Oneleaf SAS ("Oneleaf", "we", "us" or "our") provides Calorie Tracker by Oneleaf, a mobile and web application (the "App") that helps you log and track your food intake, estimate calorie and macronutrient consumption, track body metrics and progress, and receive related insights. When you use the App, you communicate personal data to Oneleaf.
Please read this Privacy Policy carefully as it explains how your personal data are collected, used and shared, and how to exercise your rights. This Privacy Policy supplements any documents or notices that refer to it, including our Terms and Conditions, our Refund Policy and our Cookies Policy. If you have any questions, you may contact Oneleaf at
[email protected].
1. WHO IS THE DATA CONTROLLER OF YOUR PERSONAL DATA?
The data controller of your personal data is:
Oneleaf SAS, a société par actions simplifiée organized under the laws of France, with its registered office at 7 PL DE L HOTEL DE VILLE, 93600 Aulnay-sous-Bois, France, registered with the Bobigny Trade and Companies Register (RCS). Contact email:
[email protected].
Oneleaf acts as data controller: (i) to the extent that it determines the purposes and means of the processing operations related to the App; (ii) when it operates personal data processing in order to comply with its legal and regulatory obligations; and (iii) when it operates personal data processing in order to improve the App and its services.
2. WHAT KIND OF PERSONAL DATA ARE PROCESSED?
2.1 Data you provide or generate through the App. The following categories of personal data are collected when you sign up for, or otherwise use, the App:
Type of data | Examples |
Identification data | First name, last name, username, date of birth, gender (self-reported), age range |
Contact details | Email address, optional phone number, postal address (where provided for refund correspondence) |
Account credentials | Hashed password, authentication tokens, device identifiers associated with your account |
Health and lifestyle data (treated as sensitive data / special category data under Article 9 GDPR) | - Body metrics: body weight, height, body measurements (for example waist or hips), BMI
- Goals: target weight, target calories, target macronutrients, dietary preferences and restrictions, declared food allergies or intolerances, declared medical conditions (where you choose to share them)
- Nutritional logs: foods and beverages consumed, portion sizes, meal times, calorie and macronutrient intake, fasting windows
- Media: photographs of meals, progress photographs
- Activity data you enter manually: workouts, steps, energy expended
|
Data imported from Health Integrations | Where you enable an integration with Apple HealthKit, Google Health Connect or a wearable (for example Fitbit, Garmin, Oura, Whoop): steps, workouts, active energy expenditure, heart rate, sleep, body composition, weight from connected scales, and other metrics you authorize |
AI inputs | Photographs you upload for food recognition, text prompts, messages to the AI coach (where available) |
Financial data | Billing information, transaction identifiers, subscription plan, payment status. Full payment card numbers are tokenized and processed by our payment providers (Stripe, Apple App Store, Google Play Billing, PayPal where applicable) and are not stored by Oneleaf. |
Communication data | Support tickets, survey and questionnaire responses, feedback, email interactions, in-app messages |
Preferences | Notification settings, language, measurement units (metric / imperial), marketing consent choices, data-sharing choices |
2.2 Data collected automatically. When you use the App, the following categories of personal data are collected automatically, via cookies, SDKs and similar tracking technologies:
Type of data | Examples | Purposes |
Technical and device data | IP address, device identifier (IDFA / GAID where permitted), device model, operating system and version, app version, language, timezone, crash logs, diagnostics | Proper functioning of the App, bug fixing, security |
Usage and analytics data | Screens viewed, features used, session duration, tap and scroll events, conversion and retention events, in-app navigation paths | Internal analytics, product improvement, A/B testing |
Attribution data | Install source, advertising campaign identifiers, click and view identifiers, referrer URLs | Measuring the effectiveness of our marketing |
Cookies and similar trackers | Session cookies, persistent cookies, mobile SDK identifiers, pixel tags | See our Cookies Policy for details and consent management |
2.3 Mandatory vs. optional data. The provision of certain types of personal data is necessary to provide the App’s services; other data are optional. Mandatory data are indicated at the time of collection. If you refuse to provide mandatory data, we may not be able to process your request (for example, creation of your account, provision of subscription services). Health and lifestyle data are processed only where you have provided your explicit consent.
