AI Usage Agreement and Third-Party Data Sharing Consent

Calma AI

Effective Date: November 9, 2025
Version: 1.0


Purpose of This Document

This document explains how Calma AI uses artificial intelligence (AI) technology and how your data is shared with third-party AI service providers. This consent is required under GDPR for international data transfers and transparency obligations.


1. Understanding AI Technology

1.1 What is AI?

Artificial Intelligence (AI) in Calma AI refers to:

  • Large Language Models (LLMs): Advanced computer systems trained on vast amounts of text
  • Natural Language Processing: Technology that understands and generates human-like text
  • Machine Learning: Systems that can recognize patterns and generate responses

1.2 Our AI Providers

We use third-party AI service providers:

  • Services: Large Language Models (LLMs) and AI APIs
  • Purpose: Generating intelligent responses to health questions
  • Details provided in Privacy Policy

2. How AI Works in Calma AI

2.1 When You Use AI

When you ask the AI assistant a question:

  1. You type: A question or description of symptoms
  2. We prepare: We add relevant context from your health history (minimized)
  3. We send: Your question + context to third-party AI provider servers
  4. AI processes: The AI model analyzes and generates a response
  5. We receive: The response from the AI provider
  6. You see: The AI-generated response in Calma AI

2.2 What Data is Sent to Third-Party AI Providers

Data WE SEND to AI providers:

  • ✅ Text of your question
  • ✅ Relevant context from your health history (symptoms, conditions you mentioned)
  • ✅ Previous conversation messages (for context)
  • ✅ Instructions to the AI (e.g., "provide general health information only")

Data WE DO NOT SEND to AI providers:

  • ❌ Your name
  • ❌ Your email address
  • ❌ Your exact date of birth
  • ❌ Your home address
  • ❌ Your phone number
  • ❌ Your account ID (only an anonymous session ID)
  • ❌ Your full medical history (only relevant context)

2.3 Data Minimization

We practice strict data minimization:

  • We remove or pseudonymize identifying information before sending to third-party AI providers
  • We only send the minimum data necessary for AI to generate a helpful response
  • We use third-party AI providers' Zero Data Retention option (explained below)

3. Third-Party AI Data Processing

3.1 AI Provider's Role

Third-party AI providers act as our sub-processors under GDPR:

  • Purpose: Process data to generate AI responses
  • Legal basis: Standard Contractual Clauses (SCCs) where applicable
  • Your control: This consent allows the transfer

3.2 Data Retention Policies

We work with AI providers that implement responsible data retention:

  • ✅ AI providers minimize data retention periods
  • ✅ Your data is used only for generating responses
  • ✅ Data retention is limited to what's necessary for service operation and safety monitoring
  • ✅ AI providers do not use your data inappropriately

3.3 AI Provider's Privacy Commitments

Our AI providers implement:

  • Security measures: Encryption, access controls, audit logs
  • Data Processing Agreements: Standard Contractual Clauses (SCCs) where required
  • Limited retention: Data is not retained longer than necessary

3.4 AI Provider's Data Handling

Third-party AI providers:

  • Store data temporarily: Only for generating responses and safety monitoring
  • Encrypt data: In transit (TLS) and at rest
  • Access controls: Only authorized personnel can access systems
  • Audit logs: All access is logged
  • No routine human review: Your data is not routinely reviewed by humans (except for safety/abuse investigations)

4. AI Capabilities and Limitations

4.1 What AI Can Do

The AI assistant can:

  • ✅ Provide general health and wellness information
  • ✅ Answer questions about common health topics
  • ✅ Help you understand medical terminology
  • ✅ Suggest questions to ask your healthcare provider
  • ✅ Organize and summarize information you provide
  • ✅ Provide educational content about health conditions

4.2 What AI CANNOT Do

The AI assistant CANNOT:

  • ❌ Diagnose medical conditions
  • ❌ Prescribe medications or treatments
  • ❌ Interpret medical tests or imaging
  • ❌ Provide dosage recommendations
  • ❌ Replace professional medical care
  • ❌ Guarantee accuracy of information
  • ❌ Access your actual medical records (only what you enter)
  • ❌ Provide emergency medical assistance

4.3 AI Errors and "Hallucinations"

CRITICAL UNDERSTANDING: AI can make serious mistakes:

"Hallucinations": AI may generate:

  • ❌ Plausible-sounding but completely false information
  • ❌ Non-existent medical studies or statistics
  • ❌ Incorrect medication names or dosages
  • ❌ Misinterpretation of your symptoms

Other Errors:

  • ❌ Outdated information (medical knowledge changes rapidly)
  • ❌ Overgeneralizations (not specific to your situation)
  • ❌ Misunderstanding your question
  • ❌ Incomplete or biased information
  • ❌ Contradictory information across responses

YOUR RESPONSIBILITY:

  • NEVER trust AI responses for medical decisions
  • ALWAYS verify information with healthcare professionals
  • NEVER use AI responses for self-diagnosis or self-treatment
  • ✅ Report concerning AI responses to support@calma-ai.com

4.4 AI Training and Biases

Training Data:

  • AI was trained on vast amounts of text from the internet
  • Training data may include inaccuracies, biases, or outdated information
  • Training data cutoff: AI's knowledge is limited to its training date

Potential Biases:

  • AI may reflect biases present in training data
  • May be more accurate for certain demographics or conditions
  • May use terminology or perspectives that don't apply to you

Continuous Improvement:

  • Third-party AI providers regularly update and improve models
  • We provide feedback to third-party AI providers about problematic responses
  • You can report issues to help us improve

5. Your Rights and Controls

5.1 Right Not to Use AI

You can:

  • ✅ Use Calma AI without using the AI assistant
  • ✅ Use only the health journal features
  • ✅ Choose which questions to ask AI
  • ✅ Delete AI conversation history at any time

5.2 Right to Withdraw Consent

You can withdraw consent for data sharing with third-party AI providers:

  • How: Email legal@calma-ai.com or disable AI in settings
  • Effect: AI assistant will be disabled
  • Note: Other Calma AI features will still work

5.3 Right to Access AI Data

You can:

  • ✅ View all your AI conversation history
  • ✅ Export your AI conversations
  • ✅ Delete specific AI conversations
  • ✅ Request information about what was sent to third-party AI providers

5.4 Right to Delete AI Data

You can:

  • ✅ Delete individual AI conversations
  • ✅ Delete all AI conversation history
  • ✅ Request deletion from third-party AI providers (though already deleted under Zero Data Retention)

5.5 Right to Object

You can:

  • ✅ Object to AI processing of your data
  • ✅ Object to international data transfers to third-party AI providers
  • ✅ Request alternatives (though AI is core to this service)

6. International Data Transfer Details

6.1 Transfer to United States

Your data is transferred to third-party AI providers in the United States:

  • From: European Union / United Kingdom / Your location
  • To: United States (not considered "adequate" under GDPR without additional safeguards)
  • Why: Third-party AI providers' servers and AI processing infrastructure are located in the US

6.2 Legal Safeguards

We have implemented appropriate safeguards:

Standard Contractual Clauses (SCCs):

  • ✅ EU Commission-approved contract clauses
  • ✅ Legally binding obligations on third-party AI providers
  • ✅ Enforceable data subject rights
  • ✅ Liability provisions

Data Processing Agreement (DPA):

  • ✅ Detailed agreement with third-party AI providers
  • ✅ Specifies processing purposes and limitations
  • ✅ Security and confidentiality obligations
  • ✅ Sub-processor provisions

Additional Security Measures:

  • ✅ Data minimization (remove identifiers)
  • ✅ Pseudonymization where possible
  • ✅ Encryption in transit and at rest
  • ✅ Zero Data Retention policy

6.3 US Government Access

Important Note: Despite safeguards, US government agencies may potentially access data:

  • US surveillance laws (FISA, CLOUD Act) may apply
  • This risk exists for any US-based service provider
  • Third-party AI providers have procedures to challenge unlawful requests
  • Third-party AI providers provide transparency reports on government requests

Your Right to Know: We will inform you if we receive lawful requests for your data (unless prohibited by law)

6.4 Alternatives to US Transfer

If you do not consent to international data transfers:

  • ❌ You cannot use the AI assistant feature
  • ✅ You can still use other Calma AI features (health journal, manual record-keeping)

7. Safety and Content Filtering

7.1 Our Safety Measures

We implement safety measures:

  • Content filtering: Detect and block dangerous queries
  • Response filtering: Review AI responses for harmful content
  • Emergency detection: Identify when you may need immediate medical care
  • Prompt engineering: Instruct AI to provide safe, educational responses only

7.2 Third-Party AI Providers' Safety Measures

Third-party AI providers implement:

  • Content policy: Prohibits harmful uses of AI
  • Abuse monitoring: Detects misuse patterns
  • Safety systems: Built-in guardrails in AI models
  • Human review: May review flagged content for safety

7.3 Reporting Unsafe Responses

If you receive unsafe or harmful AI responses:

  • Report to: support@calma-ai.com
  • We will: Review within 24 hours, improve filters, report to third-party AI providers
  • Third-party AI providers will: Investigate and improve safety systems

7.4 Limitations of Safety Measures

Important: No safety system is perfect

  • Harmful content may occasionally bypass filters
  • AI may provide dangerous advice despite safeguards
  • Your responsibility: Exercise critical judgment, verify with professionals

8. Data Retention and Deletion

8.1 Calma AI Data Retention

We retain AI conversation data:

  • Active account: As long as you use the service
  • After deletion: 30 days to complete deletion

8.2 Third-Party AI Provider Data Retention

Third-party AI providers retain your data:

  • Zero Data Retention: Data deleted after response generation
  • Abuse monitoring: Up to 30 days for safety monitoring
  • No training: Your data is NOT used to train AI models

