Privacy Policy

Last updated: 15 May 2026 · Effective immediately

Version 2.0

1. Introduction

CalTrack ("we", "us", "our", "CalTrack") is a nutrition, calorie, and fitness tracking web application. This Privacy Policy explains in detail what personal data we collect about you when you use the CalTrack service (the "Service"), why we collect it, what we do with it, who we share it with, how long we keep it, and what rights you have over it under applicable data-protection law — including the European Union General Data Protection Regulation 2016/679 ("GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), the UK Data Protection Act 2018, the California Consumer Privacy Act ("CCPA"), and any other applicable privacy or data-protection legislation in your jurisdiction.

We take your privacy seriously. By using CalTrack, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must not use the Service. We reserve the right to update this Policy at any time. Material changes will be communicated to you via email or a prominent in-app notification at least 30 days before they take effect.

2. Data Controller

The data controller responsible for the processing of your personal data is the natural or legal entity operating CalTrack. You can contact us at any time using the channels listed in Section 14 (Contact).

We have not appointed a designated Data Protection Officer ("DPO") because the scale and scope of our processing does not meet the statutory threshold under Article 37 GDPR. However, all privacy-related inquiries are reviewed by our internal privacy lead within five (5) business days.

3. Categories of Personal Data We Collect

We collect the following categories of personal data:

3.1 Account & Identity Data

  • Full name (as supplied by you during registration)
  • Email address
  • Hashed password (we use bcrypt with a work factor of 12; we never store cleartext passwords)
  • Two-factor authentication secrets, where 2FA is enabled (stored encrypted at rest)
  • OAuth identifiers for Google or Apple Sign-In, where used
  • Account creation date, last login timestamp, and email-verification timestamp

3.2 Profile & Body Data

  • Date of birth (used to compute age for TDEE calculation)
  • Biological sex (used in the Mifflin–St Jeor BMR formula)
  • Height in centimetres
  • Current weight in kilograms
  • Activity level (sedentary through very active)
  • Primary fitness goal (cut, maintain, bulk)
  • Daily nutrition targets (calories, protein, carbs, fat, fibre, water)

3.3 Dietary & Behavioural Data

  • Food log entries: food item, quantity in grams, meal category, timestamp
  • Recipes you create, edit, or save (including ingredient lists and per-serving nutrition)
  • Meal plans (weekly calendar entries)
  • Pantry inventory (Smart Fridge feature) including expiration dates
  • Shopping lists
  • Water intake logs (volume in millilitres, timestamp)
  • Exercise logs (activity type, duration, calories burned)
  • Streak data (consecutive days logged)
  • Body measurement history (weight, optionally waist/chest/hip/etc.)
  • Diary notes and food ratings you choose to record

3.4 Technical & Usage Data

  • IP address (truncated for logs, full IP for fraud and rate-limit purposes for a maximum of 30 days)
  • User-agent string (browser, operating system, device type)
  • Device fingerprints for session management (so you can review and revoke active sessions)
  • Approximate location derived from IP (city level, not precise GPS)
  • Service Worker / Push Notification subscription endpoints (only if you opt in to push)
  • Performance metrics and error logs for debugging purposes
  • Pages visited, features used, and aggregated time-on-page (for product improvement)

3.5 Payment & Subscription Data

  • Subscription tier (Free or Premium)
  • Plan billing cycle (monthly or yearly)
  • Subscription status (active, past due, canceled, etc.)
  • Stripe customer identifier (a pseudonymous token)
  • Billing period start and end dates

We never store any card numbers, expiration dates, CVV codes, or banking information. All payment data is processed and stored by Stripe Payments Europe, Ltd. ("Stripe") under their own privacy policy (stripe.com/privacy). Stripe is a PCI-DSS Level 1 certified payment service provider.

3.6 Social & Communications Data

  • Friend connections (mutual relationships with other CalTrack users you have explicitly accepted)
  • Diary sharing preferences (Private, Friends Only, or Public)
  • Challenge participation and results
  • Coach-client relationships (where applicable)
  • Audit log of sensitive actions (password changes, 2FA toggles, data exports, account deletion requests)

3.7 Categories We Do NOT Collect

We do not knowingly collect: government-issued identification numbers, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric identifiers (no fingerprints or facial recognition), sexual orientation, criminal convictions, or any data of children under the age of 16. If you believe a child under 16 has provided us with personal data, please contact us immediately.

4. Purposes & Legal Bases for Processing

Under Article 6(1) GDPR we must have a specific legal basis for every type of processing. The table below details every purpose for which we process your data, the categories of data involved, and the legal basis we rely upon.

