Calo
← Back home

Legal

Privacy Policy

Last updated: May 17, 2026

Calo (“we”, “us”, “our”) is operated by Stefan Neuber, Stahnsdorfer Straße 140a, 14482 Potsdam, Germany. This policy explains how we process personal data when you use textcalo.com, Calo’s onboarding, account, checkout, lab, and iMessage services.

1. Controller

Stefan Neuber
Stahnsdorfer Straße 140a
14482 Potsdam, Germany
Email: neuberapps@gmail.com

2. Data We Process

2.1 Website and onboarding

  • Onboarding answers: gender, activity/workout level, goal, previous tracking experience, units, height, weight, birthday, target weight, diet preference, referral source, obstacles, and specific goals.
  • Contact and account data: mobile phone number, email address if provided, Firebase user ID, phone verification status, handoff code, subscription status, and timezone.
  • Technical data: IP address, user agent, device/browser information, URLs visited, timestamps, and security or error logs.
  • Local device data: onboarding progress and a lead identifier stored in localStorage so you can continue the flow.

2.2 iMessage, SMS, and chat

  • Messages you send to Calo, including text, food photos, voice-note transcripts if provided by the messaging platform, attachments, message IDs, sender number, delivery/read/reaction metadata, and protocol metadata.
  • Food and nutrition data derived from messages and photos, including recognized items, estimated calories, macros, meal logs, daily totals, confidence scores, and clarifying questions.
  • Motivation, checkout, billing, refund, opt-out, and deletion-request messages you send.
  • AI processing records such as provider, model, run type, timestamps, and outputs needed to operate, debug, and improve Calo.

2.3 Payments and billing

  • Stripe customer, checkout, subscription, invoice, payment status, refund, trial, and billing-support metadata.
  • We do not store full card numbers. Payment details are handled by Stripe.

3. Sensitive Nutrition Data

Because Calo uses weight, diet, goals, meal photos, and nutrition estimates, some data may be health-related or otherwise sensitive. We process this data to provide the service you request and, where GDPR Article 9 applies, on the basis of your explicit consent. You can withdraw consent by stopping use and requesting deletion, but this will prevent Calo from providing personalized nutrition coaching. We may store the time and policy version connected to your consent.

4. Purposes and Legal Bases

  • Service delivery and account setup: phone verification, onboarding, plan calculation, messaging, meal logging, checkout, subscriptions, support, refunds, and account recovery under GDPR Art. 6(1)(b).
  • Safety, security, fraud prevention, debugging, and service reliability: Art. 6(1)(f), our legitimate interests.
  • Optional analytics and product improvement: Art. 6(1)(a) where consent is required, otherwise Art. 6(1)(f) for privacy-protective operational analytics.
  • Marketing or research: only with your consent, Art. 6(1)(a).
  • Legal, tax, accounting, chargeback, and regulatory obligations: Art. 6(1)(c), and where needed Art. 6(1)(f) for legal claims.

5. Processors and Recipients

We do not sell personal data. We share data only as needed to run Calo, under appropriate contractual safeguards where required:

  • Firebase / Google Cloud: authentication, Firestore database, Cloud Functions, Storage, logs, and infrastructure.
  • Vercel or similar hosting providers: website hosting, routing, and request logs.
  • Linq and telecom providers: iMessage/SMS delivery, message status, attachments, reactions, and read status.
  • OpenAI: food-photo and nutrition analysis.
  • Anthropic: chat, motivation, checkout, and coaching replies.
  • Stripe: checkout, subscriptions, billing portal, invoices, refunds, fraud prevention, and payment compliance.
  • PostHog: optional analytics, lead/contact event storage, and funnel diagnostics when configured.
  • Apple iMessage: your use of iMessage is governed by Apple’s own terms and privacy practices.
  • Professional advisers, authorities, or courts: where needed for legal compliance, disputes, or rights requests.

6. AI and Human Review

Messages and food photos may be sent to AI providers so Calo can understand food, estimate nutrition, and reply. A limited team may review snippets of conversations, logs, photos, and model outputs for safety, support, abuse prevention, billing, debugging, and product quality. Reviews are limited to people with a work-related need.

7. International Transfers

Some providers process data outside the EU/EEA, including in the United States. Where required, we rely on adequacy decisions, the EU Standard Contractual Clauses, Data Privacy Framework participation, transfer impact assessments, and provider security measures.

8. Cookies, LocalStorage, and Analytics

Calo uses localStorage to remember onboarding progress and account flow state. Optional analytics use PostHog and may store or access identifiers in the browser after consent where required. You can decline analytics and still use Calo. You can also clear browser site data to remove local onboarding state from your device.

9. Retention

  • Account, onboarding, plan, subscription, and conversation records: kept while your account is active and then for up to 24 months after your last interaction, unless a shorter or longer period is required below.
  • Meal logs, daily totals, and food-photo copies: kept while your account is active so Calo can provide history and personalization; deleted or anonymized on verified request unless we must keep limited records.
  • Incomplete lead/contact records: kept for up to 12 months unless you ask us to delete them sooner.
  • Security, delivery, webhook, and operational logs: usually kept up to 12 months, longer if needed for fraud, abuse, chargebacks, debugging, or legal claims.
  • Payment, invoice, tax, accounting, refund, and chargeback records: kept as long as legally required, generally up to 10 years under German commercial and tax retention rules.
  • Backups are overwritten on a rolling schedule and are not used as live records.

10. Your Rights

You may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete or anonymize data, subject to legal retention obligations.
  • Restrict or object to processing.
  • Receive a portable copy of data you provided.
  • Withdraw consent at any time.
  • Object to direct marketing.
  • Lodge a complaint with a supervisory authority. In Brandenburg, Germany, this is the Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg.

To exercise rights, text Calo “delete my data” or email neuberapps@gmail.com. We may need to verify your identity. We aim to respond within one month.

11. Automated Processing

Calo uses automated processing to estimate nutrition, calculate a plan, personalize replies, and decide when to offer checkout. These outputs are informational and do not create legal or similarly significant effects by themselves. You should not rely on Calo for medical decisions.

12. Security

We use TLS in transit, provider-managed encryption at rest, access controls, Firebase security rules, signed webhooks where supported, and limited operational access. No internet service is perfectly secure, so please avoid sending information Calo does not need.

13. Age eligibility

Calo is only available to people over 18. If you are 18 or younger, do not use Calo. If we learn that we collected onboarding or account data from someone 18 or younger, we will delete it unless we must keep a limited record for legal reasons.

14. Changes

We may update this policy as Calo evolves. For material changes, we will provide notice by website, text, email, or another reasonable method before or when the change takes effect.

15. Contact

Questions about privacy? Email neuberapps@gmail.com.