentication provider (e.g. Google OAuth).
— Profile data: fitness goal, experience level, workout frequency, body metrics (height, weight), gender, date of birth, location, occupation, dietary preferences.
— Device and timezone data: your local timezone (e.g. "America/New_York"), detected automatically from your browser when you use the Platform. This is used solely to schedule daily reminder emails at the correct local time (10 AM for meal reminders, 7 PM for workout reminders). It is not used for advertising, location tracking, or shared with third parties.
— Health and activity data: workout logs, exercise completions, nutrition logs, calorie intake, streaks, and badges. This may constitute sensitive health data under applicable laws.
— Usage data: pages visited, features used, timestamps, device type, browser, IP address, and referral source.
— Communications: emails or messages you send to us.
— Payment metadata: transaction identifiers and billing details processed by our payment provider. We do not store full card numbers.

3. How We Use Your Information
We use your data to:
— Create and manage your account and deliver Platform features.
— Personalise your workout plans, nutrition guidance, and dashboard.
— Send transactional emails (account verification, security alerts).
— Send optional product and reminder emails where you have consented or where we have a legitimate interest (e.g. daily meal and workout reminders — you can unsubscribe at any time or toggle them off in your profile settings).
— Schedule reminder emails at the appropriate local time using your stored timezone. You can update or clear your timezone preference at any time by contacting hello@calorie0.com.
— Improve and develop the Platform through aggregated analytics.
— Detect and prevent fraud, abuse, and security incidents.
— Comply with legal obligations.

4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) or UK, we process your data under the following lawful bases:
— Contract performance: to provide the services you signed up for.
— Consent: for health/sensitive data, marketing emails, and optional analytics. You may withdraw consent at any time by emailing hello@calorie0.com — withdrawal does not affect the lawfulness of processing before withdrawal.
— Legitimate interests: for fraud prevention, security, and product improvement, where these interests are not overridden by your rights.
— Legal obligation: where we are required to process data by law.

For health data (Article 9 GDPR), we rely on your explicit consent provided at account creation.

5. Third-Party Sub-Processors
We share data only with the following sub-processors, each bound by a Data Processing Agreement (DPA) or equivalent contractual obligations. We do not sell your personal data. We do not share your data with advertisers.

Supabase — Purpose: database hosting, authentication, and row-level access control. Data shared: all user profile, health, activity, and nutrition data stored on the Platform. Location: United States (AWS us-east-1). Privacy: supabase.com/privacy

Vercel — Purpose: application hosting, serverless function execution, and edge delivery. Data shared: IP addresses and request metadata via server access logs (not linked to your account; retained up to 30 days). No personal profile or health data is shared with Vercel beyond what passes through standard HTTPS request headers. Location: United States (global edge network). Privacy: vercel.com/legal/privacy-policy

Google — Purpose: OAuth 2.0 sign-in (only if you choose "Sign in with Google"). Data shared: your Google email address, display name, and profile photo are received by Calorie0 from Google at sign-in. We do not send your Calorie0 data back to Google. Location: United States. Privacy: policies.google.com/privacy

Resend — Purpose: transactional email delivery (account verification, security notices) and reminder emails (meal and workout reminders). Data shared: your email address, first name, and email delivery metadata (send timestamp, delivery status). No email body content is stored by Resend after delivery. Location: United States. Privacy: resend.com/privacy

Cloudflare — Purpose: DDoS protection, bot detection, and Turnstile CAPTCHA on authentication forms. Data shared: IP address and browser fingerprint signals for security scoring. This data is processed by Cloudflare under their privacy policy and is not used for advertising. Location: United States (global edge). Privacy: cloudflare.com/privacypolicy

GitHub Actions — Purpose: scheduled execution of server-side cron jobs (daily meal and workout reminder triggers). Data shared: no personal user data is shared with GitHub. The workflow calls Calorie0's own API endpoints using a server-to-server secret; only a success/failure response is returned. Workflow logs are retained by GitHub for up to 90 days. Location: United States. Privacy: github.com/privacy

6. Health and Sensitive Data
Workout logs, nutrition data, body metrics, and related health information may be considered sensitive or consumer health data under applicable law (including GDPR Article 9 and US state health data laws). We process this data solely to deliver Platform features you have requested, based on your explicit consent. You may request deletion of this data at any time.

