
CalPal Privacy Policy

Effective Date: 16 July 2025

1. Introduction

MOUNTAIN d.o.o. ("we," "us," or "our") operates the CalPal AI mobile application, its related services, and any associated platforms (collectively, the "Service"). This Privacy Policy outlines how we collect, use, store, share, and protect your information.

By downloading, installing, accessing, or using our Service, you confirm that you have read, understood, and agreed to the practices described in this Privacy Policy.

This Service is strictly for users aged 18 and older. We do not knowingly collect personal information from individuals under this age. If you do not agree with this Policy, please do not use our Service.

2. Information We Collect

We collect various types of information to provide, maintain, and improve the Service. The categories of information we collect include:

  • a) Account and Profile Information

    This is information you provide when you create an account, which is necessary for the Service to work. This includes:

    • Identifiers: Name, email address, username, and password (encrypted).
    • Demographics: Date of birth and sex (gender).
    • Profile Customization: Profile image or photo, and general location information (e.g., country/zip code).
  • b) Health, Food, and Activity Data (Sensitive Data)

    This is information you voluntarily provide through your use of the Service's features. This includes:

    • Body Metrics: Height, weight, BMI, and body measurements.
    • Goals & Lifestyle: Fitness level, activity goals (e.g., weekly habits), and lifestyle information (e.g., sleeping data).
    • Dietary Diary: Food, drink, and medications you consume (including as submitted via voice logging), calorie counts, dietary restrictions, and information from grocery integrations.
    • Medical Information: Information related to any physiological conditions you choose to share.
    • Visual & Reflective Data: Progress photos you may choose to provide and other information you submit in notes (e.g., observations and reflections).
    • AI-Processed Data: Images you upload for nutritional analysis. These are processed to provide estimated nutritional information and may be retained to improve our AI models.
    • Generated Insights: Estimated daily calorie targets, macronutrient breakdowns, and other analytics generated by our Service based on your data.
    • Health, Food, and Activity Data may include sensitive personal information when it indicates or allows someone to infer a health condition.
  • c) Communication Data

    When you communicate with us, we collect records of those interactions. This includes:

    • Information you provide when you contact us for customer support, provide feedback, or respond to surveys or questionnaires.
    • The content of your communications with us, including emails, in-app messages, and social media interactions.
  • d) Technical and Usage Data (Automatically Collected)
    • Device Information: Operating system, hardware model, device type, unique device identifiers (e.g., IDFA or Android Ad ID), IP address, network connection type, and battery level.
    • Usage Analytics: Information about how you interact with the Service, such as features accessed, buttons clicked, duration of sessions, pages viewed, crash reports, and performance data.
    • Cookies & Tracking Technologies: We use cookies and similar technologies for authentication, session management, personalization, and collecting usage data.
  • e) Third-Party Data (With Your Consent)
    • Integrated Services: If you connect third-party services (e.g., Apple HealthKit or Google Fit), we collect data from those services according to your permissions.
    • Social Media: If you link your account with social media platforms, we may collect profile data as authorized by you through that platform.

3. How We Use Your Information & Our Legal Bases

We use your information for the following purposes, based on the legal grounds specified:

  • To Provide Core Service Functionality (Legal Basis: Performance of a Contract):
    • Create and manage your user account and profile, including displaying your profile photo.
    • Calculate personalized health metrics (e.g., BMR, calorie targets) which require data like age, height, and weight.
    • Enable logging of workouts, nutrition, mood, sleep, and notes.
    • Analyze food images to provide nutritional estimates.
    • Deliver curated content and insights based on your data.
  • To Improve and Develop the Service (Legal Basis: Legitimate Interests; Consent for Sensitive Data):
    • Analyze usage patterns to enhance user experience and optimize features.
    • Train and validate our AI models using anonymized and aggregated data to improve accuracy and service capabilities. We will seek your explicit consent where sensitive data is used for significant new feature development.
    • Conduct research and development for new features.
  • To Communicate with You (Legal Basis: Performance of a Contract; Legitimate Interests; Consent):
    • Send essential service-related communications (e.g., account verification, security alerts, policy updates).
    • Respond to your support inquiries, feedback, and other communications.
    • Send marketing communications about our products, from which you can opt out at any time.
  • For Legal Compliance and Protection (Legal Basis: Legal Obligation; Legitimate Interests):
    • Verify you meet the minimum age requirement (18+) using your date of birth.
    • Prevent fraud, enforce our Terms of Use, and protect our rights, property, and user safety.
    • Comply with legal obligations and respond to lawful requests from public authorities.

4. Data Sharing & Third-Party Disclosures

We share information only under limited circumstances with appropriate safeguards:

  • a) Service Providers

    We engage third-party companies to perform services on our behalf. They are obligated to protect your data and are restricted from using it for any other purpose.

