Privacy Policy
As of: December 2025
1. Data Protection at a Glance
This privacy policy was written to inform you, in accordance with GDPR (General Data Protection Regulation (EU) 2016/679), what information is collected for what purpose, and how you as a user can influence data collection and processing.
We have tried to collect as little personal data as possible to provide the services ("data minimization").
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is all data that can be used to personally identify you. Detailed information on data protection can be found in our privacy policy listed below this text.
Data collection on this website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Note on the Controller" section of this privacy policy.
How do we collect your data?
Your data is collected, on the one hand, when you provide it to us. This can, for example, be data that you enter into a contact form.
Other data is collected by our IT systems automatically or with your consent when you visit the website. This primarily includes technical data (e.g., internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Some of the data is collected to ensure error-free provision of the website. Other data may be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders, or other order inquiries.
What rights do you have regarding your data?
You have the right to obtain information about the origin, recipient, and purpose of your stored personal data at any time and free of charge. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time with effect for the future. Furthermore, you have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
You can contact us at any time regarding this and other questions regarding data protection.
2. Hosting
We host the content of our website with the following provider:
webgo
The provider is webgo GmbH, Heidenkampsweg 81, 20097, Hamburg (hereinafter "webgo"). When you visit our website, webgo records various log files, including your IP addresses.
You can find details in webgo's privacy policy: https://www.webgo.de/datenschutz/.
The use of webgo is based on Art. 6 (1) (f) GDPR. We have a legitimate interest in the most reliable presentation of our website possible. If consent has been requested, processing will be carried out exclusively on the basis of Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal device (e.g., for device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Processing by a processor (Art. 28 GDPR)
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which guarantees that the personal data of our website visitors will only be processed according to our instructions and in compliance with the GDPR.
3. General information and mandatory information
Terms
The following explains terms frequently used in the privacy policy:
- Data processing: Collection, storage, use, and deletion of data
- Data: Personal data (according to GDPR) is "all information relating to an identified or identifiable natural person (hereinafter "data subject" or "user")"
- Pseudonymization: The name or other identifying feature is replaced by a pseudonym, so that determining the identity of the data subject is significantly hindered or even completely excluded.
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains which data we collect and what we use it for. It also explains how and for what purpose this happens.
We would like to point out that data transmission over the Internet (e.g., when communicating by email) can have security gaps. Complete protection of data from access by third parties is not possible.
Note on the Controller
The controller for data processing on this website is:
Kalorime UG (haftungsbeschränkt)
Kreuzweg 26
31868 Ottenstein
Phone: +49 (0) 176 - 416 029 13
E-mail: contact@kalorime.com
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
Note on minimum age
Our service is not aimed at children under 16 years of age. Persons under 16 years of age may only use the service with the consent of their legal guardians.
Storage period
Unless a more specific storage period has been specified within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or wish to revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., retention periods under tax or commercial law); in the latter case, deletion will occur once these reasons no longer apply.
When the account is deleted, personal content data (e.g., diary, photos, private database entries) will be deleted or anonymized; statutory retention periods (in particular, invoice and contract data for up to 10 years) remain unaffected.
Backup copies of personal data
Backups are created regularly and in encrypted form in accordance with the GDPR.
For technical reasons, personal data contained in backup copies is not permanently deleted immediately, but only when the backups are regularly overwritten.
Technical and organizational measures (TOMs)
We use appropriate technical and organizational measures (TOMs), in particular role-based access and authorization concepts, encryption during transmission (SSL/TLS) and in backups, logging of access events, and regular security updates, to protect personal data from loss, misuse, and unauthorized access.
General information on the legal basis for data processing on this website
If you have consented to data processing, we process your personal data on the basis of Art. 6 Paragraph 1 lit. a GDPR or Article 9 Paragraph 2 lit. a GDPR, provided that special categories of data are processed pursuant to Article 9 Paragraph 1 GDPR. In the case of express consent to the transfer of personal data to third countries, data processing will also be carried out on the basis of Article 49 Paragraph 1 lit. a GDPR. If you have consented to the storage of cookies or to access information on your end device (e.g. via device fingerprinting), data processing will also be carried out on the basis of Section 25 Paragraph 1 TDDDG. Consent can be revoked at any time. If your data is required to fulfill the contract or to carry out pre-contractual measures, we will process your data on the basis of Article 6 Paragraph 1 lit. b GDPR. Furthermore, we process your data if it is necessary to fulfill a legal obligation on the basis of Art. 6 (1) (c) GDPR. Data processing may also be based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR. The relevant legal bases in each individual case are explained in the following paragraphs of this privacy policy.
