Privacy Policy
Last updated: February 2026
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit our website or use our mobile app "Kairo". Personal data is any data with which you can be personally identified. This privacy policy applies to both our website kairocalories.com and the Kairo iOS app.
2. Data Controller
The data controller responsible for data processing is:
Valentin Weinert
Dr.-Rohmer-Weg 11
65719 Hofheim am Taunus
Germany
Email: support@kairocalories.com
The data controller is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data.
3. Data Processing in the App
Account Data
When registering and using the Kairo app, we collect the following data:
- Email address
- First and last name
- Profile picture (optional)
- Display name
This data is processed based on Art. 6(1)(b) GDPR for the performance of our contract with you.
Health and Biometric Data
To calculate your personal nutrition goals, we collect the following sensitive data:
- Biological sex
- Date of birth
- Height
- Current weight
- Target weight
- Activity level
- Fitness goal (lose weight, maintain, build muscle, gain weight)
- Desired rate of weight change
This health data falls under Art. 9(1) GDPR (special categories of personal data). Processing is based exclusively on your explicit, separate consent pursuant to Art. 9(2)(a) GDPR. This consent is obtained separately and with full information during the initial app setup. You can revoke this consent at any time in the app settings or by contacting us. Revocation does not affect the lawfulness of processing carried out prior to revocation. Upon revocation, the affected health data will be deleted, which will however prevent the calculation of personalized nutrition goals.
From this data, we calculate your Basal Metabolic Rate (BMR) and Total Daily Energy Expenditure (TDEE) to determine optimal calorie and macronutrient goals.
Meal Data
When you log meals in the app, we store:
- Meal name
- Calories and macronutrients (protein, carbohydrates, fat)
- Meal type (breakfast, lunch, dinner, snack)
- Portion size and quantity
- Meal notes
- Meal photos (if taken)
- Logging timestamps
Processing is based on Art. 6(1)(b) GDPR for contract performance and Art. 9(2)(a) GDPR for health data.
AI Image Analysis
When you take a photo of a meal, it is transmitted to the Google Gemini AI service for food recognition and nutritional calculation:
- The image is transmitted as base64-encoded data to Google Gemini 2.0 Flash
- Google analyzes the image and recognizes foods, ingredients, and estimated quantities
- Analysis results are cached to avoid repeated API requests
- Images are stored anonymized using a hash method
Transmission is based on Art. 6(1)(b) GDPR for contract performance. Google processes data according to their privacy policy.
Apple HealthKit Integration
With your explicit consent, Kairo can sync with Apple HealthKit:
Data read:
- Active calories burned
- Basal energy burned
Data written:
- Dietary calories consumed
- Dietary protein, carbohydrates, and fat
This processing only occurs after your explicit consent via the iOS permission dialog. You can revoke this permission at any time in iOS Settings.
HealthKit data is processed locally on your device and is not transmitted to our servers unless required for app functionality.
Groups Feature
When you join or create groups, the following data is shared with other group members:
- Your display name
- Your meal entries (visible in group feed)
- Your daily progress and streak data
- Reactions and comments on meals
Sharing this data is based on your consent (Art. 6(1)(a) GDPR) by joining the group. You can leave groups at any time to stop data sharing.
4. Third-Party Services
Supabase (Database & Backend)
We use Supabase as our backend infrastructure for storing and managing your data.
Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Supabase hosts our PostgreSQL database and processes all app data. Our database is hosted in an EU region. Row-level security policies ensure users can only access their own data. A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded.
https://supabase.com/privacy
Clerk (Authentication)
We use Clerk for user authentication.
Provider: Clerk Inc., 660 4th Street #515, San Francisco, CA 94107, USA
Clerk processes your login data (email, name, profile picture) and securely manages authentication tokens. Passwords are never stored by us. Clerk is certified under the EU-US Data Privacy Framework (DPF). A DPA pursuant to Art. 28 GDPR has been concluded.
https://clerk.com/privacy
Google Gemini (AI Image Analysis)
We use the paid Google Gemini API (Gemini 2.0 Flash) for food recognition in photos.
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
When you take a meal photo, the image is transmitted as base64-encoded data to the Google Gemini API and analyzed using artificial intelligence. Since we use the paid API, your data is NOT used by Google for AI model training. Google retains transmitted data for a maximum of 30 days for abuse and security monitoring and automatically deletes it afterwards. Google is certified under the EU-US Data Privacy Framework (DPF). A DPA pursuant to Art. 28 GDPR has been concluded.
Data processed:
- Meal photos (base64-encoded)
- Analysis results generated by the AI model (recognized foods, estimated nutritional values)
Transmission is based on Art. 6(1)(b) GDPR for contract performance.
https://policies.google.com/privacy
PostHog (Analytics)
We use PostHog analytics to improve our app.
