Privacy Policy

Watch My Calories ("we", "us", "our") is operated by Carra Labs. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Watch My Calories mobile application ("the App") and its associated backend services.

By using the App you agree to this Privacy Policy. If you do not agree, please do not use the App.

1. Information We Collect

1.1 Account Information (provided by you)

• Name and email address (via Google Sign-In)
• Date of birth
• Gender
• Height and weight
• Activity level
• Country and language preference
• Dietary restrictions

1.2 Health & Nutrition Data (provided by you)

• Meals, food entries, and nutritional values (calories, protein, carbs, fat, fiber, sugar, sodium)
• Nutrition goals (target calories, macros, goal type, target weight)
• Body measurements (weight history, body fat percentage)
• Meal plans and recipes

1.3 Photos

• Food photos taken with the in-app camera for AI-based food recognition.
• Photos are stored locally on your device only in the App's private storage. They are not uploaded to our servers for permanent storage.
• When you use AI food recognition, the photo is temporarily sent (as encoded image data) to our server, which forwards it to Google's Gemini AI service for analysis. The image is not retained after processing.

1.4 Device Information

• A unique device identifier (UUID) generated by the App, stored in encrypted local storage. This is used to bind authentication sessions to your device.
• We do not collect your hardware ID, IMEI, advertising ID, or any other system-level device identifier.

1.5 Information We Do NOT Collect

• Location data (GPS)
• Contacts, call logs, or SMS
• Browsing history
• Financial information (payments are handled entirely by Google Play)
• Data from other health apps or fitness wearables

2. How We Use Your Information

3. Third-Party Services

3.1 Google (Authentication)

We use Google Sign-In for account creation and authentication. When you sign in, Google provides us with your name, email address, and Google account ID. Google's privacy policy applies to their processing of your data: policies.google.com/privacy.

3.2 Google Gemini AI (Food Recognition & Nutrition Analysis)

When you use AI-powered features (Premium only), certain data is sent to Google's Gemini API through our backend server:

• Food recognition: your food photo (encoded) and language preference
• Nutrition advice & analysis: age, gender, height, weight, activity level, dietary restrictions, and nutrition data for the relevant period
• Meal plan generation: the above plus your nutrition goals

We do not send your name, email, or any directly identifying information to the AI service. We use the paid tier of Google's Gemini API, which means Google does not use your data to train their AI models.

3.3 Open Food Facts (Barcode Lookup)

When you scan a product barcode, the barcode number is sent to the Open Food Facts API to retrieve product information. No personal data is shared. Open Food Facts is an open, non-profit database.

3.4 Google Play Billing

Subscription purchases are processed entirely by Google Play. We receive a purchase token to verify your subscription status but do not have access to your payment method or financial details.

4. Data Storage & Security

4.1 On Your Device

• Authentication tokens and device ID are stored in Android EncryptedSharedPreferences (AES-256-SIV key encryption, AES-256-GCM value encryption).
• Nutrition data is stored in a local Room (SQLite) database.
• Food photos are stored in the App's private file directory, inaccessible to other apps.

4.2 On Our Servers

• Your name, email, and date of birth are encrypted at rest using AES-256-GCM before being stored in our database.
• Authentication tokens are stored as SHA-256 hashes (not in plain text).
• All communication between the App and our servers uses TLS 1.2/1.3 encryption.
• Our servers are hosted in the European Union.

5. Data Retention

• Your data is retained for as long as your account is active.
• When you delete your account, all personal data is marked for deletion and permanently removed within 30 days.
• AI usage statistics (aggregated token counts, no content) are retained for billing and abuse-prevention purposes for up to 90 days after account deletion.
• Consent records are retained for legal compliance purposes.

6. Your Rights

Depending on your location, you may have the following rights:

• Access: request a copy of all data we hold about you.
• Rectification: update or correct your personal information through the App's profile screen.
• Deletion: delete your account and all associated data via Settings > Delete Account, or by contacting us.
• Data portability: request an export of your data in a structured, machine-readable format.
• Withdraw consent: you may withdraw consent for optional data processing (e.g., marketing communications) at any time.
• Object: you may object to certain processing activities by contacting us.

7. Children's Privacy

The App is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly.

8. International Data Transfers

Your data may be processed by Google's AI services in data centers outside your country of residence. When this occurs, we ensure appropriate safeguards are in place (paid API tier, no data retention by Google for training). Our own servers are located in the European Union.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App and update the "Effective date" above. Your continued use of the App after a change constitutes acceptance of the updated policy.

10. Contact Us