Privacy Policy.

01Who we are

KaleWay is a mindful weight loss app built around an AI companion called KaleAI. The app is operated by Granviex, LLC, a Florida limited liability company doing business as "KaleWay" (referred to in this Policy as "KaleWay," "we," "us," or "our"). When this Policy refers to "you" or "your," it means the person using KaleWay.

If you have questions about this Policy, you can reach us at support@kaleway.com.

02What this Policy covers

This Policy describes how we collect, use, store, share, and protect your personal information when you:

• Download, install, or use the KaleWay mobile app on iOS or Android
• Visit kaleway.com or any related KaleWay website
• Communicate with us by email
• Interact with us in any other way (for example, replying to a survey)

This Policy covers all of these uses except where another notice applies. In particular:

• AI-specific processing is described in our AI Privacy Notice.
• Health data subject to Washington state law is described in our Consumer Health Data Privacy Notice.
• Cookies and similar technologies are described in our Cookie Policy.

When the same topic is mentioned in this Policy and in one of those notices, the more specific notice controls.

03The information we collect

We organize the information we collect into seven categories.

3.1 — Information you give us directly

Account information: your email address, password (stored as a hashed value — we cannot read it), and your first name. If you sign up using Apple, we receive an anonymous identifier from Apple and (if you choose to share it) your email.

Profile information: your age, gender, height, current weight, goal weight, activity level, and the state or region you live in. (See Section 3.2 for how your country is initially detected.)

Food allergies (medical, sensitive): the FDA Big-9 allergens you select (milk, eggs, fish, shellfish, tree nuts, peanuts, wheat, soy, sesame) plus up to 3 free-text “Other” entries (max 30 characters each). We treat allergies as zero-tolerance medical constraints in your meal plans and in every KaleAI conversation.

Cuisine preferences: up to 10 cuisines you select (American, Italian, Mexican, Asian, Mediterranean, Japanese, Indian, French, Middle Eastern, Brazilian) or “Surprise me”. Used to personalize meal plan generation.

Health context: dietary restrictions and preferences (for example, vegetarian, gluten-free, dairy-free), health conditions you choose to share with us through the app's profile (for example, pregnancy, breastfeeding, menopause, polycystic ovary syndrome (PCOS), thyroid conditions), and other context you provide that affects your meal plan.

My Why List: the personal motivations you write down or that KaleAI suggests and you accept. We treat these as the most sensitive emotional content in your account and reference them only in motivational moments (the Help Me Now flow, paywall recap, occasional reminders).

Trap Cards content: behavioral coping cards generated either by KaleAI or by you. Each card has a category, situation, sabotaging thought, response, and action.

Conversations with KaleAI: the messages you send to KaleAI and the responses she provides. We treat these conversations as private to your account.

Mood logs (sensitive emotional data): optional one-tap mood entries (e.g., “great”, “okay”, “hard”) tied to a date. Used to surface patterns and trigger empathy in KaleAI.

Behavior Wins: pillar-tagged events when you log a workout, mark a meal as eaten, log your weight, and similar in-app actions. Used to power the streak counter.

Meal status logs: per-meal-type, per-date markers (“eaten”, “skipped”, “pending”) for your generated meal plan.

Mind Moments completion: date-stamped tracking of which Mind Moments you've completed (so we don't repeat them).

Off-plan food diary entries: when you log food outside the meal plan via KaleAI's log_food tool, we save the description, calories, macros, source (“fatsecret_grounded” or “ai_estimate”), confidence, and date.

Customer support information: if you email us, we receive your email address and the content of your message.

3.2 — Information we collect automatically

When you use the app, we and our service providers automatically collect:

Device and technical information: device model, operating system version, app version, language settings, time zone, IP address, and a randomly generated device identifier we use to operate the app.

Country (ISO 3166): we auto-detect your country code from your device's regional settings on first sign-in (using Expo Localization), and you can change it anytime in Profile. KaleWay V1 supports 14 countries: US, BR, PT, GB, DE, ES, FR, IT, MX, IN, AU, CA, IE, NZ. Country drives grocery store names, units (metric or imperial), and meal plan availability.

Usage information: which screens you visit, which features you use, and how long you spend on different parts of the app. We use this only to understand how to improve KaleWay; we do not use it to identify you to third parties.

Review-prompt state: if we asked you to rate the app, we record whether you said yes/no, when we asked, how many times we've asked, and whether you've opted out of being asked again.

