Effective date: April 20, 2026 Last updated: July 17, 2026
This Privacy Policy explains how Mr. Cal: Calorie Counter("the App", "we", "us", or "our") collects, uses, stores, and protects your information when you use our mobile application available on Google Play. We take your privacy seriously and have designed the App to collect only the minimum information needed to provide calorie-tracking features.
By using Mr. Cal: Calorie Counter you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
Mr. Cal: Calorie Counter is an independent mobile application for tracking daily calorie intake, protein, meals, weight, water, and related fitness goals. It is built and maintained by an individual developer, not a company.
For the purpose of the European General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and India's Digital Personal Data Protection Act, 2023 (DPDP Act), the data controller / data fiduciary of your personal information is:
Founder & developer: Krishna Kumar
App name: Mr. Cal: Calorie Counter
Operating from: India
Contact email: mrcalsupport@gmail.com
Because we operate as an individual / small developer, we have not appointed a formal Data Protection Officer (DPO) or a separate grievance officer. All privacy questions, rights requests, and complaints should be sent to the email above and will be answered by the founder personally.
Account information: email address and password (used to sign in). Passwords are never stored by the App — they are handled securely by Google Firebase Authentication.
Display name (optional): a name you choose to show in the app.
Profile & goal information: height, weight, age, gender, activity level, goal (lose / maintain / gain), target weight, and preferred units (metric / imperial). Used to calculate your maintenance calories (TDEE).
Health & fitness data: meals you log (food name, serving, calories, protein), custom foods you create, water intake, weight entries over time, and fasting days. We treat this as health-related data and apply additional care when handling it.
Preferences: dark-mode setting, onboarding tour progress, and other in-app settings.
Support communications: if you email us, we keep your message, email address, and any details you include so we can respond.
Authentication metadata: Firebase Authentication records when you sign up, last sign-in time, and a unique user ID. Used only to keep you signed in and restore your data across devices.
Subscription and purchase data: if you subscribe to Pro, Google Play Billing sends us your purchase token, order ID, purchase time, subscription SKU (pro_monthly or pro_yearly), and auto-renewal status. We use this only to verify and maintain your Pro status.
Basic error diagnostics: if the App crashes or a network call fails, diagnostic messages may be printed to the local device log. We do not transmit these logs to any server unless you explicitly email them to us.
This data is briefly transmitted to a Cloudflare Worker for verification with Google Play and is not retained by Cloudflare.
We do not collect your precise or approximate location.
We do not access your contacts, photos, microphone, camera, SMS, call logs, or installed-app list.
We do not use advertising identifiers (GAID / IDFA) and we do not show third-party advertisements.
We do not run third-party advertising networks, trackers, or analytics SDKs inside the App.
We do not sell, rent, or trade your personal data to any third party (see also Section 11 — California privacy rights).
- Create and operate your account — Email, password hash (via Firebase Auth), user ID.
- Calculate maintenance calories & daily progress — Profile data (age, weight, height, activity), food log.
- Sync & restore data across devices / re-installs — Food log, profile, custom foods, weight log, water log.
- Process and maintain Pro subscription — Google Play purchase token, order ID, SKU.
- Respond to support messages — Email address, contents of your message.
- Keep the App secure, stable and improve it — Local error logs (on-device).
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with equivalent laws, we rely on the following legal bases under Article 6 of the GDPR:
Performance of a contract (Art. 6(1)(b)) — to create your account, keep you signed in, sync your data, and provide Pro features you purchased.
Consent (Art. 6(1)(a)) — for optional information (for example, display name) and for receiving responses to support emails you voluntarily send us. You may withdraw consent at any time by deleting your account or emailing us.
Legitimate interests (Art. 6(1)(f)) — to keep the App secure, prevent abuse, and fix bugs, in a way that does not override your rights.
Legal obligations (Art. 6(1)(c)) — where we must retain certain records (e.g. tax / billing records).
Health and fitness data may be considered a special category of personal data under Article 9 GDPR. We only process such data with your explicit consent (by choosing to enter it into the App) and solely to provide the calorie-tracking features you request.
Your data is stored in two places:
On your device: in the App's private local storage (browser localStorage inside the App's WebView). This lets the App work offline and load instantly. Uninstalling the App clears most of this local data.
