This page explains why Calsay needs to transfer Your personal data — including Your health data — outside Your country or region of residence, which safeguards We apply to those transfers, and what risks You are accepting when You give Your consent during onboarding.
Why international transfers happen
Calsay is operated from Spain, but the Service is built on top of a small number of specialized technology providers, some of which are based in the United States or operate from multiple regions worldwide. When You use the Service, Your data is processed by these providers on Our behalf to deliver specific functions (voice transcription, database hosting, nutrition lookup, etc.).
This means that to provide You with Calsay, We necessarily have to transfer Your personal data — including Your health data — to jurisdictions outside the European Economic Area (EEA), and in some cases outside Your country/region of residence.
Where does Your data go?
The following Service Providers receive personal data from Us on Your behalf. Each one only receives the data necessary for its specific function:
- Supabase Inc. (United States) — hosts Your Account, profile, meal logs, weight logs and activity logs.
- Groq, Inc. (United States) — transcribes Your voice recordings to text. Audio is processed transiently and not retained.
- Google LLC (United States) — parses Your transcribed text into structured meal, weight or activity entries using the Gemini language model.
- Edamam Inc. (United States) — returns nutritional information for food items You log. We do not send Your name, email or identifiers to Edamam; only food descriptions (e.g. "100g chicken breast").
- Apple Inc. (United States) — processes App Store subscriptions and, if You choose to use it, Apple Sign-In and Apple HealthKit.
- Superwall Labs, Inc. (United States) — displays the paywall and reports anonymized subscription events.
These providers may in turn rely on globally distributed infrastructure, meaning data may be processed in data centers located in several countries.
What do the laws in those countries look like?
Data protection laws differ significantly between countries. In particular:
- The European Economic Area, the United Kingdom and Switzerland provide strong protections under the GDPR and equivalent frameworks, including strict rules on health data, a right to lodge a complaint with an independent supervisory authority, and a broad set of user rights (access, rectification, erasure, portability, objection).
- The United States does not have a single comprehensive federal data protection law equivalent to the GDPR. Some states (such as California, Colorado and Virginia) have enacted their own privacy laws, but protections vary. U.S. authorities may, under certain surveillance laws, request access to data held by U.S.-based companies.
- Other countries where data may be processed may have laws that offer a level of protection different from — and sometimes less protective than — those of Your country or region.
This is the core reason this consent exists: We want You to understand, before You agree, that Your data may be subject to legal regimes other than Your own.
Safeguards We apply
Even though some of Our providers are outside the EEA, We do not transfer Your data without protection. Specifically:
- Contractual safeguards. Each Service Provider is bound by a Data Processing Agreement that requires them to protect Your data, use it only for the purposes We specify, maintain appropriate security measures, notify Us of any breaches and assist Us in responding to Your privacy rights requests.
- Standard Contractual Clauses (SCCs). Where applicable, We rely on the European Commission's Standard Contractual Clauses to provide a legal basis for transfers to countries outside the EEA that do not benefit from an adequacy decision.
- Adequacy decisions. Where the European Commission has issued an adequacy decision (for example, for transfers to the United States under the EU-U.S. Data Privacy Framework for certified companies), We rely on those decisions.
- Data minimization. We send each provider only the data strictly necessary for their function. For example, Edamam receives food descriptions but never Your identity, and Groq receives audio but does not receive Your name, email or profile data.
- Encryption in transit. All communication with Our providers uses TLS encryption.
- Transient processing where possible. Voice recordings are processed and discarded; they are not stored beyond the transcription step.
Your explicit consent
In addition to the safeguards above, for health data specifically and for the transfer of this data outside Your country/region, We rely on Your explicit consent under Article 49(1)(a) of the GDPR. That is why this consent is presented separately during onboarding.
By giving Your consent, You acknowledge that:
- Your personal data, including Your health data, will be transferred to and processed in countries outside Your country or region of residence.
- The data protection laws in those countries may differ from, and may in some cases offer less protection than, the laws of Your country or region.
- Public authorities in those countries may, under their local laws, be able to access data held by providers established there.
- Despite those differences, We apply the safeguards described above to protect Your data.
What happens if You don't consent?
This transfer is necessary for Calsay to operate, because the providers that transcribe Your voice, store Your logs and compute Your nutrition are located in countries outside the EEA. Without Your consent to this transfer, We cannot provide the Service to You. If You prefer not to consent, please do not create an account.
Withdrawing Your consent
You can withdraw Your consent at any time. Because this transfer is required for the Service to function, withdrawing consent is equivalent to asking Us to stop processing Your data, which in practice means deleting Your Account. You can do this at any time from Profile → Delete Account inside the app, or by contacting Us at the email below.
Withdrawing Your consent does not affect the lawfulness of processing carried out before the withdrawal.
Your rights
You keep all Your rights under applicable data protection law regardless of where Your data is processed, including the right to:
- Access the data We hold about You.
- Correct inaccurate data.
- Delete Your data and Your Account.
- Export Your data in a machine-readable format.
- Object to or restrict certain types of processing.
- Lodge a complaint with Your local supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD, aepd.es).
A complete description of how We process Your personal data, including the legal bases We rely on, is available in Our Privacy Policy.
Contact
For any question about international transfers of Your data, or to exercise Your rights, contact Us at:
