Privacy Policy

Effective Date: May 10, 2026
Last Updated: May 10, 2026

1. Introduction

This Privacy Policy explains how caKao Inc. ("caKao," "we," "us," or "our") collects, uses, and protects your personal information when you use the caKao app or website (the "Service"). caKao is a wellness app that helps you understand how you really look and feel through three features: a daily GlowScore based on your mood and energy, Moves for tracking exercise and movement, and Meals for logging food with a HealthScore.

This policy applies to everyone who uses caKao, including users, content creators, and visitors to our website. By using caKao, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

If anything in this policy is unclear, contact us at team@cakao.ai.

2. The Information We Collect

We collect only what we need to make caKao work for you. There are six kinds of information involved.

Profile information

When you sign up, you provide:

  • Your age

  • Your gender

  • Your preferred language

  • A name or display name (optional)

We do not ask for your full legal name, address, government ID, or other identifying information beyond what is listed above.

GlowScore check-in content

Each time you check in, you provide:

  • Your mood level (bad to great)

  • Your stress level (1 to 10)

  • Your sleep hours

  • An optional personal note (free text you choose to share)

  • Optional fields you have enabled, such as cycle stage, skin, hair, or appearance

This is some of the most personal data we hold. It is sometimes called sensitive personal information, especially the cycle and health-related fields. We treat it accordingly.

Meals feature data

When you log a meal, you provide:

  • A photo of your meal (optional), OR a text description of what you ate

  • Any manual edits you make to the AI's estimates

caKao then generates:

  • An estimated calorie count

  • Estimated macronutrient breakdown (protein, carbs, fat)

  • A HealthScore value

  • A short description of the meal

The AI-generated values are stored with your meal history so you can review your patterns over time.

Moves feature data

When you log a workout or movement, you provide:

  • The activity type (run, walk, yoga, etc.)

  • Duration

  • Any manual notes you add

caKao then generates an estimated calorie burn for the activity.

If you have connected Apple Health (on iPhone) or Android Connect (on Android), and you have explicitly granted permission, we also receive:

  • Calorie burn (active energy)

  • Workout duration

  • Step count

We do not read any other data from Apple Health or Android Connect, even if you have given the device-level permission for them. See Section 4 for full details on this integration.

Authentication and payment information

You sign in using Apple ID or Google. The authentication provider shares a unique identifier with us, plus whatever profile fields you allow them to share (typically a display name and email address, which you can choose to hide). We do not see your Apple ID or Google password.

If you subscribe to caKaoPRO, payment processing happens through Apple's in-app purchase system (on iPhone and iPad) or Google Play's billing system (on Android). We do not see or store your payment card information. Apple or Google shares with us only a subscription status flag.

Technical and device data

When you use the app, we automatically collect:

  • App version

  • Operating system version and device model (for example, "iPhone 15, iOS 17.4")

  • Error and crash logs needed to keep the app working

  • Approximate region inferred from your language setting (we do not collect precise GPS location)

  • Time stamps of your check-ins, meals, and workout logs

We do not use cookies, analytics SDKs, or tracking pixels. We do not collect your contacts, microphone, camera (beyond meal photos you explicitly take or upload), or precise location.

3. How We Use Your Information

We use your information for exactly four purposes:

  1. To provide the Service. We process your check-ins, meal logs, and exercise logs to generate your GlowScore, HealthScore, calorie estimates, smart hints, taglines, and personalized features, and to remember your history across sessions.

  2. To improve caKao. We review aggregated, non-identifying patterns to fix bugs, develop features, and measure how the app is performing.

  3. To keep the Service safe. We use your check-in content to detect crisis content, abuse, or fraud, and to protect users and our infrastructure.

  4. To comply with legal obligations. When law requires it, we may use your information to respond to lawful requests, enforce our Terms, or protect rights and safety.

We do not use your information to build advertising profiles, score you for credit or insurance, or train any AI model for any purpose other than improving caKao itself.

4. Apple Health and Android Connect Integration

This section explains in detail how the Health integration works, because health data deserves clear, specific treatment.

Permission is required

caKao cannot access any data from Apple Health or Android Connect unless you explicitly grant permission in your device settings. The first time you try to use the integration, your device shows a permission prompt listing exactly which data types caKao is asking to read. You can grant or deny each one individually, and you can change your mind at any time.

What caKao reads

When you grant permission, caKao reads only:

  • Calorie burn (active energy expended)

  • Workout duration

  • Step count

That is the complete list. We do not read heart rate, blood pressure, sleep tracking, weight, body measurements, glucose, menstrual cycle data, blood oxygen, ECG, body temperature, respiratory rate, or any other metric. Even if you have granted device-level permission for those metrics, caKao does not request or read them.

What caKao writes back

Nothing. caKao does not write any data to Apple Health or Android Connect. The integration is strictly read-only. The GlowScore, HealthScore, meal data, exercise estimates, and any other content caKao generates are never written back to your device's health store.