7. Cookies and Tracking
We use the following categories of cookies and similar technologies:
— Essential cookies: required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
— Analytics cookies: used to understand aggregate usage patterns and improve the Platform. Where required by law, these are only set with your consent.
— Security cookies: used by Cloudflare Turnstile for bot detection.

You may manage cookies via your browser settings. Disabling essential cookies will prevent you from logging in.

8. Data Retention
We retain personal data for the following periods:
— Account and profile data: retained for the life of your account. When you delete your account, your profile and all associated personal data are permanently and immediately deleted from our active systems. This action is irreversible — we do not offer account recovery after deletion.
— Workout logs, nutrition logs, saved meals, and weight history: deleted immediately and permanently when you delete your account.
— Infrastructure backups: our database hosting provider (Supabase) maintains automated infrastructure backups for operational continuity. These backups may retain a copy of your data for up to 7 days after account deletion, after which they are automatically purged. We cannot restore your data from these backups on request — they exist solely for system recovery purposes.
— Server and edge logs: Vercel (our hosting provider) may retain server access logs — including IP addresses and request metadata — for up to 30 days for security and debugging purposes. These logs are not linked to your account after deletion.
— Email delivery logs: Resend (our email provider) may retain email delivery metadata (recipient address, send timestamp, delivery status) for up to 30 days. No email body content is retained after delivery.
— Payment metadata: up to 7 years, as required by financial and tax regulations.
— De-identified or aggregated data (e.g. aggregate usage statistics with no link to any individual) may be retained indefinitely for product improvement.

9. Your Privacy Rights
Depending on your jurisdiction, you have the right to:
— Access the personal data we hold about you.
— Correct inaccurate or incomplete data.
— Delete your data ("right to erasure").
— Portability — receive your data in a structured, machine-readable format (JSON or CSV).
— Restrict or object to certain processing activities.
— Withdraw consent at any time, without affecting prior lawful processing.

How to request data portability: Email hello@calorie0.com with the subject line "Data Export Request." We will prepare and deliver a copy of your personal data — including your profile, workout logs, nutrition logs, and streak history — within 30 days. The export will be provided as a downloadable JSON file. We may ask you to verify your identity before fulfilling the request.

To exercise any other rights, email hello@calorie0.com with the subject line "Privacy Request" and describe what you are requesting. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your EEA national supervisory authority — see Section 12).

10. Profiling, Automated Decision-Making, and Do Not Track (GDPR Article 22)
Profiling: Calorie0 builds a profile of your fitness behaviour — including your goal, experience level, workout frequency, body metrics, and activity history — to personalise your experience. This profiling drives features such as suggested workout plans, personalised macro and calorie targets, streak tracking, and badge progress. We profile you only for the purpose of delivering the services you signed up for, not for advertising or third-party commercial purposes.

Automated decisions: Some personalisation on Calorie0 is generated automatically without human review in each instance (e.g. daily macro targets, workout plan suggestions). These automated outputs are recommendations — you are always free to ignore or override them. Where automated processing has a significant effect on you, you have the right to:
— Request human review of any automated decision.
— Express your point of view regarding the decision.
— Contest a decision you believe is inaccurate or unfair.

To exercise these rights, email hello@calorie0.com with the subject line "Automated Decision Review." We will respond within 30 days. We do not use solely automated decision-making for decisions that produce legal or similarly significant effects without human oversight.

Do Not Track (DNT): Some browsers offer a "Do Not Track" signal. Calorie0 does not currently alter its data collection practices in response to DNT signals, as no legally recognised standard for responding to DNT exists. We disclose our full data practices in this Privacy Policy regardless of DNT status.

