Legal · California

Do Not Sell or Share My Personal Information.

Last updatedMay 11, 2026
EffectiveMay 11, 2026
Reading time~3 minutes
Version1.3

Required by California Consumer Privacy Act (CCPA) for California residents. The substance applies to all our users.

KaleWay does not sell your personal information.

Not in aggregate. Not anonymized. Not "for research." Not for advertising. Not now, and we have no plan to change this.

This page exists to declare that explicitly to California residents (as required by the California Consumer Privacy Act) and to anyone else who wants to know. The detail follows.

01What CCPA requires this page to say

Under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), businesses that meet certain thresholds must:

  • Tell California residents whether they sell or share personal information
  • Provide a "Do Not Sell or Share My Personal Information" link on the homepage
  • Explain the rights California residents have over their data
  • Describe how to exercise those rights

This page satisfies those requirements.

We are also subject to other state privacy laws (Washington's My Health My Data Act, Colorado's Privacy Act, Connecticut, Virginia, etc.). The substance of how we handle data is the same across states; the legal frameworks that give you enforceable rights differ. For Washington-specific rights related to consumer health data, see our Consumer Health Data Privacy Notice. For our overall data handling, see our Privacy Policy.

02We do not sell or share — explained

Under CCPA, "selling" personal information means exchanging it for monetary or other valuable consideration. "Sharing" means disclosing personal information for cross-context behavioral advertising — often called targeted advertising.

2.1 We do not sell personal information

We do not exchange your personal information for money. We do not exchange it for in-kind services (for example, "free analytics in exchange for your data"). We do not exchange it for any other valuable consideration.

This includes "anonymized" or "aggregated" data — we do not sell these either. The widely-publicized weakness of anonymization (researchers can frequently re-identify "anonymized" data) is a reason we choose not to play that game in the first place.

2.2 What we do not do, and what we do share for advertising measurement

What we do not do

  • We do not place Meta / Facebook tracking pixels on our marketing site (kaleway.com). The website is fully cookie-light — see our Cookies Policy.
  • We do not place Google Ads conversion tags, TikTok pixels, or LinkedIn Insight tags on the website.
  • We never sell your personal information for money or any other valuable consideration.
  • We never share your personal information with data brokers.
  • We never share your KaleAI conversations, mood logs, weight, HealthKit data, allergies, dietary restrictions, health conditions, or any other health or behavioral data with advertising platforms.
  • We never upload customer lists to advertising platforms for “lookalike” or seed-audience modeling.

What we DO share — and your right to opt out

Our iOS app sends a small, narrowly-scoped set of measurement events to two third-party measurement partners so we can attribute ad-driven installs and subscription starts to specific ad campaigns across Meta, TikTok, Apple Search Ads, Google, and other networks. The events sent are: app install, account creation, paywall reached (only for users who go on to purchase), free trial started, and subscription started.

(1) Meta Platforms, Inc. — direct path

KaleWay's iOS app sends the standard events directly to Meta via the Meta App Events SDK and Meta Conversions API. The fields sent are:

  • A SHA-256 hash of your email
  • A SHA-256 hash of your KaleWay user ID
  • Your IP address
  • The event name (e.g., “StartTrial”)
  • The purchase amount — subscription events only
  • Your IDFA (Apple advertising identifier) — only if you granted Apple's “Allow Tracking” prompt

(2) AppsFlyer Ltd. — Mobile Measurement Partner (added V1.0.2)

KaleWay also uses AppsFlyer as a Mobile Measurement Partner (MMP) — a service that receives the same standard events, attributes the install to whichever ad network drove the user (Meta, TikTok, Apple Search Ads, Google, or one of ~5,000 other partners), and forwards the attribution signal back to that ad network so they can credit their campaigns. The fields sent to AppsFlyer are:

  • AppsFlyer's own per-install device identifier (not Apple's IDFA)
  • Your KaleWay user ID (a UUID, not your email)
  • Your IP address
  • The event name (e.g., af_complete_registration, af_start_trial)
  • Event parameters such as paywall_variant or plan_type — non-personal, never health-related
  • Your device model and OS version
  • Your IDFA — only if you granted Apple's “Allow Tracking” prompt
  • For subscription events, the purchase amount and currency — forwarded server-to-server by RevenueCat to AppsFlyer, which then forwards to the relevant ad network

AppsFlyer is purely a measurement intermediary — it does not show ads itself.

Under California's privacy laws, the act of sending measurement events to Meta directly and to AppsFlyer (which onward-shares with Meta / TikTok / Google for attribution-modeling purposes) both qualify as “sharing” under CCPA / CPRA §1798.140(ah). We disclose this transparently and give you the right to opt out of both paths.

