CalZA ("we", "our", "us") is owned and operated by Clear Signal Group (Pty) Ltd, a company registered in Johannesburg, South Africa. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the CalZA mobile application (the "App") and any related services.
By creating an account or using CalZA, you consent to the practices described below. If you do not agree, please do not use the App.
This policy is designed to comply with the South African Protection of Personal Information Act, 2013 (POPIA), the Google Play Data Safety requirements, the Apple App Store privacy requirements, and applicable international data-protection standards.
Clear Signal Group (Pty) Ltd
Johannesburg, South Africa
Information Officer: calza@clearsignalgroup.org
Account information
- Email address and display name (username)
- Password — stored only as a one-way bcrypt hash. We never see or store your plaintext password.
- Login session tokens (JWT) used to keep you signed in securely
Health and nutrition data
- Sex, age, height, weight, activity level, fitness goals, dietary preferences, and restrictions
- Food logs, meals, recipes, calorie intake, macro/micronutrient totals, water consumption, weight history, fasting schedules
- Streak counts, daily goals, and progress milestones
Photos and voice recordings
- Food photos you submit to the AI scanner — sent to OpenAI in real time and not retained on our servers. A copy may be cached on your device for your food-log thumbnails.
- Voice clips you record to log a meal — sent to OpenAI Whisper for transcription, then discarded. The transcribed text becomes part of your food log.
Subscription and purchase data
- Subscription tier (Pro Monthly/Annual, Ultimate Monthly/Annual), trial status, renewal date, entitlement state
- Purchase history — handled entirely by Apple App Store or Google Play. We never receive or store your card number or banking details.
Technical and device data
- Device type, model, operating system version, app version, and language
- Anonymous crash logs and performance diagnostics
- Expo push notification token — only if you enable push notifications
What we do NOT collect
- Your contacts, calendar, SMS messages, or call logs
- Your precise GPS location
- Your advertising ID, IDFA, or any cross-app tracking identifier
- Your payment card details, banking information, or financial accounts
We process your data only for the purposes listed below:
- To calculate personalised calorie and macronutrient targets
- To identify food items via AI image scanning, voice transcription, and barcode lookup
- To track your daily nutrition, streaks, weight history, and progress
- To generate weekly reports and AI nutrition insights
- To send local push notifications for meal reminders and streak alerts (only if you enable them)
- To send transactional emails such as password-reset codes
- To manage your subscription, trial period, and entitlements via Apple or Google's billing systems
- To diagnose crashes and improve app stability
- To improve the South African food database and AI recognition accuracy
- To comply with legal and regulatory obligations
What we will never do
- Sell, rent, or trade your personal information to anyone
- Use your data for third-party advertising or behavioural profiling
- Share your food logs, weight, or health data with insurance companies, employers, or marketers
We share limited data with the following service providers strictly to operate the App. Each provider is contractually bound to handle your data in accordance with applicable data-protection laws.
Several of our service providers — OpenAI, RevenueCat, Resend, Sentry, and Expo — are based in the United States. By using CalZA, you consent to your data being processed in those jurisdictions.
We ensure all such transfers are protected by contractual safeguards (Standard Contractual Clauses or equivalent) consistent with Section 72 of POPIA, which requires that the recipient be subject to law or binding agreements providing an adequate level of protection.
Active accounts
Data is retained for as long as your account remains active and for as long as it is needed to provide the service.
Account deletion
When you request account deletion, your account is immediately marked for deletion. All personal data is permanently removed from our active systems within 30 days. You may cancel the deletion by signing in again before the 30-day grace period ends.
Photos and voice clips
Processed in memory only. Never written to our server's disk. A device-side copy of food photos may persist as a thumbnail in your local food log; deleting the App removes it.
Backups
Encrypted database backups may persist for up to 90 days before being overwritten on rotation.
Anonymised analytics
Aggregate, non-identifying statistics (such as "X scans were performed today") may be retained indefinitely for service improvement.
You have the right to:
- Access — request a copy of the personal information we hold about you
- Rectification — correct inaccurate or incomplete personal data. Most fields can be updated directly in Profile and Settings.
- Deletion — delete your account and personal data at any time (see "Account Deletion" below)
- Object — object to processing for direct marketing or other specific purposes
- Withdraw consent — at any time, where consent is the basis for processing
- Data portability — request an export of your data in a structured, commonly used format
- Lodge a complaint with the Information Regulator of South Africa: inforegulator.org.za · enquiries@inforegulator.org.za
To exercise any of these rights, email calza@clearsignalgroup.org. We will respond within a reasonable timeframe in line with POPIA requirements.
You can delete your account and all associated personal data using any of these methods:
In-app
Open CalZA → Settings → Delete Account. Confirm with your password. Deletion takes effect immediately and cannot be undone after the 30-day grace window.
Web
Visit cal-za-nutrition.replit.app/account-deletion and follow the on-page instructions.
Email
Send a request to calza@clearsignalgroup.org with the subject "Data Deletion Request".
On receipt of a verified deletion request, your personal data will be permanently removed from our active systems within 30 days. You will receive an email confirmation once deletion is complete. Anonymised aggregate statistics may persist as outlined in the Data Retention section.
We follow a local-first approach: your food logs, health data, and preferences are stored on your device using secure local storage. Only data needed for cross-device sync is uploaded to our servers.
We implement appropriate technical and organisational safeguards, including:
- Password hashing using bcrypt (industry-standard)
- All data in transit encrypted via HTTPS / TLS
- JWT-based authentication with rate-limiting on login attempts
- Server hardening via Helmet.js, input sanitisation, and strict body-size limits
- Restricted employee access on a strict need-to-know basis
- Continuous crash and error monitoring via Sentry
- Regular review of third-party processor agreements
While we take security seriously, no system is 100% secure. We encourage you to use a strong, unique password and to keep your login credentials confidential.
CalZA requests only the device permissions strictly necessary for features you actively use:
Camera
To photograph food and barcodes for AI scanning. You can deny this and still use manual entry.
Photo Library
To upload existing food photos from your gallery. Optional.
Microphone
To record voice clips of meals for transcription. Recordings are sent to OpenAI Whisper and discarded after transcription. Optional.
Notifications
To send local meal reminders and streak alerts. Off by default — enable in Settings.
You can revoke any permission at any time through your device's system settings. Doing so will only disable the corresponding feature.
CalZA is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.
Users between 13 and 18 should use the App only with the involvement of a parent or legal guardian. Parents who believe their child has provided personal information without consent may contact us at calza@clearsignalgroup.org and we will delete the data immediately.
Calorie restriction can be harmful for developing bodies. CalZA is designed for general adult use and should not be used as a substitute for medical advice. If you have an eating disorder or are at risk, please consult a registered dietitian or mental-health professional.
CalZA provides general nutrition tracking and information. It is not a medical device and does not provide medical advice, diagnosis, or treatment. AI-generated nutrition estimates may be inaccurate. Always consult a qualified healthcare professional before making significant dietary, exercise, or health decisions, especially if you are pregnant, nursing, taking medication, or managing a medical condition.
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top of this page
- Notify you in-app for material changes
- Continue to comply with POPIA and any other applicable laws
Your continued use of the App after a policy update constitutes acceptance of the revised policy.
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
Company
Clear Signal Group (Pty) Ltd
Johannesburg, South Africa