Privacy Policy – BeyondCal

Effective Date: December 5, 2025

This Privacy Policy explains how BeyondCal (“we”, “us”, “our”) collects, uses, and protects your information when you use the BeyondCal mobile app and the website beyondcal.com (together, the “Service”).

By using BeyondCal, you agree to the practices described in this Privacy Policy.

1. Overview

BeyondCal is a nutrition and micronutrient tracking app. To provide the Service we need to process certain personal data, including health-related information that you choose to share (for example, meal logs, macros/micros, and basic body metrics).

We aim to:

  • Collect only what is necessary
  • Use your data only for clear, legitimate purposes
  • Store it securely
  • Give you reasonable control over your data

2. Information We Collect

We collect the following categories of data.

2.1 Account Data

  • Email address
  • Authentication data (hashed password if you sign up with email; identifiers from Apple/Google if you use social login)
  • Basic profile information you choose to provide (for example name or nickname)

2.2 Profile and Onboarding Data

To personalize targets and insights, you may choose to provide:

  • Age range or date of birth
  • Biological sex / gender
  • Height and weight
  • Activity level or lifestyle information
  • Nutritional goals and preferences (for example focus on specific domains like energy, brain, longevity)

These can be considered health-related data, and we treat them with extra care.

2.3 Nutrition and Tracking Data

To operate the core features of BeyondCal, we process:

  • Meals, foods, ingredients, and portion sizes you log
  • Micronutrient and macronutrient values associated with your logs
  • Photos of meals that you capture or upload
  • Derived data such as domain scores, trends, and summary statistics (for example daily coverage of certain nutrients)

This information is used to compute and display analytics and recommendations inside the App.

2.4 Technical and Usage Data

When you use the Service, we automatically collect:

  • Device information (model, operating system, language, app version)
  • Approximate region based on IP address
  • Log information such as timestamps, feature usage, screens visited
  • Basic diagnostic data (for example errors, crashes, performance metrics)

At the MVP stage we aim to keep analytics minimal and aggregated. If we later integrate third-party analytics, we will update this policy to list the providers and their roles.

2.5 Communication Data

If you contact us (for example via email or in-app forms), we collect:

  • The content of your messages
  • Your contact details (email, name if provided)
  • Any other information you voluntarily include

2.6 Push Notification Data

If you enable notifications, we collect:

  • A push notification token associated with your device and user account

We use this token only to send notifications (for example reminders to log meals or streak reminders).

2.7 Payment and Subscription Data

If you purchase a subscription or in-app product:

  • Payments are processed through the Apple App Store and/or Google Play (or other platform providers).
  • We receive information such as subscription status, type of plan, and renewal dates, but we do not see your full payment card details.

3. How We Use Your Data

We use your data for the following purposes:

To provide and maintain the Service

  • Authenticate you and manage your account
  • Store and display your meal logs, micronutrient data, and scores
  • Remember your preferences and settings

To personalize the experience

  • Calculate recommended nutrient targets based on your profile
  • Show you summaries, trends, and domain scores relevant to you

To operate AI-powered features

  • Send meal photos and descriptions to AI providers to estimate ingredients, portions, and nutrients
  • Generate insights based on your logs

These operations are limited to what is strictly necessary to offer the feature.

To improve the Service

  • Analyze aggregated use patterns
  • Monitor performance and fix bugs
  • Decide which features to prioritize

To communicate with you

  • Send push notifications (for example reminders, streak alerts)
  • Send essential service emails (for example important updates, policy changes, account issues)
  • Send occasional product updates or tips, where permitted by law and your settings

To ensure security and prevent abuse

  • Detect and prevent fraud, abuse, or unauthorized access

To comply with legal obligations

  • Keep records as required by law
  • Respond to lawful requests from authorities, where applicable

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA) or UK, we process your personal data under the following legal bases:

  • Performance of a contract: To provide the Service you requested (account, logging, analytics, notifications).
  • Consent: For certain optional features (for example health-related profiling, marketing emails, some types of analytics).
  • Legitimate interests: To improve the Service, prevent fraud, and protect our rights, provided these interests are not overridden by your rights and interests.
  • Legal obligation: Where processing is necessary to comply with applicable laws (for example accounting or consumer rules).