How we minimize what these partners do with the data

  • For Meta: California residents' events are sent with Meta's Limited Data Use (LDU) flag set, restricting Meta to aggregated, non-personalized measurement.
  • For AppsFlyer: California residents' events are processed under AppsFlyer's CCPA-aware default. For users who explicitly opt out via the email path below, we will additionally invoke AppsFlyer's setSharingFilterForAllPartners API to block all downstream sharing with ad-network partners from that point forward.
  • For EEA / UK users (separate from California): KaleWay applies AppsFlyer's “limited consent” mode by default (silent, no banner) — this blocks individual-level event data from being shared with Meta / TikTok / Google for personalization, while still allowing aggregated SKAdNetwork measurement to flow.

How to fully opt out (Do Not Share My Personal Information)

You can exercise your right to opt out of this sharing through either of the following paths. At V1.0.2 publication, the email path is the operational primary; the in-app sharing-filter toggle for AppsFlyer lands in a V1.x update post-launch.

  1. In-app (immediate, IDFA-only). Tap Ask App Not to Track on the Apple App Tracking Transparency prompt the first time you reach the paywall — this immediately stops your IDFA from being shared with Meta or AppsFlyer regardless of state.
  2. By email (primary at V1.0.2 launch for full opt-out). Send support@kaleway.com with the subject line “California Privacy Request — Do Not Share” and your registered email/account info. We will:
    • Respond and verify your identity within 15 days
    • Set Meta's Limited Data Use flag on all future events for your account
    • Invoke AppsFlyer's sharing-filter API to block all downstream sharing for your account
    • Stop sending your IDFA to either partner regardless of ATT status
    • Never disclose your event-level data outside the strictly limited measurement use described above

Opting out does not change any KaleWay feature — the app works fully without either partner receiving sharable data.

2.3 What we DO do with personal information

We collect and use personal information only as needed to provide the KaleWay service to you (described in detail in our Privacy Policy). The third-party service providers we use (Anthropic for AI processing, Supabase for database, RevenueCat for billing, Apple/Google for app stores) are described in our Privacy Policy and AI Privacy Notice.

These are service providers under CCPA — meaning they process data on our behalf according to a contract that prohibits using your data for their own purposes. They are not data sales.

03Categories we collect

For California residents, here are the categories of personal information we collect, as defined under CCPA:

  • Identifiers — your name, email address, IP address (for security), account identifier
  • Identifiers shared with Meta and AppsFlyer for advertising measurement (iOS app only):
    • Meta — SHA-256 hashed email, SHA-256 hashed user ID, IP address, IDFA (only when ATT granted), app event names, and purchase amounts on subscription events.
    • AppsFlyer — AppsFlyer device ID (per-install identifier, not Apple's IDFA), KaleWay user ID (UUID), IP address, IDFA (only when ATT granted), device + OS info, app event names, event parameters, and subscription purchase amounts (via RevenueCat's server-to-server forwarding).
    See Privacy Policy §5 for full disclosure and opt-out paths, and §2.2 above for your right to opt out of this sharing.
  • Customer records — your account information, subscription state
  • Commercial information — your subscription history (handled by Apple/Google)
  • Internet activity — limited app usage analytics for service improvement (no cross-site tracking)
  • Geolocation data — approximate location only (for example, time zone), not precise GPS
  • Sensory data — none (we do not collect audio or video)
  • Professional information — none
  • Education information — none
  • Inferences — caloric needs, BMI, behavioral patterns
  • Sensitive personal information (CPRA category) — health information you share with KaleWay (dietary restrictions, health conditions, weight, mental health context)

For details on each category — including sources, purposes, retention, and recipients — see our Privacy Policy.

04Your CCPA rights

If you are a California resident, you have the following rights with respect to your personal information:

4.1 Right to know

You can ask us:

  • What categories of personal information we have collected about you
  • What sources we collected it from
  • The purposes for which we use it
  • The categories of third parties with whom we share it (limited to service providers, as we don't sell or share for advertising)
  • The specific pieces of personal information we have collected about you

4.2 Right to delete

You can ask us to delete personal information we have collected from you, subject to certain exceptions (for example, information needed to complete a transaction, comply with law, detect fraud, or exercise free speech).

4.3 Right to correct

You can ask us to correct inaccurate personal information we have about you.

