Privacy Policy
Effective date: 1 July 2026 · Last updated: 1 July 2026
This Privacy Policy explains how Calmsie Sp. z o.o. processes personal data of users of the Calmsie Community platform. We process personal data in accordance with Regulation (EU) 2016/679 (the GDPR / RODO), the Polish Act on the Protection of Personal Data of 10 May 2018 and the Polish Act on the Provision of Services by Electronic Means of 18 July 2002.
1. Data controller
The controller of your personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 ("GDPR" / "RODO") is:
Calmsie Sp. z o.o.
ul. Piastów Śląskich 29/25
01-494 Warsaw, Poland
VAT ID (NIP): PL7123401355
E-mail: contact@calmsie.ai
Calmsie Sp. z o.o. operates the Calmsie Community platform (the "Platform"), available at this website. References to "we", "us" or "Calmsie" in this Privacy Policy mean Calmsie Sp. z o.o.
2. Scope of this Policy
This Privacy Policy describes how we process personal data of users of the Platform, which provides: (i) a parent community forum, (ii) a curated resource library, (iii) a product marketplace, (iv) a newsletter service, (v) live video group sessions ("Breakout Rooms / Strefa Spotkań"), and (vi) an "Ask a Calmsie Expert" private Q&A service. It applies to visitors, registered users, Educational Contributors and administrators.
The Platform is targeted primarily at users located in Poland and the European Economic Area, but is accessible worldwide. Wherever you are located, we apply the GDPR standard to all users.
3. Personal data we collect
We only collect data that is necessary for the operation of the Platform:
- Account data: e-mail address, first name and last name (collected to identify the account holder on subscription invoices and payment receipts), display name, role (parent, Educational Contributor, administrator), account status, the date you created your account and the timestamp of your last activity / sign-in.
- Profile data (optional, contributors & admins only): avatar (profile picture), short biography, professional credentials.
- Children's data (optional): during onboarding you may provide information about your children — specifically each child's birth month and year, and gender. This information is used to personalise your experience on the Platform and is visible to other registered members of the community, enabling more relevant and meaningful conversations between parents. You are not required to provide this data. You can review, correct or delete it at any time from your account settings. Please note that this data may be accessed by Calmsie Therapeutics, Inc. (our affiliated entity in the United States) for the purposes of platform operations and quality improvement; where this occurs, the transfer is protected by Standard Contractual Clauses under Article 46 GDPR.
- Forum content: posts and comments you publish in the forum, including their category, the time of publication and any reports/flags you submit.
- Marketplace activity: items you save or interact with in the marketplace.
- Newsletter data: e-mail address and your delivery preferences (weekly digest, monthly summary, events).
- Subscription and billing data: when you subscribe to a paid plan or purchase an add-on (including the Ask a Calmsie Expert service), we process your chosen subscription tier, billing cycle, subscription status and renewal dates, and a transaction reference provided by our payment processor, Stripe. We also store a Stripe customer ID and subscription ID in order to manage your access to the Platform. Calmsie does not see, store, or have access to your full payment-card number, CVV or bank account details — those are entered directly on Stripe's secure payment page and handled entirely by Stripe on its own systems. If you purchase a Calmsie product sold separately (NeuralPositive, Mission Amygdala, Lila and the Dragon), the same applies.
- Referral data: if you join the Platform using a referral code, we record which code was used and link it to your account for the purpose of applying any promotional benefit (e.g. an extended free trial). We do not share referral data with third parties for marketing purposes.
- Breakout Rooms session data: when you join or host a live video session in the Breakout Rooms / Strefa Spotkań feature, your connection is routed through Daily.co (a third-party video infrastructure provider). Daily.co processes your IP address and connection metadata for the duration of the call. Where you enable your camera or microphone during a session, Daily.co will process your video image and voice in real time solely for the purpose of transmitting the live stream to other session participants. This processing occurs only for the duration of the session and only while your camera or microphone is active. As noted above, Calmsie does not record Breakout Rooms sessions. No video, audio or transcript of any session is stored by Calmsie. If you join a session, other participants will see your display name as shown on your Platform profile.
- Ask a Calmsie Expert data: if you submit a question through the Ask a Calmsie Expert feature, we store the text of your question, the timestamp of submission, and the expert's response. This data is linked to your account and is private — it is visible only to you, the responding Calmsie expert, and Platform administrators. We use it solely to provide the service and to improve expert content quality.
- Authentication data: hashed credentials, session identifiers and, if you sign in via Google, the e-mail address and basic profile information returned by Google.