In the cloud (Google Firebase): encrypted in transit (HTTPS / TLS) and at rest. Cloud storage allows your data to survive a device change or re-install. Only the signed-in account owner can read or write their own cloud data, enforced by Firebase Security Rules.
Purchase verification requests are processed by Cloudflare Workers, which run on Cloudflare's global edge network. These requests are ephemeral (in-memory only) and not stored at rest by Cloudflare.The verified entitlement is written back to Firestore, which remains the durable source of truth.
We do not operate our own servers. All cloud storage and authentication is handled by Google Firebase, a service of Google LLC.
The App does not use third-party advertising cookies or tracking pixels. It does use the following on-device storage technologies, which are strictly necessary for the App to function:
Browser localStorage: to cache your profile, logged meals, preferences, and offline data on your device.
Firebase SDK persistence: Firebase Authentication and Firestore SDKs use IndexedDB / localStorage on the device to keep you signed in and cache cloud data for offline use.
Because these storage mechanisms are essential to provide the service you requested, your consent to use them is implied by using the App.
Mr. Cal: Calorie Counter relies on the following third-party services. Each operates under its own privacy policy:
Google Firebase — Authentication, Firestore database, Cloud Storage. Used for sign-in and cloud sync. Firebase Privacy & Security
Google Play Billing — processes in-app subscription purchases. We never see or store your card number, UPI ID, or payment details. Google Privacy Policy
Google Play Services — required by the Android platform for billing and app updates.
Cloudflare Workers (Cloudflare, Inc.)
Used to verify Google Play subscription purchases server-side. When you complete a Pro purchase, your Firebase ID token and the Google Play purchase token are briefly transmitted to a Cloudflare Worker, which validates the purchase with the Google Play Developer API and writes the verification result to Firestore. The Worker does not persistently store any user data — it only acts as a validation gateway. No name, email, payment info, food log, or health data is sent to Cloudflare. Cloudflare's Privacy Policy: https://www.cloudflare.com/privacypolicy/
-Region: Global edge network (closest data center to user)
These providers may process limited technical data (for example, IP address, device type, approximate region) as part of delivering their service. Please review their policies for details.
We do not sell, rent, or trade your personal information. We disclose data only in these limited circumstances:
Service providers: with Google Firebase and Google Play as described above, strictly to operate the App.
Legal requirements: if required by a valid legal process (for example, a court order) or to protect the rights, property, or safety of users or the public.
Business transfer: if Mr. Cal: Calorie Counter is ever acquired or merged, your data may transfer to the successor entity under the same privacy commitments, and you will be notified.
Cloudflare, Inc. — receives your Firebase ID token and Google Play purchase token only during a Pro subscription purchase or restore attempt, for the sole purpose of validating the purchase. Data is processed in transit and not retained.
- Account (email, user ID, profile, meals, weight, water, fasting, custom foods) — Kept while your account is active. Deleted immediately when you delete your account from inside the App.
- On-device local cache (localStorage) — Kept on your device until you uninstall the App, sign out, or clear App data.
- Support emails — Up to 24 months from last reply, then deleted.
- Billing receipts / tax records — Retained by Google Play and us as required by law (typically 7 years) in anonymised form, even after account deletion.
- Firebase backend backups — Google Firebase may retain automated backups for up to 30 days after deletion before they are permanently purged.
Access & edit: view and edit your profile, goals, meals, and custom foods any time inside the App.
Delete your account & all associated data: App → Profile → Account section → Delete Account. This permanently removes your account and cloud data (profile, goals, meals, custom foods, weight log, water log, fasting days). This action cannot be undone.
Sign out: Profile → Account → Sign Out. Your cloud data is preserved; you can sign back in any time.
Cancel subscription: Google Play Store → profile icon → Payments & subscriptions → Subscriptions → Mr. Cal: Calorie Counter → Cancel. Handled entirely by Google Play.
If you cannot access the App (for example, you uninstalled it or lost your device), you can still request deletion of your account and all associated data by emailing mrcalsupport@gmail.com from the email address linked to your account, with the subject line "Account Deletion Request". We will verify ownership of the account and complete deletion within 30 days.
Right of access: ask for a copy of the personal data we hold about you.
Right of rectification: ask us to correct data that is inaccurate.
Right of erasure ("right to be forgotten"): as described above.
Right to data portability: receive your data in a machine-readable format (JSON export by email).
Right to object / restrict processing: object to, or restrict, how we use your data in specific cases.
Right to withdraw consent: at any time, without affecting prior lawful processing.
To exercise any of these rights, email mrcalsupport@gmail.com. We respond within 30 days.
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with your local data protection authority. In the EU this is your national supervisory authority (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en). In the UK this is the Information Commissioner's Office (https://ico.org.uk/).
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights:
Right to know what personal information we collect, use, and disclose.
Right to delete personal information we hold about you.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of.
Right to limit use of sensitive personal information.
Right to non-discrimination for exercising any of the above.
To exercise these rights, email mrcalsupport@gmail.com. You may designate an authorised agent to act on your behalf, subject to reasonable verification.
We apply industry-standard safeguards to protect your information:
All network communication uses HTTPS / TLS encryption.
Passwords are never stored by the App directly; authentication is performed by Google Firebase Authentication, which applies its own cryptographic protections.
Cloud data is protected by Firebase Security Rules that restrict reads and writes to the signed-in account owner only.
Subscription entitlements are re-verified against Google Play Billing every time the App starts; Pro access is revoked automatically if a subscription is cancelled, refunded, or expires.
We keep dependencies up to date and enable code shrinking / obfuscation (R8) on release builds.
No electronic transmission or storage is ever 100% secure. While we use reasonable protections, we cannot guarantee absolute security. In the unlikely event of a data breach affecting your personal information, we will notify you and the relevant authority as required by law.
Mr. Cal: Calorie Counter is not directed to children under 13 (or the equivalent minimum age in your country — 16 in parts of the EU, 14 in some jurisdictions). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at trackfoodkcal@gmail.com and we will promptly delete it in accordance with the Children's Online Privacy Protection Act (COPPA) and equivalent laws.
Google Firebase may process and store data on servers located outside your country of residence, including in the United States. Where data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, Google relies on Standard Contractual Clauses (SCCs) and additional safeguards. By using the App you consent to such transfer, subject to the protections described in this Privacy Policy and in Google's own policies.
Cloudflare Workers run on a global edge network. Your purchase verification request is processed by the data center geographically closest to you. Cloudflare, Inc. is headquartered in the United States and is committed to compliance with GDPR, UK GDPR, and other international data protection frameworks. See Cloudflare's Privacy Policy and Data Processing Addendum for details.
15. Android Permissions
- INTERNET — Sign in, sync data to the cloud, process subscriptions.
- ACCESS_NETWORK_STATE — Detect whether you are online before attempting a sync.
- com.android.vending.BILLING — Process Google Play subscription purchases for Pro.
- READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE — Keep a local backup that survives uninstall on older Android devices (SDK ≤ 28/32 only).
Mr. Cal: Calorie Counter offers an optional Pro subscription, available as a monthly plan (auto-renewing every 30 days) or a yearly plan (auto-renewing every 365 days). All payments are processed by Google Play. Your subscription will auto-renew unless you cancel at least 24 hours before the end of the current period. You can manage or cancel anytime through your Google Play account. Refund requests are subject to Google Play's refund policy.
Because the App is operated from India by an individual developer, the Digital Personal Data Protection Act, 2023 (the "DPDP Act") applies to our processing of personal data of users located in India.
Under the DPDP Act, as a Data Principal (user) you have the right to:
Obtain information about the personal data we process and the purpose of processing.
Request correction, completion, updating, or erasure of your personal data.
Nominate another person to exercise these rights in case of death or incapacity.
Readily access a grievance redressal mechanism.
Withdraw consent that you previously gave.
To exercise any of these rights or raise a grievance, please email mrcalsupport@gmail.com. We will acknowledge your request and respond within 30 days. If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted.
Governing law: This Privacy Policy is governed by the laws of India, without regard to conflict-of-law principles. Any dispute arising out of or related to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in India.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will also be announced inside the App via an in-app notice the next time you open it, and where required by law we will request your renewed consent. Your continued use of the App after an update means you accept the revised policy.
If you have any questions, concerns, or requests about this Privacy Policy or about your personal data, please contact us at:
Email: trackfoodkcal@gmail.com
For faster service, please send the email from the same address that is linked to your Mr. Cal: Calorie Counter account.
© 2026 Mr. Cal: Calorie Counter. All rights reserved.