These rights apply to all data subjects whose data we process, regardless of whether they reside in the European Union, the United Kingdom, or another country, insofar as the respective legal provisions (e.g., EU GDPR or UK GDPR) are applicable. The same rights under the UK GDPR apply to data subjects in the United Kingdom; inquiries can be made using the contact details provided in the "Note on the Controller" section.
To exercise your rights, you can contact us at any time using the contact details provided in the "Note on the Controller" section.
Recipients of personal data
As part of our business activities, we work with various external parties. In some cases, this also requires the transfer of personal data to these external parties. We only transfer personal data to external parties if this is necessary to fulfill a contract, if we are legally obliged to do so (e.g., transferring data to tax authorities), if we have a legitimate interest in the transfer pursuant to Art. 6 (1) (f) GDPR, or if another legal basis permits the transfer of data. When using data processors, we only share our customers' personal data on the basis of a valid data processing agreement. In the case of joint processing, a contract for joint processing is concluded.
Withdrawal of Your Consent to Data Processing
Where we process personal data on the basis of your consent (Article 6(1)(a) GDPR and/or Article 9(2)(a) GDPR), you may withdraw this consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
You may withdraw your consent at any time by sending an email to contact@kalorime.com.
Consequences of withdrawal: As the use of our service is technically and functionally dependent on the processing of the health- and tracking-related data you provide, and it is currently not possible to deactivate individual consent-based processing operations separately, a withdrawal of consent may result in our inability to continue providing the service. In such cases, your user account will be deleted upon your request.
Upon deletion of the user account, personal content data stored in your account (e.g. diary entries, progress data and uploaded photos) will be deleted or anonymised, unless statutory retention obligations (e.g. accounting or tax law requirements) require continued storage.
Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
If data processing is carried out on the basis of Art. 6 (1) (e) or (f) GDPR, you have the right to object at any time to the processing of your personal data for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which any processing is based can be found in this data protection declaration. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN PROVE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 (1) GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING; THIS ALSO APPLIES TO PROFILING IN RESPECT OF SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION ACCORDING TO ART. 21 PARA. 2 GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, those affected have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work, or place of the alleged violation. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.
An overview of the data protection supervisory authorities in Germany can be found here: https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html
The competent supervisory authority for Kalorime UG (haftungsbeschränkt) is the State Commissioner for Data Protection of Lower Saxony (LfD Lower Saxony). https://lfd.niedersachsen.de
Right to data portability
You have the right to have data that we process automatically based on your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if technically feasible.
Information, Correction, and Deletion
Within the scope of applicable legal provisions, you have the right at any time to obtain free information about your stored personal data, its origin and recipient, and the purpose of data processing, as well as the right to have this data corrected or deleted, if applicable. Data is only collected where absolutely necessary. Entries made by users can be deleted immediately and completely by the data subject. The exception to this is data that the data subject has made publicly visible and that is currently being used by other users (in this case, the data subject's pseudonym associated with the content will always be removed) or legal regulations that prevent deletion. You can contact us at any time with any questions about this or other issues relating to personal data.
Right to Restriction of Processing
You have the right to request that the processing of your personal data be restricted. You can contact us at any time to do so. The right to restrict processing applies in the following cases:
- If you dispute the accuracy of the personal data we have stored about you, we generally need time to verify this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
- If the processing of your personal data was/is unlawful, you can request that the data processing be restricted instead of deleted.
- If we no longer need your personal data, but you need it to exercise, defend, or assert legal claims, you have the right to request that the processing of your personal data be restricted instead of deleted.
- If you have lodged an objection pursuant to Art. 21 (1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request that the processing of your personal data be restricted.
If you have restricted the processing of your personal data, this data may, apart from its storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims or to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or a member state.
SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser bar.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Objection to advertising emails
The use of contact data published as part of the imprint obligation to send unsolicited advertising and information materials is hereby prohibited. The operators of the site expressly reserve the right to take legal action in the event of unsolicited advertising information being sent, for example through spam emails.
4. Data collection on this website
Cookies
Our websites use so-called "cookies." Cookies are small data packets and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted after your visit. Permanent cookies remain stored on your device until you delete them yourself or they are automatically deleted by your web browser.
Cookies can originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain third-party services within websites (e.g., cookies for processing payment services).
Cookies have various functions. Many cookies are technically necessary because certain website functions would not work without them (e.g., the shopping cart function or the display of videos). Other cookies can be used to evaluate user behavior or for advertising purposes.
Cookies that are required to carry out electronic communications, to provide certain functions you have requested (e.g., for the shopping cart function), or to optimize the website (e.g., cookies for measuring web audiences) (necessary cookies) are stored on the basis of Art. 6 (1) (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and similar recognition technologies has been requested, processing will take place exclusively on the basis of this consent (Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG); consent can be revoked at any time.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.
You can find out which cookies and services are used on this website in this privacy policy. Where cookies are strictly necessary to provide the login/session functionality requested by the user, processing may also be based on Art. 6(1)(b) GDPR.
When you visit the Kalorime website, an information banner is displayed informing the user about the use of cookies and containing a link to the privacy policy.
Note on Withdrawal / Settings
If we use only technically necessary cookies, no consent is required (§ 25(2) No. 2 TDDDG). You can delete or block cookies at any time via your browser settings. Please note that disabling technically necessary cookies may restrict certain functions (e.g. login).
Types of cookies
- Strictly necessary cookies: These cookies are necessary to ensure basic website functions (example: session cookies).
- Functional cookies: These cookies collect information about user behavior. These cookies are also used to measure the loading time and behavior of the website in different browsers (not used).
- Advertising cookies: These cookies are also called targeting cookies. They are used to deliver customized advertising to the user (example: Google AdSense).
Delete cookies
You can deactivate or delete cookies in your browser at any time. This will prevent cookies from being stored on your device.
If cookies are not accepted, the familiar cookie message will appear as an information banner each time you visit a page. Furthermore, a large part of the website will not function.
Cookies used
Only strictly necessary cookies are used on Kalorime. We do not use analysis/advertising cookies.
Note on third-party providers
No analysis, marketing, or other third-party cookies are set on Kalorime. Third-party providers only receive data if you actively click on an external link (e.g., to social media profiles or PayPal); in this case, the privacy policy of the respective provider applies.
Contact form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass this data on without your consent.
This data is processed on the basis of Art. 6 (1) (b) GDPR, provided that your inquiry is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), if this was requested; consent can be revoked at any time.
The data you enter in the contact form will remain with us until you request its deletion, revoke your consent to storage, or the purpose for storing the data no longer applies (e.g., after your request has been processed). Mandatory legal provisions—in particular retention periods—remain unaffected.
Inquiry by email, telephone, or fax
If you contact us by email, telephone, or fax, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 (1) (b) GDPR, provided your request is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), if this was requested; consent can be revoked at any time.
The data you send to us via contact enquiries will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions, in particular statutory retention periods, remain unaffected.
Server log files and technical data
When registering, logging in, and using our services, our server at webgo automatically records the following data, which is technically necessary to deliver the website, ensure security, and prevent misuse:
- IP address
- Date and time of the request
- Browser type and version
- Operating system
- Referrer URL (if transmitted)
For security reasons (e.g., to investigate misuse or fraud), this data is stored in server log files for 7 days and automatically deleted when it is no longer needed for its intended purpose. In principle, data can also be stored longer than necessary, for example, if evidence is needed for legal disputes. The legal basis for this is Art. 6 (1) (f) GDPR (legitimate interest in ensuring technical operation and system security).
Storage serves to ensure IT security (e.g., detection of recurring attacks, error analysis, investigation of misuse).
Registration, Account, Premium Membership, and Use of Our Services
Registration and Account Creation
Registration is required to use certain features of our website. During registration, we collect the following data:
- Email address
- Password
This data is necessary to create a user account and give you access to the features of our platform (Art. 6 (1) (b) GDPR – contract fulfillment or pre-contractual measures).