3. FOR WHAT PURPOSES DOES ONELEAF USE YOUR PERSONAL DATA?
Oneleaf processes your personal data only for the following purposes and on the corresponding legal bases:
Purpose | Examples | Legal basis |
Creating and managing your account | - Account creation and authentication
- Updating your profile and settings
- Collecting the information required to deliver the services
| Performance of the contract + your explicit consent for the processing of health data |
Providing the core tracking services | - Logging foods and beverages
- Calculating calorie and macronutrient intake
- Tracking body weight and other body metrics
- Managing goals and progress
| Performance of the contract + your explicit consent for health data |
AI-assisted features | - Recognizing foods from photographs
- Generating personalized insights or coaching messages
- Suggesting meals or recipes
| Your explicit consent |
Third-party Health Integrations | - Reading data from Apple HealthKit, Google Health Connect or wearables
- Writing nutrition data back to those platforms
| Your explicit consent |
Personalization | - Tailored content and recommendations
- Suggested goals and plans
| Performance of the contract / legitimate interest in providing a useful product |
Payments and billing | - Processing subscription purchases, renewals and refunds
- Fraud and chargeback management
| Performance of the contract + legal obligations (in particular accounting and tax) |
Customer support | - Answering your questions
- Solving technical issues
- Managing refund requests
| Performance of the contract |
Service improvement and analytics | - Aggregated and anonymized usage analytics
- A/B testing and QA
- Research on feature effectiveness
| Legitimate interest in operating and improving the App (with your right to object). Where required by law, your consent (e.g., for non-essential trackers). |
Marketing communications | - Product updates, promotions, newsletters
- Surveys and research invitations
| Consent (users in the EU, UK and certain other jurisdictions) or legitimate interest in promoting similar products with an opt-out right (where permitted by law) |
Advertising and attribution | - Measuring the effectiveness of our ads
- Building audiences for retargeting and lookalike campaigns on platforms such as Meta and Google (with your consent where required)
| Your consent for non-essential trackers; legitimate interest for non-personalized measurement |
Fraud prevention and security | - Detecting abuse and unauthorized access
- Protecting our users and our systems
| Legitimate interest in ensuring the security of the App and our users |
Legal compliance | - Complying with tax, accounting and consumer protection laws
- Responding to requests from competent authorities
| Legal and regulatory obligations |
Pre-litigation and litigation management | - Asserting and defending legal claims
- Managing disputes
| Legitimate interest in defending our rights and interests |
Business transfers | - Merger, acquisition, insolvency, reorganization
| Legitimate interest in the continuity of the business |
4. WHO CAN ACCESS YOUR PERSONAL DATA?
Your personal data may be transmitted to the following categories of recipients, strictly as needed to provide the App’s services and on the legal bases described in Section 3:
Category of recipient | Purpose |
Oneleaf SAS employees, agents and contractors, strictly on a need-to-know basis | Operating, supporting and improving the App |
Cloud hosting and infrastructure providers (for example providers of cloud computing, storage, backup and CDN services) | Hosting, storage, backup, delivery of the App |
Payment processors (Stripe; Apple App Store; Google Play Billing; PayPal where applicable) | Processing subscription payments, refunds and chargebacks; fraud prevention |
Product analytics providers | Measuring usage, retention and performance of the App (anonymized or pseudonymized where possible) |
Attribution and marketing providers | Measuring the effectiveness of our advertising campaigns (with your consent where required) |
Advertising platforms (such as Meta and Google) | Delivering and measuring ads, building custom and lookalike audiences (with your consent where required for non-essential trackers) |
AI service providers (such as OpenAI, Anthropic, Google Cloud, or similar) | Providing AI-assisted features such as food recognition and AI coaching, where you have enabled them and given explicit consent |
Email, SMS and push notification providers | Sending transactional and marketing communications (where you have opted in) |
Customer support platforms | Managing support tickets and customer communications |
Crash reporting, monitoring and debugging tools | Identifying and fixing technical issues |
Health integration partners (Apple, Google, and wearable makers such as Fitbit, Garmin, Oura, Whoop) | Only where you enable the integration, and only for the features you have authorized |
Professional advisors (lawyers, auditors, accountants, consultants) | Legal, tax, audit and compliance purposes |
Administrative, judicial and law-enforcement authorities | Where required by law, court order or enforceable governmental request |
Acquirers, investors and their advisors | In the context of a merger, acquisition, sale of assets, insolvency, restructuring or similar transaction |
An up-to-date list of our key subprocessors is available at www.calorietrackeroneleaf.com/subprocessors. We will use reasonable efforts to notify you of material changes to this list.
