Privacy Policy
Effective date: May 21, 2026 Last updated: May 7, 2026
This Privacy Policy explains how Elliot Consulting Quality AB ("we", "us", "our") collects, uses, and protects your personal data when you use the Kalivo mobile application and our website at kalivo.co (together, the "Service").
This document is provided in English only. By using Kalivo, you accept this Privacy Policy in English. If you need assistance understanding it, please contact hello@kalivo.co.
1. Data Controller
The data controller responsible for your personal data is:
Elliot Consulting Quality AB Organisation number: 559467-3864 VAT: SE559467386401 Sommarrovägen 9, 702 30 Örebro, Sweden Email: hello@kalivo.co Responsible person: Rickard Elliot
We have not appointed a Data Protection Officer (DPO) as we fall below the thresholds in GDPR Article 37. We are established in the European Union and therefore do not require an EU representative.
2. Minimum age
Kalivo is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are under 13, please do not use Kalivo. If you believe a child under 13 has provided us with personal data, contact hello@kalivo.co and we will delete it.
In some jurisdictions the minimum age for processing personal data without parental consent is higher (for example 16 in several EU countries). Where local law requires a higher age, that higher age applies.
3. Health and wellness disclaimer
Kalivo is a general wellness and nutrition tracking tool. It is not a medical device. Information provided by Kalivo, including calorie targets, macronutrient estimates, and suggestions from our AI assistant Kai, does not constitute medical advice. Always consult a qualified healthcare professional before making decisions that affect your health.
If you have or have had an eating disorder, please consult a healthcare professional before using calorie tracking tools. Kalivo is not designed for use as part of eating disorder recovery and should not replace professional treatment.
4. What personal data we process
We process the following categories of personal data:
4.1 Account data
- Email address
- Password (stored as a secure hash, never in plain text)
- Display name (if you provide one)
- Authentication tokens from Google Sign-In or Apple Sign-In (when used)
- Avatar image (if you upload one)
- Account creation and last login timestamps
- Subscription tier (free or premium) and expiry date
- Preferred units (metric or imperial) and language
4.2 Profile and onboarding data
- Date of birth (used to calculate age for calorie formulas)
- Biological sex (used in calorie formulas)
- Height
- Current weight and target weight
- Weight goal (lose, maintain, or gain)
- Activity level
- Dietary preferences
- Goals and motivations you share during onboarding
4.3 Food and nutrition data
- Meals you log (name, meal type, timestamp)
- Calories, protein, carbohydrates, and fat values
- Water intake
- Photos of meals you upload for AI analysis
- Barcodes you scan
- Recipes you create, import, or share
- Meal plans generated for you
4.4 Health and activity data
- Steps (manually entered or imported from Health Connect / Apple Health)
- Sleep duration (manually entered or imported)
- Weight history (manually entered or imported)
- Activity logs and calories burned (manually entered or imported)
- Source attribution of health data (for example, Samsung Health or the device itself)
4.5 AI chat data
- Messages you send to Kai (our AI assistant, powered by Anthropic's Claude)
- Kai's responses to you
- Images you share with Kai for food analysis
4.6 Payment and subscription data
We do not store your full payment card details. Subscriptions are processed by Apple (App Store) or Google (Google Play) and managed through RevenueCat. We receive:
- Subscription status (active, expired, cancelled)
- Plan type (monthly or yearly)
- Renewal date
- Product identifier
- Anonymised purchase token from the store
4.7 Technical and usage data
- Device type, operating system, and app version
- IP address (temporarily, for security and fraud prevention)
- Approximate region derived from IP
- Anonymised analytics events (for example, when you open the app, sign in, log a meal)
- Crash reports and error logs
- App performance metrics
- Advertising identifiers (IDFA on iOS when you grant tracking permission, GAID on Android when you grant advertising consent, and an anonymised AppsFlyer device ID)
- Attribution metadata (which marketing campaign or partner referred you to install Kalivo)
- Anonymised conversion events sent to advertising partners (such as completing onboarding, starting a trial, or making a purchase)
5. Why we process your data and on what legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| To create and manage your account | Contract (Art. 6(1)(b)) |
| To provide calorie tracking, food logging, and insights | Contract |
| To calculate personalised calorie and macronutrient targets | Contract |
| To operate the Kai AI assistant | Contract |
| To process subscriptions and prevent payment fraud | Contract + Legal obligation (Art. 6(1)(c)) |
| To keep the Service secure and prevent abuse | Legitimate interests (Art. 6(1)(f)) |
| To diagnose crashes and errors | Legitimate interests |
| To understand how the Service is used and improve it | Legitimate interests |
| To comply with Swedish bookkeeping and tax law | Legal obligation |
| To respond to legal requests | Legal obligation |
| To measure advertising campaign effectiveness and attribute installs | Consent (Art. 6(1)(a)), withdrawn at any time in Profile → Privacy |
| To prevent install fraud and ensure marketing integrity | Legitimate interests |
For health and wellness data (such as weight, sleep, and activity), we rely on Article 9(2)(a) of the GDPR: your explicit consent, given by creating an account and completing onboarding. You can withdraw this consent at any time by deleting your account.
