Privacy Policy

Calma AI

Effective Date: November 9, 2025
Version: 1.0

1. Introduction

1.1 Who We Are

Calma AI is an informational and educational wellness platform. This Privacy Policy explains how we collect, use, store, and protect your personal information, including special category data (health data).

1.2 Our Commitment

We are committed to:

Protecting your privacy and personal data
Processing data transparently and lawfully
Giving you control over your data
Complying with GDPR, CCPA, and applicable data protection laws

1.3 Data Controller

For the purposes of data protection law, the data controller is:

Organization: Calma AI
Email: legal@calma-ai.com

2. What Data We Collect

2.1 Account Information

When you register, we collect:

Email address (required for account creation and communication)
Password (stored in encrypted form only)
Account creation date and time

Important Note: While you may choose to enter health-related information into your personal wellness journal, we recommend not uploading sensitive medical documents or detailed medical records. Calma AI is a wellness journal and educational tool, not a medical records system.

2.2 AI Consultation Data

We collect and store:

Questions you ask the AI assistant
AI responses
Consultation timestamps
Conversation context

2.3 Technical Data

We automatically collect:

IP address (for security purposes)
Device information (browser type, operating system)
Usage data (pages visited, features used)
Session information (login times, session duration)
Error logs (for service improvement)

2.4 Data We DO NOT Collect

We do NOT collect:

❌ Precise geolocation data
❌ Biometric data
❌ Social media data
❌ Data from third-party health apps (unless you explicitly connect them)

3. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR:

3.1 Explicit Consent (Article 9(2)(a))

For special category health data, we rely on your explicit consent, which you provide during registration.

3.2 Contract Performance (Article 6(1)(b))

We process account data to:

Provide the service to you
Maintain your account
Enable AI consultations

3.3 Legitimate Interests (Article 6(1)(f))

We process technical data for:

Service security and fraud prevention
Service improvement and optimization
Analytics (anonymized where possible)

3.4 Legal Obligation (Article 6(1)(c))

We may process data to:

Comply with legal requirements
Respond to lawful requests from authorities
Maintain required records

4. How We Use Your Data

4.1 Primary Purposes

We use your data to:

Provide the service: Enable you to use Calma AI features
AI consultations: Send relevant context to third-party AI providers for generating responses
Data storage: Store your health journal and history
Communication: Send service-related emails (account verification, security alerts)

4.2 Secondary Purposes

We may use anonymized or aggregated data to:

Improve service quality
Understand usage patterns
Develop new features
Generate statistical reports (no individual identification)

4.3 What We DO NOT Do

We do NOT:

❌ Sell your data to third parties
❌ Use your data for advertising
❌ Share your health data with insurers
❌ Share your data with employers
❌ Use your data for purposes other than stated here without your consent

5. Third-Party Data Sharing

5.1 Third-Party AI Service Providers

What we share:

Text of your health questions
Relevant context from your health history (minimized)
Conversation history for context

What we DO NOT share:

Your email address
Your full name (if stored)
Exact dates
Identifying information

Purpose: To enable AI-powered health information responses

Legal basis: Your explicit consent and contract performance

Data protection:

AI providers act as sub-processors under GDPR
Standard Contractual Clauses (SCCs) are in place where required
Data retention policies minimize storage duration

Important: We work only with AI providers that implement appropriate technical and organizational measures to protect your data.

5.2 Infrastructure Provider (Database Hosting)

What we share: All data stored in the service

Purpose: Database hosting and authentication

Location: EU data centers (GDPR compliant)

Legal basis: Contract performance

Data protection:

SOC 2 Type II certified
GDPR compliant
Data Processing Agreement (DPA) in place

5.3 No Other Sharing

We do NOT share your data with:

❌ Advertisers
❌ Marketing companies
❌ Data brokers
❌ Social media platforms
❌ Any other third parties (except as required by law)

6. International Data Transfers

6.1 Data Storage Location

Your data is primarily stored in:

European Union data centers (Supabase EU region)

6.2 Transfers Outside the EU

Data may be transferred outside the EU to:

Third-party AI providers: Protected by Standard Contractual Clauses (SCCs) and adequacy decisions where applicable

6.3 Your Rights

You have the right to:

Receive information about international transfers
Object to transfers (though this may limit service functionality)
Request that data be stored only in the EU (if feasible)

7. Data Security

7.1 Technical Measures

We implement:

Encryption at rest: AES-256-GCM for all health data
Encryption in transit: TLS 1.3 for all connections
Access controls: Role-based access control (RBAC)
Row-Level Security: Each user can only access their own data
Two-factor authentication: Available for all users
Regular security audits: Quarterly security assessments
Penetration testing: Annual third-party testing

7.2 Organizational Measures

We maintain:

Data protection policies: Comprehensive security policies
Staff training: Regular privacy and security training
Access restrictions: Need-to-know basis only
Incident response plan: Documented procedures for data breaches
Vendor management: Due diligence on all sub-processors

7.3 Data Breach Notification

In case of a data breach:

We will notify affected users within 72 hours of discovery
We will notify the relevant supervisory authority as required by law
We will provide details of the breach and mitigation steps
We will offer support and guidance to affected users

8. Data Retention

8.1 Active Accounts

We retain your data for as long as your account is active.