How synced data is used

The data we receive from Apple Health or Android Connect is used only inside the Moves feature of caKao. It is:

  • Not used for advertising

  • Not shared with any third party

  • Not used to train AI models

  • Not combined with data sold or licensed to data brokers (we don't do that anyway)

Revoking access

You can revoke caKao's access to Apple Health or Android Connect at any time in your device settings. When you revoke access, no further data is synced.

Data that was previously synced into caKao stays in your caKao account until you delete it or delete your account. If you want all previously-synced Health data removed, you can either delete individual entries in the Moves section or delete your entire account (which purges all your data within 24 hours, see Section 7).

5. Who We Share Information With

We work with a small number of trusted technology partners. Each one processes specific data on our behalf, under contractual privacy and security obligations. We do not allow any of them to use your information for their own purposes.

OpenAI. When you submit a check-in, log a meal, or log an exercise, the relevant text content may be sent to OpenAI's servers to generate the smart hint, mood score, HealthScore, calorie estimates, or tagline. When you scan a meal photo, the image may be sent to OpenAI's vision model (GPT-4o vision) for analysis. OpenAI processes this under an enterprise agreement that prohibits using your content to train its public models.

Anthropic. For some check-ins, meal scans, and exercise estimates, the same content may be sent to Anthropic instead of or in addition to OpenAI. Anthropic processes this under the same kind of enterprise terms. Meal photos may be sent to Anthropic's Claude vision model for analysis.

Amazon Web Services. Our backend, including the database where your profile, check-in history, meal logs, exercise logs, and synced Health data are stored, runs on Amazon Web Services infrastructure in the United States. Amazon Web Services provides the hosting and database storage layer and does not access the content of your data.

Apple and Google. Apple provides authentication (Sign in with Apple) and subscription billing (in-app purchase). Google provides authentication (Sign in with Google) and subscription billing (Google Play). These services operate under their own privacy policies, which you accepted when you set up your Apple or Google account.

Apple Health and Android Connect are integrations on your device, not separate third parties we share data with. When you grant permission, your device exposes specific health data types to the caKao app. We then read those values, but no data flows in the other direction.

That is the full list of who sees your data outside caKao. We do not share with advertising networks, data brokers, analytics companies, marketing platforms, or any other third party.

6. What We Do Not Do

This section is intentionally explicit because it matters.

  • We do not sell your data. Ever, to anyone.

  • We do not share your data with third parties for analytics, advertising, marketing, profiling, or any commercial purpose.

  • We do not use your check-in content, cycle data, meal photos, meal logs, exercise logs, or synced Health data to train AI models. Our AI providers (OpenAI and Anthropic) also do not train on this content because they process it under enterprise contracts that prohibit it.

  • We do not display ads in caKao.

  • We do not send you marketing emails. All communication with you happens inside the app.

  • We do not track you across other websites or apps. caKao has no tracking SDK.

  • We do not share your period, cycle, mood, or any health data with insurers, employers, advertisers, data brokers, law enforcement (except under valid legal process described in Section 9), or anyone else.

  • We do not write any data back to Apple Health or Android Connect. The Health integration is read-only.

If we ever change any of these commitments, we will notify you in advance through the app and you will have the option to delete your account before any change takes effect.

7. How Long We Keep Your Information

While your account is active:

  • Profile, GlowScore history, meal log values (calories, macros, HealthScore, descriptions), exercise log values, and synced Health data: kept for as long as your account exists, so you can see your history and trends.

  • Meal photos: kept for 14 days, then automatically deleted from our systems. The text analysis (calories, macros, HealthScore) is retained even after the photo is deleted.

After you delete your account: All your personal data, including profile, check-ins, meal logs, meal photos (if any remain within the 14-day window), exercise logs, cycle records, notes, and synced Health data is deleted immediately from active systems. Within 24 hours, the data is purged from all backups and replicated storage. After 24 hours, your personal data no longer exists in our systems.

Operational logs: Anonymous technical logs (app version, error traces, performance metrics, anonymized check-in metadata such as language and timestamp) are retained for 14 days for debugging and security, then deleted automatically.

Legal exceptions: In rare cases, we may retain specific information longer if required by law (for example, a court order). We will only retain what is specifically required, and only for as long as required.

8. Security

We protect your data with industry standard security measures, including:

  • Encryption in transit using TLS for all communication between your device, our servers, and our AI processing partners

  • Encryption at rest for stored data, including meal photos

  • Access controls so only authorized caKao personnel can access systems containing user data

  • Routine security review of our infrastructure and code

No system is perfectly secure, and we cannot guarantee absolute security. If we ever discover a data breach that affects your information, we will notify you and applicable authorities as required by law.

If you discover a security issue, report it to team@cakao.ai.

