GDPR Compliance

Last updated: March 24, 2026

CalmCall, operated by CalmCall SRL (Bucharest, Romania), is committed to fully complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR").

Given that CalmCall processes sensitive mental health data, we commit to the highest standards of protection and transparency.

1. Data Protection Officer (DPO)

We have designated a Data Protection Officer whom you can contact for any requests regarding your personal data:

  • Position: Data Protection Officer
  • Company: CalmCall SRL
  • Email: dpo@calmcall.ai
  • Address: Bucharest, Romania
  • Response time: Maximum 30 calendar days

2. Legal Bases for Data Processing

We process your personal data based on the following legal grounds provided by GDPR:

  • Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): For processing special mental health data (AI conversations, emotional assessments, journal entries). Consent is requested at account creation and can be withdrawn at any time.
  • Contract performance (Art. 6(1)(b)): For providing CalmCall services, account management and payment processing.
  • Legal obligation (Art. 6(1)(c)): For compliance with applicable tax, accounting and legal requirements.
  • Vital interest (Art. 6(1)(d)): In exceptional cases where an imminent risk to a user's life is detected.
  • Legitimate interest (Art. 6(1)(f)): For service improvement, security and fraud prevention — while respecting users' rights and interests.

3. Data Retention Periods

Data is kept strictly for the duration necessary for the purpose for which it was collected:

Data Category | Retention Period
Account data (email, name) | Account duration + 30 days
AI conversations | Account duration + 30 days (individual deletion available)
Therapeutic journal | Account duration + 30 days
Payment data | 5 years (legal tax obligation)
Technical logs | 90 days
Analytics cookies | 13 months (per CNIL recommendations)
Encrypted backups | 90 days from source data deletion
Support correspondence | 2 years

4. Third-Party Processors

We work with the following third-party processors, all GDPR-compliant and with signed data processing agreements (DPAs):

  • Hetzner Online GmbH (Germany): Hosting and server infrastructure. Servers located in EU (Germany).
  • Stripe Inc. (USA/Ireland): Payment processing. PCI DSS Level 1 certified. Standard contractual clauses for EU-US transfer.
  • OpenAI (USA): AI processing for voice companion. Data processed per DPA with standard contractual clauses. User data is not used for model training.
  • ElevenLabs (USA): Voice synthesis for AI companion. Standard contractual clauses.
  • Google Analytics (USA/Ireland): Anonymized traffic analysis. IPs anonymized, no identification cookies.

5. Cross-Border Data Transfers

All data is stored on servers within the European Union. When data transfer to countries outside the European Economic Area is necessary (e.g., for AI processing), we ensure that:

  • Standard Contractual Clauses (SCC) approved by the European Commission are implemented
  • Processors have relevant compliance certifications (SOC 2, ISO 27001, PCI DSS)
  • Additional technical measures apply: end-to-end encryption, pseudonymization, data minimization
  • Impact assessments (Transfer Impact Assessments) are conducted for each transfer

6. Data Deletion Requests

You can request complete deletion of your personal data through:

  • From account: Settings > Privacy > Delete all data
  • Email: Send a request to dpo@calmcall.ai
  • Form: Complete the GDPR request form on the website

Deletion process:

  • Identity confirmation within maximum 3 business days
  • Main data deletion within maximum 30 days
  • Backup deletion within maximum 90 days
  • Final deletion confirmation via email

Note: Certain data may be retained per legal obligations (tax data — 5 years).

7. Cookie Policy — Details

Complete classification of cookies used on CalmCall:

Strictly Necessary Cookies

  • session_id: Session identifier. Duration: browser session. Cannot be disabled.
  • csrf_token: Protection against CSRF attacks. Duration: session. Cannot be disabled.
  • auth_token: Authentication token. Duration: 30 days or on logout. Cannot be disabled.

Functional Cookies

  • language: Language preference. Duration: 1 year. Can be disabled.
  • theme: Visual theme preference. Duration: 1 year. Can be disabled.
  • cookie_consent: Consent preferences. Duration: 1 year.

Analytics Cookies

  • _ga: Google Analytics — anonymous user identification. Duration: 13 months. Can be disabled.
  • _ga_*: Google Analytics — session state. Duration: 13 months. Can be disabled.

We do not use marketing, advertising or remarketing cookies.

8. Data Protection Impact Assessment (DPIA)

Given that CalmCall processes sensitive mental health data at large scale, we have conducted a Data Protection Impact Assessment (DPIA) per Art. 35 GDPR. The DPIA is reviewed annually or upon any significant change to processing activities. DPIA results are available upon request to supervisory authorities.

9. Your Rights

Under GDPR, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request data deletion
  • Right to restriction (Art. 18) — limit processing
  • Right to portability (Art. 20) — receive data in structured format
  • Right to object (Art. 21) — object to processing
  • Right to withdraw consent (Art. 7(3)) — at any time, without retroactive effect
  • Right to lodge a complaint (Art. 77) — with supervisory authority

10. Supervisory Authorities

If you believe your rights have been violated, you can file a complaint with:

11. Contact

For any questions or requests regarding GDPR and personal data protection: