Privacy Policy

Version 1.2 · Last updated: 2026-06-23

Preamble

This Privacy Policy sets out the rules for the processing of personal data of Users of the Kalorka.app Application and Guest Users using the accountless mode. The Policy fulfills the information obligation under Article 13 of the GDPR.

This document is consistent with the Terms of Service of the Application.

I. Personal data Controller

The Controller of Users’ personal data is:

TFB Group sp. z o.o.
ul. św. Filipa 23/4, 31-150 Kraków
KRS: 0000499144 · NIP: 6762474679 · REGON: 123048916

Contact email for GDPR matters: info@kalorka.app, info@tfbgroup.pl

The Controller is not obliged to appoint a data protection officer (DPO) pursuant to Article 37 of the GDPR — the scale and nature of processing do not meet the conditions for mandatory appointment.

II. Purposes of data processing

  a) Performance of the service — analysis of food photos using AI, saving results, Account management, referral system.
  b) Account authorization — handling sessions, email magic links, OAuth (Google, Apple), referral tokens.
  c) Transactional communication — magic links, notifications about Account changes, retention nudges (reminders to return to the Application), operator alerts.
  d) Security — rate limiting, protection against abuse, cost capping of the Guest Application, audit trail of inbound emails.
  e) Statistics and service improvement — anonymous event telemetry (hashed IP, categorized User-Agent), without identifying individuals.
  f) Newsletter / marketing — only after consent is given (opt-in). Currently, the Application does not send a newsletter.
  g) Daily goal (nutritional profile) — calculation of the estimated daily caloric requirement (TDEE) and macronutrient goals based on data provided voluntarily by the User (weight, height, year of birth, sex, activity level). The function is optional — launched only when the User decides to set a goal in the Account settings.

III. Legal bases (GDPR Article 6)

  • Article 6(1)(b) — performance of a contract (Terms of Service of the Application) — for purposes II.a) Performance of the service, II.b) Account authorization and II.g) Daily goal (nutritional profile data provided voluntarily by the User as part of an optional function);
  • Article 6(1)(f) — legitimate interest of the Controller — for purposes II.c) Transactional communication (retention nudges), II.d) Security, II.e) Statistics;
  • Article 6(1)(a) — User consent — for purpose II.f) Newsletter / marketing;
  • Article 6(1)(c) — legal obligation — for designated cases arising from regulations (e.g. responses to requests from law enforcement authorities).

IV. What data we process

A. Account data

  • email address
  • user_id (UUID generated by Supabase)
  • registration provider (Google / Apple / Email magic link)
  • registration date + last login date
  • avatar URL (if returned by OAuth)

B. Functional data

  • food photos (Supabase Storage, private bucket, signed URLs TTL 300s)
  • AI Analysis Results (ingredients, calories, macronutrients, raw_response JSON)
  • edits to results (meal_user_edited)
  • history of Scans + Credits

C. Technical data

  • anonymous_id cookie (Guest mode)
  • referral tokens (cookie + database)
  • Supabase session cookie (httpOnly + secure + SameSite)
  • analytics logs (hashed IP — SHA-256 + salt, categorized User-Agent)

D. Behavioral data

  • number and frequency of Scans performed
  • retention nudges subscription status (subscribed / unsubscribed)
  • click-through on links in emails (marked by UTM parameters)

E. Nutritional profile data (optional — “Daily goal” function)

  • weight (kg), height (cm), year of birth, sex
  • physical activity level
  • daily caloric goal and macronutrient goals (protein / carbs / fat)

These data are provided voluntarily by the User and processed only when the User uses the optional “Daily goal” function. They are used solely to calculate an estimated daily caloric and macronutrient goal. The calculations are indicative and do not constitute medical advice nor do they replace consultation with a doctor or dietitian. The User may change or delete these data at any time in the Account settings; deletion of the Account deletes them together with the remaining data.

V. Data processors (3rd parties)

The Controller uses the following data processors (entities processing on behalf of the Controller — Article 28 of the GDPR):

Processor | Scope | Region | Transfer mechanism
Supabase Inc. | Database + Auth + photo Storage | EU (eu-central-1) | DPA + SCC
Vercel Inc. | Application hosting + Serverless Functions | Multi-region EU (fra1) | DPA + SCC
Resend Inc. | Email (outgoing + incoming) | EU (eu-west-1) | DPA + SCC
Anthropic PBC | AI photo analysis (Claude Sonnet + Haiku) | Multi-region USA | DPA + SCC + NO training
Google LLC | OAuth login (optional) | Multi-region | DPF (Data Privacy Framework)
Apple Inc. | Sign in with Apple (optional) | Multi-region | DPF
Upstash Inc. | Redis (rate limiting + cost cap) | EU | DPA + SCC
Zendesk Inc. + TFB Group | Helpdesk (after /api/inbound/email forward) | Multi-region | DPA + SCC

DPA = Data Processing Agreement · SCC = Standard Contractual Clauses · DPF = EU-US Data Privacy Framework

Additional recipients / data processors (subscriptions and payments)

  • RevenueCat, Inc. — provider of infrastructure for handling and synchronizing subscription status and user entitlements between the mobile application, Apple App Store / Google Play stores and Kalorka systems. It may process the user or application identifier, information about the subscription product, subscription status, purchase/renewal/expiration dates, token or purchase confirmation provided by the store and technical metadata for entitlement verification. Purpose: verification of active paid access and granting entitlements.
  • Stripe, Inc. — historical provider of web payment processing. Since June 2026, Kalorka has not initiated new payments via Stripe nor provided a new purchase path via Stripe. Data of historical transactions (payment identifiers, amounts, dates, granted credits, billing metadata) may be stored for accounting, evidentiary, tax, security and complaint-handling purposes.