You can withdraw consent at any time in the App settings (where available) or by contacting us.

5. AI and Third-Party Providers

To run the Service we rely on trusted third parties acting as data processors:

  • Supabase – database, authentication, and file storage (including meal photos); data is stored in data centers located in the region we selected when setting up the project, currently within the European Union.
  • AI provider(s) such as OpenAI – processing of text and images (for example meal descriptions and photos) to extract ingredients, portions, and insights.
  • Platform providers – Apple, Google, and similar stores that handle distribution and payments.
  • Push notification infrastructure – services used to deliver notifications to your device via Apple/Google push systems.

We require these providers to process your data only as needed to deliver their part of the Service, under appropriate security and confidentiality obligations.

We do not sell your personal data and we do not share your data with third parties for their own marketing purposes.

6. Data Storage, Location, and Security

Data is stored primarily using Supabase (managed PostgreSQL and object storage).

We use technical and organizational measures such as encryption in transit (HTTPS), access controls, and least-privilege principles to protect your data.

No system is perfectly secure, but we take reasonable steps to reduce the risk of unauthorized access, disclosure, or loss.

If we become aware of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant authorities as required by law.

7. Push Notifications and Email

Push Notifications

We may send push notifications about:

  • Meal logging reminders
  • Streak status and progress
  • Important changes to the Service

You can disable push notifications at any time through your device settings.

Email

We may send:

  • Essential service emails (for example security alerts or changes to terms)
  • Optional tips and product updates, where permitted

You can unsubscribe from non-essential emails at any time by using the unsubscribe link (if available) or contacting us.

8. Data Retention

We keep your personal data only as long as necessary for the purposes described above:

  • Account, profile, and nutrition logs: kept while your account is active.
  • Logs and technical data: kept for a shorter period as needed for security and diagnostics.
  • Communication data: kept as long as needed to manage your request and maintain reasonable records.

If you delete your account or ask us to delete your data, we will remove or anonymize your personal information from active systems, unless we are legally required or allowed to preserve some of it (for example, for accounting or to resolve disputes).

Some data may remain in backups for a limited retention period, after which it is overwritten.

Details on how to request deletion are in section 10.

9. Children's Privacy

BeyondCal is not intended for children under 16. We do not knowingly collect personal data from users under 16.

If we discover that we have collected data from a child under 16 without appropriate consent, we will delete that data as soon as reasonably possible. If you believe this has happened, contact us at privacy@craftuplearn.com.

10. Your Rights

Depending on your location (for example EEA, UK), you may have the following rights:

  • Access – obtain a copy of the personal data we hold about you
  • Rectification – correct inaccurate or incomplete data
  • Deletion (“right to be forgotten”) – request deletion of your personal data, subject to legal limitations
  • Restriction – ask us to limit processing in certain circumstances
  • Portability – receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
  • Objection – object to processing based on legitimate interests or direct marketing
  • Withdraw consent – where processing is based on consent

Currently, in the MVP:

  • Some of these actions may be possible directly within the App (for example editing your profile or deleting logs).
  • For other requests (including full account deletion and export), you can contact us at privacy@craftuplearn.com.

We may need to verify your identity before acting on your request.

You also have the right to lodge a complaint with a data protection authority (for example, the Italian Data Protection Authority if you reside in Italy).

11. International Data Transfers

Because we use cloud providers and global infrastructure, your data may be transferred and processed outside your country of residence.

Where such transfers involve data leaving the European Economic Area or UK, we rely on appropriate safeguards, such as:

  • Hosting in the EU where possible
  • Standard Contractual Clauses or equivalent mechanisms, where required

We only work with providers who offer privacy and security standards consistent with applicable law.

12. Third-Party Links

The App or website may contain links to third-party sites or services (for example external articles or resources). We are not responsible for the privacy practices or content of those third parties. We encourage you to review their privacy policies before providing any personal data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example when we add new features, use new providers, or when laws change.

If we make material changes, we will notify you inside the App and/or by email. The updated policy will be effective from the date indicated at the top. Continued use of the Service after that date means you accept the updated policy.

14. Contact

If you have questions, concerns, or requests about this Privacy Policy or your data, you can contact us at:

Privacy email: privacy@craftuplearn.com

Support email: support@craftuplearn.com