Last updated: May 13, 2026
Kalea ("we", "our", "the app") is operated by Ipanema Beauty. Kalea is available on iOS (App Store) and Android (Google Play). Your privacy matters to us. This policy explains what data we collect, how we use it, and your rights, on both platforms.
Email address and password (hashed) when you create an account. You can also sign in using a third-party identity provider:
You can sign in on either platform with email and password as well.
Meal descriptions, calorie and macro estimates, photos you choose to submit for AI analysis, and barcode scan results. All food data is stored locally on your device first (using SwiftData on iOS and Room on Android) and optionally synced to your private cloud account.
Weight entries you log manually, body metrics (height, age, biological sex) used to calculate your personalized calorie goal. If you grant health-data access:
Health data never leaves your device except to sync to your private Supabase account. You can disable health-data sync at any time in Settings or by revoking permission in the system health app.
When you use the AI photo scan feature, your photo is sent to our server for analysis and immediately discarded after processing. Photos are not stored on our servers.
Barcode scanning runs entirely on your device. On iOS we use Apple's VisionKit; on Android we use Google's ML Kit Barcode Scanning (bundled on-device model). The scanned barcode is then used to look up product information from the public OpenFoodFacts database. We do not send your camera feed or images to any third party for barcode scanning.
The app requests camera permission only when you actively use the AI photo scan or barcode scan features. The app requests photo library permission only when you choose to attach an existing photo from your library. On Android, the app uses CameraX; on iOS, AVFoundation. We do not access your camera or library in the background.
We use PostHog (EU-hosted) to collect anonymous usage events such as screen views, feature usage, and crash diagnostics. Analytics are not linked to your personal identity. Each install receives an anonymous device-scoped identifier; we do not collect the iOS IDFA or the Android Advertising ID. PostHog session replay is disabled by default and only activated if you explicitly opt in for support purposes. You can disable all analytics at any time in Settings.
Subscriptions and in-app purchases are processed entirely by Apple App Store (on iOS) and Google Play Billing (on Android). We never see your payment details. We use RevenueCat to manage entitlements; RevenueCat receives an anonymous purchase token from the respective store and the entitlement status linked to your Kalea account.
When you type a meal description or submit a photo, this data is sent to our server (Supabase Edge Functions, EU-hosted) which forwards it to an AI model (Claude, made by Anthropic, accessed via OpenRouter) for calorie estimation. We do not store your photos after analysis. Meal descriptions are cached temporarily (up to 90 days) to reduce API costs and improve response times. AI processing is performed on infrastructure operated by Anthropic and OpenRouter, which may include servers located outside the EU.
Your account data and synced journal are stored in Supabase (EU-hosted) with Row Level Security (RLS) ensuring you can only access your own data. Passwords are hashed using industry-standard algorithms. All network communication uses HTTPS/TLS. Food journal and weight data are also stored locally on your device for offline access — using SwiftData on iOS and Room (encrypted at rest by the operating system) on Android.
Kalea uses the following third-party services. Each is bound by its own privacy policy and applicable data-processing agreements with us:
| Service | Purpose | Location | Platform |
|---|---|---|---|
| Supabase | Authentication, data storage, sync | EU (Frankfurt) | iOS & Android |
| Google Identity / Credential Manager | Sign in with Google (account creation only) | Per Google terms | Android |
| Apple ID | Sign in with Apple (account creation only) | Per Apple terms | iOS |
| Anthropic (Claude) via OpenRouter | AI food recognition | US (with EU routing where available) | iOS & Android |
| RevenueCat | Subscription & entitlement management | US | iOS & Android |
| PostHog | Anonymous usage analytics | EU | iOS & Android |
| Apple HealthKit | Health data sync (with your permission) | On-device (Apple) | iOS only |
| Health Connect (Google) | Health data sync (with your permission) | On-device (Google) | Android only |
| ML Kit Barcode Scanning (Google) | On-device barcode recognition | On-device | Android only |
| OpenFoodFacts | Public food-product database lookup | EU (France) | iOS & Android |
| Apple App Store | iOS purchases & billing | Per Apple terms | iOS only |
| Google Play Billing | Android purchases & billing | Per Google terms | Android only |
Some of our service providers (notably RevenueCat, OpenRouter, and Anthropic) are based in the United States. When your data is processed outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent safeguards provided by these vendors to ensure an adequate level of protection. Health data, food journal data, and account data remain stored in the EU.
If you are in the EU/EEA, you have the right to:
To exercise these rights, contact us at privacy@getkalea.com.
You can delete your account and all associated data at any time:
Account deletion removes your account, journal, weight history, body metrics, and all data linked to your account from our Supabase database within 30 days. Cached AI responses are automatically purged after 90 days. Data written to Apple Health or Health Connect remains on your device under your control; you can remove it via the respective health app. Anonymous, aggregated analytics may be retained.
Your data is retained as long as your account is active. When you delete your account, all associated data is permanently removed within 30 days. Cached AI responses (meal-description lookups) are automatically purged after 90 days. Backups are rotated and deleted within 35 days.
Kalea is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us and we will delete it.
We may update this policy from time to time. We will notify you of significant changes through the app or by email. The "Last updated" date at the top reflects the most recent revision. Continued use after changes constitutes acceptance.
Ipanema Beauty
Email (privacy): privacy@getkalea.com
Email (general): info@getkalea.com