Privacy policy
How we collect, process and protect your data — in plain words, with no hidden jargon.
Preamble
At Calerys, privacy is not a checkbox. It's a foundational commitment.
You trust us with information that's sometimes very personal: your weight, your eating habits, your goals, sometimes your struggles. This policy explains precisely, and without dodging, how that data is processed and protected, and what your rights are.
Processing is governed by:
- The General Data Protection Regulation (GDPR), regulation (EU) 2016/679;
- The Swiss Federal Act on Data Protection (nFADP), the revised version of which entered into force on September 1, 2023;
- Applicable standards for sensitive data, in particular health data.
We never sell your data. We never share it for third-party advertising or marketing purposes. No data broker. No advertising retargeting.
1. Data controller
Eatten Sàrl — Business ID CHE-351.622.923
Registered office: Lausanne, Switzerland
Contact: hello@calerys.com
1.1 Data Protection Officer (DPO)
As a small organisation, Eatten Sàrl is not legally required to appoint a formal DPO within the meaning of GDPR article 37. Nevertheless, a dedicated point of contact for data protection matters is in place:
Tim Schneider — Data Protection Lead
Email: hello@calerys.com (mention “DPO” in the subject)
Target response time: 7 working days
2. Data we collect
2.1 Identification data
- First name (or nickname), possibly last name
- WhatsApp phone number (the main Service identifier)
- Email address (for billing and critical notifications)
- Country / time zone (to tailor reminders)
2.2 Payment data
Payments are fully handled by Stripe Inc. Calerys never stores card numbers, security codes or banking credentials. We only receive:
- A Stripe customer identifier
- Subscription status (active, paused, cancelled)
- Billing information (amount, date, currency)
2.3 Health and wellbeing data (special category)
Some of the data collected falls under the special category within the meaning of GDPR article 9 and article 5 para. 3 nFADP: weight, height, age, nutritional goals, declared allergies, intolerances, conditions mentioned by the user, physical activity.
This data is only processed with your explicit consent, collected during onboarding, and only for the purpose of providing the Service. You can withdraw this consent at any time.
2.4 Conversation data
- Text messages exchanged with Calerys on WhatsApp
- Meal photos and other media you send
- Message metadata (date, time, delivery status)
2.5 Technical data
- Server logs (IP address, user-agent, timestamps): retained for 30 days maximum
- Technical session identifiers
- Performance and error analytics data (aggregated and anonymised)
3. Purposes of processing
We use your data strictly to:
- Provide the Service: analyse your meals, generate nutritional recommendations, track your goals, produce reports, send reminders.
- Personalise your recommendations: adapt advice to your profile, constraints and history.
- Manage your subscription: billing, renewal, customer support.
- Secure the Service: fraud, abuse and attack prevention.
- Improve Calerys: anonymised and aggregated analytics only. No re-identification possible.
- Comply with our legal obligations: notably Swiss accounting and tax obligations.
4. Legal bases
- Performance of the contract (GDPR art. 6.1.b) — To provide the Service you subscribe to.
- Explicit consent (GDPR art. 6.1.a and 9.2.a, nFADP art. 6) — For health and wellbeing data.
- Legal obligation (GDPR art. 6.1.c) — For invoice retention (10 years, Swiss law).
- Legitimate interest (GDPR art. 6.1.f) — For Service security, fraud prevention and anonymised product improvement.
5. Recipients and processors
Your data is accessible to a strictly limited number of processors, each bound to Eatten Sàrl by a data processing agreement (DPA) compliant with GDPR article 28:
| Processor | Role | Location |
|---|---|---|
| Stripe | Payment processing | USA (DPF certified) |
| Meta (WhatsApp Business) | Message transmission | EU / USA (DPF) |
| OpenAI / Anthropic | AI processing of conversations | USA (DPF, training opt-out) |
| Supabase | Encrypted storage at rest | Germany (Frankfurt) |
| Railway | Application hosting | USA / EU |
| PostHog (EU) | Anonymised analytics (optional) | EU (Frankfurt) |
No other recipients. No sharing with advertisers, data brokers, retargeting platforms or advertising networks.