Provider: PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA
PostHog collects anonymized usage data such as app usage, feature interactions, and performance metrics. We use EU hosting (eu.posthog.com), so your data is processed within the EU. A DPA pursuant to Art. 28 GDPR has been concluded.
Data collected includes:
- App features and screens used
- Meal tracking events (anonymized)
- Device information
- App performance metrics
Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in improving our service. PostHog stores an anonymous device ID for session recognition on your device.
https://posthog.com/privacy
Sentry (Error Monitoring)
We use Sentry for detecting and fixing app errors.
Provider: Functional Software Inc. (Sentry), 132 Hawthorne Street, San Francisco, CA 94107, USA
Sentry captures error reports, stack traces, and diagnostic information when problems occur. We use Sentry's EU data processing. A DPA pursuant to Art. 28 GDPR has been concluded.
When errors occur, the following data may be transmitted:
- Error details and stack traces
- Device type and operating system
- App version and session information
- IP address (for diagnostics)
Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing a stable service. Access to terminal device information is technically necessary pursuant to § 25(2) No. 2 TDDDG.
https://sentry.io/privacy/
Superwall (Subscriptions)
We use Superwall for managing in-app purchases and subscriptions.
Provider: Superwall Inc., 2261 Market Street #4561, San Francisco, CA 94114, USA
Superwall processes subscription status, purchase history, and entitlements. Payment data is processed directly by Apple and never shared with us. A DPA pursuant to Art. 28 GDPR has been concluded.
Data processed:
- Subscription status and expiration date
- Purchase transaction IDs
- Trial information
- App user ID
- Email address
- Name (first and last name)
AppsFlyer (Attribution & Analytics)
We use AppsFlyer to measure the effectiveness of our marketing campaigns.
Provider: AppsFlyer Ltd., 14 Maskit Street, Herzliya, Israel
AppsFlyer collects attribution data to track through which channel you discovered the app. A DPA pursuant to Art. 28 GDPR has been concluded.
Data collected includes:
- Device identifiers (IDFA, if consent is given)
- IP address (anonymized)
- Installation time and app events
- Campaign and source attribution
Processing is based on your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). You can refuse consent via the iOS App Tracking Transparency dialog or withdraw it later in iOS Settings.
Opt-out: You can disable personalized tracking in iOS Settings under Privacy > Tracking.
https://www.appsflyer.com/privacy-policy/
Expo Push Notifications
We use the Expo Push Notification Service for sending push notifications.
Provider: 650 Industries Inc. (Expo), 140 2nd Street, Floor 4, San Francisco, CA 94105, USA
When you enable push notifications, a device-bound push token is generated and transmitted to the Expo service. Expo forwards notifications to Apple Push Notification Service (APNs). A DPA pursuant to Art. 28 GDPR has been concluded.
Data processed:
- Expo push token (device-bound)
- Notification content
- Delivery timestamp
Processing is based on your consent (Art. 6(1)(a) GDPR), which you grant via the iOS permission dialog. You can disable push notifications at any time in iOS Settings.
https://expo.dev/privacy
OpenFoodFacts (Food Database)
We use the OpenFoodFacts database for barcode recognition of packaged foods.
Operator: Open Food Facts (non-profit organization), Paris, France
When you scan a barcode, the barcode number is transmitted to the OpenFoodFacts API to retrieve product name and nutritional information. OpenFoodFacts is an open, community-maintained database under the Open Database License (ODbL). No personal data is transmitted to OpenFoodFacts.
Data transmitted:
- Barcode number (EAN/UPC) of the scanned product
Processing is based on Art. 6(1)(b) GDPR for contract performance.
https://world.openfoodfacts.org/terms-of-use
5. Data Collection on the Website
Hosting
This website is hosted by Vercel Inc.
Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
When you visit our website, your data is processed on Vercel servers. Personal data may be transferred to the USA. Data transfer is based on EU Standard Contractual Clauses.
https://vercel.com/legal/privacy-policy
Server Log Files
The hosting provider automatically collects and stores information in server log files that your browser transmits:
- Browser type and version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is collected based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website.
Waitlist / Newsletter Registration
If you sign up for our waitlist, we require your email address. This is used exclusively for information about the app launch and updates.
We use the double opt-in procedure: After signing up, you will receive an email with a confirmation link. Only after clicking this link will your email address be added to our mailing list. This serves as proof of your consent in accordance with Art. 7 GDPR.
We use MailerLite to manage our waitlist.
Provider: UAB MailerLite, J. Basanaviciaus 15, LT-03108 Vilnius, Lithuania
MailerLite stores and processes your email address for sending newsletters and sends the double opt-in confirmation email.
https://www.mailerlite.com/legal/privacy-policy
Processing is based on your consent (Art. 6(1)(a) GDPR). You can revoke this at any time by unsubscribing.