5. INTERNATIONAL DATA TRANSFERS
Some of the recipients listed in Section 4 are located outside the European Economic Area (EEA), the United Kingdom or Switzerland, including in the United States. When your personal data is transferred to a country whose level of protection has not been recognized as adequate by the European Commission (or the UK authorities), we rely on appropriate safeguards to protect your data, in particular:
- the EU Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable the UK International Data Transfer Addendum;
- for transfers to certified organizations in the United States, the EU–U.S. Data Privacy Framework and its UK and Swiss extensions;
- additional technical and organizational measures where required (for example encryption in transit and at rest, pseudonymization, access controls).
You may request a copy of the safeguards applied to transfers concerning you by contacting
[email protected].
6. HOW DOES ONELEAF PROTECT YOUR PERSONAL DATA?
Oneleaf has implemented technical and organizational measures in order to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or disclosure of your personal data. These measures include, without limitation, encryption of data in transit and at rest, access control based on least-privilege principles, security logging and monitoring, vulnerability management and regular review of our security practices. These measures ensure a level of security adapted to the data and take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected. However, no data, on the Internet or otherwise, can be guaranteed to be 100% secure. While we strive to protect your information from unauthorized access, use, or disclosure, we cannot and do not warrant the security of your information.
Oneleaf requires that all members of its personnel and any other person processing your personal data comply with the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data.
If you have found a vulnerability or would like to report a security incident, please send an email to
[email protected].
Oneleaf is a provider of online and mobile consumer health and wellness tools and is not a covered entity or a business associate of a covered entity under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). As such, HIPAA does not apply to the collection, storage, use, and disclosure of the information you provide to us.
7. FOR HOW LONG ARE YOUR PERSONAL DATA STORED?
As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data were collected, or as necessary to fulfill legal or regulatory obligations. In the absence of applicable exceptions:
- all personal data processed in order to provide the App’s services (including health and lifestyle data) will be stored until the deletion of your personal account, or after two (2) years of inactivity on your personal account;
- meal and progress photographs, once uploaded, are retained until you delete them or your account is deleted;
- after deletion, personal data may be archived in restricted-access archives for five (5) years for evidential purposes and for ten (10) years for invoicing and accounting data, in accordance with applicable French law;
- traffic data are stored for a period of thirteen (13) months from the connection date;
- data processed on the basis of your consent are kept only for as long as your consent is valid and you have not withdrawn it;
- anonymized or aggregated data may be retained indefinitely for analytics and product improvement purposes.
8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
Subject to the conditions set out in applicable data protection laws (in particular the GDPR), you have the following rights over your personal data:
- Right of access: obtain clear, transparent and understandable information on how we process your personal data and your rights, as well as a copy of your personal data.
- Right of rectification: obtain the modification of your personal data if they are obsolete, inaccurate or incomplete.
- Right to object: object to the processing of your personal data when the processing is based on our legitimate interest. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
- Right to restrict processing: request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications.
- Right to withdraw consent: withdraw your consent where the processing is based on consent, at any time and without this withdrawal affecting the lawfulness of processing operations previously carried out.
- Right to data portability: receive your personal data in a structured, commonly used and machine-readable format, and request their transmission to another controller where technically feasible.
- Right to erasure (right to be forgotten): request the deletion of your personal data in the cases provided for by applicable law.
- Right to lodge a complaint: lodge a complaint with your national data protection authority. In France, this is the CNIL (www.cnil.fr). For users in other EEA / UK jurisdictions, the competent authority of your country of residence.
- Right regarding post-mortem directives (France): define directives regarding the retention, deletion and communication of your personal data after your death, in accordance with Article 85 of the French Data Protection Act.
The availability of these rights depends on the legal basis of the processing, as follows:
Legal basis | Access | Rectification | Erasure | Restriction | Portability | Objection |
Consent | Yes | Yes | Yes | Yes | Yes | Withdrawal of consent |
Steps prior to entering into a contract | Yes | Yes | Yes | Yes | Yes | No |
Contract | Yes | Yes | Yes | Yes | Yes | No |
Legitimate interest | Yes | Yes | Yes | Yes | No | Yes |
Legal obligation | Yes | Yes | No | Yes | No | N/A |
Under certain circumstances, Oneleaf may ask you for specific information in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.
If you have any questions or wish to exercise your rights, you may directly contact Oneleaf by sending an email to
[email protected]. We will reply within the timeframes set by applicable law (generally, one month under the GDPR, extendable by two months for complex requests).
