Your Privacy, Protected

Cal 30 uses Apple Sign In exclusively. Apple authenticates your identity and delivers a secure token to our app. We never receive or store your Apple ID password. Apple may provide a private relay email at your discretion — we use this only to associate your account.

Your Apple token is exchanged with Firebase Authentication (Google) to create a secure session. Firebase stores your user ID (UID) — a random, anonymized string — and your relay email if provided. No passwords are stored by us or Firebase.

A flag indicating that you have previously signed in is stored in your device's secure Keychain. This lets the app show the Sign In screen on return visits. No personal data is stored in the Keychain.

You can permanently delete your account and all associated data from within the app (Settings → Delete Account). This removes your Firebase Auth record, all Firestore documents, and all AI usage logs. Deletion is irreversible and takes effect immediately.

During setup you provide: gender, age, current weight, height, goal weight, weight-change speed, diet type (e.g. Balanced, Keto, Vegan), food restrictions, health conditions, activity level, country, and preferred meals per day. This data is used solely to calculate your personalized calorie and macro targets and to generate your 30-day plan.

Your BMI, daily calorie budget, and daily protein, carbohydrate, and fat targets are calculated on-device and stored in your Firestore profile. These values are visible only to you.

Cal 30 tracks which 30-day cycle you are on, your cycle start weight, and your sub-goal target weight for each cycle. This progress data is stored in your Firestore profile and is visible only to you.

Cal 30 does not read from or write to Apple HealthKit. Your Apple Health data is never accessed by this app.

Cal 30 is a nutrition planning tool, not a medical device or service. Calorie and macro recommendations are for informational purposes only and do not constitute medical advice. Always consult a qualified healthcare professional before making significant dietary changes, especially if you have existing health conditions.

Meals you add manually — name, type, portion size, calories, protein, carbs, and fats — are stored in a Firestore sub-collection linked to your account. Your full meal history is accessible only to you.

When you request a meal plan, your profile data (goals, diet type, restrictions, calorie targets) is sent to Google Gemini to generate personalized suggestions. The resulting plan is saved to your Firestore account. See Section 4 for full AI processing details.

When you scan a meal photo, the image is sent to Google Gemini Vision AI for nutritional analysis. The image is used only for this single request and is not stored on our servers. The nutritional result is saved to your meal log in Firestore. Camera and Photo Library access requires your explicit permission.

Firestore is configured with persistent local caching on your device, so your meal history and profile remain accessible when offline. Changes sync automatically when connectivity is restored.

Three features use Gemini AI: Meal plan generation (sends your goals, diet type, restrictions, and calorie targets — no name or contact info); Food photo scanning (sends the selected image for nutritional estimation — images are not stored after processing); and AI nutrition chat (sends your messages with basic plan context). No uniquely identifying information is included in Gemini requests.

To protect your data and manage costs, AI usage is capped per user per day: up to 10 meal plan generations, 15 food photo scans, and 40 chat messages. These limits reset at midnight. Usage counts are stored in Firestore and in iCloud Key-Value Store as a local cache.

An anonymized daily cost estimate (a dollar amount, not personal data) is recorded in Firestore under your UID to enforce per-user daily budgets. This data is not shared with any third party.

Requests to Gemini are governed by Google's Privacy Policy and the Gemini API Terms. We use Gemini via Firebase AI Logic, which applies Google Cloud data processing terms. Google does not use Gemini API requests to train consumer models by default.

Camera permission is requested only when you choose to scan a food item. Photos taken are sent directly to Gemini Vision for nutritional analysis and are never stored in your photo library or on our servers.

Photo Library access is requested only when you choose to select an existing photo for food scanning. Cal 30 does not browse, index, or store any photos from your library beyond the one you explicitly select.

Both permissions are optional and can be revoked via iOS Settings → Cal 30 → Camera / Photos. Revoking these permissions only affects food scanning — all other features continue to work normally.

All notifications in Cal 30 are scheduled locally on your device using Apple's UserNotifications framework. No push notification server or third-party messaging service is used. Notification content never leaves your device.

Notification permission is entirely optional. Declining or revoking it has no impact on nutrition tracking or any other core feature of the app.

Your profile, meal logs, and AI usage records are stored in Google Cloud Firestore. Each document is scoped to your UID. Firestore Security Rules ensure only the authenticated owner can read or write their data — no other user, and no Cal 30 team member, can access your meal data through the app.

Daily AI usage counts are cached in Apple's iCloud Key-Value Store to enforce daily limits without a network round-trip. This cache does not contain any health or meal data and is governed by Apple's iCloud privacy policy.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party beyond the infrastructure providers in Section 9 (Firebase, Gemini, RevenueCat, Apple). These providers act as data processors under our direction and are bound by data processing agreements.

All purchases and subscriptions are processed by Apple through the App Store. Cal 30 never handles, stores, or transmits your payment card information. Apple's Privacy Policy governs all payment transactions.

Cal 30 uses RevenueCat to verify subscription status and manage entitlements. RevenueCat receives your App Store receipt for verification only. No payment details are shared with RevenueCat. Their handling is governed by the RevenueCat Privacy Policy.

You can restore your subscription at any time via Settings → Restore Purchases. This contacts RevenueCat and Apple to verify entitlements — no new personal data is created or shared.

Cal 30 is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 (or the applicable minimum age in your jurisdiction). If you believe a child has provided data through the app, please contact us at the address below and we will delete the data promptly.

You can view all your stored data — profile, goals, and meal history — directly within the app at any time.

You can edit your profile, goals, and any meal log entry within the app at any time.

Individual meals can be deleted within the app. Full account and data deletion is available via Settings → Delete Account. This permanently removes all your data from Firestore and Firebase Authentication and cannot be undone.

If you are in the European Economic Area, United Kingdom, or California, you may have additional rights including data portability, the right to object to processing, and the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at the address below.

All communication between Cal 30 and Firebase, Gemini, and RevenueCat is encrypted using TLS 1.2 or higher. Data is never sent over unencrypted connections.

Firestore data is encrypted at rest by Google Cloud using AES-256 encryption. Your device's local Firestore cache is protected by iOS Data Protection (encrypted when the device is locked).

Server-side Firestore Security Rules ensure each user can only read and write their own documents. No cross-user data access is possible through the app's data model.

Cal 30 contains no advertising SDKs, behavioral tracking libraries, or cross-app tracking frameworks. There are no third-party analytics tools beyond those listed in Section 9.

If we make material changes — such as adding new data types, new third-party integrations, or changing how data is used — we will update the "Last updated" date at the top of this page and, where appropriate, notify you through an in-app message. Continued use of the app after a policy update constitutes acceptance of the revised terms.

This Privacy Policy is governed by applicable law. For EEA users, processing complies with GDPR. For California residents, we comply with the California Consumer Privacy Act (CCPA).