- Technical data: IP address, browser and device information, and basic diagnostic logs generated by our hosting provider for security and stability.
- Analytics data: we use Google Analytics 4 (Google LLC) and Microsoft Clarity (Microsoft Corporation) to understand how users interact with the Platform. These tools may collect your IP address (anonymised), browser and device information, pages visited, clicks, scroll depth, and session recordings (Microsoft Clarity). This data is processed only with your consent, which you provide via the cookie consent banner on your first visit. You may withdraw consent at any time by updating your cookie preferences.
We do not ask you to provide, and we ask you not to publish, any special categories of personal data as defined in Article 9 GDPR (e.g. health data, racial or ethnic origin). For information about how we handle children's data you voluntarily provide, see the "Children's data" bullet above. The forum is a peer-support space, not a medical service — please see Section 11 below.
4. Purposes and legal bases
We process personal data on the following legal bases under Article 6(1) GDPR:
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Creating and managing your account, providing forum, resources and marketplace features | Account, profile, forum content, marketplace activity | Performance of a contract — Art. 6(1)(b) GDPR (Terms & Conditions) |
| Sending the newsletter and managing your preferences | E-mail address, newsletter preferences | Consent — Art. 6(1)(a) GDPR; withdrawable at any time |
| Processing orders for Calmsie's own products and statutory after-sales obligations | Order data, billing/shipping addresses | Performance of a contract — Art. 6(1)(b) GDPR; legal obligation — Art. 6(1)(c) GDPR (accounting, consumer law) |
| Managing subscriptions, processing payments, granting and revoking platform access based on subscription status | Subscription and billing data, first name, last name (for invoice identification), Stripe customer/subscription IDs | Performance of a contract — Art. 6(1)(b) GDPR |
| Personalising the Platform experience based on children's profile data | Children's data (birth month/year, gender) | Consent — Art. 6(1)(a) GDPR; you may withdraw by deleting this data from your account settings |
| Providing the Ask a Calmsie Expert private Q&A service | Ask Expert questions and responses | Performance of a contract — Art. 6(1)(b) GDPR |
| Facilitating live video sessions (Breakout Rooms) | Session connection data, real-time video image and voice (where camera/microphone enabled), processed by Daily.co | Performance of a contract — Art. 6(1)(b) GDPR; legitimate interest — Art. 6(1)(f) GDPR (providing the service) |
| Administering referral promotions | Referral code, account data | Legitimate interest — Art. 6(1)(f) GDPR (running a fair referral programme) |
| Platform analytics and UX improvement (Google Analytics 4, Microsoft Clarity) | Analytics data, session recordings | Consent — Art. 6(1)(a) GDPR |
| Authentication, session management, security and abuse prevention | Authentication data, technical data, login timestamps | Legitimate interest — Art. 6(1)(f) GDPR (running a secure service) |
| Moderation of forum content and handling user reports | Forum content, account data, flags | Legitimate interest — Art. 6(1)(f) GDPR (safe community) |
| Compliance with legal obligations (e.g. accounting, responding to authorities) | As required by the relevant law | Legal obligation — Art. 6(1)(c) GDPR |
| Defending and pursuing legal claims | Account, forum content, communications | Legitimate interest — Art. 6(1)(f) GDPR |
The Polish Act on the Provision of Services by Electronic Means (ustawa o świadczeniu usług drogą elektroniczną) and the Polish Civil Code (Kodeks cywilny) provide the legal framework for the contract between you and Calmsie when you use the Platform.
5. How long we keep your data
- Account data and profile: for as long as your account exists. When you delete your account, your account record and profile are removed within 30 days, except for data we must keep for legal reasons.
- Forum posts and comments: kept while the account exists. When you delete an item, it is removed from the public forum; when you delete your account, your posts and comments are deleted or anonymised within 30 days.
- Newsletter: we keep your e-mail and preferences until you unsubscribe, and for an additional 30 days after unsubscribing in order to honour the request and prevent re-subscription errors.
- Subscription and billing data: retained for the duration of your subscription and for 5 years after termination for accounting and legal compliance purposes (in line with Polish accounting law).
- Children's data: retained while your account is active. Deleted (along with your account) within 30 days of account deletion. You may also delete it at any time independently through account settings.
- Ask Expert questions and responses: retained while your account is active, and deleted within 30 days of account deletion.
- Referral data: retained for 12 months after account creation, then deleted unless required for an ongoing dispute.