6. Automated decision-making and profiling
We use your profile data (age, sex, height, weight, activity level, goal) to calculate your personalised daily calorie and macronutrient targets. This calculation is based on the Mifflin–St Jeor equation and widely accepted nutrition science. It is an estimate and not a substitute for professional advice.
This is not automated decision-making that produces legal effects or significantly affects you under GDPR Article 22. You can adjust the suggested targets manually at any time.
7. Who we share your data with
We do not sell your personal data. We share it with the following categories of recipients, who act as our processors or independent controllers:
7.1 Infrastructure and hosting
- Supabase Inc. (United States) — authentication, database, file storage, real-time sync
- Vercel Inc. (United States) — hosting of the kalivo.co website and landing pages
7.2 AI and machine learning
- Anthropic PBC (United States) — powers the Kai AI assistant. Messages you send to Kai and any images you share are sent to Anthropic for processing. Anthropic does not train on Kalivo user data under our commercial terms. See Anthropic's commercial terms and privacy policy at https://www.anthropic.com/legal
7.3 Payments and subscriptions
- RevenueCat Inc. (United States) — subscription management and entitlement checks
- Apple Inc. (United States) — iOS in-app purchases via the App Store
- Google LLC (United States) — Android in-app purchases via Google Play
Apple and Google act as independent controllers for payment transactions. Their privacy policies apply in addition to ours.
7.4 Analytics and error monitoring
- Google LLC / Firebase (United States) — Firebase Analytics for anonymised product analytics
- Functional Software, Inc. (Sentry) (Germany / European Union) — error and crash reporting. We use Sentry's EU region to keep error data within the EU.
7.5 Email
- Resend (United States) — transactional emails such as password reset and email verification
7.6 Sign-in providers
- Google LLC (Google Sign-In) — when you sign in with Google
- Apple Inc. (Sign in with Apple) — when you sign in with Apple on iOS
7.7 Advertising attribution
AppsFlyer Ltd. (Israel, with EU operations in the Netherlands) — measures the effectiveness of our advertising and attributes app installs to marketing campaigns. AppsFlyer receives advertising identifiers (IDFA, GAID, AppsFlyer ID), conversion events, attribution metadata, and your subscription status. AppsFlyer also forwards anonymised conversion data to advertising platforms such as Meta, TikTok, and Google to optimise our advertising spend. AppsFlyer's privacy policy: https://www.appsflyer.com/legal/services-privacy-policy/
You can opt out of advertising and tracking at any time:
- In the Kalivo app: Profile → Privacy → Manage consent preferences. Toggle off 'Advertising'.
- On iOS: Settings → Privacy & Security → Tracking → Kalivo → off.
- On Android: Settings → Google → Ads → 'Delete advertising ID' or 'Opt out of Ads Personalisation'.
When you opt out, we stop sharing your data with AppsFlyer and our advertising partners going forward. Data shared before you opted out cannot always be retroactively recalled.
7.8 Authorities and legal requests
We may disclose your data to Swedish authorities or courts where we are legally required to do so.
A complete and up-to-date list of sub-processors is available on request from hello@kalivo.co.
8. International data transfers
Several of our processors are based in the United States (Supabase, Vercel, Anthropic, RevenueCat, Firebase, Resend) or operate internationally. When your data is transferred outside the European Economic Area (EEA), we rely on:
- The EU–U.S. Data Privacy Framework, where the recipient is certified
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional technical safeguards such as encryption in transit (TLS) and at rest
You can request copies of the safeguards in place by emailing hello@kalivo.co.
Sentry data is stored within the European Union (Frankfurt, Germany).
9. How long we keep your data
| Data | Retention period |
|---|---|
| Account data and profile | For as long as your account exists |
| Food logs, weight logs, sleep, steps, water, activity | For as long as your account exists |
| Kai chat history | For as long as your account exists, or until you delete individual conversations |
| AI inference logs (Anthropic) | Up to 30 days by Anthropic for abuse monitoring, then deleted |
| Deleted account data | Up to 30 days after deletion, then fully removed from our active systems |
| Supabase automated backups | Up to 7 days after deletion |
| Invoices and payment records | 7 years, as required by Swedish Bookkeeping Act (Bokföringslagen) |
| Error reports in Sentry | 90 days |
| Firebase Analytics events | 14 months |
| IP addresses in server logs | Up to 30 days |
| AppsFlyer attribution data | 24 months from last activity, then anonymised |
When you delete your account, your personal data is removed from our active systems within 30 days and from automated backups within a further 7 days. Anonymised or aggregated data derived from your usage may be retained for longer where it can no longer be linked to you.