9. Your Rights

You have the following rights regarding your personal information. To exercise any of them, contact us at team@cakao.ai.

Access. You can request a copy of the personal information we hold about you.

Correction. You can update most of your profile information directly in the app. For anything you cannot edit yourself, contact us.

Deletion. You can delete your account at any time from the app settings. All your data is deleted immediately and purged within 24 hours, as described in Section 7.

Objection. You can object to specific uses of your data. In practice, the way to do this is to delete your account, since caKao only collects data needed to provide the Service.

Portability. You can request a copy of your check-in history, meal log, and exercise log in a machine-readable format.

Withdraw Health integration permission. You can revoke caKao's access to Apple Health or Android Connect at any time through your device settings. See Section 4 for details.

Complaint. If you believe we have mishandled your data, you can complain to us directly or to a data protection authority in your country (see the regional sections below).

We respond to verified requests within 30 days. We may ask you to confirm your identity before acting on a request, to protect your data from unauthorized access.

Legal requests. We may be required to disclose your information in response to a valid court order, subpoena, government request, or to protect the safety of users or the public. When this happens and we are legally permitted to do so, we will notify you.

10. International Data Transfers

caKao is a Singapore company. Our backend runs on Amazon Web Services infrastructure in the United States. AI processing happens on OpenAI and Anthropic servers, which are primarily in the United States. This means your data crosses international borders.

For users in Europe, the United Kingdom, Brazil, and other regions with cross-border transfer rules, we rely on standard contractual clauses and equivalent legal mechanisms with our processors to maintain the level of protection required by your local law.

11. Children

caKao is not intended for use by children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, contact us at team@cakao.ai and we will delete it.

Users between 13 and the age of majority in their jurisdiction must have a parent or guardian's consent to use caKao.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We update the "Last Updated" date at the top

  • We notify you through the app if changes are material

  • For significant changes that expand how we use your data, we give you the option to delete your account before the changes take effect

Continued use of caKao after a change means you accept the updated policy.

13. Contact

For privacy questions, data requests, or concerns:

  • Email:team@cakao.ai

  • Mail: caKao Inc., One-North district, Singapore

We respond to all privacy inquiries within 20 business days.

Region-Specific Addenda

For users in the European Economic Area, United Kingdom, and Switzerland (GDPR)

If you live in Europe, the following information explains your rights under the General Data Protection Regulation.

Legal bases for processing:

  • Contract: We process your account, check-in, meal, and exercise data because it is necessary to provide the Service you signed up for.

  • Consent: Optional fields such as cycle, skin, hair, personal notes, meal photos, and Health integration data are processed based on your consent. You can withdraw consent at any time by leaving those fields blank, disconnecting the Health integration in your device settings, or deleting your account.

  • Legitimate interests: We process limited technical and security data to keep the Service running and safe. Our interest in operating a functional, secure app is balanced against your privacy rights.

  • Legal obligation: When law requires us to retain or disclose information.

Your rights under GDPR: access, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent. Most can be exercised directly in the app or by emailing team@cakao.ai.

Right to lodge a complaint: You can complain to a data protection authority in your country of residence. A list of EU authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.

Data Protection Contact: team@cakao.ai

For users in California (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: what personal information we collect, why we collect it, and who we share it with. See Sections 2, 3, and 5 of this policy.

  • Right to delete: delete your information. See Section 7.

  • Right to correct: correct inaccurate information about you.

  • Right to opt out of sale or sharing: caKao does not sell or share personal information as those terms are defined under California law. There is nothing to opt out of, but we confirm this here for transparency.

  • Right to limit use of sensitive personal information: We collect health-related information (cycle, mood, stress, meal data, exercise data, and Health sync data when you provide them) only to provide the Service. We do not use it for any other purpose and you can request it be deleted at any time.

  • Right to non-discrimination: We will not deny you service, charge you a different price, or provide a lower quality service because you exercised your rights.

Sensitive personal information categories we collect:

  • Health and reproductive health information (cycle data and related fields, when you provide them)

  • Health and fitness information (mood, stress, sleep, meal logs, exercise logs, and data synced from Apple Health or Android Connect)

  • Account credentials

Categories we do not collect: government IDs, Social Security numbers, financial account numbers, precise geolocation, biometric data, genetic data, racial or ethnic origin, religious beliefs, sexual orientation, philosophical beliefs, union membership, or contents of private communications.

To exercise California rights, email team@cakao.ai with the subject line "California Privacy Request."

For users in Singapore (PDPA)

caKao Inc. is incorporated in Singapore and complies with the Personal Data Protection Act. You have the right to:

  • Withdraw consent for data processing

  • Access and correct your personal data

  • Request information about the disclosure of your personal data

Contact team@cakao.ai for any PDPA-related request. If you are not satisfied with our response, you may contact the Personal Data Protection Commission of Singapore at https://www.pdpc.gov.sg.