VI. Transfer of data outside the EEA

Some of the Controller’s processors are established outside the European Economic Area (mainly the USA — Anthropic, Google, Apple, Zendesk). Transfer of data to these entities takes place on the basis of:

  • Standard Contractual Clauses (SCC) — approved by the European Commission (Decision 2021/914);
  • Data Privacy Framework (DPF) — EU-US data protection framework (European Commission decision of 10 July 2023) — for entities that have self-certified.

The Controller DOES NOT transfer data to countries without an adequate level of personal data protection.

VII. Data retention period

Data category | Retention period
Account data (email, user_id, provider) | until Account deletion + 30 days backup
Food photos (Storage) | until Account deletion + 30 days backup
AI Analysis Results (parsed_result) | until Account deletion + 30 days backup
Nutritional profile (daily goal: weight, height, year of birth, sex, activity + kcal/macro goal) | until Account deletion + 30 days backup
Guest data (anonymous_id cookie) | 30 days from the last activity
Technical logs (analytics, IP hash) | 12 months
Inbound email logs (forward audit) | 6 months
Rate-limit logs (Upstash Redis) | 24 hours (rolling window)
Retention nudges subscription (opt-out) | until unsubscribe or Account deletion

Billing data and data concerning historical payments are stored for the period required by tax and accounting law — at least 5 years, counted from the end of the calendar year in which the obligation arose. In this respect, the right to erasure of data (Article 17 of the GDPR) is limited by the legal obligation incumbent on the controller (Article 17(3)(b) of the GDPR).

VIII. User rights (GDPR Articles 15-22)

Each User has the right to:

  • Access their data (Article 15 of the GDPR);
  • Rectification of incorrect data (Article 16);
  • Erasure of data (“right to be forgotten”, Article 17);
  • Restriction of processing (Article 18);
  • Data portability (Article 20);
  • Objection to processing based on legitimate interest (Article 21);
  • Withdrawal of consent at any time (Article 7(3)).

Exercise of rights: contact by email at info@kalorka.app. Response within up to 30 days of receipt of the request (in accordance with Article 12(3) of the GDPR).

The User also has the right to lodge a complaint with the supervisory authority — President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

IX. Cookies and similar technologies

The Application uses cookies and browser localStorage mechanisms for the following purposes:

A. Necessary cookies (functioning of the Application)

  • Supabase Auth session cookie (httpOnly + secure + SameSite=Lax)
  • Anonymous_id cookie (Guest mode — 30 days)
  • Referral token cookie (kalorka_referral_token — 30 days)
  • CSRF token (httpOnly, session)

B. Functional localStorage

  • UI preferences (intro pool quick-look rotation)
  • Session flags (e.g. has_seen_pwa_install_prompt)

C. Analytics cookies

The Application uses only server-side anonymous telemetry (hashed IP + categorized User-Agent). The Application DOES NOT use Google Analytics, Facebook Pixel or other external cross-site trackers.

D. Marketing cookies

The Application DOES NOT use marketing cookies or advertising trackers.

Cookie consent banner: The Application currently DOES NOT require a cookie consent banner — it uses only necessary and functional cookies. In accordance with Article 173(1)(1) and Article 173(2) of the Telecommunications Law Act, User consent is not required for cookies that are solely technical.

The banner will be implemented if/when the Application adds external analytics mechanisms or marketing tracking in the future.

X. Data security

  • All data transmissions are secured by the HTTPS (TLS 1.3) protocol — certificate managed by Vercel.
  • User passwords are NOT stored — the Application uses only email magic links and OAuth (Google / Apple).
  • Food photos are stored in a private Supabase Storage bucket with access via a signed URL with a lifetime of 300 seconds.
  • The Postgres database is protected by the RLS (Row Level Security) mechanism — each record requires authentication and is isolated per User.
  • Rate limiting mechanisms (Upstash Redis) and cost capping (daily AI API usage limits) protect the Application against abuse.
  • Automatic backups — daily database snapshots by Supabase (7-day retention, Pro plan).

XI. Final provisions

  1. Version of the Privacy Policy: 1.2. Last updated: 2026-06-23.
  2. Changes to the Privacy Policy require notifying Users 14 days in advance (analogously to the Terms of Service — §XIII).
  3. Please direct questions concerning the Privacy Policy to email info@kalorka.app.
  4. This Policy constitutes an integral part of the Terms of Service of the Application.