Privacy Policy
This policy describes how Calmauria (hereinafter “Calmauria”, “we”, “us”) processes the personal data of users of the calmauria.com website and the related service (the “Service”), in accordance with Regulation (EU) 2016/679 (“GDPR”) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
Calmauria is an AI-based emotional support and wellness service. It is not a healthcare service, it does not provide diagnoses, therapy or treatment, and it is not a substitute for the advice of a doctor or a psychologist.
1. Data controller
The data controller is CR OÜ (società di diritto estone, codice registro 16778262), che opera con il marchio Calmauria, with its registered office at Nõmme tee 64-3, Kristiine linnaosa, 11311 Tallinn, Harju maakond, Estonia. For any request concerning your data you can write to us at [email protected].
2. Categories of data we process
- Account data: email address, name (optional), password (stored exclusively as a cryptographic hash), confirmation of adult age.
- Session data: chosen topic, brief initial description, mode (audio/phone), selected voice, duration and time of the sessions.
- Conversation content: what you say during your sessions with Auria and the corresponding responses. This content may reveal data belonging to special categories under Article 9 GDPR (in particular data concerning health and psychological wellbeing).
- Payment data: handled directly by Stripe. We do not process or store card numbers; we only receive transaction identifiers, amount, payment status and billing email.
- Technical data: IP address, device and browser type, technical and security logs necessary for the operation and protection of the Service.
3. Purposes and legal bases
- Provision of the Service (account, sessions, payments): legal basis is the performance of the contract (Art. 6(1)(b) GDPR).
- Processing of conversation content and cross-session memory (special category data): legal basis is your explicit consent (Art. 9(2)(a) GDPR), which you may withdraw at any time.
- Security, abuse prevention and handling of crisis situations: legitimate interest (Art. 6(1)(f)) and, where applicable, protection of vital interests (Art. 9(2)(c)).
- Tax and accounting obligations relating to payments: legal obligation (Art. 6(1)(c)).
- Service communications (e.g. confirmations, security notices): performance of the contract and legitimate interest.
4. Cross-session memory
Only if you give a specific, optional consent, Auria keeps an encrypted summary of your conversations so that you can pick up where you left off in later sessions. You can withdraw this consent at any time from your account area or by writing to us: from that moment the memory will no longer be used and the summaries will be deleted.
5. How we protect your data
Sensitive content (session transcripts and summaries) is encrypted at the application level using the AES-256-GCM algorithm; the encryption keys are managed separately from the database. Passwords are protected with key derivation functions (scrypt). We adopt appropriate technical and organisational measures to ensure confidentiality, integrity and availability.
6. Providers and data processors
To provide the Service we rely on providers acting as data processors, each under appropriate contractual safeguards:
- Stripe — payments;
- Neon — database;
- LiveKit — real-time audio/video transmission;
- Anam — video avatar (feature currently not active);
- Cartesia — voice synthesis;
- Deepgram — voice transcription;
- Anthropic — the artificial intelligence model that generates the responses.
Some providers may process data outside the European Economic Area. In that case, transfers take place on the basis of appropriate safeguards under Articles 44 et seq. GDPR (in particular Standard Contractual Clauses). Where technically possible we favour providers offering EU data residency and contractual commitments not to train their models on your content.
7. Automated decision-making
The Service uses artificial intelligence to generate responses and, in parallel, an automated safety classifier that analyses each turn to detect risk signals (e.g. suicidal thoughts, danger to yourself or others). This processing does not produce legal effects concerning you: its sole purpose is your safety. We do not carry out profiling for marketing purposes.
8. Data retention
- Account data: for the duration of the relationship and for as long as the account remains active.
- Transcripts and summaries: retained only with your consent; if you do not consent to memory, the content is not retained beyond the session or is deleted within the timeframes set out in our retention policies.
- Payment data and tax documents: for the period required by law.
- Security logs: for the time strictly necessary for security purposes.
9. Minors
The Service is strictly reserved for adults (18 years of age or older). We do not knowingly collect data from minors. If we detect signs that a user may be a minor, we end the session and direct them to dedicated resources. If you believe that a minor has provided us with data, please write to us and we will delete it.
10. Handling of crisis situations
Calmauria does not handle emergencies. Where there are signals of a risk to life, Auria interrupts the conversation and directs the user to immediate human help (emergency numbers and helplines). In situations of imminent danger, call 112 (or your local emergency number).
11. Your rights
As a data subject you may exercise at any time the rights provided for in Articles 15-22 GDPR:
- access to your data and a copy of it;
- rectification of inaccurate data;
- erasure (“right to be forgotten”);
- restriction of, and objection to, processing;
- data portability;
- withdrawal of consent at any time, without affecting the lawfulness of processing carried out beforehand.
To exercise your rights, write to [email protected]. We will respond within the timeframes required by law.
12. Complaint to a supervisory authority
You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it) or with the supervisory authority of the EU Member State in which you reside.
13. Changes
We may update this policy from time to time. Changes will be published on this page together with the relevant update date.
Additional notice for United States residents — Consumer Health Data
The content of your conversations with Auria may constitute “consumer health data” under certain US state laws, including the Washington My Health My Data Act. With respect to such data:
- we collect and process it only with your explicit consent and solely to provide the Service to you;
- we do not sell consumer health data and we do not share it for advertising purposes;
- you may exercise your rights of access, deletion and withdrawal of consent at any time by writing to [email protected];
- this data is protected by application-level encryption, as described in Section 5.
Note: this is a courtesy translation provided for convenience. In the event of any inconsistency between the English and Italian versions, the Italian version prevails to the extent permitted by mandatory consumer law. This policy is drafted with the utmost care but does not replace tailored legal advice: review by qualified counsel is recommended prior to public launch, together with a data protection impact assessment (DPIA).