Calzone is a calorie- and nutrition-tracking app. This Privacy Policy explains what personal data we collect when you use the app or visit this website, why we collect it, who we share it with, and the rights you have over it.
Quick summary
- We collect what's needed to run the app: your account, what you log, and basic device/usage info.
- We send food photos and meal descriptions to AI providers only to generate calorie estimates.
- We don't sell your personal data. Ever.
- You can export or delete your account and data from the app's Settings, or by emailing us.
1. Who we are
For the purposes of this policy, the "data controller" is the operator of Calzone (referred to as "we", "us", or "our"). You can reach us at szymon.szyszka@icloud.com.
2. What we collect
Information you give us
- Account info — name (or username), email, and the auth provider you signed up with (Apple, Google, or email). If you sign up via Apple or Google, we also receive a stable user ID from them.
- Profile & goals — height, weight, age, sex, activity level, target weight, dietary goals. You enter these during onboarding so we can calculate your daily calorie target.
- Food logs — meals you record manually, by barcode, or via AI: food names, portions, calories, macros, micro-nutrients, timestamps, and any notes you add.
- Food photos & descriptions — when you use AI logging, the photo or text you submit is sent to our AI provider for analysis. We store these alongside the resulting log so you can review or correct it.
- Beta signup info — on this website, when you join the beta we collect the name, email, source ("how did you hear?"), and any notes you submit.
- Communications — emails, feedback, or bug reports you send us.
Information we collect automatically
- Device & app data — device type, OS version, app version, language, timezone, and crash reports. Used to fix bugs and improve the experience.
- Usage data — basic events about how the app is used (e.g. number of logs, feature taps), so we can prioritize what to build.
- Web analytics (this site) — visitor counts and referring page. We do not use third-party advertising trackers on this site.
What we don't collect
- Health data from Apple Health or Google Fit — unless you explicitly turn it on (we'll ask first).
- Your contacts, location, or microphone.
- Payment card details — those go directly to Apple. We see your subscription status, not your card.
3. How we use it
- To run the Service — sign you in, store your logs, calculate your daily targets.
- To generate AI estimates — by sending the food photo or description to our AI provider.
- To process Pro subscriptions — verify entitlement via the Apple App Store / our subscription provider.
- To support you when you contact us.
- To improve and debug the app — using usage data and crash reports.
- To email you about your account or material updates to the Service. Marketing emails go only to people who opt in (e.g. the beta signup checkbox), and you can unsubscribe at any time.
- To meet legal obligations and protect against fraud or abuse.
4. Legal basis (GDPR)
If you're in the EEA, UK, or Switzerland, we rely on these legal bases:
- Contract — to provide the Service you signed up for (account, logging, AI estimates, subscriptions).
- Consent — for marketing emails and any optional features that need it (e.g. health data integrations). You can withdraw consent at any time.
- Legitimate interests — for security, fraud prevention, debugging, and improving the Service. We balance these against your rights and use the minimum data needed.
- Legal obligation — when a law requires us to keep or share specific information.
5. Who we share data with
We don't sell your personal data and we don't share it with advertisers. We do rely on a small set of trusted sub-processors to run the Service:
- Supabase — hosts our database, authentication, and beta signups. Stores your account, profile, and logs.
- OpenAI — analyzes food photos and descriptions to produce calorie/macro estimates. Photos and prompts are sent to OpenAI only when you use AI features. Per OpenAI's API terms, your inputs are not used to train their general models.
- RevenueCat — manages Pro subscriptions and entitlements on top of the App Store.
- Apple — App Store, TestFlight, Sign in with Apple, push notifications.
- Google — Sign in with Google (only if you choose it).
- Email — transactional and beta-invite emails go through our email provider.
Each sub-processor only receives the minimum data needed to do its job, under a data-processing agreement. We may also disclose information when legally required (e.g. valid court order) or to protect rights, safety, or property.
6. International transfers
Some of our sub-processors (notably OpenAI) are based in the United States. Where data is transferred outside the EEA / UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, or equivalent measures.
7. How long we keep it
- Account & logs — for as long as your account is active. When you delete your account, we delete or anonymize personal data within 30 days, except where we're required to retain it for legal or accounting reasons.
- AI photo data — stored with your log so you can edit it later. Deleted when you delete the log or your account.
- Beta signups — until launch + 12 months, or until you ask us to delete it.
- Crash & usage logs — typically up to 12 months.
- Backups — encrypted backups roll off automatically; deletions propagate within 60 days.
8. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct data that's inaccurate or incomplete.
- Delete your account and data ("right to erasure").
- Restrict or object to certain processing.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
You can exercise most of these from the app: Settings → Account. For anything else, email szymon.szyszka@icloud.com. We respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority — in Poland, that's the Urząd Ochrony Danych Osobowych (UODO).
If you're in California (CCPA/CPRA), you have similar rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. Calzone does not sell or share personal information for cross-context behavioural advertising.
9. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is limited to a small number of people on a need-to-know basis and protected by two-factor authentication. We review our security practices regularly. No method of transmission or storage is 100% secure, so we can't guarantee absolute security — but we treat your data like our own.
10. Children
Calzone is not intended for children under 13 (or the minimum age in your country, whichever is higher). If you believe a child has given us personal data, email szymon.szyszka@icloud.com and we'll delete it.
11. Cookies & tracking
This website uses a minimal set of strictly necessary cookies and similar technologies — for example, to remember whether you've dismissed a notice. We don't use third-party advertising or cross-site tracking cookies on this website. The Calzone app itself does not use ad-tracking and does not present App Tracking Transparency prompts because it doesn't track you across other companies' apps and websites.
12. Changes to this policy
When we make material changes, we'll update the "Last updated" date at the top and, where appropriate, notify you in the app or by email before the changes take effect.
13. Contact
Questions, requests, or concerns about your data? Email szymon.szyszka@icloud.com. We read every message.