Privacy Policy

Effective Date: January 1, 2026

CalorieCount ("we," "us," or "our") operates the CalorieCount health tracking application. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable laws.

Data Controller: CalorieCount Team | support@calo-circle.yisoapp.com

1. Data We Collect

  • Account Data: name, email address, profile photo (optional), third-party OAuth tokens (Google, Facebook, LINE)
  • Health & Nutrition Data: food logs (name, portion, calories, macronutrients), weight records, BMI, exercise logs, daily water intake, health goals
  • Food Photos: images you upload for AI recognition — stored in secure cloud storage after analysis
  • Usage Data (automatic): IP address, browser type, device info, feature usage timestamps, error logs

2. How We Use Your Data (Lawful Basis — GDPR Art. 6)

Purpose | Lawful Basis
Providing core food tracking features | Contract performance (Art. 6(1)(b))
AI food image recognition | Contract performance (Art. 6(1)(b))
Sending account notifications & verification emails | Contract / Legitimate interests (Art. 6(1)(f))
Personalised health analytics & recommendations | Consent (Art. 6(1)(a))
Anonymous AI model improvement | Legitimate interests (Art. 6(1)(f))
Fraud prevention & security | Legitimate interests (Art. 6(1)(f))
Legal compliance | Legal obligation (Art. 6(1)(c))

3. Data Sharing & Third Parties

We do not sell your personal information. We may share data with:

  • Service Providers (bound by Data Processing Agreements): Google Gemini API (AI recognition), Vercel / Supabase (database & hosting), Resend (transactional email), Google / Facebook / LINE OAuth (authentication)
  • Legal Requirements: when required by law, court order, or governmental authority
  • Business Transfers: in the event of a merger or acquisition, with advance notice to you

4. Data Retention

  • Account data: retained while account is active; deleted within 30 days of account deletion
  • Food logs: retained while account is active
  • Food photos: maximum 180 days (can be manually deleted at any time)
  • Anonymised usage statistics: maximum 2 years

5. Your Rights

GDPR Rights (EU/UK residents):

  • Access: Request a copy of your data (Art. 15)
  • Rectification: Correct inaccurate data (Art. 16)
  • Erasure: "Right to be forgotten" (Art. 17)
  • Restriction: Restrict how we process your data (Art. 18)
  • Portability: Receive your data in a portable format (Art. 20)
  • Object: Object to processing based on legitimate interests (Art. 21)

CCPA Rights (California residents):

  • Right to Know what personal information is collected and used
  • Right to Delete your personal information
  • Right to Opt-Out of Sale — we do not sell personal information
  • Right to Non-Discrimination for exercising your rights

To exercise your rights, contact: support@calo-circle.yisoapp.com — we respond within 30 days (GDPR) / 45 days (CCPA).

6. International Data Transfers

Your data may be processed in Taiwan, the United States, and Japan. For transfers from the EEA/UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.

7. Security Measures

  • All data in transit encrypted via HTTPS/TLS
  • Passwords hashed with bcrypt (12 rounds) — never stored in plaintext
  • Database access requires authenticated credentials
  • API rate limiting to prevent brute-force attacks
  • Regular security audits; health data stored separately from account data

8. Cookies

We use only necessary session cookies to maintain your logged-in state. We do not use third-party advertising or tracking cookies. You can manage cookies in your browser settings, though disabling session cookies will prevent login.

9. Children's Privacy

Our Service is not directed to children under 13 (or 16 in the EU where applicable). If we discover we have collected personal data from a child without parental consent, we will delete it immediately. Users under 18 require parental or guardian consent.

10. Changes to This Policy

We will notify you of significant changes via in-app notification or email at least 30 days before the change takes effect. Minor updates will be reflected on this page with an updated effective date.

11. Contact & Data Protection

For privacy inquiries or to exercise your rights: support@calo-circle.yisoapp.com

EU/UK residents: if you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK).
