Privacy Policy
Effective Date: March 27, 2026
Last Updated: March 27, 2026
1. Introduction and Scope
This Privacy Policy (the "Policy") describes how Kaltro, operated by Kareem Barhoumi ("Kaltro," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information and health-related data when you access or use the Kaltro mobile application (the "App"), our website, and any related services (collectively, the "Services").
Kaltro is an AI-assisted nutrition platform for iOS that enables you to log food intake through text, voice, photos, or barcodes; computes calories, macronutrients, and micronutrients; displays a daily tracker, personalized insights, meal planning, and an AI-powered nutritional coach. Kaltro is not a medical device and does not provide medical advice, diagnosis, or treatment.
By creating an account or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, you must not use the Services. We may update this Policy from time to time; material changes will be communicated through the App or by email before they take effect.
1.1 Applicability
This Policy applies globally to all users of Kaltro, regardless of location. Where local law grants you additional rights or imposes additional obligations on us, those provisions are addressed in the jurisdiction-specific sections of this Policy (Section 13). In the event of a conflict between the general provisions and a jurisdiction-specific section, the jurisdiction-specific section shall control for residents of that jurisdiction.
1.2 Not a Medical Service
Kaltro is designed for general wellness and nutritional awareness purposes only. The Services do not constitute medical advice, professional dietary counseling, or health care services as defined under any applicable law. Kaltro is not a covered entity or business associate under the Health Insurance Portability and Accountability Act ("HIPAA"). You should always consult a qualified health professional before making changes to your diet, supplement regimen, or health practices based on information provided through the Services.
2. Eligibility and Age Restrictions
The Services are intended for individuals who are at least thirteen (13) years of age. We do not knowingly collect personal information from children under 13. If you are under 13, you may not use the Services.
If you are between 13 and 16 years old and located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you must have verifiable parental or guardian consent before using the Services. If you are between 13 and 18 years old, we recommend that you review this Policy with a parent or guardian.
If we learn that we have collected personal information from a child under 13 (or under the applicable minimum age in your jurisdiction) without verifiable parental consent, we will take steps to delete that information as quickly as practicable. If you believe we have collected information from a child in violation of these restrictions, please contact us at team@kaltro.com.
3. Information We Collect
We collect information you provide directly, information generated through your use of the Services, and limited information from third-party sources. The categories below reflect data actually processed by the current version of the App.
3.1 Account and Identity Information
- Email address and password (hashed and stored by our authentication provider).
- Unique user identifier (UUID) assigned at account creation.
- Name (if provided).
- Waitlist email (collected before account creation if you join the waitlist).
3.2 Profile and Health-Related Information
During onboarding and through your profile settings, you may provide information that constitutes health-related data under certain jurisdictions. This includes:
- Biological sex, age or date of birth, height, and weight.
- Goal weight, body composition goals (e.g., lose fat, maintain, build muscle).
- Lifestyle activity level and training frequency/type.
- Dietary preferences, allergies, and food sensitivities (stored as structured data).
- Calculated or manually adjusted nutrition targets (calories, macros, TDEE).
- Unit system preference and timezone.
3.3 Food and Nutrition Logging Data
The core function of Kaltro is food logging. When you log meals, we collect and process:
- Food names, brands, serving sizes, and descriptions you enter.
- Macronutrient values (protein, carbohydrates, fat) and micronutrient values (vitamins, minerals, omega-3, etc.).
- Meal type (breakfast, lunch, dinner, snack, supplement) and timestamps.
- Logging method used (manual entry, barcode scan, photo AI, voice, multimodal).
- Barcode data scanned from product packaging.
- Photos of food captured or selected from your photo library, which may be transmitted to our servers for AI-powered nutritional analysis.
- Voice recordings captured for voice-based food logging, which are transmitted to our servers for transcription and nutritional parsing.
- AI confidence scores and source input data used for parsing accuracy.
- Subjective notes, feelings, or annotations you attach to a meal log.
- Daily aggregate logs including raw meal descriptions, parsed items, and totals.
3.4 Weight and Supplement Data
- Weight entries with dates and optional notes.
- Supplement names, dosing information, timing schedules, and daily taken/skipped logs.
3.5 Meal Planning, Recipes, and Grocery Data
- Meal plans and meal plan items generated or customized by you.
- Saved recipes and custom foods you create.
- Grocery list items, categorizations, and shopping preferences.
- Food preferences influencing meal recommendations.
3.6 AI Coach Interaction Data
The Coach feature provides AI-driven nutritional guidance through conversational chat. When you use the Coach, we collect:
- Full message text you send and the AI-generated responses.
- Conversation metadata (type, title, timestamps, pinned/archived status).
- Structured rich content and attachments within conversations.
- Documents and images you upload to Coach conversations, which may include lab reports, blood test results, nutritional labels, or other health-related documents. These are transmitted to our servers and processed by AI services.
- Voice recordings sent to Coach that are transcribed using AI transcription services.
- Context snapshots (a summary of your profile and recent data) sent alongside messages to personalize AI responses.
- Proactive AI-generated insight cards (titles, bodies, structured content, read/dismiss state).
- Token usage counts and AI model identifiers for operational and billing purposes.
3.7 Engagement and Gamification Data
- Logging streaks, streak history, and milestone achievements.
- Achievement unlock status and progress metrics.
3.8 Device and Technical Information
- Apple Push Notification service (APNs) device tokens for remote notifications.
- Device platform (iOS), app version, and operating system version.
- IP address (automatically collected by infrastructure providers during network requests).
- Local notification preferences (meal reminders, streak reminders, weekly check-in settings).
- App usage patterns and interaction data stored locally (e.g., tracker nutrient visibility toggles).
3.9 Operational and AI Usage Logs
To maintain service quality, debug issues, and manage costs, we maintain server-side logs that may include:
- API call logs tied to your user ID, including request type, timestamps, and response metadata.
- AI usage event records including event type, AI model and provider used, token counts, estimated processing costs, latency metrics, and associated metadata.
- Parsed payloads and model responses for debugging food-logging accuracy (retained in accordance with our retention schedule described in Section 8).
3.10 Information Processed On-Device
Certain features process data locally on your device without transmitting it to our servers, unless you choose to save the result:
- Nutrition label scanning: Apple Vision framework performs optical character recognition (OCR) on nutrition labels directly on your device. Only saved log entries are transmitted to our servers.
- Grocery voice input: Apple Speech Recognition framework processes spoken grocery items on-device. Apple's own privacy policies govern this processing.
- Cached food and meal images stored locally under the app's Caches directory.
- A bundled read-only grocery/food reference database (SQLite) used for offline search.
4. How We Use Your Information
We use your information for the purposes described below. For users in jurisdictions that require a legal basis for processing (such as the GDPR), the applicable legal basis is indicated in parentheses.
4.1 Providing and Operating the Services
- Authenticating your identity and managing your account. (Contract performance)
- Computing personalized nutrition targets based on your profile, goals, and logged data. (Contract performance)
- Displaying your daily tracker, macro/micronutrient progress, and meal timelines. (Contract performance)
- Processing food logs through AI parsing (text, photo, voice, barcode, multimodal) to resolve nutritional content. (Contract performance)
- Generating and delivering personalized Insights, body-system support analysis, trends, and opportunities. (Contract performance)
- Powering the AI Coach to provide conversational nutritional guidance based on your data. (Contract performance)
- Creating meal plans, recipe recommendations, and grocery lists. (Contract performance)
- Tracking streaks, achievements, and engagement milestones. (Contract performance)
- Sending local and remote push notifications (meal reminders, streak reminders, Coach conversation updates, export readiness, weekly summaries). (Consent / Contract performance)
4.2 Improving and Developing the Services
- Analyzing aggregated, de-identified usage patterns to improve features and user experience. (Legitimate interest)
- Monitoring AI parsing accuracy and refining models. (Legitimate interest)
- Debugging errors, resolving technical issues, and ensuring service reliability. (Legitimate interest)
4.3 Safety, Security, and Compliance
- Enforcing row-level security (RLS) so users only access their own data. (Legitimate interest / Legal obligation)
- Maintaining API and AI usage logs for rate limiting, cost control, abuse prevention, and auditability. (Legitimate interest)
- Complying with applicable laws, regulations, legal processes, or governmental requests. (Legal obligation)
- Protecting the rights, property, or safety of Kaltro, our users, or third parties. (Legitimate interest / Legal obligation)
4.4 Communications
- Sending transactional communications (account verification, password resets, security alerts). (Contract performance)
- Sending service-related announcements (maintenance, policy updates, feature launches). (Legitimate interest)
We do not sell your personal information. We do not use your data for behavioral advertising. We do not share your data with third-party advertisers.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your data only in the limited circumstances described below, and only to the extent necessary for the stated purpose.
5.1 Service Providers and Processors
We engage the following categories of third-party service providers who process data on our behalf under contractual obligations to protect your information:
| Provider / Category | Role | Data Accessed |
|---|---|---|
| Supabase, Inc. | Cloud infrastructure: authentication, PostgreSQL database, real-time subscriptions, edge functions, file storage. | All account data, food logs, profile data, coach conversations, images, and documents stored in our database and file storage. |
| OpenAI, Inc. | AI processing via API: food parsing (text, photo, voice, multimodal), Coach chat, meal plan generation, transcription, body-system analysis, insight generation, image generation. | Meal descriptions, photos, voice transcripts, Coach messages, profile context snapshots, aggregated nutrition data. Processed via API under OpenAI's enterprise/API data usage policies (not used for model training). |
| USDA FoodData Central | Nutritional database lookup for food search and nutrient detail retrieval. | Food search queries (text). No personal identifiers are transmitted. |
| Open Food Facts | Barcode-based product lookup for nutritional information. | Barcode numbers and app identifier (User-Agent). No personal identifiers are transmitted. |
| UPC Item DB | Supplementary barcode product lookup. | Barcode numbers only. No personal identifiers are transmitted. |
| Apple Inc. | Push notification delivery (APNs), on-device processing (Vision, Speech frameworks), photo library and camera access, App Store distribution. | Device push token, on-device sensor data processed locally. Apple's own privacy policies govern on-device framework processing. |
5.2 Legal Requirements
We may disclose your information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request.
- Enforce our Terms of Service or other agreements, including investigation of potential violations.
- Detect, prevent, or address fraud, security issues, or technical problems.
- Protect against harm to the rights, property, or safety of Kaltro, our users, or the public, as required or permitted by law.
5.3 Business Transfers
If Kaltro is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy. You will have the opportunity to opt out of such transfer where required by applicable law.
5.4 With Your Consent
We may share your information for purposes not described in this Policy if we obtain your explicit prior consent.
5.5 De-Identified or Aggregated Data
We may create, use, and share de-identified or aggregated data derived from your information for any lawful purpose, including analytics, research, and service improvement. De-identified data cannot reasonably be used to identify you.
6. Data Storage, Security, and International Transfers
6.1 Infrastructure and Storage
Your data is stored in cloud infrastructure provided by Supabase and its underlying cloud providers. AI processing occurs through API calls to OpenAI and other service providers. Data may be stored and processed in the United States or other countries where our service providers maintain facilities.
6.2 Security Measures
We implement technical and organizational measures designed to protect your personal information, including:
- Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption.
- Authentication security: Passwords are hashed before storage. Session tokens and access tokens are managed securely on-device.
- Row-Level Security (RLS): Database-level enforcement ensures that each user can only access their own data.
- Access controls: API calls to our backend use Bearer JWT authentication tied to your user session.
- Data isolation: Local device caches (images, notification settings, UI preferences) are cleared upon sign-out.
- Deep link security: Password reset tokens and export links are time-limited and single-use.
While we employ commercially reasonable safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
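The row-level security referred to in Sections 4.3 and 6.2 is enforced in PostgreSQL itself, not in application code. The following is an added illustration of how such a policy set is typically written for a Supabase-hosted database; it is not Kaltro's own schema or policy text, and the table and column names (public.food_logs, user_id) are assumptions. It also shows the two checks a reviewer looks for: that RLS is actually enabled on the table (policies are silently ignored otherwise), and that INSERT and UPDATE carry a WITH CHECK clause so a client cannot write rows under another user's ID.

```sql
-- Added example, not Kaltro's own schema or policies. Table and column
-- names are assumed; auth.uid() is Supabase's helper that returns the
-- "sub" claim of the caller's JWT (the authenticated user's UUID).

create table if not exists public.food_logs (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),
  logged_at   timestamptz not null default now(),
  description text not null
);

-- Without this statement every policy below is ignored and any role with
-- table grants (including "authenticated") can read and write every row.
alter table public.food_logs enable row level security;
-- Also apply policies to the table owner (defence against privileged bugs).
alter table public.food_logs force row level security;

-- SELECT: a user sees only rows whose user_id equals their JWT subject.
-- Wrapping auth.uid() in a sub-select lets Postgres evaluate it once per
-- query instead of once per row.
create policy "food_logs_select_own" on public.food_logs
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- INSERT: USING does not apply to inserts. WITH CHECK is what rejects a
-- request whose body carries someone else's user_id.
create policy "food_logs_insert_own" on public.food_logs
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

-- UPDATE: USING limits which rows may be targeted; WITH CHECK stops the
-- row from being re-assigned to another user_id in the same statement.
create policy "food_logs_update_own" on public.food_logs
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "food_logs_delete_own" on public.food_logs
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Verification from a SQL editor: impersonate one user inside a transaction
-- by setting the claims auth.uid() reads, then confirm other users' rows
-- are invisible. Rolled back so nothing changes.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
  select count(*) from public.food_logs;           -- only this user's rows
  insert into public.food_logs (user_id, description)
    values ('22222222-2222-2222-2222-222222222222', 'x');  -- rejected by WITH CHECK
rollback;
```

Two operational caveats follow from this design. The Supabase key embedded in a mobile client is not a secret; RLS is the actual access boundary, so every user-data table needs the enable statement and a policy for each verb it exposes. Conversely, server-side code that uses the service-role key bypasses RLS entirely, so that key belongs only in trusted server functions (for example the account-deletion function described in Section 9) and never in the App.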
6.3 International Data Transfers
If you are located outside the United States, your information will be transferred to and processed in the United States and potentially other countries. For transfers of personal data from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with our service providers that include appropriate safeguards.
- Your explicit consent to the transfer as provided when you create your account.
By using the Services, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions that may have different data protection laws than your jurisdiction of residence.
7. Device Permissions
Kaltro requests the following device permissions, each of which is optional and may be denied without affecting unrelated features:
| Permission | Purpose | When Requested |
|---|---|---|
| Camera | Capture meal photos for AI nutritional analysis; scan food barcodes; scan nutrition labels. | When you initiate photo-based or barcode-based food logging. |
| Photo Library | Select existing meal photos for logging; attach images to Coach conversations. | When you choose to log a meal from an existing photo or attach an image. |
| Microphone | Record voice-based food logs; record voice notes for Coach conversations. | When you initiate voice-based logging or Coach voice input. |
| Speech Recognition | Transcribe spoken grocery items using on-device Apple Speech Recognition. | When you use voice input in the grocery list feature. |
| Notifications | Deliver meal reminders, streak updates, Coach conversation updates, weekly summaries, and system announcements. | During onboarding or when you enable notifications in settings. |
You may revoke any permission at any time through your device's Settings. Revoking a permission will disable the corresponding feature but will not affect data previously collected with that permission.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Services, and thereafter for the periods described below.
| Data Category | Retention Period |
|---|---|
| Account data (email, UUID, profile) | Retained while your account is active. Deleted upon verified account deletion request, subject to the deletion process described in Section 9. |
| Food logs, daily logs, weight history | Retained while your account is active. Deleted upon account deletion. |
| Coach conversations, messages, and attachments | Retained while your account is active. Individual messages are immutable (not editable by users) for integrity purposes. Deleted upon account deletion. |
| Supplement logs and tracking data | Retained while your account is active. Deleted upon account deletion. |
| Meal plans, recipes, grocery lists | Retained while your account is active. Deleted upon account deletion. |
| Photos and uploaded documents | Retained in cloud storage while your account is active. Deleted upon account deletion. |
| Streaks and achievements | Retained while your account is active. Deleted upon account deletion. |
| API and AI usage logs | Retained for up to 90 days for operational purposes (debugging, abuse prevention, cost management). Anonymized or deleted thereafter. May be retained longer if required by law. |
| Device push tokens | Retained while active. Deactivated upon sign-out and deleted upon account deletion. |
| Local device data (caches, preferences) | Cleared automatically upon sign-out from the App. Not retained on our servers. |
We may retain certain information beyond the above periods where required by law (e.g., tax, legal, or regulatory obligations), to resolve disputes, enforce agreements, or where legitimate business interests justify retention (e.g., fraud prevention). When retained for legal reasons, data will be restricted from active processing and securely stored until deletion is permissible.
9. Your Rights and Choices
Depending on your location, you may have some or all of the following rights regarding your personal information. We honor these rights for all users regardless of jurisdiction where operationally feasible.
9.1 Universal Rights (Available to All Users)
- Access and Export: You may export a copy of your personal data at any time through Profile > Export Data in the App. The export generates a JSON file on your device containing your profile, food logs, weight history, supplement data, meal plans, grocery lists, recipes, Coach data, and achievements. While the export is assembled on your device, the underlying data is retrieved from our servers.
- Rectification: You may correct or update your profile information, food logs, and other data through the App at any time.
- Deletion: You may delete your account through Profile > Delete Account. Upon confirmed deletion, we will delete or anonymize your personal information from our active systems, including your authentication record, database records, and stored files. Deletion is processed via a server-side function that removes your data across our infrastructure. Please allow up to thirty (30) days for deletion from our active systems. Residual copies may persist in archived backups for up to 90 additional days before being permanently purged.
- Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
- Notification Preferences: You may manage or disable notifications through the App settings or your device settings at any time.
9.2 Additional Rights Under Specific Laws
If you are located in a jurisdiction that provides additional privacy rights, please see Section 13 for rights specific to your jurisdiction, including but not limited to the right to data portability, the right to restrict processing, the right to object to processing, the right to opt out of sale or sharing, and the right to lodge a complaint with a supervisory authority.
9.3 Exercising Your Rights
You may exercise your rights through the in-app controls described above or by contacting us at team@kaltro.com. We will respond to your request within the timeframe required by applicable law (generally 30 days under GDPR or 45 days under CCPA/CPRA). We may verify your identity before fulfilling your request. We will not discriminate against you for exercising any of your privacy rights.
10. Cookies and Tracking Technologies
The Kaltro mobile application does not use cookies, pixels, web beacons, or browser-based tracking technologies. We do not engage in cross-app tracking or behavioral advertising. We do not participate in ad networks or share data with advertising platforms.
If we operate a website in the future that uses cookies or similar technologies, this Policy will be updated accordingly, and you will be provided with appropriate notice and consent mechanisms.
11. Third-Party Links and Services
The Services may contain links to third-party websites, services, or content that are not operated or controlled by Kaltro. This Policy does not apply to any third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices or content of third-party services.
12. AI-Specific Disclosures
Kaltro relies extensively on artificial intelligence to provide its core functionality. This section provides transparency about how AI processes your data.
12.1 AI Processing Activities
- Food Parsing: Text descriptions, photos, voice recordings, and barcode data you provide are sent to our AI processing pipeline (powered by OpenAI models via API) to identify foods and estimate nutritional content. Your input data is used solely for your request and is not used to train third-party AI models.
- Coach Conversations: Messages, attachments, and context snapshots are processed by AI to generate personalized responses. The AI has access to a summary of your profile, recent nutrition data, and the conversation history. It does not have access to other users' data.
- Transcription: Voice recordings are transcribed using AI speech-to-text services (via our backend edge function). The audio is processed for transcription only and is not retained by the transcription provider beyond the limited period described in Section 12.2.
- Meal Plans and Images: AI generates meal plan suggestions and meal images based on your preferences, goals, and dietary data.
- Body-System Analysis and Insights: Aggregated nutrition scores, nutrient breakdowns, and a limited profile snippet (sex, age, goal) are sent to AI for analysis. Results are cached for performance.
- Proactive Insights and Weekly Summaries: AI periodically generates insight cards and summaries based on your logged data.
12.2 AI Data Handling
All AI processing is performed via API calls to our service providers. Under our contractual arrangements with OpenAI (our primary AI provider): (a) your data submitted via API is not used to train or improve OpenAI's models; (b) data is retained by the provider only as long as needed to process your request and for a limited period for trust and safety monitoring, in accordance with the provider's API data usage policies; and (c) your data is not shared with other API customers.
12.3 Limitations of AI
AI-generated nutritional estimates, insights, Coach responses, and meal plans are approximations and may contain inaccuracies. Kaltro provides confidence scores where applicable but does not guarantee the accuracy of AI outputs. AI-generated content should not be relied upon as medical advice. The Coach is not a licensed dietitian, nutritionist, or health care provider.
13. Jurisdiction-Specific Provisions
The following provisions supplement the general sections of this Policy and apply to residents of the specified jurisdictions. In the event of a conflict, these provisions control for the applicable jurisdiction.
13.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)
Data Controller
Kareem Barhoumi, operating as Kaltro, is the data controller for personal data processed through the Services. Contact: team@kaltro.com.
Legal Bases for Processing
We process your personal data based on the following legal bases:
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Services you have requested, including account management, food logging, insights, Coach, and meal planning.
- Consent (Article 6(1)(a) and Article 9(2)(a)): Where required for health-related data (a "special category" under GDPR), we rely on your explicit consent provided during onboarding and when you voluntarily submit health-related information. You may withdraw consent at any time.
- Legitimate interests (Article 6(1)(f)): Service improvement, security, fraud prevention, and operational analytics, balanced against your fundamental rights.
- Legal obligation (Article 6(1)(c)): Compliance with applicable laws and regulations.
Special Category Data
Certain data you provide (biological sex, weight, dietary restrictions due to health conditions, supplement intake, allergy data, and any health documents uploaded to Coach) may constitute "special category data" under Article 9 of the GDPR. We process this data based on your explicit consent provided when you submit such information through the App. You are never required to provide special category data to use the basic features of the Services.
Your GDPR Rights
In addition to the universal rights described in Section 9, you have the right to:
- Data portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON via the in-app export function).
- Restriction of processing: Request that we restrict processing of your personal data under certain circumstances (e.g., while we verify accuracy of disputed data).
- Object to processing: Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Automated decision-making: Kaltro does not make decisions with legal or similarly significant effects based solely on automated processing. AI-generated insights and recommendations are informational and advisory only.
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
International Transfers
Your data is transferred to the United States for processing. We rely on Standard Contractual Clauses (SCCs) and/or your explicit consent as the legal mechanism for such transfers. You may request a copy of the applicable SCCs by contacting us.
13.2 California, United States (CCPA / CPRA)
This section applies to California residents and supplements the information provided in this Policy with disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").
Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following CCPA categories:
| CCPA Category | Examples from Kaltro |
|---|---|
| A. Identifiers | Name, email address, unique user ID, device token, IP address. |
| B. Personal information per Cal. Civ. Code 1798.80(e) | Name, email address. |
| D. Commercial information | Subscription or purchase history (if applicable). |
| F. Internet or electronic network activity | API logs, AI usage events, app interaction data. |
| G. Geolocation data | Approximate location inferred from IP address only. |
| H. Sensory data | Photos of food, voice recordings for food logging and Coach. |
| I. Professional or employment information | Not collected. |
| K. Inferences | Nutrition scores, body-system support analysis, TDEE estimates, AI-generated insights derived from your data. |
| Sensitive Personal Information | Health-related data (weight, dietary restrictions, allergies, supplement intake, body metrics, health documents uploaded to Coach). |
Sale and Sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. As such, we do not offer an opt-out of sale or sharing, because no such activity occurs.
Sensitive Personal Information
We collect and use sensitive personal information (health-related data) solely for the purpose of providing the Services you have requested. We do not use or disclose sensitive personal information for purposes beyond those permitted under CCPA Section 1798.121. You have the right to limit the use and disclosure of your sensitive personal information.
Your CCPA Rights
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes, and the categories of third parties with whom we share your information.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., completing transactions, security, legal obligations).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: You may direct us to limit use of your sensitive personal information to providing the Services.
- Non-Discrimination: We will not discriminate against you for exercising any CCPA right.
To exercise your rights, use the in-app controls or email team@kaltro.com. We will verify your identity through your authenticated account session or by matching information you provide to information we have on file. We will respond within 45 calendar days (extendable by 45 additional days with notice).
Financial Incentives
We do not offer financial incentives for the collection, sale, retention, or deletion of personal information.
13.3 Other U.S. States
Washington State (My Health My Data Act)
If you are a Washington State consumer, the Washington My Health My Data Act ("MHMDA") provides you with additional rights over your "consumer health data," which may include nutritional data, body metrics, supplement intake, weight data, and any health-related documents you provide. Under MHMDA:
- We collect consumer health data only with your consent or as necessary to provide the Services you have requested.
- We do not sell consumer health data.
- You have the right to request deletion of your consumer health data, including from archives and backups, within 30 days of a verified request.
- We maintain this consumer health data privacy policy to disclose the categories of health data collected, purposes of collection, categories of third parties with whom data is shared, and how you may exercise your rights.
Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and Other States
If you reside in a U.S. state with a comprehensive consumer privacy law, you generally have rights to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of targeted advertising (which we do not engage in), profiling, and sale of personal data (which we do not conduct). To exercise these rights, contact us at team@kaltro.com. If we deny your request, you may appeal by contacting us, and we will respond within the timeframe required by your state's law.
13.4 Brazil (LGPD)
If you are located in Brazil, your personal data is processed in accordance with the Lei Geral de Proteção de Dados (LGPD). You have rights to confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, revocation of consent, and the right to petition the ANPD (National Data Protection Authority). We process health-related data based on your explicit consent.
13.5 Gulf Cooperation Council (GCC) and Middle East
If you are located in the United Arab Emirates, Saudi Arabia, Bahrain, Qatar, Kuwait, Oman, or another GCC state, we process your data in compliance with applicable local data protection laws, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, the Saudi Arabia Personal Data Protection Law (PDPL), and the Bahrain Personal Data Protection Law. You have rights to access, correct, and request deletion of your personal data. Health-related data is processed based on your explicit consent. By using the Services, you consent to the transfer of your data outside the GCC to the locations described in Section 6.
13.6 Other Jurisdictions
If you reside in a jurisdiction not specifically addressed above (including but not limited to Canada under PIPEDA, Australia under the Privacy Act, Singapore under PDPA, or South Africa under POPIA), we will comply with applicable local privacy laws. Where local law provides you with additional rights beyond those described in this Policy, we will honor those rights. Contact us at team@kaltro.com to exercise any rights provided by your local law.
14. Health Breach Notification
Kaltro is subject to the U.S. Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318), as amended in 2024. In the event of a breach of security involving your unsecured personally identifiable health information, we will:
- Notify you without unreasonable delay and no later than 60 calendar days after discovery of the breach, via email and/or in-app notification.
- Provide clear and conspicuous notice describing the nature of the breach, the types of health information involved, the identity of any third parties that acquired your data as a result, and steps you can take to protect yourself.
- Notify the Federal Trade Commission as required (concurrently for breaches affecting 500 or more individuals; annually for smaller breaches).
- Notify prominent media outlets if the breach affects 500 or more residents of a single state or jurisdiction, as required by the Rule.
We also comply with all applicable state breach notification laws, including but not limited to the California Civil Code Section 1798.82, which may require additional or earlier notification.
15. Disclaimers and Limitations of Liability
15.1 Not Medical Advice
THE SERVICES ARE PROVIDED FOR GENERAL WELLNESS AND NUTRITIONAL AWARENESS PURPOSES ONLY AND DO NOT CONSTITUTE MEDICAL ADVICE, DIAGNOSIS, OR TREATMENT. Kaltro is not a health care provider, and the information and AI-generated content provided through the Services (including but not limited to nutritional estimates, Coach responses, body-system analyses, insights, and meal plans) should not be used as a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician, registered dietitian, or other qualified health provider with any questions you may have regarding a medical condition, dietary changes, or supplement use.
15.2 Accuracy of AI Outputs
AI-generated nutritional estimates, insights, and recommendations are approximations based on the information you provide and publicly available nutritional data. These outputs may contain errors, omissions, or inaccuracies. Kaltro does not warrant the accuracy, completeness, or reliability of any AI-generated content. You acknowledge and agree that you use AI-generated information at your own risk.
15.3 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KALTRO AND ITS OPERATOR, KAREEM BARHOUMI, SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, RESULTING FROM (A) YOUR ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SERVICES; (B) ANY CONDUCT OR CONTENT OF ANY THIRD PARTY ON THE SERVICES; (C) ANY CONTENT OBTAINED FROM THE SERVICES, INCLUDING AI-GENERATED CONTENT; (D) UNAUTHORIZED ACCESS, USE, OR ALTERATION OF YOUR DATA; OR (E) ANY HEALTH-RELATED DECISIONS YOU MAKE BASED ON INFORMATION PROVIDED THROUGH THE SERVICES. THIS LIMITATION APPLIES WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER BASIS, EVEN IF KALTRO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15.4 Indemnification
You agree to indemnify, defend, and hold harmless Kaltro and Kareem Barhoumi from and against any claims, damages, obligations, losses, liabilities, costs or debt, and expenses (including but not limited to attorney's fees) arising from: (a) your use of and access to the Services; (b) your violation of any term of this Policy or our Terms of Service; (c) your violation of any third-party right, including any privacy, intellectual property, or other proprietary right; or (d) any claim that your use of the Services caused damage to a third party.
16. Dispute Resolution and Governing Law
This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law principles, except where superseded by mandatory local law (such as GDPR for EEA residents).
Any dispute arising out of or relating to this Policy that cannot be resolved through good-faith negotiation shall be resolved through binding arbitration administered in accordance with the rules of the American Arbitration Association. The arbitration shall take place in Delaware, United States, or remotely at the mutual agreement of the parties. You agree that any dispute resolution proceedings will be conducted on an individual basis and not in a class, consolidated, or representative action. Nothing in this section shall prevent either party from seeking injunctive relief in a court of competent jurisdiction.
For users in the European Economic Area, this arbitration clause does not affect your right to bring proceedings before a competent court in your country of residence or to lodge a complaint with a supervisory authority.
17. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Services, legal requirements, or for other operational reasons. When we make material changes, we will:
- Provide notice through the App (e.g., a prominent in-app banner or push notification).
- Send an email notification to the address associated with your account.
- Update the "Last Updated" date at the top of this Policy.
- Where required by law, obtain your consent before the changes take effect.
Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with the revised Policy, you must stop using the Services and delete your account.
18. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Kaltro
Operated by Kareem Barhoumi
Email: team@kaltro.com
For GDPR-related inquiries, you may also address your request to our data protection contact at the email above. We will respond to all legitimate requests within 30 days (or as otherwise required by applicable law) and will inform you if we need additional time.
This Privacy Policy was last reviewed and updated on March 27, 2026. It is designed to comply with the General Data Protection Regulation (EU) 2016/679, the UK General Data Protection Regulation, the California Consumer Privacy Act (as amended by CPRA), the Federal Trade Commission Health Breach Notification Rule, the Washington My Health My Data Act, the Children's Online Privacy Protection Act, and other applicable privacy laws worldwide.