8.3 Deleting AI Data

To delete AI conversation data:

  1. Individual conversations: Delete in-app
  2. All AI data: Delete in settings or delete account
  3. Third-party AI providers' copy: Automatically deleted per Zero Data Retention policy

9. Changes and Updates

9.1 AI Model Updates

Third-party AI providers may update AI models:

  • New versions may improve accuracy and safety
  • We will notify you of significant changes
  • You can continue using the service or withdraw consent

9.2 Policy Changes

If we change how we use AI or share data with third-party AI providers:

  • We will notify you by email (30 days' advance notice)
  • We will request new consent if changes are material
  • You can withdraw consent if you disagree

9.3 New AI Providers

If we add or change AI providers:

  • We will notify you in advance
  • We will request new consent
  • We will ensure similar or better privacy protections

10. Consent Statement

10.1 What You Are Consenting To

By providing consent, you agree to:

  1. AI Processing: I consent to Calma AI using third-party AI service providers to process my health questions and data
  2. Data Sharing: I consent to Calma AI sharing necessary data with third-party AI providers for AI processing
  3. International Transfer: I consent to my data being transferred to third-party jurisdictions (third-party AI providers' location)
  4. Third-Party AI Provider Processing: I consent to third-party AI providers processing my data to generate AI responses
  5. Temporary Storage: I consent to third-party AI providers temporarily storing my data (up to 30 days for abuse monitoring)
  6. Zero Data Retention: I understand third-party AI providers do not use my data for AI training
  7. AI Limitations: I understand AI can make errors and "hallucinate" false information

10.2 What You Acknowledge

I acknowledge that:

  1. ✅ I have read and understood this AI Usage Agreement
  2. ✅ I understand what data is shared with third-party AI providers and why
  3. ✅ I understand my data is transferred to third-party jurisdictions
  4. ✅ I understand the safeguards in place (SCCs, DPA, Zero Data Retention)
  5. ✅ I understand AI can make errors and provide false information
  6. ✅ I will not rely on AI responses for medical decisions
  7. ✅ I will verify all AI information with healthcare professionals
  8. ✅ I can withdraw this consent at any time
  9. ✅ I provide this consent freely and voluntarily
  10. ✅ I am at least 18 years old (or have parental consent)

10.3 Voluntary Consent

  • You are NOT required to consent to AI usage
  • You can use Calma AI without the AI assistant (health journal only)
  • You can withdraw consent at any time
  • No negative consequences for not consenting (except inability to use AI features)

11. Questions and Support

11.1 General Questions

For questions about AI usage:

  • Email: legal@calma-ai.com
  • Response time: Within 7 days

11.2 Third-Party AI Provider Privacy Questions

For specific questions about third-party AI providers' practices:

  • Third-party AI providers Privacy:
  • Third-party AI providers Support: Via our team at legal@calma-ai.com

11.3 Withdrawing Consent

To withdraw AI usage consent:

  • Email: legal@calma-ai.com with "Withdraw AI Consent" in subject
  • Or: Disable AI features in settings
  • Response time: Immediate

11.4 Safety Concerns

To report unsafe AI responses:

  • Email: support@calma-ai.com
  • Response time: Within 24 hours

12. Legal Information

12.1 Applicable Laws

This consent complies with:

  • GDPR Chapter V: International data transfers (EU)
  • UK GDPR: International transfers (UK)
  • CCPA: California Consumer Privacy Act (US)
  • Other laws: As applicable to your jurisdiction

12.2 Standard Contractual Clauses

We use EU Commission SCCs (2021 version):

  • Module 1: Controller to Controller
  • Module 2: Controller to Processor
  • As applicable to the relationship with third-party AI providers

Available: You can request a copy at legal@calma-ai.com

12.3 Transfer Impact Assessment

We have conducted a Transfer Impact Assessment (TIA) as required by GDPR:

  • Assessed risks of international data transfers
  • Evaluated third-party AI providers' safeguards
  • Implemented additional protective measures
  • Concluded that transfer provides adequate protection

Available: Summary available on request


13. Consent Declaration

By checking the AI consent box during registration, I declare that:

✅ I have read and understood this AI Usage Agreement in full

✅ I understand that Calma AI uses third-party AI providers for AI processing

✅ I understand what data is shared with third-party AI providers and why

✅ I understand the risks and safeguards for international data transfer

✅ I understand that AI can make errors and provide false information

✅ I will not rely on AI responses for medical decisions

✅ I know that I can withdraw this consent at any time

✅ I provide this explicit consent freely and voluntarily

✅ I consent to Calma AI sharing necessary data with third-party AI providers for AI processing


Date of Consent: [Automatically recorded when you check the consent box]
Version Consented To: 1.0 (November 9, 2025)
Your Account: [Your email address]


Last Updated: November 9, 2025
Version: 1.0
Next Review: May 9, 2026


© 2025 Calma AI. All rights reserved.