9. ARTIFICIAL INTELLIGENCE FEATURES
Where you enable an AI-assisted feature (for example, food recognition from photographs, AI coaching, or personalized insights), your inputs — including photographs, text prompts, food logs and body metrics — may be transmitted to, and processed by, third-party AI service providers (for example, OpenAI, Anthropic, Google Cloud, or similar). Such processing takes place only with your explicit consent and strictly for the purposes of providing the AI feature you have enabled.
We contractually require our AI service providers, where commercially available, to: (i) not use your inputs or outputs to train their own foundation models; (ii) apply limited data retention (zero-retention or short-retention endpoints) to the extent available; and (iii) process your data in accordance with applicable data protection laws. You can revoke your consent to AI features at any time in the App settings; revocation will take effect going forward and will not affect processing already carried out.
AI outputs are estimates and may be inaccurate. Please refer to our Terms and Conditions for applicable disclaimers.
10. THIRD-PARTY HEALTH INTEGRATIONS
The App may offer optional integrations with third-party health platforms, including Apple HealthKit, Google Health Connect, Fitbit, Garmin, Oura and Whoop. These integrations are disabled by default and operate only with your explicit consent.
Apple HealthKit. Where you enable the HealthKit integration, Oneleaf will only access, use and share HealthKit data with your prior consent and strictly to provide the features you have enabled. In accordance with Apple’s requirements, Oneleaf will not: (a) use HealthKit data, or data derived therefrom, for advertising, marketing, or other use-based data mining purposes other than improving health management, or for health research (and, for health research, only with your explicit consent); (b) sell HealthKit data to any third party (including advertising platforms, data brokers or information resellers); or (c) disclose HealthKit data to third parties without your explicit consent.
Google Health Connect and other integrations. Where you use Google Health Connect, Google Fit, or another health-data integration, we will only access such data as you authorize and only for the purposes of providing the App. We will not sell Google-sourced health or fitness data, nor use it for advertising or any purpose unrelated to the features you have enabled.
You can revoke any Health Integration at any time in your device settings or in the App.
11. CHILDREN’S PRIVACY
The App is not intended for, and may not be used by, individuals under 18 years of age (or the age of majority in your jurisdiction, if higher). We do not knowingly collect personal data from persons under 18. If you are a parent or guardian and you believe that your child has provided us with personal data, please contact us at
[email protected] so that we can delete that information and, where applicable, disable the account.
California residents under 16 years of age may have additional rights regarding the collection and sale or sharing of their personal information; see Section 12 below.
12. YOUR STATE PRIVACY RIGHTS (UNITED STATES)
State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.
California. To learn more about California residents’ privacy rights under the CCPA and CPRA, please see our California Privacy Notice available at www.calorietrackeroneleaf.com/ccpa. California’s "Shine the Light" law (Civil Code Section § 1798.83) permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please email
[email protected].
Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Nebraska and similar state comprehensive privacy laws may each provide their state residents with some or all of the following rights:
- confirm whether we process their personal information and access that personal information;
- delete certain personal information;
- correct inaccuracies in their personal information;
- obtain their personal information in a portable format;
- opt out of the sale or sharing of their personal information, of targeted advertising, and of profiling that produces legal or similarly significant effects.
Certain of these states require that we obtain your opt-in consent before we share your personal information with third parties for marketing, sales or solicitation purposes, or before we process sensitive data (which typically includes health data). We rely on your consent for such processing.
To exercise any of these rights, or to appeal a decision regarding a consumer rights request, please send an email to
[email protected].
Nevada provides its residents with a limited right to opt out of certain sales of covered information. To exercise this right, please contact us at
[email protected].
13. CHANGES TO THIS POLICY
This Privacy Policy may be amended from time to time, in particular to reflect changes in the services provided by the App or in applicable regulations. We recommend that you review this Privacy Policy each time you use the App. If we make material changes to this Privacy Policy, we will make reasonable attempts to notify you, for example by email or through an in-app notification. The "Effective date" at the top of this Privacy Policy indicates when it was last updated.
14. CONTACT
If you have any questions regarding this Privacy Policy or the processing of your personal data, you may contact us:
- by email:
[email protected];
- by post: Oneleaf SAS, 7 PL DE L HOTEL DE VILLE, 93600 Aulnay-sous-Bois, France.