3.3 — Information from Apple HealthKit (only if you grant permission)

If you grant the permission, we read only the following from your Apple HealthKit:

• Your weight history
• Your daily step count and active energy data

We do not write to your HealthKit. We do not access any other category of HealthKit data. HealthKit data is used only to personalize your nutrition and movement plans within the app, in compliance with Apple's HealthKit terms.

We do not share HealthKit data with any third party, including Anthropic, our analytics provider, or our marketing partners. HealthKit data is processed and stored only on your device and on our backend (Supabase), and it is not used for any purpose other than personalizing your KaleWay experience.

3.4 — Information from Sign in with Apple (only if you choose this method)

If you sign up using Apple, we receive an anonymous user identifier from Apple. You can choose whether to share your email address; if you do not, you will receive a private relay email from Apple, which we use only to communicate with you about the service.

3.5 — Subscription information

When you start a trial or subscribe to a paid plan, the transaction is processed by Apple (on iOS) or Google (on Android). We never see your full payment information. We receive only:

• A subscription identifier
• Your subscription state (trial, active, canceled, expired)
• The plan you selected

We use a service called RevenueCat to manage subscription state across platforms. See Section 5 for details.

3.6 — Information you choose to share

If you opt in, we may collect:

• Your email address for our newsletter (entirely optional)
• In-app feedback. When you submit feedback via the post-rating dialog or the Profile → Send Feedback row, we store the category you picked (nutrition, movement, mindset, kaleai, app_speed, other), the body of your message (max 500 characters), and the source channel. Feedback is insert-only on our backend — we cannot edit it on your behalf.
• Feedback you submit through a survey
• A photo or screenshot you choose to send us for support purposes (we do not require photos)

3.7 — Information from third-party sources

We do not buy lists of users or pull your data from advertising partners. The only "third-party source" we use is Apple HealthKit, described in Section 3.3.

04How we use your information

We use the information we collect to:

Provide the service. Generate your meal plan, build your workout program, power KaleAI's conversations with you, track your weight, manage your subscription, and let you log in.

Personalize your experience. Adjust meal recommendations based on your preferences and feedback, suggest workouts that fit your stated energy and time, and help KaleAI remember context from earlier conversations.

Communicate with you. Send you transactional emails (account confirmations, password resets, subscription receipts), respond to your support requests, and — if you opted in — send you the newsletter.

Keep KaleWay safe. Detect and prevent abuse, fraud, and unauthorized access. Enforce our Terms of Service.

Improve KaleWay. Understand how the app is used (in aggregate, never tied to your identity) so we can build better features. We do not log identifying health information to our analytics.

Comply with the law. Respond to legal requests, comply with court orders, and meet our regulatory obligations.

We do not use your information for advertising or for "people-based" marketing targeting on third-party platforms. We do not sell your information.

05Who we share your information with

We share specific categories of information with specific third parties, only for the purposes described below. Each one is a service provider acting on our instructions, not an independent recipient of your data for their own purposes.

Apple Search Ads & app attribution providers (limited)

We may receive aggregated installation attribution data from Apple Search Ads or similar attribution services. This data does not identify you personally and is used only to understand which marketing channels work.

Customer support tools

If you write to support@kaleway.com, your email is processed by Google Workspace.

Government, law enforcement, or legal process

If we are required by law to share information — for example, in response to a subpoena, court order, or other valid legal request — we will. We will only share what we are legally required to share and will, where legally permitted, notify you first.

Business transfers

If KaleWay is acquired, merged, or sold, your information may be transferred to the new owner along with the rest of the business. If this happens, the new owner will be bound by the commitments in this Privacy Policy or will notify you of changes.

06What we do not do with your information

This list is as important as the list above.

• We do not sell your personal information. Ever. Under any definition — including “sale” or “share” under California Civil Code §1798.140, or sale or transfer under the GDPR. Not for analytics, not for advertising, not for any purpose. The advertising measurement we do (Meta install + subscription attribution — see Section 5) does not constitute a sale.
• We do not train AI models on your data — ours or Anthropic's. KaleWay is a commercial API customer of Anthropic; under Anthropic's Commercial Terms, your KaleAI inputs and outputs are not used to train Anthropic's models. We also do not train any KaleWay-side models on your conversations, profile, or behavior. (See our AI Privacy Notice for the contractual no-training commitment.)
• We do not record or replay your screen interactions. PostHog Session Recording and Sentry Session Replay are both disabled in this version of the app. If we ever enable them in a future version, this Policy will be updated and we will require renewed consent before turning them on.
• We never use your KaleAI conversations, mood logs, My Why List, Trap Cards, weight history, health conditions, allergies, dietary restrictions, or any HealthKit data for advertising. The advertising measurement events the iOS app sends to Meta are strictly scoped: install, account creation, paywall reached (purchasers only), free trial started, and subscription started — with hashed identifiers and (only with your ATT consent) IDFA. No conversation content, no health data, no behavioral patterns. See Section 5 (Meta Platforms) for the full field list.
• We do not place third-party tracking scripts on kaleway.com. No Meta Pixel, no Google Analytics, no other web trackers on the marketing site or on the parts of the site that display health information. (The iOS app's Meta App Events SDK is a separate, in-app integration disclosed in Section 5.)
• We do not share your conversations with KaleAI with anyone outside Anthropic (the AI provider, who processes them and then deletes them — see Section 5) and Supabase (where we store your chat history within your account).
• We do not share your HealthKit data with any third party. Not Anthropic, not analytics, not Meta, not anyone. HealthKit data stays between your device and our backend.
• We do not share your information with your employer, your insurance company, your healthcare provider, or data brokers unless you specifically ask us to and we have built that integration. We have not built any such integration; we have no B2B program.