6. Transfers outside the European Union
Some of our processors (Stripe, OpenAI, Anthropic, Meta) are established in the United States. These transfers are framed by:
- Adherence to the EU-US Data Privacy Framework (DPF) when the processor is certified;
- Standard Contractual Clauses (SCCs) approved by the European Commission (decision 2021/914);
- Additional technical measures: encryption, minimisation of transferred data, segregation of health data.
For Switzerland, transfers to the USA are also covered by the Swiss-US Data Privacy Framework recognised by the FDPIC.
7. Retention period
- Active account: duration of the subscription + 3 years after the last interaction (justified by possible contractual obligations and the possibility of reactivation).
- Conversation data: a rolling 24 months, unless deleted earlier at your request.
- Deleted account: effective deletion within 30 days of the request, except for legal obligations to the contrary.
- Invoices and accounting documents: 10 years (Swiss legal obligation — art. 958f CO).
- Technical logs: 30 days.
- Aggregated anonymised data: no time limit, as it is not linkable to an identifiable person.
8. Your rights
Pursuant to GDPR articles 15 to 22 and nFADP articles 25 to 28, you have the following rights:
8.1 Right of access
Obtain confirmation that your data is being processed and receive a copy of it.
8.2 Right of rectification
Have inaccurate data corrected or incomplete data completed.
8.3 Right to erasure (“right to be forgotten”)
Request the deletion of your data, subject to legal retention obligations.
8.4 Right to restriction of processing
Request a temporary suspension of the processing of your data.
8.5 Right to data portability
Receive your data in a structured, commonly used and machine-readable format (JSON).
8.6 Right to object
Object to the processing of your data on grounds relating to your particular situation.
8.7 Right to withdraw consent
Withdraw the consent you have given at any time, without affecting the lawfulness of processing carried out beforehand.
8.8 Right to decide what happens to your data after your death
Provide directives on the retention, deletion and disclosure of your data after your death.
Exercising your rights
To exercise any of these rights, write to hello@calerys.com specifying your request and attaching proof of identity if possible (in case of reasonable doubt about the requester's identity). We will respond within 30 days, extendable by 60 days for complex requests (with prior notice).
9. Security
Eatten Sàrl implements appropriate technical and organisational measures:
- Encryption in transit: TLS 1.3 for all communications
- Encryption at rest: AES-256 on databases and backups
- Strong authentication: mandatory 2FA for all administrative access
- Segregation: logical separation of production, staging and development environments
- Backups: daily, encrypted, geo-redundant within the EU
- Audits: regular security reviews of critical processors
- Minimisation: we only collect what is strictly necessary
10. Data breach notification
In case of a data breach likely to result in a risk to your rights and freedoms, Eatten Sàrl will notify:
- The competent supervisory authority (FDPIC in Switzerland or an EU authority) within 72 hours after becoming aware of it;
- The persons concerned, as soon as possible, when the breach is likely to result in a high risk.
11. Cookies and trackers
For details of the cookies used on the site, see our cookie policy.
12. Minors
Calerys is strictly reserved for adults (at least 18 years old). We do not knowingly collect data about minors. If we learn that an account belongs to a minor, it will be deleted without delay.
If you are a parent or guardian and believe a child has provided us with data, contact us immediately at hello@calerys.com.
13. Complaints to a supervisory authority
If you believe your rights are not being respected, you can lodge a complaint with:
- In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- In France: the CNIL — www.cnil.fr
- In Belgium: the Data Protection Authority — www.autoriteprotectiondonnees.be
- Other EU countries: your competent national authority
We do, however, invite you to contact us first to try to resolve the situation directly.
14. Changes
This policy may be updated to reflect technical, legal or organisational changes. Any substantial change will be notified to active users at least 30 days before its entry into force, by email or via the WhatsApp channel.
Last updated: May 15, 2026. Version 1.0.