Privacy Policy
Version 1.2 · Last updated: 2026-06-23
Preamble
This Privacy Policy sets out the rules for the processing of personal data of Users of the Kalorka.app Application and Guest Users using the accountless mode. The Policy fulfills the information obligation under Article 13 of the GDPR.
This document is consistent with the Terms of Service of the Application.
I. Personal data Controller
The Controller of Users’ personal data is:
TFB Group sp. z o.o.
ul. św. Filipa 23/4, 31-150 Kraków
KRS: 0000499144 · NIP: 6762474679 · REGON: 123048916
Contact email for GDPR matters: info@kalorka.app, info@tfbgroup.pl
The Controller is not obliged to appoint a data protection officer (DPO) pursuant to Article 37 of the GDPR — the scale and nature of processing do not meet the conditions for mandatory appointment.
II. Purposes of data processing
- a) Performance of the service — analysis of food photos using AI, saving results, Account management, referral system.
- b) Account authorization — handling sessions, email magic links, OAuth (Google, Apple), referral tokens.
- c) Transactional communication — magic links, notifications about Account changes, retention nudges (reminders to return to the Application), operator alerts.
- d) Security — rate limiting, protection against abuse, cost capping of the Guest Application, audit trail of inbound emails.
- e) Statistics and service improvement — anonymous event telemetry (hashed IP, categorized User-Agent), without identifying individuals.
- f) Newsletter / marketing — only after consent is given (opt-in). Currently, the Application does not send a newsletter.
- g) Daily goal (nutritional profile) — calculation of the estimated daily caloric requirement (TDEE) and macronutrient goals based on data provided voluntarily by the User (weight, height, year of birth, sex, activity level). The function is optional — launched only when the User decides to set a goal in the Account settings.
III. Legal bases (GDPR Article 6)
- Article 6(1)(b) — performance of a contract (Terms of Service of the Application) — for purposes II.a) Performance of the service, II.b) Account authorization and II.g) Daily goal (nutritional profile data provided voluntarily by the User as part of an optional function);
- Article 6(1)(f) — legitimate interest of the Controller — for purposes II.c) Transactional communication (retention nudges), II.d) Security, II.e) Statistics;
- Article 6(1)(a) — User consent — for purpose II.f) Newsletter / marketing;
- Article 6(1)(c) — legal obligation — for designated cases arising from regulations (e.g. responses to requests from law enforcement authorities).
IV. What data we process
A. Account data
- email address
- user_id (UUID generated by Supabase)
- registration provider (Google / Apple / Email magic link)
- registration date + last login date
- avatar URL (if returned by OAuth)
B. Functional data
- food photos (Supabase Storage, private bucket, signed URLs TTL 300s)
- AI Analysis Results (ingredients, calories, macronutrients, raw_response JSON)
- edits to results (meal_user_edited)
- history of Scans + Credits
C. Technical data
- anonymous_id cookie (Guest mode)
- referral tokens (cookie + database)
- Supabase session cookie (httpOnly + secure + SameSite)
- analytics logs (hashed IP — SHA-256 + salt, categorized User-Agent)
D. Behavioral data
- number and frequency of Scans performed
- retention nudges subscription status (subscribed / unsubscribed)
- click-through on links in emails (marked by UTM parameters)
E. Nutritional profile data (optional — “Daily goal” function)
- weight (kg), height (cm), year of birth, sex
- physical activity level
- daily caloric goal and macronutrient goals (protein / carbs / fat)
These data are provided voluntarily by the User and processed only when the User uses the optional “Daily goal” function. They are used solely to calculate an estimated daily caloric and macronutrient goal. The calculations are indicative and do not constitute medical advice nor do they replace consultation with a doctor or dietitian. The User may change or delete these data at any time in the Account settings; deletion of the Account deletes them together with the remaining data.