Free Trial Period (3 Days)
When you register for the first time, you have the one-time opportunity to test our Premium Membership free of charge for three (3) days (“Trial Period”). During this Trial Period, all premium features are fully available to you.
To provide and manage the Trial Period, we process the same personal data that is required for registration (e.g. email address, password, technical usage and metadata). The legal basis for this processing is Article 6(1)(b) GDPR (processing necessary for the performance of a contract or for pre-contractual measures).
After the Trial Period ends, access to the premium features automatically expires; there is no automatic renewal or conversion into a paid subscription. Your data will remain stored in your free user account unless you delete it. If you do not purchase a paid membership after the Trial Period, your data will continue to be processed solely within the scope of the free account.
Repeated or multiple participation in the Trial Period is not permitted. We reserve the right to deny or terminate the Trial Period if there are indications of misuse (e.g. multiple registrations).
Two-Factor Authentication (2FA)
To protect your account, we offer optional or mandatory two-factor authentication (2FA). In addition to your password, you will be asked to enter a verification code, which may be provided, for example, by email or via an authenticator app.
As part of 2FA, we process the following data:
- Your email address or the second authentication method you have stored
- Date and time of the 2FA login
- Technical metadata (e.g., IP address, browser information)
The processing is carried out to secure your user account and prevent unauthorized access (Art. 6 (1) (b) GDPR - contract fulfillment or Art. 6 (1) (f) GDPR - legitimate interest in IT security).
Voluntary Profile Information
After registration, you can voluntarily store additional information in your account in order to use the range of functions (e.g., calorie calculator):
- Username
- Weight, height, age
- Sleep duration, physical activity, activity level
- Health goal
We process this information to provide the functions you request (e.g., calculating nutritional values, calorie consumption) (Art. 6 (1) (b) GDPR).
The processing of health data stored in your profile and in the calorie calculator is carried out on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR and for the performance of the functions you have requested pursuant to Art. 6(1)(b) GDPR. You may withdraw this consent at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out prior to the withdrawal. Further information on withdrawal can be found in the section “Withdrawal of Your Consent to Data Processing”.
Note: The recommendations determined in the calorie calculator (e.g., calorie and nutrient goals) are based on an automated calculation, but do not constitute a legally relevant decision within the meaning of Art. 22 GDPR. The recommendations are for personal information only and have no legal effect.
Diary functions, database entries, and account links
Within our diary and tracking function, you can enter the following data:
- Notes
- Progress values (e.g., weight, hip circumference)
- Photos (e.g., progress photos or photos of meals)
- Information on food eaten and sporting activities
- Your own private database entries (e.g., individual foods, recipes, or exercise routines)
Account Linking: You can link your account with the account of one other person. To do this, you generate a linking key in your profile, which is only valid for a few minutes for security reasons. The link is established only when the other person enters this key in their account.
By linking accounts, you expressly agree that the other person may:
- view all your diary entries, progress data, photos, and private database entries,
- see your email address and your pseudonym as a linked account,
- add their own entries to your diary (only possible if the partner has an active Premium subscription).
The processing of this data is based on Art. 6(1)(b) GDPR (provision of the functionality you requested). Since this may involve health data, the disclosure is made only with your explicit consent in accordance with Art. 9(2)(a) GDPR. Further information on withdrawing your consent can be found in the section “Withdrawal of Your Consent to Data Processing.”
You can remove the account link at any time in your account settings. After removal, your data will no longer be visible to the other person, and they will no longer be able to create new entries in your diary.
If an existing account link is removed, any entries created exclusively by the linked person — and containing data belonging to their account — will be copied. This ensures that after the unlinking, all data entered by each account holder remains intact without impairing functionality.
Data processing upon conclusion of contract
We process personal data when you purchase a paid service or digital content (e.g., our premium membership). Processing is necessary to conclude and fulfill the contract with you (Art. 6 (1) (b) GDPR). Without the provision of this data, we cannot execute the contract.
The provision of the information marked as required is necessary for registration, contract execution, and billing; without this information, the use of the corresponding functions is not possible. Invoice data is retained for up to ten years for tax and commercial law reasons.
For correct international invoicing and tax calculation, we determine the user's country based on the IP address. The IP address is processed and stored exclusively for this purpose. It is not passed on to external services. The legal basis for this is Art. 6 (1) (c) GDPR (legal obligation to issue correct invoices).
