Privacy Policy

Chat Calories ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service at chatcalories.com.

This policy is designed to align with applicable data protection principles, including those outlined in the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We are committed to handling your data responsibly and transparently.

By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.

2.1 Information You Provide Directly

• Account information: Name, email address, password
• Health profile: Age, gender, height, weight, activity level, sleep goals
• Food logs: Food items, calories, macronutrients you track
• Food photos: Images you upload for AI analysis
• Chat messages: Conversations with our AI nutrition coach
• Weight entries: Body weight measurements over time
• Diet preferences: Your selected diet plan (Keto, Vegan, etc.)
• Notification preferences: Email and communication preferences

2.2 Information Collected Automatically

• Device information: Device type, operating system, browser type
• Usage data: Pages visited, features used, time spent, click patterns
• Log data: IP address, access times, error logs
• Cookies and similar technologies: Session cookies, preference cookies

2.3 Location and Sensor Data (with your permission)

• GPS location: Used to calculate walking/running distance (only when you grant permission)
• Motion/accelerometer data: Used for step counting (only when you grant permission)
• Location data is processed locally on your device and is not stored on our servers

We use your information to: provide and improve the Service; personalize your experience; send nutritional summaries and reports you request; respond to your inquiries; ensure security and prevent fraud; comply with legal obligations.

We do NOT: sell your personal data to third parties; use your health data for advertising; share your food photos without consent; use your data to train AI models without explicit consent.

For users in the European Economic Area (EEA), we process your data under the following legal bases:

• Contract performance: Processing necessary to provide the Service you signed up for
• Legitimate interests: Service improvement, security, fraud prevention
• Consent: Health data processing, marketing communications, location tracking
• Legal obligation: Compliance with applicable laws

Health data (body metrics, food logs, weight) is special category data under GDPR Article 9. We process this data only with your explicit consent, which you provide when creating your health profile.

We use the following types of cookies:

• Essential cookies: Required for authentication and core functionality. Cannot be disabled.
• Preference cookies: Remember your settings and preferences.
• Analytics cookies: Help us understand how users interact with the Service (anonymized).

You can control non-essential cookies through our cookie consent banner. Disabling analytics cookies will not affect Service functionality.

We share your information only in the following circumstances:

• AI providers (Google Gemini): Food photos and chat messages are processed by Google's AI to generate responses. Google processes this data under their privacy policy and data processing agreements.
• Payment processors (Stripe): Payment information is processed by Stripe. We do not store credit card numbers.
• Email services: Your email address is used to send summaries you request.
• Legal requirements: We may disclose data if required by law, court order, or government authority.
• Business transfers: In the event of a merger or acquisition, your data may be transferred to the new entity.
• With your consent: Any other sharing will only occur with your explicit consent.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We implement industry-standard security measures to protect your personal information:

• All data transmission is encrypted using TLS/SSL
• Passwords are hashed using bcrypt with salt rounds
• Database access is restricted and monitored
• Regular security audits and vulnerability assessments
• Employee access to personal data is limited to those who need it

Despite our efforts, no security system is impenetrable. In the event of a data breach that affects your rights, we will endeavour to notify affected users promptly.

Depending on your location, you have the following rights regarding your personal data:

• Right of access: Request a copy of all personal data we hold about you
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data
• Right to data portability: Receive your data in a machine-readable format
• Right to restrict processing: Limit how we use your data
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent at any time without affecting prior processing
• Right to lodge a complaint: File a complaint with your local data protection authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: Request disclosure of personal information collected, used, disclosed, or sold
• Right to delete: Request deletion of personal information
• Right to opt-out: Opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at [email protected] or call our toll-free number. We will verify your identity before processing requests.

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected] and we will delete such information.

Users between 13 and 17 years of age must have parental or guardian consent to use the Service. Health tracking features are not appropriate for minors without medical supervision.

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your country.

For transfers from the EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection of your personal data.

We retain your personal data for as long as necessary to provide the Service and comply with legal obligations:

• Account data: Until account deletion + 30 days grace period
• Food and health logs: Until account deletion
• Chat messages: 90 days rolling window
• Payment records: 7 years (legal requirement)
• Usage analytics: 12 months (anonymized after 30 days)
• Backup data: Deleted within 90 days of primary deletion

The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Effective Date," and, for significant changes, sending you an email notification.

Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

For privacy-related questions, requests, or complaints, please contact our Data Protection Officer: