
Privacy Policy

Last updated: 03 July 2025

1. Introduction

MOUNTAIN d.o.o. ("we," "us," or "our") operates the CalPal AI mobile application, its related services, and any associated platforms (collectively, the "Service"). This Privacy Policy outlines how we collect, use, store, share, and protect your information.

By downloading, installing, accessing, or using our Service, you confirm that you have read, understood, and agreed to the practices described in this Privacy Policy.

This Service is strictly for users aged 18 and older. We do not knowingly collect personal information from individuals under this age. If you do not agree with this Policy, please do not use our Service.

2. Information We Collect

We collect various types of information to provide, maintain, and improve the Service. The categories of information we collect include:

  • a) Personal Information (Directly Provided & Automated)
    • Identifiers: Name, email address, username, password (encrypted), IP address, device ID, mobile ad ID (e.g., IDFA or Android Ad ID).
    • Demographics: Age, gender, country/region (derived from IP address or explicitly provided).
    • Contact Data: Email address (for communication and account management).
  • b) Health & Fitness Information (Sensitive Data)
    • Body Metrics: Weight, height, goals (e.g., fitness, weight, health), activity level.
    • Activity Logs: Detailed records of workouts, nutrition intake (specific food items, estimated calories, macronutrients, water consumption), mood logs, sleep logs, and notes you input into the Service.
    • Health Preferences: Information about your dietary preferences or restrictions.
    • AI-Processed Data: Images you upload for nutritional analysis (e.g., food photos). These images are processed by our AI models to provide estimated nutritional information. The original images may be retained for a limited period to refine AI model accuracy, as detailed in our Data Retention policy.
    • Generated Insights: Estimated daily calorie targets, macronutrient breakdowns, nutrition reports, and progress analytics generated by our Service based on your inputted and AI-processed data.
  • c) Technical & Usage Data (Automatically Collected)
    • Device Information: Operating system version, hardware model, device type, unique device identifiers, battery level, network connection type.
    • Usage Analytics: Information about how you interact with the Service, such as features accessed, buttons clicked, duration of sessions, pages viewed, crash reports, and performance data. This helps us understand user behavior and optimize the Service.
    • Cookies & Tracking Technologies: We use cookies, pixels, and similar technologies for authentication, maintaining user sessions, personalization, and collecting usage data. Where technically feasible and legally required, you will be given options to manage these settings.
  • d) Third-Party Data (With Your Consent)
    • Integrated Services: If you choose to connect third-party health tracking services (e.g., Apple HealthKit or Google Fit), we will collect data from these services according to your permissions.
    • Social Media: If you choose to link your account with social media platforms (e.g., for login or sharing), we may collect profile data as authorized by you through that platform's settings.

3. How We Use Your Information & Our Legal Bases

  • To Provide Core Service Functionality (Legal Basis: Performance of a Contract):
    • Enable workout logging, nutrition tracking, mood logging, sleep logging, and notes.
    • Provide estimated calorie and macronutrient insights.
    • Process and analyze food images to provide nutritional analysis.
    • Deliver curated nutritional content (Feed).
    • Manage your user account and profile settings.
  • To Improve and Develop the Service (Legal Basis: Legitimate Interests; Consent for Sensitive Data):
    • Analyze usage patterns and trends to enhance user experience and optimize app features.
    • Train and validate our AI models and algorithms using anonymized and aggregated data. For this purpose, original images or sensitive personal data may be processed in a pseudonymous form. We use your data and food images for AI training and providing analytics. Where sensitive data is used for AI model training or significant new feature development that falls outside the original contract scope, we seek your explicit consent.
    • Conduct research and development to create new features and improve existing ones.
  • To Communicate with You (Legal Basis: Performance of a Contract; Legitimate Interests; Consent):
    • Send essential service-related communications (e.g., account verification, technical notices, security alerts, updates to Terms/Privacy Policy).
    • Respond to your support inquiries and feedback.
    • Send you marketing and promotional communications about our products and services (Legal Basis: Consent, where required, or Legitimate Interests if we have an existing customer relationship and it's for similar products/services). You can opt out at any time.
  • For Legal Compliance and Protection (Legal Basis: Legal Obligation; Legitimate Interests):
    • Prevent fraud, enforce our Terms of Use, and protect our rights, property, and user safety.
    • Comply with legal obligations, respond to lawful requests from public authorities, and resolve disputes.
    • Protect our vital interests or the vital interests of another person.
  • For Business Operations and Analytics (Legal Basis: Legitimate Interests):
    • Perform data analysis, audits, usage trend analysis, and business planning.
    • Monitor the performance and stability of the Service.
  • For Aggregation and Anonymization (Not Personal Data):
    • We aggregate and anonymize personal information so that it can no longer be used to identify an individual. This de-identified data is not classified as personal data and may be used for any legitimate business purpose, including research, industry reports, or partnerships.

4. Data Sharing & Third-Party Disclosures

We take your privacy seriously and share information only under limited circumstances, always ensuring appropriate safeguards are in place.

  • a) Service Providers
    • AI Vendors: Third-party AI model providers for specialized tasks like image recognition and nutritional analysis. We may share data and food images with third parties such as Google for analysis related to our Service functionality.
    • Cloud Hosting: Providers like Amazon Web Services (AWS) and Supabase for secure data storage and infrastructure.
    • Analytics Providers: Tools for collecting and analyzing usage data to understand user behavior and app performance.
    • Payment Processors: For managing subscriptions and payments securely.
    • Customer Support Platforms: For managing user inquiries and feedback.
    • Marketing & Communication Tools: Platforms for sending communications and managing ad campaigns.
  • b) Legal & Safety Disclosures
    • We may disclose your information if required by law, subpoena, or valid governmental request, or if we believe such action is necessary to:
      • Comply with a legal obligation or lawful process.
      • Enforce our Terms of Use and other agreements.
      • Protect our rights, property, or safety, and the rights, property, or safety of our users or the public.
      • Protect the vital interests of any individual.
  • c) Business Transfers
    • In connection with, or during negotiations of, any merger, acquisition, financing, reorganization, bankruptcy, liquidation, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will ensure appropriate safeguards are maintained.
  • d) Anonymized or Aggregated Data
    • We may share anonymized or aggregated data that cannot reasonably be used to identify you with third parties for various purposes, such as research, analytics, industry insights, or business development (e.g., "average calorie intake for users in Country X").

5. International Data Transfers

Your personal data may be processed, stored, and transferred to countries outside of your country of residence, including to countries outside the European Economic Area (EEA) and the United Kingdom, for the purposes outlined in this Privacy Policy. We may share data between our facilities and data centers within the EU and other data centers globally.

  • Standard Contractual Clauses (SCCs): We primarily rely on the European Commission's and/or UK's approved Standard Contractual Clauses for transfers to countries without an adequacy decision.
  • Adequacy Decisions: Transfers may occur to countries recognized by the European Commission or UK as providing an adequate level of data protection.

6. Data Ownership, Retention & Your Rights

  • a) Ownership of Your Data
    • Your Identifiable Personal Data: You retain all rights and ownership of your identifiable personal data. You grant us a non-exclusive, non-transferable, revocable license to use, store, process, and display your identifiable personal data solely for the purposes of operating, providing, and improving the Service as outlined in this Privacy Policy, and for the duration of your use of the Service.
    • Derived Data & AI Models: We own all anonymized, aggregated, or de-identified data, including our AI models, algorithms, and insights derived from user-generated content (like food entries, notes, images) and other data. This data, once stripped of personal identifiers, is no longer personal data and may be used for any legitimate business purpose, including product development, research, and analytics, and may be retained indefinitely.
  • b) Data Retention
    • Active Accounts: Personal data associated with your active account is retained until you request account deletion.
    • Inactive Accounts: For accounts that remain inactive for a period exceeding 24 months, we may anonymize or delete associated personal data.
    • Legal Requirements & Audits: Certain data, such as transaction records, may be retained for up to 7 years or as required by applicable law for tax, fraud prevention, or auditing purposes, even after account deletion.
    • Backups: Encrypted backups of data may be retained for up to 90 days for disaster recovery purposes, after which they are securely overwritten or deleted.
    • AI Training Data: Data used for AI model training, once anonymized or de-identified, may be retained indefinitely to ensure continuous model improvement and validation.
  • c) Your Rights (Global Compliance)
    • Right to Access/Portability: Request a copy of your personal data we hold and/or request to transfer it to another service.
    • Right to Rectification: Request correction of inaccurate or incomplete personal data.
    • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and personal data, subject to certain legal obligations or legitimate reasons for retention (e.g., legal hold, financial records).
    • Right to Object to Processing: Object to processing where we rely on legitimate interests or direct marketing.
    • Right to Restriction of Processing: Request us to limit the way we use your personal data.
    • Right to Withdraw Consent: Where we rely on your consent for processing, you have the right to withdraw it at any time. This will not affect the lawfulness of processing before your withdrawal.
    • Rights related to Automated Decision-Making/Profiling: Request human intervention, express your point of view, and contest automated decisions.
    • Right to Lodge a Complaint: Lodge a complaint with a supervisory authority for data protection (e.g., your national data protection authority if you are in the EU).
    • To exercise any of these rights, please contact us at legal@mountain.hr. We will respond to your request free of charge within 30 days, or a legally specified timeframe, following identity verification.

7. Data Security

  • We implement appropriate technical and organizational safeguards designed to protect your personal data from unauthorized access, use, alteration, and disclosure. These measures include:
    • Access Controls: Implementing strict access controls to limit who can access sensitive data.
    • Backup and Recovery: Maintaining appropriate backup and recovery procedures to prevent data loss.
    • Incident Response: Maintaining a data breach protocol for managing and responding to security incidents.
    • Encryption: We use encryption to protect sensitive data both when it is stored (data at rest) and when it is transmitted (data in transit).
  • While we implement appropriate security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

8. Age Restriction & Children

  • Our Service is designed for and intended for use by individuals who are 18 years of age or older.
  • Strict Policy: No exceptions are made to the 18+ age restriction.
  • Proactive Measures: We implement age gates at the sign-up process and ensure our marketing is not targeted at children.
  • Child Data Discovery: If we become aware that we have collected personal data from anyone under the age of 18 without parental consent, we will take immediate steps to delete such information and terminate the associated account. Please contact us if you believe we may have collected information from a child.

9. Policy Updates

  • We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
  • Notification: We will notify you of any material changes via email or an in-App banner at least 30 days before they take effect.
  • Acceptance: Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms. Your consent to these terms applies to any changes in the policy.

10. Governing Law & Disputes

This Privacy Policy is an integral part of our Terms of Use. The governing law and dispute resolution procedures for any disputes arising from or related to your use of the Service, including those concerning your privacy, are set forth in detail in our Terms of Use, Sections 13 (Dispute Resolution & Arbitration) and 14 (Governing Law & Jurisdiction). Please refer to those sections for comprehensive information.

11. Contact Us

  • Email: legal@mountain.hr
  • Address: Zagreb, Croatia