Effective: June 1, 2025
Who We Are
Nut Calculator is a U.S. LLC (“we,” “us,” “our”) that operates the online service available at https://nutcalculator.com (the “Service”). We are the data controller for all personal data processed through the Service.
We take transparency seriously. While no system is perfect, we aim to follow industry best-practice security, to review our privacy controls at least annually, and to incorporate community feedback. If you have concerns, write us—we welcome constructive input and continuously improve.
Definitions
For clarity, the following terms have the meanings given below. Other capitalised terms retain the meanings assigned elsewhere in this Policy.
- “Personal Data” – any information that identifies or can reasonably be linked to an individual.
- “Sensitive Personal Information” – a subset of Personal Data that reveals sexual orientation or activity, precise geolocation, or other information deemed sensitive under applicable law.
- “Service” – the websites, apps, APIs, and related services we operate under the Nut Calculator brand.
- “Account” – a user profile created to access the Service.
- “Processing” – any operation performed on Personal Data, whether automated or not (collecting, storing, using, disclosing, deleting, etc.).
- “You” / “User” – an individual who visits, registers for, or otherwise interacts with the Service.
Data We Collect
Category | Examples | Purpose | Lawful Basis (Art. 6 GDPR) |
---|---|---|---|
Account data | e-mail, display name, password hash | Create & maintain your account | Contract |
Dating-life metrics (special-category data) | encounter notes, cost entries, “cost-per-nut” calculations | Provide core functionality | Explicit consent (Art. 9 (2)(a)) |
Usage & device data | IP address, browser type, Firebase device IDs | Operate & secure the Service | Legitimate interests |
Marketing & analytics | aggregated cost-per-nut statistics, country breakdowns | Improve & promote the Service | Legitimate interests |
Payment data | cardholder name, partial PAN, billing address (via Creem.io) | Process payments | Contract / legal obligation |
No data about minors: The Service is intended for users 18 years or older only. We do not knowingly collect information about children. If we discover such data, we will delete it and may notify law enforcement authorities.
How We Use Your Data
We use personal data to:
- deliver core features (logging encounters, expenses, analytics);
- authenticate and secure accounts;
- aggregate and anonymise usage statistics for research, marketing, and product decisions (e.g., “lowest cost-per-nut countries”);
- process payments via Creem.io;
- comply with legal obligations and cooperate with law enforcement requests.
Your Privacy Rights
Depending on where you live, you may have the right to access, rectify, erase, restrict, or transfer your Personal Data, object to certain Processing, or withdraw consent. To exercise any right, email us; we will respond within the time limits set by applicable law. If no statutory deadline applies, we aim to reply within 30 days.
Third-Party Processors
We rely on the following subprocessors for user data:
Provider | Role | Location |
---|---|---|
Google Cloud / Firebase | hosting, authentication, encrypted data storage | United States |
Google Analytics & Google Marketing Platform | usage analytics & advertising pixels | United States |
Creem.io | merchant-of-record / payment processing | United States |
Additional processors may be added when judged necessary to operate or improve the Service. A current list will always be available on this page.
International Transfers
Data may be stored and processed in Google Cloud facilities in the United States. Our Service is not intended for use within the EEA or UK; if it is accessed from the EEA/UK, data transfers rely on SCCs and Google’s Cloud Data Processing Addendum. If we later market in these jurisdictions, we will appoint an EU/UK representative.
Data Retention
We keep personal data indefinitely to support aggregate analytics, unless you exercise your right to erasure or we are required to delete it sooner. When you delete your account, we scrub or irreversibly anonymise all personal-identifier fields periodically, except where retention is legally required (e.g., payment records) or for legitimate business needs such as security auditing and tax compliance. We aim to review the data we hold at least every 24 months and delete or irrevocably de-identify information that is no longer needed for the purposes set out in this Policy, unless a longer period is required for purposes set forth elsewhere within this policy.
Security Measures
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 in Firebase). Access is limited by least-privilege IAM roles. No method of transmission or storage is 100 % secure; we therefore disclaim any express or implied warranty regarding security.
Cookies & Tracking
We use strictly-necessary cookies for authentication and optional cookies for analytics/advertising. Where local law requires, we obtain consent through a banner. We do not honor legacy ‘Do Not Track’ signals.
Legal Disclaimers
- No warranties. The Service is provided “as is” and “as available,” without any warranty of fitness, merchantability, accuracy, or non-infringement, whether express or implied.
- Limitation of liability. To the fullest extent permitted by law, we, or our officers, employees, and agents, will not be liable for any indirect, incidental, special, punitive, or consequential damages, or for loss of profits, revenues, data, or goodwill, arising from or related to this policy, the Service, or your use of the Service.
- Cap on damages. In all cases, our aggregate liability will not exceed the greater of (i) USD 10 or (ii) the amount you paid us in the 12 months preceding the event giving rise to liability.