4.4 Right to opt out of sale or sharing

California residents have the right to opt out of the sale or sharing of their personal information. KaleWay does not sell your personal information. KaleWay does share narrowly-scoped measurement identifiers with Meta Platforms (directly) and AppsFlyer Ltd. (as a Mobile Measurement Partner that onward-forwards to Meta / TikTok / Google / Apple Search Ads / others) for ad attribution as described in §2.2. You can exercise your right to opt out of both paths simultaneously using either of the methods described in §2.2 (“How to fully opt out”) — the email path is the operational primary at V1.0.2 launch; the in-app sharing-filter toggle for AppsFlyer ships in a V1.x update.

We also honor any Global Privacy Control (GPC) signal your browser sends when you visit kaleway.com. If you want a GPC signal to extend to the iOS app's Meta and AppsFlyer events, please use the email opt-out above — in-app GPC parity will follow alongside the in-app sharing-filter toggle in V1.x.

4.5 Right to limit use of sensitive personal information

You can ask us to limit the use of your sensitive personal information (your health data) to only what is necessary to provide the KaleWay service. Because we already limit it to that, this right is essentially exercised by default. If we ever expand the use of sensitive personal information beyond service provision, we will provide an explicit opt-out.

4.6 Right to non-discrimination

We will not discriminate against you for exercising any CCPA right. We will not deny service, charge different prices, or reduce service quality because you exercised a right.

4.7 Right to access in a portable format

When you exercise your right to know, we will provide your personal information in a structured, commonly-used, machine-readable format where technically feasible.

05How to exercise your rights

To exercise any right described above:

Email
support@kaleway.com — subject "California Privacy Request"
Mail
Granviex, LLC · 4700 NW Boca Raton Blvd #202 · Boca Raton, FL 33431 · United States

In your request, please include:

  • Your name (so we can identify your account)
  • The email address associated with your KaleWay account
  • Which right you are exercising (know, delete, correct, opt-out, limit use, non-discrimination)
  • Specific information about what you are requesting

5.1 Verification

Before responding to a request, we may need to verify your identity. We do this so your data isn't released to someone else. Verification may involve confirming the email associated with your KaleWay account or asking you to confirm specific account details. We will explain what verification we need before proceeding.

5.2 Response time

We will acknowledge your request within 10 business days and substantively respond within 45 days of receiving it. For complex requests, we may extend the response time by up to an additional 45 days, with notice to you within the original window.

5.3 No new account required

You will not be required to create a new account to exercise your rights.

06Authorized agents

You may designate someone to submit a CCPA request on your behalf. To do so:

  • Provide written authorization from you to the agent
  • Include identification verification for the agent
  • We may contact you to confirm the authorization is genuine

07Non-discrimination

We will not discriminate against you for exercising your rights. Specifically, we will not:

  • Deny you goods or services
  • Charge you different prices or rates
  • Provide a different level or quality of service
  • Suggest that you will receive different prices or service quality for exercising rights

If we offer financial incentives related to data collection (we currently do not), we will disclose them, and they will be voluntary and reversible.

Recent updates

  • v1.3 — May 11, 2026. Extended the §2.2 Path A disclosure to cover AppsFlyer Ltd. as a Mobile Measurement Partner added in V1.0.2 alongside the existing Meta direct path. Disclosed AppsFlyer's downstream sharing with Meta / TikTok / Google / Apple Search Ads as “sharing” under CCPA, with the same opt-out paths (in-app ATT prompt + email request). Added AppsFlyer's setSharingFilterForAllPartners API as the technical mechanism that blocks all downstream sharing for opted-out California users (wiring lands in V1.x). Updated §3 categories and §4.4 right-to-opt-out wording to reflect dual-recipient sharing.
  • v1.2 — May 5, 2026. Replaced §2.2 absolute non-sharing statements with a scoped Path A disclosure under CCPA / CPRA §1798.140(ah): the iOS app's Meta Platforms advertising-measurement events are transparently classified as “sharing,” with Limited Data Use as the default for California residents and a dual opt-out path (email at V1 launch; in-app toggle in V1.x). Updated §3 categories to list the measurement identifiers shared with Meta. Updated §4.4 right-to-opt-out wording to acknowledge “sharing” applies and to point readers to the §2.2 opt-out paths. Cross-linked Privacy Policy §5.

08Contact

For questions about this notice or to exercise your rights:

Email
support@kaleway.com

Subject "California Privacy Request" if exercising a right.

Mailing address
Granviex, LLC
4700 NW Boca Raton Blvd #202
Boca Raton, FL 33431
United States

For appeals or complaints we have not resolved, you may also contact the California Office of the Attorney General at oag.ca.gov/privacy/ccpa.