11. Your Right to Object to Legitimate Interests Processing
Where we rely on legitimate interests as our lawful basis for processing (such as fraud prevention, security monitoring, or product analytics), you have the right to object to that processing at any time. To do so, email hello@calorie0.com with the subject line "Object to Processing." We will assess your request and either cease that processing or explain our compelling legitimate grounds for continuing. This right is separate from withdrawing consent and applies even where consent is not the lawful basis.

12. Supervisory Authorities
If you are located in the European Economic Area (EEA) or the United Kingdom and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority:
— United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
— Ireland / EU lead authority: Data Protection Commission (DPC) — dataprotection.ie
— Other EEA countries: contact your national supervisory authority. A full list is available at edpb.europa.eu.

We would appreciate the opportunity to address your concern directly before you contact a supervisory authority — please reach out to hello@calorie0.com first.

13. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
— Right to know what personal information we collect, use, and share.
— Right to delete your personal information.
— Right to correct inaccurate personal information.
— Right to opt out of the sale or sharing of personal information.
— Right to limit use of Sensitive Personal Information (SPI).

Sensitive Personal Information we collect includes health and fitness data (workout logs, nutrition data, body metrics), precise geolocation (if provided), and account credentials. We use SPI only to deliver core Platform features — we do not use it for inferring characteristics unrelated to the services you requested.

We do not sell or share your personal information for cross-context behavioural advertising. To submit a California privacy request, email hello@calorie0.com with the subject line "California Privacy Request." We will respond within 45 days (extendable by a further 45 days where reasonably necessary). We do not discriminate against users who exercise their privacy rights.

14. Washington My Health MY Data Act (MHMDA)
If you are a Washington State resident, the Washington My Health MY Data Act provides additional protections for your consumer health data. Calorie0 collects and processes consumer health data — including workout logs, nutrition logs, body metrics (weight, height), and fitness goal information — solely to provide the services you have requested.

Under the MHMDA, you have the right to:
— Know what consumer health data we collect and with whom it is shared.
— Access your consumer health data.
— Delete your consumer health data.
— Withdraw consent to our collection or sharing of your consumer health data.

We do not sell consumer health data. We do not share consumer health data with third parties except with service providers necessary to operate the Platform (listed in Section 5), under contractual obligations that prohibit them from using the data for any other purpose.

To exercise your MHMDA rights, email hello@calorie0.com with the subject line "Washington Health Data Request." We will respond within 45 days.

16. International Data Transfers
Calorie0 is operated from the United States. If you access the Platform from the EEA, UK, or other regions with data transfer restrictions, your data may be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognised transfer mechanisms, to protect your data during international transfers.

17. Security
We implement reasonable administrative, technical, and organisational safeguards to protect your data — including encrypted storage, hashed passwords, row-level security on our database, and HTTPS-only access. No transmission or storage method is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify relevant supervisory authorities within 72 hours (as required by GDPR) and affected users without undue delay.

18. Children
Calorie0 is not directed at children under 13 (or a higher age where required by local law). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact hello@calorie0.com and we will delete it promptly.

19. Email Communications
We may send you transactional emails (account verification, security notices) and, where permitted, product emails (feature updates, daily reminders). Daily reminder emails are scheduled using your stored timezone to ensure delivery at the appropriate local time — 10 AM for meal reminders and 7 PM for workout reminders. These are only sent on days when you have not already logged the relevant activity. You can disable reminder emails at any time via the unsubscribe link in any email, or by toggling off reminders in your profile under Settings. Disabling reminders does not affect transactional emails necessary to operate your account.

20. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and notify you via email or in-app notice where required. We encourage you to review this page periodically.

21. Contact
For any privacy questions, requests, or concerns, contact us at hello@calorie0.com. Please include "Privacy Request" in the subject line for data rights requests.