Changes to This Policy
We may update this policy at any time; updates will be made to this page. Continued use of the Service after the effective date constitutes acceptance.
California Privacy Notice (CCPA/CPRA)
This section applies only to “consumers” who reside in California.
Categories of Personal Information We Collect
Under the CCPA/CPRA, we collect the following categories for the purposes described above:
Statutory category (Cal. Civ. Code §1798.140) | Examples we collect | Retention |
---|---|---|
Identifiers | email address, IP address, Firebase device ID | Until account deletion or 5 years after last log-in, whichever comes first |
Commercial information | purchase history through Creem.io | 7 years (tax & accounting) |
Internet / electronic activity | log files, device information | 24 months |
Sensitive personal information | dating-life metrics you actively enter (encounter notes, cost data) | Until you erase it or delete your account |
Inferences | cost-per-nut analytics, country averages | Retained only in aggregated or de-identified form |
We do not use or disclose “Sensitive Personal Information” under CPRA §1798.140 for any purpose that requires a “Limit the Use” link (§1798.121).
Consideration
We have not sold personal information in the last 12 months, but we reserve the right to do so in future. If that happens, the data that could be transferred for monetary or other valuable consideration includes:
- Identifiers – hashed e-mail address, IP address
- Internet / electronic-activity information – device or usage logs
- Dating-life metrics – the encounter notes, cost entries, and related analytics you enter
- De-identified or aggregated inferences drawn from your use of the Service
Before any sale begins, we will update this notice. We will not sell or share Sensitive Personal Information unless you have first provided explicit consent, and you may withdraw that consent at any time, in compliance with CPRA requirements.
Opt-out and limit rights
- E-mail [email protected] with “California Opt-Out” as the subject.
Browser support
We honour Global Privacy Control (GPC) signals; a valid GPC header is treated as a standing opt-out and limit request. The Service is optimised for current versions of Chrome and Safari. Features may be degraded in other browsers; however, any valid GPC signal we receive will still be respected.
Anti-Discrimination Notice (California)
We will not discriminate against you for exercising any privacy right granted under the California Consumer Privacy Act, as amended.
Security Disclaimer & Allocation of Risk
We employ reasonable administrative, technical, and physical safeguards, yet no online system or data transmission can be guaranteed 100 % secure. By using the Service, you acknowledge and accept the following:
- Residual Risk. Despite encryption, access controls, and monitoring, data may still be lost, intercepted, altered, or disclosed through accident, malicious action, or forces beyond our reasonable control.
- No Absolute Guarantee. We make no warranty—express or implied—that the Service or any data stored in it is invulnerable to breach, malware, or other security failures.
- Limited Liability for Security Incidents. To the fullest extent permitted by applicable law, we are not liable for any unauthorized access, use, disclosure, or destruction of data, including special-category or sensitive personal information, except to the extent the incident was caused by our willful misconduct or where liability cannot be disclaimed under mandatory law.
- Your Responsibilities.
  - Keep your login credentials confidential and use a strong, unique password.
  - Enable any optional multifactor authentication we provide.
  - Promptly notify us by email of any suspected compromise.
- Regulatory Compliance. Nothing in this Section limits our statutory duties to (a) notify affected users and regulators of a “personal-data breach” under GDPR Articles 33–34, CPRA Civil Code §1798.150, or other mandatory law; or (b) implement security measures required under applicable data-protection legislation.
Third-Party Links and Integrations
The Service may contain links to websites, plug-ins, SDKs, or services that we do not operate or control (collectively, “third-party services”). Examples include outbound links in user-generated content and payment processing screens hosted by Creem.io.
- Clicking those links or enabling those integrations is voluntary.
- We are not responsible for the privacy or security practices of third-party services, and their inclusion does not imply endorsement.
- Your interactions with any third-party service are governed solely by that service’s own terms and privacy policy. We encourage you to review them carefully.
If you believe a linked site or integration is jeopardising your privacy, you can notify us so we can investigate.
Business Transfers and Insolvency
We may sell, transfer, or otherwise share some or all of our business or assets, including personal data, in connection with a merger, acquisition, reorganisation, financing, sale of assets, or bankruptcy.
Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects on you based solely on automated Processing.
Accessibility
On request, we will provide this Policy in alternative formats, such as large print or screen-reader-optimised PDF, at no charge. Contact us.
Transparency & Support
We aim to operate with maximum transparency. We therefore endeavour to:
- respond to legitimate privacy questions within 10 business days;
- publish an annual high-level summary of government data-access requests (if any); and
- notify you promptly and in clear language if we ever learn of a security incident that poses a real risk to your data.
These statements reflect our current intentions only and do not create any contractual obligation beyond those already stated elsewhere in this Policy or required by applicable law.
Governing Law
Our Terms of Service, including governing law and dispute-resolution provisions, are incorporated here by reference.
Contact
For privacy questions or complaints, e-mail [email protected].