8.2 After Account Deletion

When you delete your account:

Immediate deletion: Account access is terminated immediately
Data deletion: All personal data is deleted within 30 days
Backup deletion: Data in backups is deleted within 90 days
Log retention: Anonymized logs may be retained for up to 3 years for legal compliance

8.3 Legal Retention

We may retain certain data longer if:

Required by law (e.g., tax records, audit logs)
Necessary for legal proceedings
You have explicitly requested retention

8.4 Inactive Accounts

If your account is inactive for 3 years:

We will send you an email notification
If you do not respond within 30 days, we may delete your account and data
You can reactivate your account at any time before deletion

9. Your Rights Under GDPR

9.1 Right to Access (Article 15)

You can:

Request a copy of all personal data we hold about you
Access your data at any time through your account dashboard

How to exercise: Email legal@calma-ai.com or use the in-app access feature

Response time: Within 30 days

9.2 Right to Rectification (Article 16)

You can:

Correct inaccurate personal data
Complete incomplete data
Update your information at any time

How to exercise: Edit directly in your account or email legal@calma-ai.com

Response time: Immediate for self-service edits; within 30 days for requests

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can:

Request deletion of all your personal data
Delete your account at any time

How to exercise: Delete your account in settings or email legal@calma-ai.com

Response time: Deletion begins immediately; complete within 30 days

Exceptions: We may retain data if required by law or for legal proceedings

9.4 Right to Restriction of Processing (Article 18)

You can:

Request that we limit how we use your data
Temporarily suspend data processing

How to exercise: Email legal@calma-ai.com

Response time: Within 30 days

Note: This may limit service functionality

9.5 Right to Object (Article 21)

You can:

Object to processing based on legitimate interests
Object to direct marketing (we don't do marketing currently)

How to exercise: Email legal@calma-ai.com

Response time: Within 30 days

9.6 Right to Withdraw Consent (Article 7(3))

You can:

Withdraw consent for health data processing at any time
Withdraw consent for AI data sharing

How to exercise: Email legal@calma-ai.com or manage consents in account settings

Response time: Immediate

Note: Withdrawal may require account deletion as consent is necessary for service operation

9.7 Right to Lodge a Complaint (Article 77)

You have the right to:

Complain to your local data protection authority
File a complaint if you believe we've violated your rights

EU Users: Contact your national supervisory authority
Find your authority: https://edpb.europa.eu/about-edpb/board/members_en

9.8 Right to Human Review

You have the right to:

Request human review of AI-generated content
Not be subject to solely automated decision-making (we don't make automated decisions that significantly affect you)

10. Children's Privacy

10.1 Age Requirement

Calma AI is intended for users 18 years and older.

10.2 Parental Control

If you are a parent or guardian:

You may create health profiles for minors in your care
You are responsible for all data related to minors
You must provide consent on their behalf

10.3 No Direct Minor Registration

Minors cannot create accounts independently
We do not knowingly collect data from children under 18 without parental consent
If we learn we have collected data from a child without consent, we will delete it immediately

11. Cookies and Tracking

11.1 Essential Cookies

We use essential cookies for:

Authentication: Keeping you logged in
Security: CSRF protection, session management
Preferences: Language settings, UI preferences

Legal basis: Necessary for service operation (no consent required under GDPR)

11.2 Analytics Cookies

We may use analytics cookies to:

Understand service usage
Improve user experience
Identify technical issues

Legal basis: Your consent (can be managed in cookie settings)

11.3 No Advertising Cookies

We do NOT use:

❌ Advertising cookies
❌ Third-party tracking cookies
❌ Social media pixels

11.4 Managing Cookies

You can:

Manage cookie preferences in your browser
Disable non-essential cookies (may affect functionality)
Delete cookies at any time

12. Updates to This Policy

12.1 Notification of Changes

We will notify you of material changes to this Privacy Policy:

By email: At least 30 days before changes take effect
In-app notification: When you next log in
Website banner: Prominently displayed

12.2 Version History

We maintain a version history of this policy:

Current version: 1.0 (November 9, 2025)
Previous versions: Available on request

12.3 Your Options

If you disagree with policy changes:

You can delete your account before changes take effect
Continued use after the effective date constitutes acceptance

13. Contact Us

13.1 General Privacy Inquiries

Email: legal@calma-ai.com
Response time: Within 7 days

13.2 Data Subject Rights Requests

Email: legal@calma-ai.com
Subject line: "Data Subject Rights Request - [Your Right]"
Response time: Within 30 days (as required by GDPR)

13.3 Data Protection Officer (if appointed)

Email: support@calma-ai.com
Role: Overseeing data protection compliance

13.4 Security Issues

Email: support@calma-ai.com
For: Reporting security vulnerabilities or data breaches

Last Updated: November 9, 2025
Version: 1.0
Next Review: May 9, 2026