Provision of the Service

Data: Account, profile, dietary, technical data

Legal basis: Article 6(1)(b) — performance of a contract

Required to deliver the core nutrition-tracking functionality you signed up for.

TDEE & macro calculation

Data: Date of birth, sex, height, weight, activity level, goal

Legal basis: Article 6(1)(b) — performance of a contract

Without this data we cannot calculate your daily calorie and macro targets.

Fraud prevention & security

Data: IP address, user-agent, login timestamps, device fingerprints

Legal basis: Article 6(1)(f) — legitimate interest

To detect and prevent credential stuffing, account takeover, and abuse of the service.

Payment processing

Data: Email, name, Stripe customer ID, subscription metadata

Legal basis: Article 6(1)(b) — performance of a contract

Required to bill you for Premium and provide access to Premium features.

Email verification, password reset, magic link

Data: Email address, time-limited tokens

Legal basis: Article 6(1)(b) — performance of a contract

To verify your identity and protect against unauthorised use of email accounts.

Push notifications (meals, water, streaks)

Data: Push subscription endpoint, notification preferences

Legal basis: Article 6(1)(a) — explicit consent

You can withdraw consent at any time in Settings → Push Notifications.

Targeted advertising (Free tier only)

Data: Cookie identifiers, IP address (shared with Google AdSense)

Legal basis: Article 6(1)(a) — consent via cookie banner

Premium users see no ads and we do not share any data with advertising networks.

AI food recognition (forthcoming feature)

Data: Image data you upload for analysis

Legal basis: Article 6(1)(a) — explicit consent at point of use

When this feature ships, you will be asked to opt in before any image leaves your device. Images are deleted within 24 hours of processing.

Audit logs

Data: User ID, action type, IP, user-agent, timestamp

Legal basis: Article 6(1)(c) — legal obligation; Article 6(1)(f) — legitimate interest

Required for accountability, security incident investigation, and to demonstrate compliance with applicable laws.

Product analytics & improvement

Data: Aggregated and pseudonymised usage statistics

Legal basis: Article 6(1)(f) — legitimate interest

To understand which features are used and where users encounter friction, so we can improve the Service.

5. Cookies & Similar Technologies

CalTrack uses the following categories of cookies and local storage:

5.1 Strictly Necessary

Session cookie (HttpOnly, Secure, SameSite=Lax), CSRF token cookie, language preference cookie (NEXT_LOCALE), and theme preference (light/dark/system) stored in localStorage. These cannot be disabled without breaking core functionality.

5.2 Functional

Onboarding-step progress, dismissed notifications, draft food-log entries (stored offline in IndexedDB to support the offline mode). All processed locally on your device.

5.3 Advertising

Google AdSense may set cookies on Free-tier pages. These are used to deliver and measure non-personalised ads by default; personalised ads are served only with your consent via the cookie banner. You can opt out of personalised advertising at any time at adssettings.google.com.

6. Recipients & Third-Party Processors

We share personal data with the following third parties, all of whom act as processors under Article 28 GDPR and are bound by written data-processing agreements containing the Standard Contractual Clauses where transfers leave the EU/EEA:

  • Stripe Payments Europe, Ltd. (Ireland) — payment processing. International transfers to the US under Article 46 GDPR SCCs.
  • Google LLC (USA) — Sign-In with Google, AdSense advertising for Free tier, Gemini AI for food image recognition (forthcoming). Transfers under SCCs and the EU–US Data Privacy Framework.
  • Apple Inc. (USA) — Sign in with Apple, where used. Transfers under SCCs.
  • Spoonacular / Edamam, Inc. (USA) — Recipe and ingredient nutrition data, made available to Premium subscribers. Transfers under SCCs.
  • USDA FoodData Central (US Government) — Public-domain food nutrition database. No personal data is shared; only your search queries.
  • Open Food Facts (France, non-profit) — Barcode lookup. No personal data is shared; only the scanned barcode.
  • Email service provider (SMTP) — Transactional emails (verification codes, password reset, magic links). We do not use the email provider for any marketing communications.
  • Our hosting infrastructure — Ubuntu Linux servers located in the European Union, operated by us directly.

We do not sell, rent, or trade your personal data to any third party. We have never received a request from a government or law enforcement agency to disclose user data; if such a request is ever received we will challenge it where legally permissible and notify you unless prohibited by law.