10. Your rights under the GDPR
As a data subject you have the following rights:
- Access — you may request a copy of the personal data we hold about you (Art. 15)
- Rectification — you may ask us to correct inaccurate data (Art. 16)
- Erasure — you may ask us to delete your data ("right to be forgotten") (Art. 17)
- Restriction — you may ask us to restrict processing (Art. 18)
- Data portability — you may ask for a machine-readable copy of your data (Art. 20)
- Objection — you may object to processing based on legitimate interests (Art. 21)
- Withdraw consent — where processing is based on consent, you may withdraw it at any time (Art. 7(3))
- Lodge a complaint — you may complain to your data protection authority
To exercise these rights, email hello@kalivo.co. We will respond within 30 days.
You can also delete your account at any time from the Profile section of the app. This exercises your right to erasure.
Supervisory authority
Our lead supervisory authority is:
Integritetsskyddsmyndigheten (IMY) Box 8114 SE-104 20 Stockholm, Sweden Website: https://www.imy.se Telephone: +46 (0)8-657 61 00
If you live in another EU or EEA country, you may contact your local data protection authority.
11. Security
We take the security of your data seriously. Measures include:
- TLS encryption for all data in transit
- Encryption at rest for databases and backups
- Row-level security in our database so each user can only access their own data
- Passwords stored as salted hashes
- Access control and audit logs for our own team
- Regular security updates of our dependencies
- Error monitoring to detect abnormal behaviour
No system is perfectly secure. If you suspect unauthorised access to your account, contact hello@kalivo.co immediately.
12. Cookies, tracking technologies, and advertising
Our landing page at kalivo.co uses cookies and similar technologies in two categories:
Strictly necessary cookies — for session handling, security, and basic site functionality. These are always active.
Marketing and analytics tracking — Meta Pixel (Facebook) and TikTok Pixel are loaded on kalivo.co only after you accept the marketing category in our cookie consent banner. These pixels help us measure the effectiveness of our advertising campaigns on Meta and TikTok platforms. If you reject the marketing category or do not interact with the banner, these pixels are not loaded and no data is sent to Meta or TikTok.
The Kalivo mobile app does not use cookies. Instead, when you grant advertising consent during onboarding (or later in Profile → Privacy), we use mobile advertising identifiers and SDK-based event tracking via AppsFlyer to measure campaign effectiveness and attribute new installs to marketing partners. This is not cookie-based tracking, but it serves a similar purpose under GDPR and Apple/Google's tracking definitions.
You can withdraw advertising consent at any time. See Section 7.7 for details on opt-out controls for the mobile app. For website cookies, you can revisit your choices via the cookie banner reopen link in the website footer.
13. Children
See Section 2. If you are a parent or guardian and believe a child under 13 has created a Kalivo account, contact hello@kalivo.co and we will delete the account.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the app or by email at least 14 days before the change takes effect. The "Last updated" date at the top of this document reflects the most recent version.
15. Data practices summary (for app store privacy labels)
This section summarises our data practices for app store privacy labels (Apple App Privacy and Google Play Data Safety).
Data linked to you:
- Contact info (email)
- User content (photos you upload, meals you log, Kai chat messages)
- Identifiers (user ID, device ID when you consent to advertising, AppsFlyer ID)
- Health and fitness (weight, steps, sleep, activity, calories)
- Purchases (subscription status)
- Usage data (product interactions, including events shared with AppsFlyer for advertising attribution when you have consented)
- Diagnostics (crash data, performance)
Data used to track you (under Apple's definition of tracking, when you grant advertising consent):
- Device ID
- Product interaction events
New users must make an explicit choice about advertising tracking during onboarding — Accept all, Manage preferences (per-purpose toggles), or Reject all. We do not start tracking until that choice is made. If you choose Reject all, or later withdraw advertising consent, or deny iOS tracking permission, we do not use your data for cross-app tracking.
Data not collected: contacts, browsing history outside the app, precise location, financial information beyond subscription status, sensitive information other than health data you explicitly provide.
16. Contact
If you have any questions about this Privacy Policy or how we handle your data, contact:
Elliot Consulting Quality AB Email: hello@kalivo.co Address: Sommarrovägen 9, 702 30 Örebro, Sweden