07How long we keep your information

We keep different categories of information for different lengths of time, based on what's necessary to operate KaleWay and meet our legal obligations.

Account information: for as long as your account is active.

Health profile and behavior data: for as long as your account is active.

Mood logs, Trap Cards, Mind Moment completions, My Why List, Behavior Wins: for the duration of your active account. Deleted within 30 days of account deletion (with backup propagation to follow per the schedule below).

Conversations with KaleAI: stored on our backend for as long as your account is active. Anthropic deletes their copies within approximately 7 days of receipt or generation.

In-app feedback (app_feedback) submissions: up to 3 years from submission, for product-improvement and dispute-resolution purposes. Deleted earlier on request.

Review-prompt state: persists with your account. Reset only if you delete your account or successfully request a review-state reset via support.

Subscription records: for as long as required by tax and accounting laws (typically 7 years), even after you close your account.

Customer support correspondence: for up to 3 years after the conversation ends, to help us serve you better if you contact us again.

Backups: when you delete your account or specific data, the data is removed from our active systems immediately and from our routine backups within approximately 30 days.

08Your rights and choices

You have rights to your information. The exact set of rights depends on where you live, but the following rights apply to all KaleWay users regardless of location.

Universal rights

Access. You have the right to ask us what personal information we have about you.

Correction. You have the right to update or correct inaccurate information. You can do this directly in the app's profile settings, or by writing to support@kaleway.com.

Deletion. You have the right to ask us to delete your information. You can delete your account directly from the app's profile screen (the "Delete My Account" option), or by writing to support@kaleway.com.

Withdrawal of consent. Where we rely on your consent to process your information, you can withdraw that consent at any time. Withdrawing consent for AI features is described in our AI Privacy Notice.

Account closure. You can close your KaleWay account at any time. When you do, we delete your information from our active systems and notify our service providers (including Anthropic) to do the same.

How to exercise rights

To exercise any of these rights — including access, correction, deletion, or data portability — email support@kaleway.com with the subject line “Privacy Request” and your registered email address. We may need to verify your identity before responding so your information is not given to someone else; we will explain what verification we need.

We respond within 30 days for users covered by the GDPR (per Art. 12(3)) and within 45 days for California residents (per CCPA §1798.130(a)(2)(B)). Either window can be extended once if your request is complex, with notice to you within the original window.

California residents who wish to use an authorized agent can do so by emailing the address above; we will provide instructions for the agent to verify their authorization. We do not discriminate against users who exercise privacy rights.

Opt out of Meta advertising measurement (iOS only)

The first time you reach our paywall and grant AI consent, the iOS app shows Apple's App Tracking Transparency (ATT) prompt. Tap Ask App Not to Track — KaleWay continues to work fully without your advertising identifier (IDFA). You can revoke this decision at any time in iOS Settings → Privacy & Security → Tracking → KaleWay.

Even with ATT off, the iOS app still sends a small number of measurement events to Meta (without your IDFA) so we can attribute installs at the campaign level. The fields sent in that no-IDFA case are listed in Section 5 (Meta Platforms). If you want those events to stop entirely, delete your account — once your account is gone, no further measurement events fire from your device or our backend.

Region-specific rights

09Account deletion in detail

When you delete your KaleWay account:

Some information must be retained after account deletion:

• Subscription transaction records (kept for tax and accounting purposes, typically 7 years).
• Records related to legal disputes or investigations, until resolved.
• Aggregated, de-identified data that no longer identifies you (for example, "we had X total active users last month").