To process the contract, we will pass on the required data to commissioned service providers, insofar as this is necessary for the fulfillment of the contract (e.g., hosting providers, payment service providers).
Premium Membership and Payment
Purchasing a Premium Membership enables additional functions, such as:
- Creating your own database entries (private)
- Adding diary entries (food/exercise/progress) for yourself and a linked account, if applicable
- Analysis of uploaded food photos with AI support (automatic calculation of nutritional values and entry in the diary)
As part of the purchase, we also collect the following data:
- Name
- Billing address
The purchase of a Premium Membership is based on a subscription model. This means that payments will be automatically debited regularly (e.g., monthly or annually, depending on the selected plan) using your chosen payment method until you cancel the subscription.
Payment is processed via the PayPal service (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg). Upon purchase of the Premium Membership, a recurring payment mandate (billing agreement) is created with PayPal. PayPal stores a unique mandate reference for this purpose in order to automatically process future payments.
The data processed may include, in particular:
- Name
- Email address
- Billing and delivery address
- Payment information (e.g., invoice amount, currency, transaction ID, mandate reference)
- If applicable, other data required for payment processing
The data transfer is based on Art. 6 (1) (b) GDPR, as it is necessary to fulfill the contract concluded with you. PayPal may conduct a credit check for certain payment methods (e.g., purchase on account). PayPal may transfer data to group companies and service providers outside the EEA. We would like to point out that in third countries such as the USA, the level of data protection may not be comparable to that in the EU, and access by authorities cannot be ruled out. Details at PayPal.
Where necessary, PayPal bases third-country transfers on appropriate safeguards, in particular standard contractual clauses (Art. 46 GDPR); details can be found in PayPal's privacy policy.
Further information on data processing by PayPal can be found in PayPal's privacy policy.
You can cancel your subscription at any time via the account settings on our service or via your PayPal account. After cancellation, no further payments will be collected.
Encrypted payment transactions on our website
Payment transactions via our website are also carried out exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the browser's address bar changing from "http://" to "https://" and by the lock symbol in your browser bar.
Thanks to SSL or TLS encryption, the data you transmit to us cannot be read by third parties.
Use of Artificial Intelligence (AI) / Use of OpenAI GPT-5
We use artificial intelligence (AI) exclusively to evaluate uploaded food photos and to determine the food they contain and its nutritional values. The analysis is carried out using the GPT-5 service (OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA) and serves exclusively to provide the function you requested (e.g., automatically entering meals into your diary).
- Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
- Type of processing: No automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR takes place; these are merely automated calculations (e.g., calorie and nutrient recommendations).
- No use for training purposes: Where contractually agreed (e.g. as part of our Data Processing Addendum), data transmitted to OpenAI will not be used to develop or train models for other customers.
- Note on image content: If possible, please do not upload photos in which people (e.g., faces) are recognizable. Before being transmitted to OpenAI, image files are cleaned of EXIF metadata (e.g., location/time) on the server side.
- Transfer to a third country: During use, data may be transferred to the USA. The level of data protection there may not be comparable to that in the EU; access by authorities cannot be ruled out. However, OpenAI provides a Data Processing Addendum (DPA) and standard contractual clauses (SCCs) pursuant to Art. 46 GDPR to ensure an adequate level of data protection.
- Role of OpenAI: OpenAI acts as our data processor (Art. 28 GDPR). Processing is carried out exclusively according to our instructions and only to provide the functionality you request. It is not used for our own purposes (e.g., marketing or training).
Further information can be found in the OpenAI Privacy Policy and in the OpenAI Data Processing Addendum.
Categories of personal data processed
| Category | Examples | Purpose of processing |
|---|---|---|
| Identification data | Email address, username | Account creation, login, communication |
| Authentication data | Password, 2FA token, login events | Access control and security |
| Health and fitness data | Weight, height, age, activity level, health goal, sleep duration, sport | Calorie and nutrient calculation, diary functions |
| Diary contents | Notes, photos, meals, sports activities, progress values | Documentation of nutrition and progress, evaluation of daily goals |
| Private database entries | Self-added foods and recipes | Personalization of the nutritional value calculation |
| Payment data | Name, billing address, PayPal transaction data | Invoicing, processing of premium memberships |
| Server and usage data | IP address, browser type, operating system, date/time of inquiry | IT security, misuse detection, website provision |
Use of data processors
We use various external service providers who process personal data on our behalf ("data processors" pursuant to Art. 28 GDPR). We have concluded corresponding data processing agreements (DPAs) with all data processors to ensure the protection of your data.
Our most important data processors are:
- Hosting providers - for providing the technical infrastructure and storing the data.
- Email providers - for sending system and notification emails.
- OpenAI, L.L.C. (USA) - for analyzing food photos with GPT-5 (including Data Processing Addendum and Standard Contractual Clauses; see section "Use of GPT-5 for Photo Analysis").
These service providers process personal data exclusively according to our instructions and only for the purposes stated in this Privacy Policy. Processing for the service providers' own purposes does not occur.
Use of OpenAI as a data processor
To provide the "Photo Analysis" function, we use the service provider OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA. We have concluded a Data Processing Addendum (DPA) including Standard Contractual Clauses (SCCs) with OpenAI to ensure an appropriate level of protection for the processing of your data (Art. 28, 46 GDPR).
Processing by OpenAI is carried out exclusively in accordance with our instructions and for the purpose of providing the functions you have requested (e.g., analysis of food photos and nutritional value calculation). OpenAI does not use the data for its own purposes, in particular for training or marketing purposes. Further information about data processing by OpenAI can be found in the OpenAI Privacy Policy and the Data Processing Addendum.
Social Media - Facebook, X (Twitter), Instagram
Facebook, X (Twitter), and Instagram are integrated into Kalorime via a link. Clicking on one of the links transmits reference data to the platform. The platform receives the information that the user originates from Kalorime. The online presences on these platforms are maintained to promote Kalorime and communicate with users. Therefore, GDPR Art. 6 (1) (f) provides the legal basis for the processing of personal data. If the user consents to the processing of data by the respective platform, GDPR Art. 6 (1) (a) provides the legal basis for the processing of personal data.
User data may be processed outside of Europe for market research or advertising purposes. Cookies are usually set by the respective platforms. In particular, the data is also processed if the user is not a member of the respective platform. The duration of data storage can be found in the platforms' privacy policies.
Kalorime does not have direct access to the data stored on the platforms. It is therefore advisable to contact the respective platforms when asserting user rights. The user has the right to object to the processing of data at any time.
Meta is primarily responsible for the collection of insights and usage data on our Facebook and Instagram pages. Data subjects' rights can be asserted against us or Meta. The essential contents of the agreement according to Art. 26 GDPR can be found here: Page Controller Addendum.
The privacy policies of the platforms:
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) https://www.facebook.com/about/privacy/
- Instagram (service of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) http://instagram.com/about/legal/privacy/
- X (Twitter) (X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) https://x.com/de/privacy
5. Newsletter
Newsletter Data
We use the double opt-in procedure: The newsletter will only be sent after you confirm your email address by clicking on the link contained in the confirmation email. We do not measure success (open and click rates).
If you would like to receive the newsletter offered on the website, we require an email address from you as well as information that allows us to verify that you are the owner of the specified email address and that you agree to receive the newsletter. Further data is not collected or is only collected on a voluntary basis. We use this data exclusively to send the requested information and do not pass it on to third parties.
The data entered into the newsletter registration form is processed exclusively on the basis of your consent (Art. 6 (1) (a) GDPR). You can revoke your consent to the storage of your data, your email address, and their use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The legality of any data processing already carried out remains unaffected by this revocation.
The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter. After you unsubscribe from the newsletter or if the purpose no longer applies, the data will be deleted from the newsletter distribution list. We reserve the right to delete or block email addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest pursuant to Art. 6 (1) (f) GDPR.
Data stored by us for other purposes remains unaffected.
After you unsubscribe from the newsletter distribution list, your email address may be stored on a blacklist by us or the newsletter service provider if this is necessary to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). Storage on the blacklist is not time-limited. You can object to the storage if your interests outweigh our legitimate interest.
6. Right to Change
This privacy policy may be changed at any time in compliance with legal provisions. You should therefore regularly check for the latest status.