- Analytics data: retained in accordance with Google Analytics 4 and Microsoft Clarity data retention settings, which we configure to the shortest available period (maximum 14 months for GA4; 30 days for Clarity session recordings).
- Security and diagnostic logs: typically up to 90 days.
- Data required by law (e.g. accounting): for the statutory periods (in Poland generally 5 years from the end of the relevant tax year).
- Data needed to defend legal claims: until the relevant limitation period expires.
6. Recipients and processors
We share personal data only with carefully selected service providers acting as processors under written agreements compliant with Article 28 GDPR:
- Supabase, Inc. — database, authentication and file storage for the Platform. Privacy notice.
- Resend (Resend, Inc.) — transactional and newsletter e-mail delivery. Privacy notice.
- Stripe, Inc. — payment processing, subscription management and billing. Stripe processes payment card data and subscription details directly on its own infrastructure under its own privacy policy. Calmsie does not transmit raw card data to Stripe — users enter card details on Stripe's hosted payment page. Privacy notice.
- Daily.co (Daily, Inc.) — video infrastructure for Breakout Rooms live sessions. Daily.co processes connection metadata (IP address, connection quality) for the duration of each session. No session recordings are made or stored. Privacy notice.
- Google LLC — only if you choose to sign in with Google; Google shares your basic profile data with us under its own privacy policy.
- Google LLC (Google Analytics 4) — platform analytics. Processes anonymised usage data with your consent. Privacy notice.
- Microsoft Corporation (Microsoft Clarity) — UX analytics and session recordings. Processes usage data and session recordings with your consent. Privacy notice.
We may also disclose personal data to public authorities or courts where we are legally required to do so. We do not sell personal data and we do not share it with advertising networks or data brokers.
7. International data transfers
Some of our processors (in particular Supabase, Resend, Stripe, Daily.co, Google LLC and Microsoft Corporation) may process personal data outside the European Economic Area, including in the United States. Additionally, children's data provided during onboarding may be accessed by our affiliated entity Calmsie Therapeutics, Inc. (San Francisco, USA) for platform operations and quality improvement purposes. Where this happens, the transfer is protected by appropriate safeguards under Chapter V GDPR — primarily the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the EU–US Data Privacy Framework. You may request a copy of the safeguards by writing to contact@calmsie.ai.
8. Your rights under the GDPR
You have the right to:
- Access your personal data (Art. 15 GDPR) and request a copy.
- Rectify data that is inaccurate or incomplete (Art. 16 GDPR).
- Erasure of your data — the "right to be forgotten" (Art. 17 GDPR).
- Restrict processing in the cases set out in Art. 18 GDPR.
- Data portability — receive your data in a structured, machine-readable format (Art. 20 GDPR).
- Object to processing based on our legitimate interests (Art. 21 GDPR).
- Withdraw consent at any time, without affecting the lawfulness of processing done before withdrawal (Art. 7(3) GDPR).
You can exercise most of these rights directly in the Platform (edit profile, change newsletter preferences, delete posts, delete account). You can also send a request to contact@calmsie.ai; we respond within one month, as required by Art. 12(3) GDPR.
You have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych):
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Website: uodo.gov.pl
10. Automated decision-making and profiling
We do not carry out automated decision-making that produces legal effects or significantly affects you, and we do not engage in profiling within the meaning of Article 22 GDPR.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, encryption at rest at our hosting provider, role-based access controls, row-level security in the database, and regular review of administrator access. No system can be guaranteed 100% secure; please notify us promptly at contact@calmsie.ai if you suspect a compromise of your account.
12. Non-medical nature of the service
Calmsie Community is a peer-support and educational platform. Nothing published on the Platform — including content from Educational Contributors — constitutes medical, psychological or psychiatric advice, diagnosis or treatment. Please do not share sensitive health information about yourself or your children in forum posts or comments, and consult a qualified professional for any health concern. Note that the Ask a Calmsie Expert service provides general informational responses only and does not constitute medical, psychological, psychiatric, legal or financial advice, diagnosis or treatment.
13. Changes to this Policy
We may update this Privacy Policy to reflect changes in the Platform or in applicable law. The "Last updated" date at the top of the page always indicates the current version. For material changes we will notify registered users by e-mail or through an in-app notice at least 14 days before the change takes effect.
14. Contact
Questions, requests and complaints regarding personal data: contact@calmsie.ai, or by post to Calmsie Sp. z o.o., ul. Piastów Śląskich 29/25, 01-494 Warsaw, Poland.