Your data is stored until you unsubscribe and is then deleted from our servers and MailerLite's servers.
6. International Data Transfers
As we use service providers in the USA and other third countries, your data may be transferred to countries outside the European Economic Area (EEA). We ensure an adequate level of protection through:
- EU-US Data Privacy Framework (DPF): Since the EU Commission's adequacy decision of July 10, 2023, personal data can be transferred to DPF-certified US companies. The following of our providers are DPF-certified: Google LLC, Clerk Inc.
- EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR with all providers not covered by the DPF
- Selecting providers with EU data centers where possible (Supabase EU, PostHog EU, Sentry EU)
- Regular review of the data protection practices of our processors
For more information about the EU-US Data Privacy Framework, visit: https://www.dataprivacyframework.gov. You can also verify the DPF certification of individual companies there.
You can request a copy of the Standard Contractual Clauses by contacting us at support@kairocalories.com.
7. Data Security
We implement comprehensive security measures to protect your data:
- SSL/TLS encryption for all data transfers
- Encrypted storage on your device (iOS Data Protection)
- Row-level security in our database (access only to your own data)
- Secure token storage via iOS Keychain
- Regular security audits of our infrastructure
8. Data Retention
We retain your data only as long as necessary for the purposes for which it was collected:
- Account data: Until account deletion
- Meal data: Until deleted by you or account deletion
- Onboarding data: 7 days (automatically deleted)
- Analytics data: 90 days
- Error reports: 90 days
- Billing data: As required by law (up to 10 years)
9. Data Processing Agreements (Art. 28 GDPR)
We have concluded Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR with all service providers that process personal data on our behalf. These agreements ensure that processors only process data according to our instructions and in compliance with the GDPR.
10. Use of Artificial Intelligence
Kairo uses Artificial Intelligence (AI) for food recognition and nutritional value estimation. In accordance with the transparency obligations of the EU AI Act (Regulation (EU) 2024/1689), we inform you as follows:
AI System Used
We use Google Gemini 2.0 Flash, a multimodal AI model by Google LLC, for meal image analysis.
Purpose of AI Use
- Recognition of foods and ingredients in photos
- Estimation of portion sizes and quantities
- Calculation of estimated nutritional values (calories, protein, carbohydrates, fat)
How It Works
When you take a photo of a meal, the image is transmitted via our server to the Google Gemini API. The AI model analyzes the image and returns a structured response with recognized foods and estimated nutritional values. These results are displayed to you in the app.
Important Notes
- AI results are estimates and may differ from actual nutritional values
- Results do not replace professional nutritional counseling or medical diagnosis
- You can manually correct AI estimates at any time in the app
- No legally or medically binding decisions are made solely based on the AI
In accordance with Art. 4 of the AI Regulation (EU) 2024/1689, we ensure that persons responsible for the operation of the AI system have sufficient AI competence.
11. Automated Decision-Making (Art. 22 GDPR)
Kairo uses automated processing to calculate personalized nutrition recommendations:
- AI-based food recognition: Photos are automatically analyzed to estimate foods and nutritional values
- Calorie calculation: Your BMR and TDEE are automatically calculated from your body data (Mifflin-St Jeor formula)
- Macronutrient goals: Personalized macro targets are created based on your fitness goal
These automated processes have no legal effect and do not significantly affect you. The results are non-binding estimates and recommendations that you can manually adjust at any time. Nevertheless, you have the right to request review by a human, to express your point of view, and to contest the decision.
12. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) - You can request a copy of your data
- Right to rectification (Art. 16 GDPR) - You can correct inaccurate data
- Right to erasure (Art. 17 GDPR) - You can request deletion of your data
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) - You can receive your data in a machine-readable format
- Right to object (Art. 21 GDPR) - You can object to processing
- Right to withdraw consent (Art. 7(3) GDPR)
- Right regarding automated decision-making (Art. 22 GDPR) - You can request human review
You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Hesse is:
The Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
To exercise your rights, please contact us at support@kairocalories.com. We will respond within 30 days.
13. Children's Privacy
Children under 16 years of age may only use Kairo with the consent of a parent or legal guardian (Art. 8 GDPR). Consent for data processing must be given or approved by the holder of parental responsibility. If you are a parent or guardian and learn that your child is using our services without your consent or has provided us with personal data, please contact us at support@kairocalories.com so we can take appropriate action.
14. Changes to This Privacy Policy
We may update this privacy policy from time to time. For significant changes, we will notify you by email or through an app notification. The date of the last update is shown at the top of this page.
15. Contact
If you have questions about this privacy policy or our privacy practices, please contact us:
Email: support@kairocalories.com
Postal address:
Valentin Weinert, Dr.-Rohmer-Weg 11, 65719 Hofheim am Taunus, Germany