7. International Data Transfers

Our infrastructure is located within the European Economic Area (EEA). Some of our sub-processors listed in Section 6 are based outside the EEA, including in the United States. Where data transfers leave the EEA, we ensure an adequate level of protection by:

  • Relying on European Commission adequacy decisions, where available
  • Using the Standard Contractual Clauses ("SCCs") adopted by the European Commission on 4 June 2021
  • Conducting transfer impact assessments where required by Schrems II
  • Encrypting data in transit (TLS 1.3) and at rest where supported by the processor

8. Data Retention

Data category                                               | Retention period
------------------------------------------------------------|----------------------------------------------
Account data (active accounts)                              | As long as you maintain an account
Unverified accounts (no email verification within 30 days)  | Auto-deleted after 30 days
Food logs, water logs, weight logs                          | Indefinitely, while account is active
Verification codes (6-digit)                                | 15 minutes
Magic links and password-reset tokens                       | 15 min and 60 min, respectively
IP-based rate-limit counters                                | Maximum 1 hour
Audit logs                                                  | 12 months, then auto-deleted
Push subscription endpoints                                 | Until you disable push or revoke from device
Stripe subscription records                                 | 6 years (for tax/audit compliance)
Backups                                                     | Rolling 30-day window
Deleted accounts                                            | Permanently erased within 30 days

9. Your Rights Under the GDPR / UK DPA / CCPA

You have extensive rights regarding your personal data. To exercise any of these rights, email [email protected] or use the self-service tools in Settings. We respond to all verified requests within one calendar month (Article 12(3) GDPR), extendable by a further two months for complex requests.

9.1 Right of Access (Article 15)

You can download a complete copy of your data in machine-readable JSON or CSV via Settings → Account → Export. The export includes your profile, all food logs, water logs, exercise logs, weight logs, body measurements, recipes, and meal plans.

9.2 Right to Rectification (Article 16)

Update any incorrect data in Settings → Profile and Settings → Goals. If you cannot edit a specific field yourself, contact us.

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

Delete your account in Settings → Danger Zone → Delete Account. All personal data is permanently removed within 30 days; backups age out within a further 30 days.

9.4 Right to Restriction (Article 18)

You can request that we temporarily restrict processing while disputed data is being verified.

9.5 Right to Data Portability (Article 20)

Use Settings → Export to obtain a portable copy in JSON or CSV.

9.6 Right to Object (Article 21)

You can object to processing based on legitimate interests at any time by contacting us.

9.7 Right to Withdraw Consent

Where we rely on consent (e.g. push notifications), you can withdraw at any time in Settings, with no effect on the lawfulness of prior processing.

9.8 Right to Lodge a Complaint

You may complain to your national supervisory authority. In Germany this is the relevant Landesdatenschutzbehörde. A list of EU authorities is available at edpb.europa.eu.

9.9 California Residents — Your CCPA Rights

California residents have additional rights including the right to know what personal information is collected, the right to delete that information, and the right to opt out of the "sale" of personal information. We do not sell personal information as defined by the CCPA. To exercise CCPA rights, email [email protected].

10. Security Measures

We implement appropriate technical and organisational measures to protect your data consistent with Article 32 GDPR. These include, but are not limited to:

  • TLS 1.3 encryption for all data in transit; Let's Encrypt managed certificates
  • Passwords hashed with bcrypt (work factor 12); never stored in plain text
  • Optional two-factor authentication (TOTP, RFC 6238)
  • Session tokens stored in HttpOnly, Secure, SameSite cookies
  • Application-level rate limiting on all authentication endpoints
  • Audit logging of sensitive actions
  • Strict Content-Security-Policy and other security headers
  • Database backups encrypted with AES-256, stored in a geographically distinct location
  • Principle of least privilege applied to all infrastructure access
  • Regular security review of code changes before production deployment
  • Email-verification gate to prevent account-creation abuse from disposable email providers

No system is perfectly secure. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours pursuant to Article 33 GDPR, and we will notify you without undue delay where the risk is high (Article 34 GDPR).

11. Children's Privacy

CalTrack is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately so we can delete the data and close the account.

12. Automated Decision-Making

We use rule-based, deterministic algorithms (e.g. the Mifflin–St Jeor BMR formula) to compute your daily calorie targets. These are not "automated decisions producing legal effects" within the meaning of Article 22 GDPR — they are simply calculations on numeric inputs you provide, and they do not affect your legal rights. AI features such as food recognition (when launched) will require explicit opt-in consent and will not produce decisions with legal effect.

13. Changes to This Privacy Policy

We may amend this Privacy Policy from time to time to reflect changes in law, our processing activities, or our services. The "Last updated" date at the top of this page will always reflect the most recent revision. For material changes, we will notify you via email or via a prominent notification within the Service at least 30 days before the new policy takes effect, giving you time to review or close your account.

14. Contact

For all privacy-related questions, requests, or complaints:

Email: [email protected]
General support: [email protected]

We aim to respond to all requests within five (5) business days. Verified data-subject requests under the GDPR will be resolved within one calendar month of receipt.