    • Cloud Hosting & Infrastructure: Providers for secure data storage, database management, and backend infrastructure, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Supabase.
    • AI Vendors: Third-party AI providers, including Google, for tasks like image recognition and nutritional analysis.
    • Analytics Providers: Tools for analyzing usage data to understand app performance.
    • Payment Processors: For managing subscriptions and payments securely.
    • Customer Support & Communication Tools: Platforms for managing user inquiries and sending communications.
  • b) Legal & Safety Disclosures

    We may disclose your information if required by law or if we believe in good faith that it is necessary to protect our rights, our users' safety, or to comply with a legal process.

  • c) Business Transfers

    In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will provide notice and ensure the protection of your data.

  • d) Anonymized or Aggregated Data

    We may share anonymized or aggregated data that cannot be used to identify you for purposes like research, analytics, or industry reports.

5. International Data Transfers

Your personal data may be processed in countries outside of your residence, including outside the European Economic Area (EEA). We ensure such transfers are lawful and protected by relying on mechanisms like the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions.

6. Data Ownership, Retention & Your Rights

  • a) Ownership of Your Data
    • Your Identifiable Personal Data: You retain all rights and ownership of your identifiable personal data. You grant us a non-exclusive, non-transferable, revocable license to use, store, process, and display your identifiable personal data solely for the purposes of operating, providing, and improving the Service as outlined in this Privacy Policy, and for the duration of your use of the Service.
    • Derived Data & AI Models: We own all anonymized, aggregated, or de-identified data, including our AI models, algorithms, and insights derived from user-generated content (like food entries, notes, images) and other data. This data, once stripped of personal identifiers, is no longer personal data and may be used for any legitimate business purpose, including product development, research, and analytics, and may be retained indefinitely.
  • b) Data Retention
    • Active Accounts: Personal data associated with your active account is retained until you request account deletion.
    • Inactive Accounts: For accounts that remain inactive for a period exceeding 24 months, we may anonymize or delete associated personal data.
    • Legal Requirements & Audits: Certain data, such as transaction records, may be retained for up to 7 years or as required by applicable law for tax, fraud prevention, or auditing purposes, even after account deletion.
    • Backups: Encrypted backups of data may be retained for up to 90 days for disaster recovery purposes, after which they are securely overwritten or deleted.
    • AI Training Data: Data used for AI model training, once anonymized or de-identified, may be retained indefinitely to ensure continuous model improvement and validation.
  • c) Your Rights (Global Compliance)
    • Right to Access/Portability: Request a copy of your personal data we hold and/or request to transfer it to another service.
    • Right to Rectification: Request correction of inaccurate or incomplete personal data.
    • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and personal data, subject to certain legal obligations or legitimate reasons for retention (e.g., legal hold, financial records). The process for this is described in our Terms of Use, Section 13.3.
    • Right to Object to Processing: Object to processing where we rely on legitimate interests or direct marketing.
    • Right to Restriction of Processing: Request us to limit the way we use your personal data.
    • Right to Withdraw Consent: Where we rely on your consent for processing, you have the right to withdraw it at any time. This will not affect the lawfulness of processing before your withdrawal.
    • Rights related to Automated Decision-Making/Profiling: Request human intervention, express your point of view, and contest automated decisions.
    • Right to Lodge a Complaint: Lodge a complaint with a supervisory authority for data protection (e.g., your national data protection authority if you are in the EU).

    To exercise any of these rights, please contact us at privacy@aicalpal.com. We will respond to your request free of charge within 30 days, or a legally specified timeframe, following identity verification.

7. Data Security

We implement appropriate technical and organizational safeguards designed to protect your personal data from unauthorized access, use, alteration, and disclosure. These measures include:

  • Access Controls: Implementing strict access controls to limit who can access sensitive data.
  • Backup and Recovery: Maintaining appropriate backup and recovery procedures to prevent data loss.
  • Incident Response: Maintaining a data breach protocol for managing and responding to security incidents.
  • Encryption: We use encryption to protect sensitive data both when it is stored (data at rest) and when it is transmitted (data in transit).

While we implement appropriate security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

8. Age Restriction & Children

Our Service is designed for and intended for use by individuals who are 18 years of age or older.

  • Strict Policy: No exceptions are made to the 18+ age restriction.
  • Proactive Measures: We implement age gates at the sign-up process and ensure our marketing is not targeted at children.
  • Child Data Discovery: If we become aware that we have collected personal data from anyone under the age of 18 without parental consent, we will take immediate steps to delete such information and terminate the associated account. Please contact us if you believe we may have collected information from a child.

9. Governing Law & Disputes

This Privacy Policy is an integral part of our Terms of Use. The governing law and dispute resolution procedures for any disputes arising from or related to your use of the Service, including those concerning your privacy, are set forth in detail in our Terms of Use, Sections 14 (Dispute Resolution & Arbitration) and 15 (Governing Law & Jurisdiction). Please refer to those sections for comprehensive information.

10. Contact Us

  • Email: privacy@aicalpal.com
  • Address: Fiserova 1, 10000 Zagreb, Croatia