10How we protect your information

We take reasonable and appropriate measures to protect your information, including:

• Encryption in transit: all communication between your device and our servers, and between our servers and our processors (Supabase, Anthropic, PostHog, Sentry, Resend), uses TLS 1.3.
• Encryption at rest: your data is encrypted when stored in our database (AES-256, Supabase Postgres default).
• Access controls: only authorized personnel can access user data, and only when necessary for support, debugging, or legal compliance.
• Authentication: access to administrative systems requires multi-factor authentication.
• Monitoring: we monitor our systems for unusual activity.
• Vendor diligence: we choose service providers with strong security practices.

No system is perfectly secure. If we discover a breach that affects your personal information, we will notify you in accordance with applicable law, including the Federal Trade Commission's Health Breach Notification Rule (within 60 days where required) and any applicable state breach notification laws.

Data residency

Your account data is stored on Supabase in the us-east-1 region (Northern Virginia). KaleAI conversations are processed by Anthropic in the United States. Product analytics events go to PostHog in the European Union (Frankfurt). Crash reports go to Sentry in the United States. Transactional emails are sent through Resend in the United States.

If you access KaleWay from the EU or UK, your data crosses jurisdictional boundaries on the way to most of these processors. We rely on the EU–US Data Privacy Framework (effective July 2023) and on Standard Contractual Clauses where applicable. If the Framework is invalidated or a processor's certification lapses, we will move that processor onto SCCs within 30 days and update this Policy.

11Children's privacy

KaleWay is rated for users 17 years and older. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that age applies). If we learn that a person under the applicable minimum age has created an account, we will delete that account and any associated data.

If you believe a child has provided us with personal information, please contact support@kaleway.com.

12International data transfers

KaleWay's servers and our service providers' systems are located in the United States. If you use KaleWay from outside the United States, your information will be transferred to and processed in the United States. By using KaleWay, you consent to this transfer.

For users in regions that require additional safeguards for international transfers (such as the EU and UK), we rely on Standard Contractual Clauses with our service providers and on each provider's own compliance frameworks (for example, Anthropic's published policies and Supabase's compliance documentation).

13Third-party links and integrations

The KaleWay app and website may contain links to third-party websites or services. This Policy does not apply to those third parties — they have their own privacy policies. We are not responsible for the practices of third parties we link to.

If you choose to integrate KaleWay with a third-party service (for example, by granting HealthKit permission, or in the future by linking another app), the integration is governed by what we describe in this Policy plus the third party's own terms.

14Changes to this Policy

We may update this Privacy Policy from time to time as KaleWay grows or as laws change. When we make a material change, we will:

• Update the "Last updated" date at the top
• Post a notice in the app
• For significant changes, send an email to your account email address before the change takes effect

Your continued use of KaleWay after a change becomes effective means you accept the updated Policy. If you do not agree with a change, you can close your account at any time.

Recent updates

• v1.3 — May 11, 2026. Added Section 5 disclosure of AppsFlyer Ltd. as an additional recipient of advertising measurement events from the iOS app, used as a Mobile Measurement Partner to attribute installs across multiple ad networks (Meta, TikTok, Apple Search Ads, Google, and ~5,000 other partners). Added a cross-reference paragraph in the Meta entry acknowledging the AppsFlyer-Meta overlap during the V1.0.2–V1.0.x transition window. Disclosed the EEA “limited consent” default for AppsFlyer downstream personalization sharing (GDPR / DMA legitimate-interest basis).
• v1.2 — May 5, 2026. Added Section 5 disclosure of Meta Platforms as a recipient of advertising measurement events from the iOS app (install + subscription attribution via Meta App Events SDK and Conversions API). Removed two outdated bullets in Section 6 that no longer reflected the iOS app's measurement integrations and replaced them with scoped truth-claims that distinguish marketing-site practices from in-app measurement. Added Section 8 opt-out path for Apple App Tracking Transparency (ATT).
• v1.1.1 — May 4, 2026. Lockstep version bump alongside AI Privacy Notice and Terms of Service. No content change to this Policy.
• v1.1 — May 4, 2026. Section 3 expanded with twelve explicit data categories the app now collects; Section 5 named PostHog, Sentry, and Resend as processors; Section 6 tightened with explicit no-sale, no-AI-training, no-session-recording commitments; Section 7 added retention rows for behavioral data, in-app feedback, and review-prompt state; Section 8 clarified rights-exercise channels (30 days GDPR / 45 days CCPA); Section 10 added data residency and the EU–US Data Privacy Framework; CCPA Appendix A expanded with the Internet activity row.

15Contact us

For any question about this Privacy Policy, your rights, or how we handle your information: