Privacy Policy
Last updated: 2026-04-29
1. Introduction
This Privacy Policy explains how Sunbranch AS ("we", "us", or "our") collects, uses, and protects your personal data when you use the Kalori application ("the App").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
Sunbranch AS is the data controller responsible for your personal data.
Contact:
Email: support@kaloriapp.no
3. Data We Collect
Account Data:
- Email address
- Authentication credentials (password hash or OAuth tokens)
- Account creation date
Profile Data:
- Birth date (for calorie calculations)
- Gender (for calorie calculations)
- Height and weight
- Activity level
- Health and fitness goals
Health and Dietary Data:
- Meals and food entries you log
- Portion sizes
- Calorie and macronutrient data
- Weight history entries
- Custom foods you create
Photos (Optional):
- Meal photos uploaded for AI food recognition
- Photos are processed transiently for food identification and are not permanently stored on our servers
Technical Data:
- Device type and operating system
- App version
- Crash reports and error logs (if enabled)
- Usage analytics (anonymized)
4. How We Use Your Data
We process your data for the following purposes:
To Provide the Service (Legal basis: Contract performance)
- Calculate your personalized calorie and macro targets
- Track your meals and nutritional intake
- Display your progress and history
- Process food photos for AI-based food recognition
To Improve the App (Legal basis: Legitimate interest)
- Analyze anonymized usage patterns to improve features
- Fix bugs and technical issues
- Develop new features based on aggregated insights
To Communicate With You (Legal basis: Contract performance / Consent)
- Send account-related notifications
- Respond to support requests
- Send marketing communications (only with your consent)
AI and Photo Processing
When you use our food photo scanning feature:
- Your photos are sent to AI services to identify food items and estimate nutritional content
- Photos are processed in real time and are not stored permanently by us or our AI providers
- We do not use your photos to train AI models
- Your personal health data, progress photos, and identifiable information are never used for AI training
Anonymized Data
We may create anonymized, aggregated data from your usage that cannot be traced back to you. This data may be used for:
- Statistical analysis and research
- Improving nutritional database accuracy
- Understanding general usage patterns
- Business analytics and reporting
Anonymized data is not considered personal data under GDPR and may be retained indefinitely.
5. Data Storage and Security
Your data is stored securely using Supabase, a cloud database platform with:
- Encryption at rest and in transit (TLS/SSL)
- Row-level security ensuring you can only access your own data
- Regular security audits and compliance certifications
- Data centers located in the European Union
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.
6. Third-Party Services
We use the following third-party services that may process your data:
Supabase
Database and authentication services. Privacy Policy: https://supabase.com/privacy
Open Food Facts
Food database for nutritional information. Privacy Policy: https://world.openfoodfacts.org/privacy
Matvaretabellen
Norwegian food database for nutritional information. Operated by the Norwegian Food Safety Authority.
Apple / Google
Sign-in services and payment processing for subscriptions, subject to their respective privacy policies.
AI Services
Food image recognition processing. Photos are processed transiently (in real time) and are not stored or used for training by the AI provider.
Analytics (PostHog)
We use PostHog for product analytics to understand how features are used and to improve the App. Analytics data is processed in the EU. Privacy Policy: https://posthog.com/privacy
7. Apple Health (HealthKit)
If you connect Apple Health on iOS, the App reads and writes specific health data to power your daily targets, weight history, and activity-based goals. This section discloses exactly what we read, what we write, where each category is stored, and how to revoke access.
Data we read from Apple Health:
- Active energy (calories burned)
- Steps
- Workouts (type, duration, and energy expenditure)
- Body weight
- Height
What stays on your device:
Active energy, steps, and workouts are read on demand to display your activity and — if you enable "Add calories burned" — adjust your daily calorie target. These categories are never written to our servers, never logged in our backend, and never sent to our analytics provider.
What syncs to your Kalori account:
Body weight and height samples are saved to your Kalori account so your weight history and BMI calculations stay consistent across devices. They are stored alongside your other Kalori data in our EU database (see Section 5 for storage details).
Data we write to Apple Health:
- Meal nutrition you log in Kalori (calories, protein, carbs, fat, fibre, sugar)
- Water intake entries
- Body weight entries you log in Kalori
No advertising or third-party use:
HealthKit data is never used by us for advertising or marketing, and is never sold or transferred to third parties for advertising, marketing, or other use-based data mining. We do not store HealthKit data in iCloud.
Revoking access:
Disconnecting from Apple Health in the App's settings stops Kalori from reading and writing health data. To fully revoke iOS-level permissions, also open iOS Settings → Privacy & Security → Health → Kalori and turn off each category you no longer want to share.
8. Your Rights (GDPR Articles 15-22)
Under GDPR, you have the following rights:
Right of Access (Article 15)
You can request a copy of all personal data we hold about you. We will provide this within 30 days.
Right to Rectification (Article 16)
You can correct inaccurate personal data through the App's settings or by contacting us.
Right to Erasure (Article 17)
You can delete your account and all associated personal data through the App's settings. We will complete deletion within 30 days.
Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format (JSON or CSV).
Right to Object (Article 21)
You can object to processing based on legitimate interests. We will stop processing unless we have compelling grounds.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to Restriction (Article 18)
You can request that we limit how we use your data while we address your concerns.
To exercise any of these rights, use the in-app settings or contact us at support@kaloriapp.no. We will respond within 30 days. There is no fee for exercising your rights.
9. Data Retention
We retain your data for as long as your account is active. After account deletion:
- Personal data is deleted within 30 days
- Meal photos are deleted immediately (they are not stored long-term)
- Backup copies are deleted according to our backup rotation schedule (maximum 90 days)
- Anonymized, aggregated data may be retained indefinitely as it cannot identify you
We may retain certain data longer if required by law, to resolve disputes, or to protect our legal rights.
If your account is inactive for more than 24 months, we may send you a reminder email. If you don't respond, we may delete your account in accordance with this policy.
10. Children's Privacy
Users between 13 and 17 years old must have permission from a parent or legal guardian to use the App.
Parents/guardians are responsible for supervising their child's use of the App and ensuring the accuracy of any information provided.
We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under 13, please contact us immediately and we will delete it.
The App is available to users aged 13 and older.
Parents or guardians may exercise data rights on behalf of their children by contacting us at support@kaloriapp.no.
11. International Data Transfers
Your data is primarily stored in the European Union. If data is transferred outside the EU/EEA (for example, to AI processing services), we ensure appropriate safeguards are in place, such as:
- EU Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Data processing agreements with appropriate security measures
AI processing of food photos may occur outside the EU, but photos are processed transiently and not stored.
12. Cookies and Tracking
The App uses the TikTok Events SDK for advertising attribution, which may access your device's advertising identifier (IDFA) if you grant permission through Apple's App Tracking Transparency prompt. This is used solely to measure the effectiveness of our advertising campaigns and is not used to track you across other apps or websites. You can revoke this permission at any time in your device's Settings > Privacy > Tracking. The App does not use cookies. Our website (kaloriapp.no) uses the TikTok Pixel for web-based ad measurement, subject to your cookie consent.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or by email at least 30 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the App after changes take effect constitutes acceptance of the revised policy.
14. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- The Norwegian Data Protection Authority (Datatilsynet): https://www.datatilsynet.no
- The supervisory authority in your country of residence
We encourage you to contact us first at support@kaloriapp.no so we can try to resolve your concerns directly.
15. Contact
For any questions about this Privacy Policy or your personal data, please contact us:
Email: support@kaloriapp.no
We aim to respond to all inquiries within 48 hours on business days.