V. Data processors (3rd parties)
The Controller uses the following data processors (entities processing on behalf of the Controller — Article 28 of the GDPR):
| Processor | Scope | Region | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database + Auth + photo Storage | EU (eu-central-1) | DPA + SCC |
| Vercel Inc. | Application hosting + Serverless Functions | Multi-region EU (fra1) | DPA + SCC |
| Resend Inc. | Email (outgoing + incoming) | EU (eu-west-1) | DPA + SCC |
| Anthropic PBC | AI photo analysis (Claude Sonnet + Haiku) | Multi-region USA | DPA + SCC + NO training |
| Google LLC | OAuth login (optional) | Multi-region | DPF (Data Privacy Framework) |
| Apple Inc. | Sign in with Apple (optional) | Multi-region | DPF |
| Upstash Inc. | Redis (rate limiting + cost cap) | EU | DPA + SCC |
| Zendesk Inc. + TFB Group | Helpdesk (after /api/inbound/email forward) | Multi-region | DPA + SCC |
DPA = Data Processing Agreement · SCC = Standard Contractual Clauses · DPF = EU-US Data Privacy Framework
Additional recipients / data processors (subscriptions and payments)
- RevenueCat, Inc. — provider of infrastructure for handling and synchronizing subscription status and user entitlements between the mobile application, Apple App Store / Google Play stores and Kalorka systems. It may process the user or application identifier, information about the subscription product, subscription status, purchase/renewal/expiration dates, token or purchase confirmation provided by the store and technical metadata for entitlement verification. Purpose: verification of active paid access and granting entitlements.
- Stripe, Inc. — historical provider of web payment processing. Since June 2026, Kalorka has not initiated new payments via Stripe nor provided a new purchase path via Stripe. Data of historical transactions (payment identifiers, amounts, dates, granted credits, billing metadata) may be stored for accounting, evidentiary, tax, security and complaint-handling purposes.
VI. Transfer of data outside the EEA
Some of the Controller’s processors are established outside the European Economic Area (mainly the USA — Anthropic, Google, Apple, Zendesk). Transfer of data to these entities takes place on the basis of:
- Standard Contractual Clauses (SCC) — approved by the European Commission (Decision 2021/914);
- Data Privacy Framework (DPF) — EU-US data protection framework (European Commission decision of 10 July 2023) — for entities that have self-certified.
The Controller DOES NOT transfer data to countries without an adequate level of personal data protection.
VII. Data retention period
| Data category | Retention period |
|---|---|
| Account data (email, user_id, provider) | until Account deletion + 30 days backup |
| Food photos (Storage) | until Account deletion + 30 days backup |
| AI Analysis Results (parsed_result) | until Account deletion + 30 days backup |
| Nutritional profile (daily goal: weight, height, year of birth, sex, activity + kcal/macro goal) | until Account deletion + 30 days backup |
| Guest data (anonymous_id cookie) | 30 days from the last activity |
| Technical logs (analytics, IP hash) | 12 months |
| Inbound email logs (forward audit) | 6 months |
| Rate-limit logs (Upstash Redis) | 24 hours (rolling window) |
| Retention nudges subscription (opt-out) | until unsubscribe or Account deletion |
Billing data and data concerning historical payments are stored for the period required by tax and accounting law — at least 5 years, counted from the end of the calendar year in which the obligation arose. In this respect, the right to erasure of data (Article 17 of the GDPR) is limited by the legal obligation incumbent on the controller (Article 17(3)(b) of the GDPR).
VIII. User rights (GDPR Articles 15-22)
Each User has the right to:
- Access their data (Article 15 of the GDPR);
- Rectification of incorrect data (Article 16);
- Erasure of data (“right to be forgotten”, Article 17);
- Restriction of processing (Article 18);
- Data portability (Article 20);
- Objection to processing based on legitimate interest (Article 21);
- Withdrawal of consent at any time (Article 7(3)).
Exercise of rights: contact by email at info@kalorka.app. Response within up to 30 days of receipt of the request (in accordance with Article 12(3) of the GDPR).
The User also has the right to lodge a complaint with the supervisory authority — President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.
X. Data security
- All data transmissions are secured by the HTTPS (TLS 1.3) protocol — certificate managed by Vercel.
- User passwords are NOT stored — the Application uses only email magic links and OAuth (Google / Apple).
- Food photos are stored in a private Supabase Storage bucket with access via a signed URL with a lifetime of 300 seconds.
- The Postgres database is protected by the RLS (Row Level Security) mechanism — access to each record requires authentication, and records are isolated per User.
- Rate limiting mechanisms (Upstash Redis) and cost capping (daily AI API usage limits) protect the Application against abuse.
- Automatic backups — daily database snapshots by Supabase (7-day retention, Pro plan).
XI. Final provisions
- Version of the Privacy Policy: 1.2. Last updated: 2026-06-23.
- Changes to the Privacy Policy require notifying Users 14 days in advance (analogously to the Terms of Service — §XIII).
- Please direct questions concerning the Privacy Policy to email info@kalorka.app.
- This Policy constitutes an integral part of the Terms of Service of the Application.